IPsec Auto-Discovery VPN (ADVPN)

Consider a company that wants to provide direct secure (IPsec) connections between all of its offices in New York, Chicago, Greenwich, London, Paris, Frankfurt, Tokyo, Shanghai, and Hong Kong.

A straightforward solution is to create a full mesh of connections such that every site has eight IPsec configurations, one for each of the other sites.  If there were ninety sites, that could still be done but now the configuration is becoming tedious, since every time a new site is added, N-1 other sites have to have their configuration updated.

An efficient and secure alternative is IPsec Auto-Discovery VPN (ADVPN), which allows a minimum amount of configuration per site but still allows direct IPsec connections to be made between every site. RF C 7018 essentially describes this problem, along with some requirements for candidate solutions.

The ADVPN solution involves partitioning the sites into spokes and hubs such that a spoke has to have enough IPsec configuration to enable it to connect to at least one hub.  A hub does not have specific configuration for each spoke, so the amount of configuration does not grow with the number of spokes that are connected to that hub.  A hub to hub connection would typically involve both hubs having configuration for each other.

So, one possible partition for the original nine sites would be that Chicago and Greenwich would be spokes for the New York hub, Paris and Frankfurt would be spokes for the London hub, and Tokyo and Hong Kong would be spokes for the Shanghai hub:

Once a spoke has established a connection to its hub then initially IPsec traffic to another site transits via one or more hubs.  For example, traffic from Chicago to Hong Kong would transit via the New York and Shanghai hubs.  This transit traffic then triggers an attempt to create a more direct connection.

In FortiOS:

 

• Direct connections are only created between the two endpoints that want to exchange traffic (e.g. Chicago and Hong Kong); we do not create intermediate connections (say Chicago to Shanghai, or New York to Hong Kong) as a side-effect.
• Learning the peer subnets is done via a dynamic routing protocol running over the IPsec connections.
• Negotiation of the direct connections is done via IKE. l Both PSK and certificate authentication is supported.

Example ADVPN configuration

Since dynamic routing with IPsec under FortiOS requires that an interface have an IP address, then for every site a unique IP address from some unused range is allocated.  For example we’ll assume that 10.100.0.0/16 is unused and so assign the IP addresses:

l   Chicago 10.100.0.4 l   Greenwich 10.100.0.5 l   New York 10.100.0.1

l   London 10.100.0.2 l   Shanghai 10.100.0.3 l   Paris 10.100.0.6

l   Frankfurt 10.100.0.7 l   Hong Kong 10.100.0.8 l   Tokyo 10.100.0.9

We’ll assume that each site has one or more subnets that it protects that it wants to make available to the peers.  For the purposes of exposition we’ll assume there is only one subnet per site and they are allocated as:

l   Chicago 10.0.4.0/16 l   Greenwich 10.0.5.0/24 l   New York 10.0.1.0/24

l   London 10.0.2.0/24 l   Shanghai 10.0.3.0/24 l   Paris 10.0.6.0/24

l   Frankfurt 10.0.7.0/24 l   Hong Kong 10.0.8.0/24 l   Tokyo 10.0.9.0/24

Our example network topology now looks like this:

Example ADVPN configuration                                                                            IPsec Auto-Discovery VPN (ADVPN)

The configuraton in Chicago would be as follows:

config vpn ipsec phase1-interface edit “New York” set type static set interface wan1

set remote-gw <New-York-IP-address> set psk <New-York-PSK> set auto-discovery-receiver enable

next

end

The attribute auto-discovery-receiver indicates that this IPsec tunnel wishes to participate in an autodiscovery VPN.  The IPsec interface would then have its IP assigned according to the Chicago address:

config system interface edit “New York” set ip 10.100.0.4/32 set remote-ip 10.100.0.1

next

end

RIP (for simplicity, you could use OSPF or BGP) is then configured to run on the IPsec interface and on the Chicago subnet (you could use redistribute connected, but we’ll allow for the fact that there may be other subnets learned from another router on the 10.0.4.0/24 subnet):

config router rip

edit 1 set prefix 10.100.0.0/16

next edit 2 set prefix 10.0.4.0/24

next

end

Other than the firewall policy and a minimal phase 2 configuration, this concludes the configuration for Chicago.  Each spoke would have a similar configuration.

The New York hub would have a dynamic phase 1 for its spoke connections, and two static phase 1s for its connections to the other hubs:

config vpn ipsec phase1-interface edit “Spokes” set type dynamic set interface wan1 set psk <New-York-PSK> set auto-discovery-sender enable set auto-discovery-psk enable set add-route disable

next edit “London” set type static set interface wan1 set psk <New-York-London-PSK> set auto-discovery-forwarder enable

next edit “Shanghai” set type static set interface wan1 set psk <New-York-Shanghai-PSK> set auto-discovery-forwarder enable

next

end

The ‘Spokes’ connection has set auto-discovery-sender enable to indicate that when IPsec traffic transits the hub it should optionally generate a message to the initiator of the traffic to indicate that it could perhaps establish a more direct connection.  The set add-route disable ensures that IKE does not automatically add a route back over the spoke and instead leaves routing to a separately configured routing protocol.

The two inter-hub connections have set auto-discovery-forwarder enable to indicate that these connections can participate in the auto-discovery process.  The interface IP addresses are assigned: config system interface edit “Spokes” set ip 10.100.0.1/32 set remote-ip 10.100.0.254

next edit “London” set ip 10.100.0.1/32 set remote-ip 10.100.0.2

next edit “London” set ip 10.100.0.1/32

Example ADVPN configuration                                                                            IPsec Auto-Discovery VPN (ADVPN)

set remote-ip 10.100.0.3

next

end

 

Following this, RIP is enabled on the relevant interfaces: config router rip edit 1 set prefix 10.100.0.0/16

next edit 2 set prefix 10.0.1.0/24

next

end

 

A similar configuration would be used on the other two hubs.

Traffic flow and tunnel connection

With the configuration in place at all spokes and hubs, assuming all the spokes are connected to a hub, then

Chicago would learn (via RIP) that the route to the Hong Kong subnet 10.0.8.0/24 is via its “New York” interface.  If a device on the Chicago protected subnet (say 10.0.4.45) attempted to send traffic to the Hong Kong protected subnet (say 10.0.8.13) then it should flow over the New York interface to New York, which should then transmit it over the Shanghai tunnel to Shanghai, which should then send it over the dynamically negotiated Hong Kong tunnel to Hong Kong.

At the point when the traffic transits New York it should notice that the Chicago Spoke tunnel and the Shanghai tunnel have auto-discovery enabled, causing the New York hub to send a message via IKE to Chicago informing it that it may want to try and negotiate a direct connection for traffic from 10.0.4.45 to 10.0.8.13.

On receipt of this message, IKE on Chicago creates the (FortiOS-specific) IKE INFORMATIONAL SHORTCUTQUERY message which contains the Chicago public IP address, the source IP of the traffic (10.0.4.45), the desired destination IP (10.0.8.13), and the PSK that should be used to secure any direct tunnel (if certificates are confgured, it is assumed that they all share the same CA and so no additional authentication information is required).  This message is sent via IKE to New York since routing indicates that New York is the best route to 10.0.8.13.

On receipt of the IKE INFORMATIONAL query, New York checks its routing table to see who owns 10.0.8.13.  It finds that 10.0.8.13 should be routed via Shanghai, and since Shanghai is marked as an auto-discovery-forwarder then the query is forwarded.

Shanghai repeats the process, finds that 10.0.8.13 should be routed via its Hong Kong Spoke and so sends it to Hong Kong.  Hong Kong checks 10.0.8.13, finds that it owns the subnet, so it remembers the Chicago public IP address (and PSK) and creates an IKE INFORMATIONAL reply message containing its external IP address.  To work out where to send the IKE message, the FortiGate does a routing lookup for the original source IP

(10.0.4.45), determines that the message should be routed via its Shanghai tunnel and so sends the reply back to Shanghai.  The reply then makes its way back to Chicago following the reverse of the path that it used to arrive at Hong Kong.

When the reply makes it back to the Chicago initator then it now knows the IP address of the Hong Kong device.  Chicago now creates a new dynamic tunnel with the remote gateway as the Hong Kong public IP address and initiates an IKE negotiation  (the dynamic tunnel nameis auto-generated from the tunnel over which it performed the query; in this case it would be called ‘New York_0’).

This negotiation should succeed since Hong Kong is set up to expect an attempted negotiation from the Chicago public IP address.  Once the negotiation succeeds, RIP will start to run on the newly created tunnels at Chicago and Hong Kong.  This will update the routing on Chicago (and Hong Kong) so that the prefered route to 10.0.8.0 (10.0.4.0) is via the newly created tunnel rather than via the connection to New York (Shanghai).

Notes about ADVPN in FortiOS

• Auto-discovery is only supported by IKEv1.
• All Spokes must have an IP address that is routable from any other spoke; devices behind NAT are not currently supported.
• The feature requires the use of a dynamic routing protocol. There is no support for IKE handling routing.
• RIP is not a very scalable routing protocol. When there are more than a few spokes it would be advisable to use route summarization to avoid huge RIP updates.  Better yet, use BGP instead of RIP.
• It is assumed that spokes will not be used to transit other spoke traffic, for example: traffic from Chicago to Tokyo would not transit an existing Chicago to Hong Kong tunnel even though that has a shorter hop count than a route via New York and Shanghai.
• There is no facility to allow you to filter which traffic that transits the hub should trigger the message sent to the initiator suggesting it create a direct connection. Currently any and all traffic will trigger it.

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

BGP over dynamic IPsec

The following example shows how to create a dynamic IPsec VPN tunnel that allows BGP.

Configuring IPsec on FortiGate 1

1. Go to Policy & Objects > Addresses and select create new Address.

Name	Remote_loop_int
Type	Subnet
Subnet/IP Range	10.10.10.10
Interface	any

2. Create an Address Group.

Group Name	VPN_DST
Show in Address List	enable
Members	Remote_loop_int all

3. Go to Dashboard and enter the CLI Console widget.
4. Create phase 1:

config vpn ipsec phase1-interface edit Dialup set type dynamic set interface wan1 set mode aggressive set peertype one set mode-cfg enable set proposal 3des-sha1 aes128-sha1 set peerid dial set assign-ip disable set psksecret

next

end

 

5. Create phase 2:

config vpn ipsec phase2-interface edit dial_p2 set phase1name Dialup set proposal 3des-sha1 aes128-sha1 set src-addr-type name set dst-addr-type name set src-name all set dst-name VPN_DST next

BGP over dynamic IPsec

end

Configuring BGP on FortiGate 1

1. Go to Network > Interfaces and create a Loopback interface.
2. Set IP/Network Mask to 20.20.20/255.255.255.255.
3. Go to Dashboard and enter the CLI Console widget.
4. Create a BGP route.

config router bgp set as 100 set router-id 1.1.1.1 config neighbor edit 10.10.10.10 set ebgp-enforce-multihop enable set remote-as 200 set update-source loop

next

end

config redistribute connected set status enable

end

end

Adding policies on FortiGate 1

1. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from Dialup to loop interfaces. 2. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from loop to Dialup interfaces.

Configuring IPsec on FortiGate 2

1. Go to Dashboard and enter the CLI Console widget.
2. Create phase 1:

config vpn ipsec phase1-interface edit Dialup set interface wan1 set mode aggressive set mode-cfg enable

set proposal 3des-sha1 aes128-sha1 set localid dial set remote-gw 172.20.120.22 set assign-ip disable set psksecret

next

end

 

3. Create phase 2:

config vpn ipsec phase2-interface edit dial_p2 set phase1name Dialup

set proposal 3des-sha1 aes128-sha1 set keepalive enable

next end

BGP over dynamic IPsec

Configuring BGP on FortiGate 2

1. Go to Network > Interfaces and create a Loopback interface.
2. Set IP/Network Mask to 10.10.10/255.255.255.255.
3. Go to Dashboard and enter the CLI Console
4. Create a BGP route.

config router bgp set as 200 set router-id 1.1.1.2 config neighbor edit 20.20.20.20 set ebgp-enforce-multihop enable set remote-as 100 set update-source loop

next

end

config redistribute connected set status enable

end

end

Adding policies on FortiGate 2

1. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from Dialup to loop interfaces. 2. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from loop to Dialup interfaces.

Adding a static route on FortiGate 2

Go to Network > Static Routes and add a route to the remote Loopback interface via Dialup interface.

Destination IP/Mask	20.20.20.20/255.255.255.255
Device	Dialup
Administrative Distance	10

Verifying the tunnel is up

Go to Monitor > IPsec Monitor to verify that the tunnel is Up.

Results

1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via BGP.
2. From FortiGate 1, go to Dashboard.
3. Enter the CLI Console widget and type this command to verify BGP neighbors:

get router info bgp summary

 

BGP over dynamic IPsec

4. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via BGP.
5. From FortiGate 2, go to Dashboard.
6. Enter the CLI Console widget and type this command to verify BGP neighbors:

get router info bgp summary

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Protecting OSPF with IPsec

For enhanced security, OSPF dynamic routing can be carried over IPsec VPN links. The following topics are included in this section:

Configuration overview

This chapter shows an example of OSPF routing conducted over an IPsec tunnel between two FortiGate units. The network shown below is a single OSPF area. FortiGate_1 is an Area border router that advertises a static route to 10.22.10.0/24 in OSPF. FortiGate_2 advertises its local LAN as an OSPF internal route.

OSPF over an IPsec VPN tunnel

The section Configuration overview describes the configuration with only one IPsec VPN tunnel, tunnel_wan1. Then, the section Configuration overview  describes how you can add a second tunnel to provide a redundant backup path. This is shown above as VPN tunnel “tunnel_wan2”.

Only the parts of the configuration concerned with creating the IPsec tunnel and integrating it into the OSPF network are described. It is assumed that security policies are already in place to allow traffic to flow between the interfaces on each FortiGate unit.

OSPF over IPsec configuration

There are several steps to the OSPF-over-IPsec configuration:

 

• Configure a route-based IPsec VPN on an external interface. It will connect to a corresponding interface on the other FortiGate unit. Define the two tunnel-end addresses.
• Configure a static route to the other FortiGate unit.
• Configure the tunnel network as part of the OSPF network and define the virtual IPsec interface as an OSPF interface.

This section describes the configuration with only one VPN, tunnel_wan1. The other VPN is added in the section Configuration overview on page 197.

Configuring the IPsec VPN

A route-based VPN is required. In this chapter, preshared key authentication is shown. Certificate authentication is also possible. Both FortiGate units need this configuration.

Configuring Phase 1

1. Define the Phase 1 configuration needed to establish a secure connection with the other FortiGate unit. For more information, see Phase 1 parameters on page 52. Enter these settings in particular:

Name	Enter a name to identify the VPN tunnel, tunnel_wan1 for example. This becomes the name of the virtual IPsec interface.
Remote Gateway	Select Static IP Address.
IP Address	Enter the IP address of the other FortiGate unit’s public (Port 2) interface.
Local Interface	Select this FortiGate unit’s public (Port 2) interface.
Mode	Select Main (ID Protection).
Authentication Method	Preshared Key
Pre-shared Key	Enter the preshared key. It must match the preshared key on the other FortiGate unit.
Advanced	Select Advanced.

Assigning the tunnel end IP addresses

1. Go to Network > Interfaces, select the virtual IPsec interface that you just created on Port 2 and select Edit. 2. In the IP and Remote IP fields, enter the following tunnel end addresses:

	FortiGate_1	FortiGate_2
IP	10.1.1.1	10.1.1.2
Remote_IP	10.1.1.2	10.1.1.1

These addresses are from a network that is not used for anything else.

Configuring Phase 2

1. Enter a name to identify this Phase 2 configuration, twan1_p2, for example.
2. Select the name of the Phase 1 configuration that you defined in Step “Configuration overview” on page 197, tunnel_wan1 for example.

Configuring static routing

You need to define the route for traffic leaving the external interface.

1. Go to Network > Static Routes, select Create New.
2. Enter the following information.

Destination IP/Mask	Leave as 0.0.0.0 0.0.0.0.
Device	Select the external interface.
Gateway	Enter the IP address of the next hop router.

Configuring OSPF

This section does not attempt to explain OSPF router configuration. It focusses on the integration of the IPsec tunnel into the OSPF network. This is accomplished by assigning the tunnel as an OSPF interface, creating an OSPF route to the other FortiGate unit.

This configuration uses loopback interfaces to ease OSPF troubleshooting. The OSPF router ID is set to the loopback interface address.The loopback interface ensures the router is always up. Even though technically the router ID doesn’t have to match a valid IP address on the FortiGate unit, having an IP that matches the router ID makes troubleshooting a lot easier.

The two FortiGate units have slightly different configurations. FortiGate_1 is an AS border router that advertises its static default route. FortiGate_2 advertises its local LAN as an OSPF internal route.

Setting the router ID for each FortiGate unit to the lowest possible value is useful if you want the FortiGate units to be the designated router (DR) for their respective ASes. This is the router that broadcasts the updates for the AS.

Leaving the IP address on the OSPF interface at 0.0.0.0 indicates that all potential routes will be advertised, and it will not be limited to any specific subnet. For example if this IP address was 10.1.0.0, then only routes that match that subnet will be advertised through this interface in OSPF.

FortiGate_1 OSPF configuration

When configuring FortiGate_1 for OSPF, the loopback interface is created, and then you configure OSPF area networks and interfaces.

With the exception of creating the loopback interface, OSPF for this example can all be configured in either the web-based manager or CLI.

Creating the loopback interface

A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.1, you would enter:

config system interface edit lback1 set vdom root set ip 10.0.0.1 255.255.255.255 set type loopback

end

The loopback addresses and corresponding router IDs on the two FortiGate units must be different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.

Configuring OSPF area, networks, and interfaces – web-based manager

1. On FortiGate_1, go to Network > OSPF.
2. Enter the following information to define the router, area, and interface information.

Router ID	Enter 10.0.0.1. Select Apply before entering the remaining information.
Advanced Options
Redistribute	Select the Connected and Static check boxes. Use their default metric values.
Areas	Select Create New, enter the Area and Type and then select OK.
Area	0.0.0.0
Type	Regular
Interfaces	Enter a name for the OSPF interface, ospf_wan1 for example.
Name
Interface	Select the virtual IPsec interface, tunnel_wan1.
IP	0.0.0.0

3. For Networks, select Create New.
4. Enter the IP/Netmask of 1.1.0/255.255.255.0 and an Area of 0.0.0.0. 5. For Networks, select Create New.
5. Enter the IP/Netmask of 0.0.1/255.255.255.0 and an Area of 0.0.0.0.
6. Select Apply.

Configuring OSPF area and interfaces – CLI

Your loopback interface is 10.0.0.1, your tunnel ends are on the 10.1.1.0/24 network, and your virtual IPsec interface is named tunnel_wan1. Enter the following CLI commands:

config router ospf set router-id 10.0.0.1 config area edit 0.0.0.0

end config network edit 4 set prefix 10.1.1.0 255.255.255.0

next edit 2 set prefix 10.0.0.1 255.255.255.255

end

config ospf-interface edit ospf_wan1 set cost 10

set interface tunnel_wan1 set network-type point-to-point

end

config redistribute connected set status enable

end

config redistribute static set status enable

end

end

FortiGate_2 OSPF configuration

When configuring FortiGate_2 for OSPF, the loopback interface is created, and then you configure OSPF area networks and interfaces.

Configuring FortiGate_2 differs from FortiGate_1 in that three interfaces are defined instead of two. The third interface is the local LAN that will be advertised into OSPF.

With the exception of creating the loopback interface, OSPF for this example can all be configured in either the web-based manager or CLI.

Creating the loopback interface

A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.2, you would enter:

config system interface edit lback1 set vdom root

set ip 10.0.0.2 255.255.255.255 set type loopback

end

The loopback addresses on the two FortiGate units must be different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.

Configuring OSPF area and interfaces – web-based manager

1. On FortiGate_2, go to Network > OSPF.
2. Complete the following.

Router ID			10.0.0.2
Areas			Select Create New, enter the Area and Type and then select OK.
Area			0.0.0.0
Type			Regular
Interfaces
Name			Enter a name for the OSPF interface, ospf_wan1 for example.
Interface			Select the virtual IPsec interface, tunnel_wan1.
IP			0.0.0.0

3. For Networks, select Create New.
4. Enter the following information for the loopback interface:

IP/Netmask		10.0.0.2/255.255.255.255
Area		0.0.0.0

5. For Networks, select Create New.
6. Enter the following information for the tunnel interface:

IP/Netmask		10.1.1.0/255.255.255.255
Area		0.0.0.0

7. For Networks, select Create New.
8. Enter the following information for the local LAN interface:

IP/Netmask	10.31.101.0/255.255.255.255
Area	0.0.0.0

9. Select Apply.

Configuring OSPF area and interfaces – CLI

If for example, your loopback interface is 10.0.0.2, your tunnel ends are on the 10.1.1.0/24 network, your local LAN is 10.31.101.0/24, and your virtual IPsec interface is named tunnel_wan1, you would enter:

config router ospf set router-id 10.0.0.2 config area edit 0.0.0.0

end config network edit 1 set prefix 10.1.1.0 255.255.255.0

next edit 2 set prefix 10.31.101.0 255.255.255.0

next edit 2

 

Creating a redundant configuration

set prefix 10.0.0.2 255.255.255.255

end

config ospf-interface edit ospf_wan1 set interface tunnel_wan1 set network-type point-to-point

end

end

Creating a redundant configuration

You can improve the reliability of the OSPF over IPsec configuration described in the previous section by adding a second IPsec tunnel to use if the default one goes down. Redundancy in this case is not controlled by the IPsec VPN configuration but by the OSPF routing protocol.

To do this you:

• Create a second route-based IPsec tunnel on a different interface and define tunnel end addresses for it.
• Add the tunnel network as part of the OSPF network and define the virtual IPsec interface as an additional OSPF interface.
• Set the OSPF cost for the added OSPF interface to be significantly higher than the cost of the default route.

Adding the second IPsec tunnel

The configuration is the same as in Configuring the IPsec VPN on page 198, but the interface and addresses will be different. Ideally, the network interface you use is connected to a different Internet service provider for added redundancy.

When adding the second tunnel to the OSPF network, choose another unused subnet for the tunnel ends, 10.1.2.1 and 10.1.2.2 for example.

Adding the OSPF interface

OSPF uses the metric called cost when determining the best route, with lower costs being preferred. Up to now in this example, only the default cost of 10 has been used. Cost can be set only in the CLI.

The new IPsec tunnel will have its OSPF cost set higher than that of the default tunnel to ensure that it is only used if the first tunnel goes down. The new tunnel could be set to a cost of 200 compared to the default cost is 10. Such a large difference in cost will ensure this new tunnel will only be used as a last resort.

If the new tunnel is called tunnel_wan2, you would enter the following on both FortiGate units:

config router ospf config ospf-interface edit ospf_wan2 set cost 200 set interface tunnel_wan2 set network-type point-to-point

end end

Redundant OSPF routing over IPsec

This example sets up redundant secure communication between two remote networks using an Open Shortest Path First (OSPF) VPN connection. In this example, the HQ FortiGate unit will be called FortiGate 1 and the Branch FortiGate unit will be called FortiGate 2.

The steps include:

1. Creating redundant IPsec tunnels on FortiGate 1.
2. Configuring IP addresses and OSPF on FortiGate 1.
3. Configuring firewall addresses on FortiGate 1.
4. Configuring security policies on FortiGate 1.
5. Creating redundant IPsec tunnels for FortiGate 2.
6. Configuring IP addresses and OSPF on FortiGate 2.
7. Configuring firewall addresses on FortiGate 2.
8. Configuring security policies on FortiGate 2.

Creating redundant IPsec tunnels on FortiGate 1

1. Go to VPN > IPsec Tunnels.
2. Select Create New, name the primary tunnel and select Custom VPN Tunnel (No Template). Set the following:

Remote Gateway	Static IP Address
IP Address	FortiGate 2’s wan1 IP
Local Interface	wan1 (the primary Internet-facing interface)
Pre-shared Key	Enter

4. Go to VPN > IPsec Tunnels.
5. Select Create New, name the secondary tunnel and select Custom VPN Tunnel (No Template).
6. Set the following:

Remote Gateway	Static IP Address
IP Address	FortiGate 2’s wan2 IP
Local Interface	wan2 (the secondary Internet-facing interface)
Pre-shared Key	Enter

Configuring IP addresses and OSPF on FortiGate 1

1. Go to Network > Interfaces.
2. Select the arrow for wan1 to expand the list.

Redundant OSPF routing over

3. Edit the primary tunnel interface and create IP addresses.

IP		10.1.1.1
Remote IP		10.1.1.2

4. Select the arrow for wan2 to expand the list.
5. Edit the secondary tunnel interface and create IP addresses.

IP	10.2.1.1
Remote IP	10.2.1.2

6. Go to Network > OSPF and enter the Router ID for FortiGate 1.
7. Select Create New in the Area
8. Add the backbone area of 0.0.0.
9. Select Create New in the Networks
10. Create the networks and select Area 0.0.0.0 for each one.
11. Select Create New in the Interfaces
12. Create primary and secondary tunnel interfaces.
13. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Configuring firewall addresses on FortiGate 1

1. Go to Policy & Objects > Addresses.
2. Create/Edit the subnets behind FortiGate 1 and FortiGate 2.
3. Create/Edit the primary and secondary interfaces of FortiGate 2.

Configuring security policies on FortiGate 1

1. Go to Policy & Objects > IPv4 Policy.
2. Create the four security policies required for both FortiGate 1’s primary and secondary interfaces to connect to FortiGate 2’s primary and secondary interfaces.

Creating redundant IPsec tunnels on FortiGate 2

1. Go to VPN > IPsec Tunnels.
2. Select Create New, name the primary tunnel and select Custom VPN Tunnel (No Template). Set the following:

Remote Gateway			Static IP Address
IP Address			FortiGate 1’s wan1 IP
Local Interface			wan1 (the primary Internet-facing interface)
Pre-shared Key			Enter

 

Redundant OSPF routing over IPsec

4. Go to VPN > IPsec Tunnels.
5. Select Create New, name the secondary tunnel and select Custom VPN Tunnel (No Template).
6. Set the following:

Remote Gateway	Static IP Address
IP Address	FortiGate 1’s wan1 IP
Local Interface	wan2 (the secondary Internet-facing interface)
Pre-shared Key	Enter

Configuring IP addresses and OSPF on FortiGate 1

1. Go to Network > Interfaces.
2. Select the arrow for wan1 to expand the list.
3. Edit the primary tunnel interface and create IP addresses.

IP		10.1.1.2
Remote IP		10.1.1.1

4. Select the arrow for wan2 to expand the list.
5. Edit the secondary tunnel interface and create IP addresses.

IP		10.2.1.2
Remote IP		10.2.1.1

6. Go to Network > OSPF and enter the Router ID for FortiGate 2.
7. Select Create New in the Area
8. Add the backbone area of 0.0.0.
9. Select Create New in the Networks
10. Create the networks and select Area 0.0.0.0 for each one.
11. Select Create New in the Interfaces
12. Create primary and secondary tunnel interfaces.
13. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Configuring firewall addresses on FortiGate 2

1. Go to Policy & Objects > Addresses.
2. Create/Edit the subnets behind FortiGate 1 and FortiGate 2.
3. Create/Edit the primary and secondary interfaces of FortiGate 2.

Redundant OSPF routing over

Configuring security policies on FortiGate 2

1. Go to Policy & Objects > IPv4 Policy.
2. Create the four security policies required for both FortiGate 2’s primary and secondary interfaces to connect to FortiGate 1’s primary and secondary interfaces.

Results

1. Go to Monitor > IPsec Monitor to verify the statuses of both the primary and secondary IPsec VPN tunnels on FortiGate 1 and FortiGate 2.
2. Go to Monitor > Routing Monitor. Monitor to verify the routing table on FortiGate 1 and FortiGate 2. Type OSPF for the Type and select Apply Filter to verify the OSPF route.
3. Verify that traffic flows via the primary tunnel:
   • From a PC1 set to IP:10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP address 10.21.1.00 behind FortiGate 2 and vise versa.
   • From PC1, you should see that the traffic goes through 10.1.1.2 which is the primary tunnel interface IP set on FortiGate 2.
   • From PC2, you should see the traffic goes through 10.1.1.1 which is the primary tunnel interface IP set on FortiGate 1.
4. The VPN network between the two OSPF networks uses the primary VPN connection. Disconnect the wan1 interface and confirm that the secondary tunnel will be used automatically to maintain a secure connection.
5. Verify the IPsec VPN tunnel statuses on FortiGate 1 and FortiGate 2. Both FortiGates should show that primary tunnel is DOWN and secondary tunnel is UP.
6. Go to Monitor > IPsec Monitor to verify the status.
7. Verify the routing table on FortiGate 1 and FortiGate 2.

The secondary OSPF route (with cost = 100) appears on both FortiGate units.

8. Go to Monitor > Routing Monitor. Type OSPF for the Type and select Apply Filter to verify OSPF route.
9. Verify that traffic flows via the secondary tunnel:
   • From a PC1 set to IP:10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP:10.21.1.100 behind FortiGate 2 and vice versa.
   • From PC1, you should see that the traffic goes through 10.2.1.2 which is the secondary tunnel interface IP set on FortiGate 2.
   • From PC2, you should see the traffic goes through 10.2.1.1 which is the secondary tunnel interface IP set on FortiGate 1.

OSPF over dynamic IPsec

The following example shows how to create a dynamic IPsec VPN tunnel that allows OSPF.

Configuring IPsec on FortiGate 1

1. Go to Dashboard and enter the CLI Console widget 2. Create phase 1:

config vpn ipsec phase1-interface edit “dial-up” set type dynamic set interface “wan1” set mode-cfg enable set proposal 3des-sha1 set add-route disable set ipv4-start-ip 10.10.101.0 set ipv4-end-ip 10.10.101.255 set psksecret

next

end

 

3. Create phase 2:

config vpn ipsec phase2-interface edit “dial-up-p2” set phase1name “dial-up” set proposal 3des-sha1 aes128-sha1

next

end

Configuring OSPF on FortiGate 1

1. Go to Dashboard and enter the CLI Console
2. Create OSPF route.

config router ospf set router-id 172.20.120.22 config area edit 0.0.0.0 next

end config network edit 1 set prefix 10.10.101.0 255.255.255.0

next

end

config redistribute “connected” set status enable

end

config redistribute “static” set status enable

end

end

OSPF over dynamic

Adding policies on FortiGate 1

1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from dial-up to port5.
2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to dial-up

Configuring IPsec on FortiGate 2

1. Go to Dashboard and enter the CLI Console widget 2. Create phase 1:

config vpn ipsec phase1-interface edit “dial-up-client” set interface “wan1” set mode-cfg enable set proposal 3des-sha1 set add-route disable set remote-gw 172.20.120.22 set psksecret

next

end

 

3. Create phase 2:

config vpn ipsec phase2-interface edit “dial-up-client” set phase1name “dial-up-client” set proposal 3des-sha1 aes128-sha1 set auto-negotiate enable

next

end

Configuring OSPF on FortiGate 2

1. Go to Dashboard and enter the CLI Console
2. Create OSPF route.

config router ospf set router-id 172.20.120.15 config area edit 0.0.0.0 next

end config network edit 1 set prefix 10.10.101.0 255.255.255.0

next

end

config redistribute “connected” set status enable

end

config redistribute “static” set status enable

end

end

 

OSPF over dynamic IPsec

Adding policies on FortiGate 2

1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from dial-up-client to port5.
2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to dial-up-client

Verifying the tunnel is up

Go to Monitor > IPsec Monitor to verify that the tunnel is Up.

Results

1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via OSPF.
2. From FortiGate 1, go to Dashboard. Enter the CLI Console widget and type this command to verify OSPF neighbors:

get router info ospf neighbor

 

OSPF process 0:

Neighbor      ID Pri State Dead  Time     Address Interface

172.20.120.25 1  Full  /     –   00:00:34 10.10.101.1  dial-up_0

3. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via OSPF.
4. From FortiGate 2, go to Dashboard. Enter the CLI Console widget and type this command to verify OSPF neighbors:

get router info ospf neighbor

 

OSPF process 0:

Neighbor      ID Pri State Dead  Time     Address     Interface

172.20.120.22 1  Full  /     –   00:00:30 10.10.101.2  dial-up_client

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

GRE over IPsec (Cisco VPN)

This section describes how to configure a FortiGate VPN that is compatible with Cisco-style VPNs that use GRE in an IPsec tunnel.

The following topics are included in this section:

Configuration overview

Configuring the Cisco router

Keep-alive support for GRE

Cisco products that include VPN support often use Generic Routing Encapsulation (GRE) protocol tunnel over

IPsec encryption. This chapter describes how to configure a FortiGate unit to work with this type of Cisco VPN.

Cisco VPNs can use either transport mode or tunnel mode IPsec. Before FortiOS 4.0 MR2, the FortiGate unit was compatible only with tunnel mode IPsec.

Example FortiGate to Cisco GRE-over-IPsec VPN

In this example, users on LAN1 are provided access to LAN2.

Configuration overview

The following section consists of configuring the FortiGate unit and configuring the Cisco router.

Configuring the FortiGate unit

There are several steps to the GRE-over-IPsec configuration:

• Enable overlapping subnets. This is needed because the IPsec and GRE tunnels will use the same addresses.
• Configure a route-based IPsec VPN on the external interface.
• Configure a GRE tunnel on the virtual IPsec interface. Set its local gateway and remote gateway addresses to match the local and remote gateways of the IPsec tunnel.
• Configure security policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
• Configure security policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.
• Configure a static route to direct traffic destined for the network behind the Cisco router into the GRE-over-IPsec tunnel.

Enabling overlapping subnets

By default, each FortiGate unit network interface must be on a separate network. The configuration described in this chapter assigns an IPsec tunnel end point and the external interface to the same network. Enable subnet overlap as follows:

config system settings set allow-subnet-overlap enable

end

Configuring the IPsec VPN

A route-based VPN is required. It must use encryption and authentication algorithms compatible with the Cisco equipment to which it connects. In this chapter, preshared key authentication is shown.

Configuring the IPsec VPN – web-based manager

1. Define the Phase 1 configuration needed to establish a secure connection with the remote Cisco device. Enter these settings in particular:

Name	Enter a name to identify the VPN tunnel, tocisco for example. This is the name of the virtual IPsec interface. It appears in Phase 2 configurations, security policies and the VPN monitor.
Remote Gateway	Select Static IP Address.
IP Address	Enter the IP address of the Cisco device public interface. For example, 192.168.5.113.
Local Interface	Select the FortiGate unit’s public interface. For example, 172.20.120.141.

Configuration overview

Mode	Select Main (ID Protection).
Authentication Method	Preshared Key
Pre-shared Key	Enter the preshared key. It must match the preshared key on the Cisco device.
Advanced	Select the Advanced button to see the following settings.
Phase 1 Proposal	3DES-MD5 At least one proposal must match the settings on the Cisco unit.

For more information about these settings, see Phase 1 parameters on page 52.

2. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. For compatibility with the Cisco router, Quick Mode Selectors must be entered, which includes specifying protocol 47, the GRE protocol. Enter these settings in particular:

Phase 2 Proposal	3DES-MD5 At least one proposal must match the settings on the Cisco unit.
Quick Mode Selector
Source Address	Enter the GRE local tunnel end IP address. For example 172.20.120.141.
Source Port	0
Destination Address	Enter the GRE remote tunnel end IP address. For example 192.168.5.113.
Destination Port	0
Protocol	47

For more information about these settings, see Phase 2 parameters on page 72.

3. If the Cisco device is configured to use transport mode IPsec, you need to use transport mode on the FortiGate VPN. You can configure this only in the CLI. In your Phase 2 configuration, set encapsulation to transport-mode as follows:

config vpn phase2-interface edit to_cisco_p2 set encapsulation transport-mode

end

Configuring the IPsec VPN – CLI

config vpn ipsec phase1-interface edit tocisco set interface port1

set proposal 3des-sha1 aes128-sha1

set remote-gw 192.168.5.113 set psksecret xxxxxxxxxxxxxxxx

end

config vpn ipsec phase2-interface edit tocisco_p2 set phase1name “tocisco” set proposal 3des-md5 set encapsulation tunnel-mode // if tunnel mode set encapsulation transport-mode  // if transport mode set protocol 47 set src-addr-type ip set dst-start-ip 192.168.5.113 set src-start-ip 172.20.120.141

end

Adding IPsec tunnel end addresses

The Cisco configuration requires an address for its end of the IPsec tunnel. The addresses are set to match the GRE gateway addresses. Use the CLI to set the addresses, like this:

config system interface edit tocisco set ip 172.20.120.141 255.255.255.255 set remote-ip 192.168.5.113

end

Configuring the GRE tunnel

The GRE tunnel runs between the virtual IPsec public interface on the FortiGate unit and the Cisco router. You must use the CLI to configure a GRE tunnel. In the example, you would enter:

config system gre-tunnel edit gre1 set interface tocisco set local-gw 172.20.120.141 set remote-gw 192.168.5.113

end

interface is the virtual IPsec interface, local-gw is the FortiGate unit public IP address, and remote-gw is the remote Cisco device public IP address

Adding GRE tunnel end addresses

You will also need to add tunnel end addresses. The Cisco router configuration requires an address for its end of the GRE tunnel. Using the CLI, enter tunnel end addresses that are not used elsewhere on the FortiGate unit, like this:

config system interface edit gre1 set ip 10.0.1.1 255.255.255.255 set remote-ip 10.0.1.2

end

Configuring security policies

Two sets of security policies are required:

Configuration overview

• Policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
• Policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.

Configuring security policies – web-based manager

1. Define an ACCEPT firewall security policy to permit communications between the protected network and the GRE tunnel:

Incoming Interface	Select the interface that connects to the private network behind this FortiGate unit.
Source Address	All
Outgoing Interface	Select the GRE tunnel virtual interface you configured.
Destination Address	All
Action	ACCEPT
Enable NAT	Disable

2. To permit the remote client to initiate communication, you need to define a firewall address security policy for communication in that direction:

Incoming Interface	Select the GRE tunnel virtual interface you configured.
Source Address	All
Outgoing Interface	Select the interface that connects to the private network behind this FortiGate unit.
Destination Address	All
Action	ACCEPT
Enable NAT	Disable

3. Define a pair of ACCEPT firewall address security policies to permit traffic to flow between the GRE virtual interface and the IPsec virtual interface:

Incoming Interface	Select the GRE virtual interface. See Configuring the GRE tunnel on page 191.
Source Address	All
Outgoing Interface	Select the virtual IPsec interface you created. See Configuring the IPsec VPN on page 189.
Destination Address	All
Action	ACCEPT
Enable NAT	Disable

 

Incoming Interface	Select the virtual IPsec interface you created. See Configuring the IPsec VPN on page 189.
Source Address	All
Outgoing Interface	Select the GRE virtual interface.See Configuring the GRE tunnel on page 191.
Destination Address	All
Action	ACCEPT
Enable NAT	Disable

Configuring security policies – CLI

config firewall policy edit 1 // LAN to GRE tunnel set srcintf port2 set dstintf gre1 set srcaddr all set dstaddr all set action accept set schedule always set service ANY

next edit 2 // GRE tunnel to LAN set srcintf gre1 set dstintf port2 set srcaddr all set dstaddr all set action accept set schedule always set service ANY

next

edit 3 // GRE tunnel to IPsec interface set srcintf “gre1” set dstintf “tocisco” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ANY”

next

edit 4 // IPsec interface to GRE tunnel

set srcintf “tocisco” set dstintf “gre1” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ANY” end

Configuring the Cisco router

Configuring routing

Traffic destined for the network behind the Cisco router must be routed to the GRE tunnel. To do this, create a static route

1. Go to Network > Static Routes and select Create New. 2. Enter the following information and select OK.

Destination IP/Mask	Enter the IP address and netmask for the network behind the Cisco router. For example 10.21.101.0 255.255.255.0.
Device	Select the GRE virtual interface.
Distance (Advanced)	Leave setting at default value.

In the CLI, using the example values, you would enter

config router static edit 0 set device gre1

set dst 10.21.101.0 255.255.255.0

end

Configuring the Cisco router

Using Cisco IOS, you would configure the Cisco router as follows, using the addresses from the example:

config ter

crypto ipsec transform-set myset esp-3des esp-md5-hmac no mode exit no ip access-list extended tunnel ip access-list extended tunnel

permit gre host 192.168.5.113 host 172.20.120.141 exit

interface Tunnel1

ip address 10.0.1.2 255.255.255.0 tunnel source 192.168.5.113 tunnel destination 172.20.120.141 ! ip route 10.11.101.0 255.255.255.0 Tunnel1 end clea crypto sa clea crypto isakmp

For transport mode, change no mode to mode transport.

This is only the portion of the Cisco router configuration that applies to the GRE-over-IPsec tunnel. For more information, refer to the Cisco documentation.

 

Keep-alive support for GRE

Keep-alive support for GRE

The FortiGate can send a GRE keep-alive response to a Cisco device to detect a GRE tunnel. If it fails, it will remove any routes over the GRE interface.

Syntax

config system gre-tunnel edit <id> set keepalive-interval <value: 0-32767> set keepalive-failtimes <value: 1-255>

next end

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

L2TP and IPsec (Microsoft VPN)

This section describes how to set up a VPN that is compatible with the Microsoft Windows native VPN, which is Layer 2 Tunneling Protocol (L2TP) with IPsec encryption.

The following topics are included in this section:

Overview

Assumptions

Configuration overview

 

For troubleshooting information, refer to Troubleshooting L2TP and IPsec.

Overview

The topology of a VPN for Microsoft Windows dialup clients is very similar to the topology for FortiClient Endpoint Security clients.

Example FortiGate VPN configuration with Microsoft clients

Assumptions

For users, the difference is that instead of installing and using the FortiClient application, they configure a network connection using the software built into the Microsoft Windows operating system. Starting in FortiOS 4.0 MR2, you can configure a FortiGate unit to work with unmodified Microsoft VPN client software.

Layer 2 Tunneling Protocol (L2TP)

L2TP is a tunneling protocol published in 1999 that is used with VPNs, as the name suggests. Microsoft Windows operating system has a built-in L2TP client starting since Windows 2000. Mac OS X 10.3 system and higher also have a built-in client.

L2TP provides no encryption and used UDP port 1701. IPsec is used to secure L2TP packets. The initiator of the L2TP tunnel is called the L2TP Access Concentrator (LAC).

L2TP and IPsec is supported for native Windows XP, Windows Vista and Mac OSX native VPN clients. However, in Mac OSX (OSX 10.6.3, including patch releases) the L2TP feature does not work properly on the Mac OS side.

Assumptions

The following assumptions have been made for this example:

• L2TP protocol traffic is allowed through network firewalls (TCP and UDP port 1701)
• User has Microsoft Windows 2000 or higher — a Windows version that supports L2TP

Configuration overview

The following section consists of configuring the FortiGate unit and configuring the Windows PC.

Configuring the FortiGate unit

To configure the FortiGate unit, you must:

• Configure LT2P users and firewall user group.
• Configure the L2TP VPN, including the IP address range it assigns to clients.
• Configure an IPsec VPN with encryption and authentication settings that match the Microsoft VPN client.
• Configure security policies.

Configuring LT2P users and firewall user group

Remote users must be authenticated before they can request services and/or access network resources through the VPN. The authentication process can use a password defined on the FortiGate unit or an established external authentication mechanism such as RADIUS or LDAP.

Creating user accounts

You need to create user accounts and then add these users to a firewall user group to be used for L2TP authentication. The Microsoft VPN client can automatically send the user’s Window network logon credentials. You might want to use these for their L2TP user name and password.

Creating a user account – web-based manager

1. Go to User & Device > User Definitionand select Create New.
2. Enter the User Name.
3. Do one of the following:

l Select Password and enter the user’s assigned password.

 l Select Match user on LDAP server, Match user on RADIUS server, or Match user onTACACS+

server and select the authentication server from the list. The authentication server must be already configured on the FortiGate unit.

4. Select OK.

Creating a user account – CLI

To create a user account called user1 with the password 123_user, enter:

config user local edit user1 set type password set passwd “123_user” set status enable

end

Creating a user group

When clients connect using the L2TP-over-IPsec VPN, the FortiGate unit checks their credentials against the user group you specify for L2TP authentication. You need to create a firewall user group to use for this purpose.

Creating a user group – web-based manager

1. Go to User & Device > User Groups, select Create New, and enter the following:

Name	Type or edit the user group name (for example, L2TP_group).
Type	Select Firewall.
Available Users/Groups	The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers, or PKI users that can be added to the user group. To add a member to this list, select the name and then select the right arrow button.
Members	The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers, or PKI users that belong to the user group. To remove a member, select the name and then select the left arrow button.

2. Select OK.

Creating a user group – CLI

To create the user group L2TP_group and add members User_1, User_2, and User_3, enter:

config user group edit L2TP_group set group-type firewall set member User_1 User_2 User_3 end

 

Configuring L2TP

You can only configure L2TP settings in the CLI. As well as enabling L2TP, you set the range of IP address values that are assigned to L2TP clients and specify the user group that can access the VPN. For example, to allow access to users in the L2TP_group and assign them addresses in the range 192.168.0.50 to 192.168.0.59, enter:

config vpn l2tp set sip 192.168.0.50 set eip 192.168.0.59 set status enable set usrgrp “L2TP_group”

end

One of the security policies for the L2TP over IPsec VPN uses the client address range, so you need also need to create a firewall address for that range. For example,

config firewall address edit L2TPclients set type iprange set start-ip 192.168.0.50 set end-ip 192.168.0.59

end

 

Alternatively, you could define this range in the web-based manager.

Configuring IPsec

The Microsoft VPN client uses IPsec for encryption. The configuration needed on the FortiGate unit is the same as for any other IPsec VPN with the following exceptions.

• Transport mode is used instead of tunnel mode.
• The encryption and authentication proposals must be compatible with the Microsoft client.

L2TP over IPsec is supported on the FortiGate unit for both policy-based and route-based configurations, but the following example is policy-based.

Configuring Phase 1 – web-based manager

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

	Name			Enter a name for this VPN, dialup_p1 for example.
Remote Gateway				Dialup User
Local Interface				Select the network interface that connects to the Internet. For example, port1.
Mode				Main (ID protection)
Authentication Method				Preshared Key
Pre-shared Key				Enter the preshared key. This key must also be entered in the Microsoft VPN client.
Advanced				Select Advanced to enter the following information.
Phase 1 Proposal				Enter the following Encryption/Authentication pairs: AES256-MD5, 3DES-SHA1, AES192-SHA1
Diffie-Hellman Group				2
NAT Traversal				Enable
Dead Peer Detection				Enable

Configuring Phase 1 – CLI

To create a Phase 1 configuration called dialup_p1 on a FortiGate unit that has port1 connected to the Internet, you would enter:

config vpn ipsec phase1 edit dialup_p1 set type dynamic set interface port1 set mode main set psksecret ********

set proposal aes256-md5 3des-sha1 aes192-sha1 set dhgrp 2 set nattraversal enable

set dpd [disable | on-idle | on-demand]

end

It is worth noting here that the command config vpn ipsec phase1 is used rather than config vpn ipsec phase1-interface because this configuration is policy-based and not route-based.

Configuring Phase 2 – web-based manager

1. Open the Phase 2 Selectors
2. Enter the following information and then select OK.

Phase 2 Proposal	Enter the following Encryption/Authentication pairs: AES256-MD5, 3DES-SHA1, AES192-SHA1
Enable replay detection	Enable
Enable perfect forward secrecy (PFS)	Disable
Keylife	3600 seconds

3. Make this a transport-mode VPN. You must use the CLI to do this. If your Phase 2 name is dialup_p2, you would enter:

config vpn ipsec phase2 edit dialup_p2 set encapsulation transport-mode

end

Configuring Phase 2 – CLI

To configure a Phase 2 to work with your phase_1 configuration, you would enter:

config vpn ipsec phase2 edit dialup_p2 set phase1name dialup_p1

set proposal aes256-md5 3des-sha1 aes192-sha1 set replay enable set pfs disable set keylifeseconds 3600 set encapsulation transport-mode

end

Once again, note here that the command config vpn ipsec phase2 is used rather than config vpn ipsec phase2-interface because this configuration is policy-based and not route-based.

Configuring security policies

The security policies required for L2TP over IPsec VPN are:

• An IPsec policy, as you would create for any policy-based IPsec VPN
• A regular ACCEPT policy to allow traffic from the L2TP clients to access the protected network

Configuring the IPsec security policy – web-based manager

1. Go to System > Feature Visibility and enable Policy-based IPsec VPN.
2. Go to Policy & Objects > IPv4 Policy and select Create New.
3. Set the Action to IPsec and enter the following information:

	Incoming Interface	Select the interface that connects to the private network behind this FortiGate unit.
Source Address			All
Outgoing Interface			Select the FortiGate unit’s public interface.
Destination Address			All
VPN Tunnel			Select Use Existing and select the name of the Phase 1 configuration that you created. For example, dialup_p1. See Configuring IPsec on page 182.
Allow traffic to be initiated from the remote site			enable

4. Select OK.

Configuring the IPsec security policy – CLI

If your VPN tunnel (Phase 1) is called dialup_p1, your protected network is on port2, and your public interface is port1, you would enter:

config firewall policy edit 0 set srcintf port2 set dstintf port1 set srcaddr all set dstaddr all set action ipsec set schedule always set service all set inbound enable set vpntunnel dialup_p1

end

Configuring the ACCEPT security policy – web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information and select OK:

Incoming Interface		Select the FortiGate unit’s public interface.
Source Address		Select the firewall address that you defined for the L2TP clients.
Outgoing Interface		Select the interface that connects to the private network behind this FortiGate unit.
Destination Address		All
Action		ACCEPT

Configuring the ACCEPT security policy – CLI

If your public interface is port1, your protected network is on port2, and L2TPclients is the address range that L2TP clients use, you would enter: config firewall policy

edit 1 set srcintf port1 set dstintf port2 set srcaddr L2TPclients set dstaddr all set action accept set schedule always set service all

end

Configuring the Windows PC

Configuration of the Windows PC for a VPN connection to the FortiGate unit consists of the following:

1. In Network Connections, configure a Virtual Private Network connection to the FortiGate unit.
2. Ensure that the IPSEC service is running.
3. Ensure that IPsec has not been disabled for the VPN client. It may have been disabled to make the Microsoft VPN compatible with an earlier version of FortiOS.

The instructions in this section are based on Windows XP. Other versions of Windows may vary slightly.

Configuring the network connection

1. Open Network Connections.

This is available through the Control Panel.

2. Double-click New Connection Wizard and Select Next.
3. Select Connect to the network at my workplace.
4. Select Next.
5. Select Virtual Private Network connection and select Next.
6. In the Company Name field, enter a name for the connection and select Next.
7. Select Do not dial the initial connection and then select Next.
8. Enter the public IP address or FQDN of the FortiGate unit and select Next.
9. Optionally, select Add a shortcut to this connection to my desktop.
10. Select Finish.

The Connect dialog opens on the desktop.

11. Select Properties and then select the Security
12. Select IPsec Settings.
13. Select Use pre-shared key for authentication, enter the preshared key that you configured for your VPN, and select OK. Select OK.

Checking that the IPsec service is running

1. Open Administrative Tools through the Control Panel.
2. Double-click Services.
3. Look for IPSEC Services. Confirm that the Startup Type is Automatic and Status is set to Started. If needed, double-click IPsec Services to change these settings.

Checking that IPsec has not been disabled

1. Select Start > Run.
2. Enter regedit and select OK.
3. Find the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
4. If there is a ProhibitIPsec value, it must be set to 0.

Enforcing IPsec in L2TP configuration

An enforce-ipsec option is available in L2TP configuration to force the FortiGate L2TP server to accept only IPsec encrypted connections.

Syntax

config vpn l2tp set eip 50.0.0.100 set sip 50.0.0.1 set status enable

set enforce-ipsec-interface {disable | enable}      (default = disable) set usrgrp <group_name> end

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

IPv6 IPsec VPNs

This chapter describes how to configure your FortiGate unit’s IPv6 IPsec VPN functionality.

By default IPv6 configurations to not appear on the Web-based Manager. You need to enable the feature first.

                                    To enable IPv6

1. Go to System > Feature Visibility.
2. Enable IPv6.
3. Select Apply.

The following topics are included in this section: Configuration examples

IPv6 IPsec support

FortiOS supports route-based IPv6 IPsec, but not policy-based. This section describes how IPv6 IPsec support differs from IPv4 IPsec support. FortiOS 4.0 MR3 is IPv6 Ready Logo Program Phase 2 certified.

Where both the gateways and the protected networks use IPv6 addresses, sometimes called IPv6 over IPv6, you can create either an auto-keyed or manually-keyed VPN. You can combine IPv6 and IPv4 addressing in an autokeyed VPN in the following ways:

IPv4 over IPv6	The VPN gateways have IPv6 addresses. The protected networks have IPv4 addresses. The Phase 2 configurations at either end use IPv4 selectors.
IPv6 over IPv4	The VPN gateways have IPv4 addresses. The protected networks use IPv6 addresses. The Phase 2 configurations at either end use IPv6 selectors.

Compared with IPv4 IPsec VPN functionality, there are some limitations:

• Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
• Selectors cannot be firewall address names. Only IP address, address range and subnet are supported.
• Redundant IPv6 tunnels are not supported.

Certificates

On a VPN with IPv6 Phase 1 configuration, you can authenticate using VPN certificates in which the common name (cn) is an IPv6 address. The cn-type keyword of the user peer command has an option, ipv6, to support this.

Configuration examples

This section consists of the following configuration examples:

• Site-to-site IPv6 over IPv6 VPN example
• Site-to-site IPv6 over IPv4 VPN example
• Site-to-site IPv4 over IPv6 VPN example

Site-to-site IPv6 over IPv6 VPN example

In this example, computers on IPv6-addressed private networks communicate securely over public IPv6 infrastructure.

By default IPv6 configurations to not appear on the Web-based Manager. You need to enable the feature first.

                                    To enable IPv6

1. Go to System > Feature Visibility.
2. Enable IPv6.
3. Select Apply.

Example IPv6-over-IPv6 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the public network and port 3 connects to the local network.

config system interface edit port2 config ipv6 set ip6-address fec0::0001:209:0fff:fe83:25f2/64

end

next edit port3 config ipv6 set ip6-address fec0::0000:209:0fff:fe83:25f3/64

end

next

end

 

Configure FortiGate A IPsec settings

The Phase 1 configuration creates a virtual IPsec interface on port 2 and sets the remote gateway to the public IP address FortiGate B. This configuration is the same as for an IPv4 route-based VPN, except that ip-version is set to 6 and the remote-gw6 keyword is used to specify an IPv6 remote gateway address.

config vpn ipsec phase1-interface edit toB set ip-version 6 set interface port2

set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7 set dpd [disable | on-idle | on-demand] set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

By default, Phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.

config vpn ipsec phase2-interface edit toB2 set phase1name toB set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6

end

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. The address all6 must be defined using the firewall address6 command as ::/0.

config firewall policy6 edit 1 set srcintf port3 set dstintf toB set srcaddr all6 set dstaddr all6

set action accept set service ANY set schedule always

next edit 2 set srcintf toB set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB. A default route sends all IPv6 traffic out on port2.

config router static6 edit 1 set device port2 set dst 0::/0

next edit 2 set device toB

set dst fec0:0000:0000:0004::/64

end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IP address of FortiGate A. Security policies enable traffic to pass between the private network and the IPsec interface. Routing ensures traffic for the private network behind FortiGate A goes through the VPN and that all IPv6 packets are routed to the public network.

config system interface edit port2 config ipv6 set ip6-address fec0::0003:209:0fff:fe83:25c7/64

end

next edit port3 config ipv6 set ip6-address fec0::0004:209:0fff:fe83:2569/64

end

end

config vpn ipsec phase1-interface edit toA set ip-version 6 set interface port2

set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2 set dpd [disable | on-idle | on-demand] set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

config vpn ipsec phase2-interface edit toA2

set phase1name toA set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6

end

config firewall policy6 edit 1 set srcintf port3 set dstintf toA set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

next edit 2 set srcintf toA set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

end

config router static6 edit 1 set device port2 set dst 0::/0

next edit 2 set device toA

set dst fec0:0000:0000:0000::/64

end

Site-to-site IPv6 over IPv4 VPN example

In this example, IPv6-addressed private networks communicate securely over IPv4 public infrastructure.

Example IPv6-over-IPv4 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the IPv4 public network and port 3 connects to the IPv6 LAN.

config system interface edit port2 set 10.0.0.1/24 next edit port3 config ipv6 set ip6-address fec0::0001:209:0fff:fe83:25f3/64

end

Configure FortiGate A IPsec settings

The Phase 1 configuration uses IPv4 addressing.

config vpn ipsec phase1-interface edit toB set interface port2 set remote-gw 10.0.1.1

set dpd [disable | on-idle | on-demand] set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

 

The Phase 2 configuration uses IPv6 selectors. By default, Phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.

config vpn ipsec phase2-interface edit toB2 set phase1name toB set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6

end

Configure FortiGate A security policies

IPv6 security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. Define the address all6 using the firewall address6 command as ::/0.

config firewall policy6 edit 1 set srcintf port3 set dstintf toB set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

next edit 2 set srcintf toB set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv6 static route. A default route sends all IPv4 traffic, including the IPv4 IPsec packets, out on port2.

config router static6 edit 1 set device toB

set dst fec0:0000:0000:0004::/64

end

config router static edit 1 set device port2 set dst 0.0.0.0/0 set gateway 10.0.0.254

end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the IPv4 public IP address of FortiGate A. The IPsec Phase 2 configuration has IPv6 selectors.

IPv6 security policies enable traffic to pass between the private network and the IPsec interface. An IPv6 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv4 static route ensures that all IPv4 packets are routed to the public network.

config system interface edit port2 set 10.0.1.1/24

next edit port3 config ipv6 set ip6-address fec0::0004:209:0fff:fe83:2569/64

end

config vpn ipsec phase1-interface edit toA set interface port2 set remote-gw 10.0.0.1

set dpd [disable | on-idle | on-demand] set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

config vpn ipsec phase2-interface edit toA2 set phase1name toA set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6

end

config firewall policy6 edit 1 set srcintf port3 set dstintf toA set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

next edit 2 set srcintf toA set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

end

config router static6 edit 1 set device toA

set dst fec0:0000:0000:0000::/64

end

config router static edit 1 set device port2

set gateway 10.0.1.254

end

Site-to-site IPv4 over IPv6 VPN example

In this example, two private networks with IPv4 addressing communicate securely over IPv6 infrastructure.

Example IPv4-over-IPv6 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the IPv6 public network and port 3 connects to the IPv4 LAN.

config system interface edit port2 config ipv6 set ip6-address fec0::0001:209:0fff:fe83:25f2/64

end

next edit port3 set 192.168.2.1/24

end

Configure FortiGate A IPsec settings

The Phase 1 configuration is the same as in the IPv6 over IPv6 example.

config vpn ipsec phase1-interface edit toB set ip-version 6 set interface port2

set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7 set dpd [disable | on-idle | on-demand] set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

The Phase 2 configuration is the same as you would use for an IPv4 VPN. By default, Phase 2 selectors are set to accept all subnet addresses for source and destination.

config vpn ipsec phase2-interface edit toB2 set phase1name toB set proposal 3des-md5 3des-sha1 set pfs enable set replay enable

end

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. These are IPv4 security policies.

config firewall policy edit 1 set srcintf port3 set dstintf toB set srcaddr all set dstaddr all set action accept set service ANY set schedule always

next edit 2 set srcintf toB set dstintf port3 set srcaddr all set dstaddr all set action accept set service ANY set schedule always

end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv4 static route. A default route sends all IPv6 traffic, including the IPv6 IPsec packets, out on port2.

config router static6 edit 1 set device port2 set dst 0::/0

next edit 2 set device toB set dst 192.168.3.0/24 end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IP address of FortiGate A. The IPsec Phase 2 configuration has IPv4 selectors.

IPv4 security policies enable traffic to pass between the private network and the IPsec interface. An IPv4 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv6 static route ensures that all IPv6 packets are routed to the public network.

config system interface edit port2 config ipv6 set ip6-address fec0::0003:fe83:25c7/64

end

next edit port3 set 192.168.3.1/24

end

config vpn ipsec phase1-interface edit toA set ip-version 6 set interface port2

set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2 set dpd [disable | on-idle | on-demand] set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

config vpn ipsec phase2-interface edit toA2 set phase1name toA set proposal 3des-md5 3des-sha1 set pfs enable set replay enable

end

config firewall policy edit 1 set srcintf port3 set dstintf toA set srcaddr all set dstaddr all set action accept set service ANY set schedule always

next edit 2 set srcintf toA set dstintf port3 set srcaddr all set dstaddr all set action accept set service ANY set schedule always

end

config router static6 edit 1 set device port2

set dst 0::/0

next edit 2

set device toA set dst 192.168.2.0/24 end

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Transparent mode VPNs

This section describes transparent VPN configurations, in which two FortiGate units create a VPN tunnel between two separate private networks transparently.

The following topics are included in this section: Configuration overview

Configuration overview

In transparent mode, all interfaces of the FortiGate unit except the management interface (which by default is assigned IP address 10.10.10.1/255.255.255.0) are invisible at the network layer. Typically, when a FortiGate unit runs in transparent mode, different network segments are connected to the FortiGate interfaces. The figure below shows the management station on the same subnet. The management station can connect to the FortiGate unit directly through the web-based manager.

Management station on internal network

An edge router typically provides a public connection to the Internet and one interface of the FortiGate unit is connected to the router. If the FortiGate unit is managed from an external address (see the figure below), the router must translate (NAT) a routable address to direct management traffic to the FortiGate management interface.

Management station on external network

Transparent mode VPNs

In a transparent VPN configuration, two FortiGate units create a VPN tunnel between two separate private networks transparently. All traffic between the two networks is encrypted and protected by FortiGate security policies.

Both FortiGate units may be running in transparent mode, or one could be running in transparent mode and the other running in NAT mode. If the remote peer is running in NAT mode, it must have a static public IP address.

VPNs between two FortiGate units running in transparent mode do not support inbound/outbound NAT (supported through CLI commands) within the tunnel. In addition, a FortiGate unit running in transparent mode cannot be used in a hub-andspoke configuration.

Encrypted packets from the remote VPN peer are addressed to the management interface of the local FortiGate unit. If the local FortiGate unit can reach the VPN peer locally, a static route to the VPN peer must be added to the routing table on the local FortiGate unit. If the VPN peer connects through the Internet, encrypted packets from the local FortiGate unit must be routed to the edge router instead. For information about how to add a static route to the FortiGate routing table, see the Advanced Routing Guide.

In the example configuration shown above, Network Address Translation (NAT) is enabled on the router. When an encrypted packet from the remote VPN peer arrives at the router through the Internet, the router performs inbound NAT and forwards the packet to the FortiGate unit. Refer to the software supplier’s documentation to configure the router.

If you want to configure a VPN between two FortiGate units running in transparent mode, each unit must have an independent connection to a router that acts as a gateway to the Internet, and both units must be on separate networks that have a different address space. When the two networks linked by the VPN tunnel have different address spaces (see the figure below), at least one router must separate the two FortiGate units, unless the packets can be redirected using ICMP (as shown in the following figure).

Link between two FortiGate units in transparent mode

In the figure below, interface C behind the router is the default gateway for both FortiGate units. Packets that cannot be delivered on Network_1 are routed to interface C by default. Similarly, packets that cannot be delivered on Network_2 are routed to interface C. In this case, the router must be configured to redirect packets destined for Network_1 to interface A and redirect packets destined for Network_2 to interface B.

Transparent mode VPNs                                                                                                                           overview

ICMP redirecting packets to two FortiGate units in transparent mode

If there are additional routers behind the FortiGate unit (see the figure below) and the destination IP address of an inbound packet is on a network behind one of those routers, the FortiGate routing table must include routes to those networks. For example, in the following figure, the FortiGate unit must be configured with static routes to interfaces A and B in order to forward packets to Network_1 and Network_2 respectively.

Destinations on remote networks behind internal routers

Transparent VPN infrastructure requirements

• The local FortiGate unit must be operating in transparent mode.
• The management IP address of the local FortiGate unit specifies the local VPN gateway. The management IP address is considered a static IP address for the local VPN peer.
• If the local FortiGate unit is managed through the Internet, or if the VPN peer connects through the Internet, the edge router must be configured to perform inbound NAT and forward management traffic and/or encrypted packets to the FortiGate unit.
• If the remote peer is operating in NAT mode, it must have a static public IP address.

Transparent mode VPNs

A FortiGate unit operating in transparent mode requires the following basic configuration to operate as a node on the IP network:

• The unit must have sufficient routing information to reach the management station.
• For any traffic to reach external destinations, a default static route to an edge router that forwards packets to the Internet must be present in the FortiGate routing table.
• When all of the destinations are located on the external network, the FortiGate unit may route packets using a single default static route. If the network topology is more complex, one or more static routes in addition to the default static route may be required in the FortiGate routing table.

Only policy-based VPN configurations are possible in transparent mode.

Before you begin

An IPsec VPN definition links a gateway with a tunnel and an IPsec policy. If your network topology includes more than one virtual domain, you must choose components that were created in the same virtual domain. Therefore, before you define a transparent VPN configuration, choose an appropriate virtual domain in which to create the required interfaces, security policies, and VPN components. For more information, see the Virtual Domains guide.

Configuring the VPN peers

1. The local VPN peer need to operate in transparent mode.

To determine if your FortiGate unit is in transparent mode, go to the Dashboard > System Information widget.

Select [change]. Select transparent for the Operation Mode. Two new fields will appear to enter the

Management IP/Netmask, and the Default Gateway.

In transparent mode, the FortiGate unit is invisible to the network. All of its interfaces are on the same subnet and share the same IP address. You only have to configure a management IP address so that you can make configuration changes.

The remote VPN peer may operate in NAT mode or transparent mode.

2. At the local FortiGate unit, define the Phase 1 parameters needed to establish a secure connection with the remote peer. See Phase 1 parameters on page 52. Select Advanced and enter these settings in particular:

Remote Gateway	Select Static IP Address.
IP Address	Type the IP address of the public interface to the remote peer. If the remote peer is a FortiGate unit running in transparent mode, type the IP address of the remote management interface.
Advanced	Select Nat-traversal, and type a value into the Keepalive Frequency field. These settings protect the headers of encrypted packets from being altered by external NAT devices and ensure that NAT address mappings do not change while the VPN tunnel is open. For more information, see Phase 1 parameters on page 52 and Phase 1 parameters on page 52.

3. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. See Phase 2 parameters on page 72. Select the set of Phase 1 parameters that you defined for the remote peer. The name of the remote peer can be selected from the Static IP Address
4. Define the source and destination addresses of the IP packets that are to be transported through the VPN tunnel. See Defining VPN security policies on page 1. Enter these settings in particular:

Transparent mode VPNs                                                                                                                           overview

• For the originating address (source address), enter the IP address and netmask of the private network behind the local peer network. for the management interface, for example, 10.10.0/24. This address needs to be a range to allow traffic from your network through the tunnel. Optionally select any for this address.
• For the remote address (destination address), enter the IP address and netmask of the private network behind the remote peer (for example, 168.10.0/24). If the remote peer is a FortiGate unit running in transparent mode, enter the IP address of the remote management interface instead.

5. Define an IPsec security policy to permit communications between the source and destination addresses. See Defining VPN security policies on page 1. Enter these settings in particular:

Incoming Interface	Select the local interface to the internal (private) network.
Source Address	Select the source address that you defined in Step 4.
Outgoing Interface	Select the interface to the edge router. When you configure the IPsec security policy on a remote peer that operates in NAT mode, you select the public interface to the external (public) network instead.
Destination Address	Select the destination address that you defined in Step 4.
VPN Tunnel	Select Use Existing and select the name of the Phase 2 tunnel configuration that you created in Step 3 from the drop-down list. Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

6. Place the policy in the policy list above any other policies having similar source and destination addresses.
7. Define another IPsec security policy to permit communications between the source and destination addresses in the opposite direction. This security policy and the previous one form a bi-directional policy pair. See Defining VPN security policies on page 1. Enter these settings in particular:

Incoming Interface	Select the interface to the edge router. When you configure the IPsec security policy on a remote peer that operates in NAT mode, you select the public interface to the external (public) network instead.
Source Address	Select the destination address that you defined in Step 4..
Outgoing Interface	Select the local interface to the internal (private) network.
Destination Address	Select the source address that you defined in Step 4.
VPN Tunnel	Select Use Existing and select the name of the Phase 2 tunnel configuration that you created in Step 3 from the drop-down list. Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

8. Repeat this procedure at the remote FortiGate unit to create bidirectional security policies. Use the local interface and address information local to the remote FortiGate unit.

For more information on transparent mode, see the System Administration Guide.

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Redundant VPN configurations

This section discusses the options for supporting redundant and partially redundant IPsec VPNs, using routebased approaches.

The following topics are included in this section: Configuration overview

Configuration overview

A FortiGate unit with two interfaces connected to the Internet can be configured to support redundant VPNs to the same remote peer. If the primary connection fails, the FortiGate unit can establish a VPN using the other connection.

Redundant tunnels do not support Tunnel Mode or manual keys. You must use Interface Mode.

A fully-redundant configuration requires redundant connections to the Internet on both peers. The figure below shows an example of this. This is useful to create a reliable connection between two FortiGate units with static IP addresses.

When only one peer has redundant connections, the configuration is partially-redundant. For an example of this, see Configuration overview on page 157. This is useful to provide reliable service from a FortiGate unit with static IP addresses that accepts connections from dialup IPsec VPN clients.

In a fully-redundant VPN configuration with two interfaces on each peer, four distinct paths are possible for VPN traffic from end to end. Each interface on a peer can communicate with both interfaces on the other peer. This ensures that a VPN will be available as long as each peer has one working connection to the Internet.

You configure a VPN and an entry in the routing table for each of the four paths. All of these VPNs are ready to carry data. You set different routing distances for each route and only the shortest distance route is used. If this route fails, the route with the next shortest distance is used.

The redundant configurations described in this chapter use route-based VPNs, otherwise known as virtual IPsec interfaces. This means that the FortiGate unit must operate in NAT mode. You must use auto-keying. A VPN that is created using manual keys cannot be included in a redundant-tunnel configuration.

The configuration described here assumes that your redundant VPNs are essentially equal in cost and capability. When the original VPN returns to service, traffic continues to use the replacement VPN until the replacement VPN fails. If your redundant VPN uses more expensive facilities, you want to use it only as a backup while the main VPN is down. For information on how to do this, see Configuration overview on page 157. 157

Redundant VPN configurations                                                                                            Configuration overview

Example redundant-tunnel configuration

A VPN that is created using manual keys cannot be included in a redundant-tunnel configuration.

General configuration steps

A redundant configuration at each VPN peer includes:

• One Phase 1 configuration (virtual IPsec interface) for each path between the two peers. In a fully-meshed redundant configuration, each network interface on one peer can communicate with each network interface on the remote peer. If both peers have two public interfaces, this means that each peer has four paths, for example.
• One Phase 2 definition for each Phase 1 configuration.
• One static route for each IPsec interface, with different distance values to prioritize the routes.
• Two Accept security policies per IPsec interface, one for each direction of traffic. l Dead peer detection enabled in each Phase 1 definition.

The procedures in this section assume that two separate interfaces to the Internet are available on each VPN peer.

 

Redundant VPN configurations

Configuring the VPN peers – route-based VPN

VPN peers are configured using Interface Mode for redundant tunnels.

Configure each VPN peer as follows:

1. Ensure that the interfaces used in the VPN have static IP addresses.
2. Create a Phase 1 configuration for each of the paths between the peers.
3. Enable dead peer detection so that one of the other paths is activated if this path fails.
4. Enter these settings in particular, and any other VPN settings as required:

Path 1

Remote Gateway	Select Static IP Address.
IP Address	Type the IP address of the primary interface of the remote peer.
Local Interface	Select the primary public interface of this peer.
Dead Peer Detection	Enable

Path 2

Remote Gateway	Select Static IP Address.
IP Address	Type the IP address of the secondary interface of the remote peer.
Local Interface	Select the primary public interface of this peer.
Dead Peer Detection	Enable

Path 3

Remote Gateway	Select Static IP Address.
IP Address	Type the IP address of the primary interface of the remote peer.
Local Interface	Select the secondary public interface of this peer.
Dead Peer Detection	Enable

Path 4

Remote Gateway	Select Static IP Address.
IP Address	Type the IP address of the secondary interface of the remote peer.
Local Interface	Select the secondary public interface of this peer.
Dead Peer Detection	Enable

For more information, see Phase 1 parameters on page 52.

Redundant VPN configurations                                                                                             Configuration overview

5. Create a Phase 2 definition for each path. See Phase 2 parameters on page 72. Select the Phase 1 configuration (virtual IPsec interface) that you defined for this path. You can select the name from the Static IP Address part of the list.
6. Create a route for each path to the other peer. If there are two ports on each peer, there are four possible paths between the peer devices.

Destination IP/Mask	The IP address and netmask of the private network behind the remote peer.
Device	One of the virtual IPsec interfaces on the local peer.
Distance	For each path, enter a different value to prioritize the paths.

7. Define the security policy for the local primary interface. See Defining VPN security policies on page 1. You need to create two policies for each path to enable communication in both directions. Enter these settings in particular:

Incoming Interface	Select the local interface to the internal (private) network.
Source Address	All
Outgoing Interface	Select one of the virtual IPsec interfaces you created in Step 2.
Destination Address	All
Schedule	Always
Service	Any
Action	ACCEPT

8. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:

Incoming Interface	Select one of the virtual IPsec interfaces you created in Step 2.
Source Address	All
Outgoing Interface	Select the local interface to the internal (private) network.
Destination Address	All
Schedule	Always
Service	Any
Action	ACCEPT

9. Place the policy in the policy list above any other policies having similar source and destination addresses.
10. Repeat this procedure at the remote FortiGate unit.

Redundant VPN configurations

Creating a backup IPsec interface

You can configure a route-based VPN that acts as a backup facility to another VPN. It is used only while your main VPN is out of service. This is desirable when the redundant VPN uses a more expensive facility.

You can configure a backup IPsec interface only in the CLI. The backup feature works only on interfaces with static addresses that have dead peer detection enabled. The monitor option creates a backup VPN for the specified Phase 1 configuration.

In the following example, backup_vpn is a backup for main_vpn.

config vpn ipsec phase1-interface edit main_vpn set dpd on set interface port1 set nattraversal enable set psksecret “hard-to-guess” set remote-gw 192.168.10.8 set type static

end edit backup_vpn set dpd on set interface port2 set monitor main_vpn set nattraversal enable set psksecret “hard-to-guess” set remote-gw 192.168.10.8 set type static end

 

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!