Category Archives: FortiOS 6.2

LT2P over IPsec

LT2P over IPsec

This recipe provides an example configuration of LT2P over IPsec. A locally defined user is used for authentication, a Windows PC or Android tablet is acting as the client, and net-device is set to enable in the phase1-interface settings. If net-device is set to disable, only one device can establish an L2TP over IPsec tunnel behind the same NAT device.

The following shows the network topology for this example:

To configure LT2P over an IPsec tunnel using the CLI:

Configure the WAN interface and static route on HQ:

config system interface edit “port9” set alias “WAN” set ip 22.1.1.1 255.255.255.0

next edit “port10” set alias “Internal” set ip 172.16.101.1 255.255.255.0

end

config router static edit 1 set gateway 22.1.1.2 set device “port9”

next end

Configure IPsec phase1-interface and phase2-interface on HQ:

config vpn ipsec phase1-interface edit “L2tpoIPsec” set type dynamic set interface “port9” set peertype any

set proposal aes256-md5 3des-sha1 aes192-sha1 set dpd on-idle set dhgrp 2 set net-device enable set psksecret sample set dpd-retryinterval 60

end

config vpn ipsec phase2-interface edit “L2tpoIPsec” set phase1name “L2tpoIPsec”

set proposal aes256-md5 3des-sha1 aes192-sha1 set pfs disable

set encapsulation transport-mode

set l2tp enable

end

Configure a user and user group on HQ:

config user local edit “usera” set type password set passwd usera

end config user group edit “L2tpusergroup” set member “usera”

end

Configure L2TP on HQ:

config vpn l2tp set status enable set eip 10.10.10.100 set sip 10.10.10.1 set usrgrp “L2tpusergroup”

end

Configure a firewall address, that is applied in L2TP settings to assign IP addresses to clients once the L2TP tunnel is established:

config firewall address edit “L2TPclients” set type iprange set start-ip 10.10.10.1 set end-ip 10.10.10.100

next end

Configure a firewall policy:

config firewall policy edit 1 set name “Bridge_IPsec_port9_for_l2tp negotiation” set srcintf “L2tpoIPsec” set dstintf “port9” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “L2TP”

next edit 2 set srcintf “L2tpoIPsec” set dstintf “port10” set srcaddr “L2TPclients” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL” set nat enable

end

Optionally, view the VPN tunnel list on HQ with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=L2tpoIPsec_0 ver=1 serial=8 22.1.1.1:0->10.1.100.15:0

bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/216 options[00d8]=npu create_dev no-sysctl rgwy-chg

parent=L2tpoIPsec index=0

proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0 stat: rxp=470 txp=267 rxb=57192 txb=12679

dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route

src: 17:22.1.1.1-22.1.1.1:1701 dst: 17:10.1.100.15-10.1.100.15:0

SA: ref=3 options=1a6 type=00 soft=0 mtu=1470 expire=2339/0B replaywin=2048 seqno=10c esn=0 replaywin_lastseq=000001d6 itn=0

life: type=01 bytes=0/0 timeout=3585/3600

dec: spi=ca646443 esp=3des key=24 af62a0fffe85d3d534b5bfba29307aafc8bfda5c3f4650dc ah=sha1 key=20 89b4b67688bed9be49fb86449bb83f8c8d8d7432

enc: spi=700d28a0 esp=3des key=24 5f68906eca8d37d853814188b9e29ac4913420a9c87362c9 ah=sha1 key=20 d37f901ffd0e6ee1e4fdccebc7fdcc7ad44f0a0a

dec:pkts/bytes=470/31698, enc:pkts/bytes=267/21744

npu_flag=00 npu_rgwy=10.1.100.15 npu_lgwy=22.1.1.1 npu_selid=6 dec_npuid=0 enc_npuid=0

—-

name=L2tpoIPsec_1 ver=1 serial=a 22.1.1.1:4500->22.1.1.2:64916

bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/472 options[01d8]=npu create_dev no-sysctl rgwy-chg rport-chg

parent=L2tpoIPsec index=1

proxyid_num=1 child_num=0 refcnt=17 ilast=2 olast=2 ad=/0 stat: rxp=5 txp=4 rxb=592 txb=249

dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0

natt: mode=keepalive draft=32 interval=10 remote_port=64916 proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route

src: 17:22.1.1.1-22.1.1.1:1701 dst: 17:22.1.1.2-22.1.1.2:0

SA: ref=3 options=1a6 type=00 soft=0 mtu=1454 expire=28786/0B replaywin=2048 seqno=5 esn=0 replaywin_lastseq=00000005 itn=0

life: type=01 bytes=0/0 timeout=28790/28800 dec: spi=ca646446 esp=aes key=32

ea60dfbad709b3c63917c3b7299520ff7606756ca15d2eb7cbff349b6562172e ah=md5 key=16 2f2acfff0b556935d0aab8fc5725c8ec

enc: spi=0b514df2 esp=aes key=32

a8a92c2ed0e1fd7b6e405d8a6b9eb3be5eff573d80be3f830ce694917d634196 ah=md5 key=16 e426c33a7fe9041bdc5ce802760e8a3d

dec:pkts/bytes=5/245, enc:pkts/bytes=4/464

npu_flag=00 npu_rgwy=22.1.1.2 npu_lgwy=22.1.1.1 npu_selid=8 dec_npuid=0 enc_npuid=0

Optionally, view the L2TP VPN status, by enabling debug (diagnose debug enable), then using the diagnose vpn l2tp status command:

—-

HQ # Num of tunnels: 2

—-

Tunnel ID = 1 (local id), 42 (remote id) to 10.1.100.15:1701 control_seq_num = 2, control_rec_seq_num = 4,

last recv pkt = 2

Call ID = 1 (local id), 1 (remote id), serno = 0, dev=ppp1, assigned ip = 10.10.10.2 data_seq_num = 0,

tx = 152 bytes (2), rx= 21179 bytes (205)

Tunnel ID = 3 (local id), 34183 (remote id) to 22.1.1.2:58825 control_seq_num = 2, control_rec_seq_num = 4,

last recv pkt = 2

Call ID = 3 (local id), 18820 (remote id), serno = 2032472593, dev=ppp2, assigned ip = 10.10.10.3 data_seq_num = 0,

tx = 152 bytes (2), rx= 0 bytes (0)

—-

–VD 0: Startip = 10.10.10.1, Endip = 10.10.10.100 enforece-ipsec = false

—-

To configure LT2P over an IPsec tunnel using the GUI:

Go to VPN > IPsec Wizard.
Enter a name for the VPN in the Name In this example L2tpoIPsec is used.
Set the following, then click Next: l Template Type to Remote Access l Remote Device Type to Native and Windows Native
Set the following, then click Next:
- Incoming Interface to port9 l Authentication Method to Pre-shared Key l Pre-shared Key to your-psk l UserGroup to L2tpusergroup
Set the following, then click Create: l Local Interface as port10 l Local Address as 16.101.0
- Client Address Range as 10.10.1-10.10.10.100 l Subnet Mask is left as its default value.

VxLAN over IPsec tunnel

This recipe provides an example configuration of VxLAN over IPsec tunnel. VxLAN encapsulation is used in the phase1-interface setting and virtual-switch is used to bridge the internal with VxLAN over IPsec tunnel.

The following shows the network topology for this example:

To configure GRE over an IPsec tunnel:

Configure the WAN interface and default route:
HQ1:

config system interface edit “port1” set ip 172.16.200.1 255.255.255.0

end config router static edit 1 set gateway 172.16.200.3 set device “port1”

end

HQ2:

config system interface edit “port25” set ip 172.16.202.1 255.255.255.0

end config router static edit 1 set gateway 172.16.202.2 set device “port25”

end

Configure IPsec phase1-interface:
HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set encapsulation vxlan

set encapsulation-address ipv4 set encap-local-gw4 172.16.200.1 set encap-remote-gw4 172.16.202.1 set remote-gw 172.16.202.1 set psksecret sample

end

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set encapsulation vxlan set encapsulation-address ipv4 set encap-local-gw4 172.16.202.1 set encap-remote-gw4 172.16.200.1 set remote-gw 172.16.200.1 set psksecret sample

end

config vpn ipsec phase2-interface edit “to_HQ1” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

Configure the firewall policy:
HQ1:

config firewall policy edit 1 set srcintf “dmz” set dstintf “to_HQ2” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set srcintf “to_HQ2” set dstintf “dmz” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept

set schedule “always” set service “ALL”

end

HQ2:

config firewall policy edit 1 set srcintf “port9” set dstintf “to_HQ1” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set srcintf “to_HQ1” set dstintf “port9” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

end

Configure the virtual switch:
1. HQ1:

config system switch-interface edit “vxlan-HQ2” set member “dmz” “to_HQ2” set intra-switch-policy explicit

end

HQ2:

config system switch-interface edit “vxlan-HQ1” set member “port9” “to_HQ1” set intra-switch-policy explicit

end

Optionally, view the VPN tunnel list on HQ1 with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=to_HQ2 ver=1 serial=2 172.16.200.1:0->172.16.202.1:0

bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=VXLAN/2 options[0002]= encap-addr: 172.16.200.1->172.16.202.1

proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=0 ad=/0 stat: rxp=13 txp=3693 rxb=5512 txb=224900

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=45 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=41944/0B replaywin=2048 seqno=e6e esn=0 replaywin_lastseq=0000000e itn=0

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=635e9bb1 esp=aes key=16 c8a374905ef9156e66504195f46a650c ah=sha1 key=20 a09265de7d3b0620b45441fb5af44dab125f2afe

enc: spi=a4d0cd1e esp=aes key=16 e9d0f3f0bb7e15a833f80c42615a3b91 ah=sha1 key=20 609a315c385471b8909b771c76e4fa7214996e50

dec:pkts/bytes=13/4640, enc:pkts/bytes=3693/623240

Optionally, view the bridge control interface on HQ1 with the diagnose netlink brctl name host vxlan-HQ1 command:

show bridge control interface vxlan-HQ1 host.

fdb: size=2048, used=17, num=17, depth=1 Bridge vxlan-a host table

port no device devname mac addr ttl attributes

1 1. dmz 00:0c:29:4e:33:c9 1. Hit(1)

1 1. dmz 00:0c:29:a8:c3:ea 105 Hit(105)

1 1. dmz 90:6c:ac:53:76:29 18 Hit(18)

1 1. dmz 08:5b:0e:dd:69:cb 1. Local Static

1 1. dmz 90:6c:ac:84:3e:5d 1. Hit(5)

dmz 00:0b:fd:eb:21:d6 1. Hit(0)
38 to_HQ2 56:45:c3:3f:57:b4 Local Static
dmz 00:0c:29:d2:66:40 78 Hit(78)
38 to_HQ2 90:6c:ac:5b:a6:eb 124 Hit(124)

1 1. dmz 00:0c:29:a6:bc:e6 19 Hit(19)

1 1. dmz 00:0c:29:f0:a2:e7 1. Hit(0)

1 1. dmz 00:0c:29:d6:c4:66 164 Hit(164)

1 1. dmz 00:0c:29:e7:68:19 1. Hit(0)

1 1. dmz 00:0c:29:bf:79:30 19 Hit(19)

1 1. dmz 00:0c:29:e0:64:7d 1. Hit(0)

1 1. dmz 36:ea:c7:30:c0:f1 25 Hit(25)

1 1. dmz 36:ea:c7:30:cc:71 1. Hit(0)

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Disable automatic ASIC offloading

Leave a reply

Disable automatic ASIC offloading

When auto-asic-offload is set to disable in the firewall policy, traffic is nt offloaded and the NPU hosting counter is ticked.

# diagnose vpn ipsec status All ipsec crypto devices in use:

NP6_0:

Encryption (encrypted/decrypted)

null
des 0	1.
3des : 0	1.
aes : 0	1.
aes-gcm : 0	1.
aria : 0	1.
seed : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null : 0	1.
md5 : 0	1.
sha1 : 0	1.
sha256 : 0	1.
sha384 : 0	1.
sha512 : 0 NP6_1: Encryption (encrypted/decrypted)	1.
null : 14976	15357
des : 0	1.
3des : 0	1.
aes : 110080	2175
aes-gcm : 0	1.
aria : 0	1.
seed : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null : 0	1.
md5 : 110080	2175
sha1 : 14976	15357
sha256 : 0	1.
sha384 : 0	1.
sha512 : 0 NPU Host Offloading: Encryption (encrypted/decrypted)	1.
null : 3	1.
des : 0	1.
3des : 0	1.
aes : 111090	1.
aes-gcm : 0	1.
aria : 0	1.
seed : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null : 0	1.
md5 : 111090	1.
sha1 : 3	1.
sha256 : 0	1.
sha384 : 0	1.
sha512 : 0 CP8: Encryption (encrypted/decrypted)	1.
null : 1	1.
des : 0	1.

VPN and ASIC offload

Leave a reply

VPN and ASIC offload

Check the device ASIC information. For example, a FortiGate 900D has an NP6 and a CP8.

# get hardware status

Model name: [[QualityAssurance62/FortiGate]]-900D

ASIC version: CP8

ASIC SRAM: 64M

CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz

Number of CPUs: 4

RAM: 16065 MB

Compact Flash: 1925 MB /dev/sda

Hard disk: 244198 MB /dev/sdb

USB Flash: not available

Network Card chipset: [[QualityAssurance62/FortiASIC]] NP6 Adapter (rev.)

Check port to NPU mapping.

# diagnose npu np6 port-list
Chip —-	XAUI Ports				Max Cross-chip Speed offloading
np6_0	0
	1.		port17		1G		Yes
	1.		port18		1G		Yes
	1.		port19		1G		Yes
	1.		port20		1G		Yes
	1.		port21		1G		Yes
	1.		port22		1G		Yes
	1.		port23		1G		Yes
	1.		port24		1G		Yes
	1.		port27		1G		Yes
	1.		port28		1G		Yes
	1.		port25		1G		Yes
	1.		port26		1G		Yes
	1.		port31		1G		Yes
	1.		port32		1G		Yes
	1.		port29		1G		Yes
	1.		port30		1G		Yes
—-	1. 1.		portB		10G		Yes
np6_1	0
	1.		port1		1G		Yes
	1.		port2		1G		Yes
	1.		port3		1G		Yes
	1.		port4		1G		Yes
	1.		port5		1G		Yes
	1.		port6		1G		Yes
	1.		port7		1G		Yes
	1.		port8		1G		Yes
	1.		port11		1G		Yes
	1.		port12		1G		Yes
	1.		port9		1G		Yes
	1.		port10		1G		Yes
	1.		port15		1G		Yes
	1.		port16		1G		Yes
		1.		port13		1G	Yes
		1.		port14		1G	Yes
		1. 1.		portA		10G	Yes

—-

Configure the option in IPsec phase1 settings to control NPU encrypt/decrypt IPsec packets (enabled by default).

config vpn ipsec phase1/phase1-interface edit “vpn_name” set npu-offload enable/disable

end

Check NPU offloading. The NPU encrypted/decrypted counter should tick. The npu_flag 03 flag means that the traffic processed by the NPU is bi-directional.

# diagnose vpn tunnel list

list all ipsec tunnel in vd 0

—-

name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0

bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0 stat: rxp=12231 txp=12617 rxb=1316052 txb=674314 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=test proto=0 sa=1 ref=4 serial=7

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=10626 type=00 soft=0 mtu=1438 expire=42921/0B replaywin=2048 seqno=802 esn=0 replaywin_lastseq=00000680 itn=0

life: type=01 bytes=0/0 timeout=42930/43200

dec: spi=e313ac46 esp=aes key=16 0dcb52642eed18b852b5c65a7dc62958 ah=md5 key=16 c61d9fe60242b9a30e60b1d01da77660

enc: spi=706ffe03 esp=aes key=16 6ad98c204fa70545dbf3d2e33fb7b529 ah=md5 key=16 dcc3b866da155ef73c0aba15ec530e2e

dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826 npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2

FGT_900D # diagnose vpn ipsec st All ipsec crypto devices in use: NP6_0:

Encryption (encrypted/decrypted)
null : 0	1.
des : 0	1.
3des : 0	1.
aes : 0	1.
aes-gcm : 0	1.
aria : 0	1.
seed : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null : 0	1.
md5 : 0	1.
sha1 : 0	1.
sha256 : 0	1.
sha384 : 0	1.

sha512 : 0 NP6_1: Encryption (encrypted/decrypted)	1.
null : 14976	15357
des : 0	1.
3des : 0	1.
aes : 1664	2047
aes-gcm : 0	1.
aria : 0	1.
seed : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null : 0	1.
md5 : 1664	2047
sha1 : 14976	15357
sha256 : 0	1.
sha384 : 0	1.
sha512 : 0 NPU Host Offloading: Encryption (encrypted/decrypted)	1.
null : 3	1.
des : 0	1.
3des : 0	1.
aes : 3	1.
aes-gcm : 0	1.
aria : 0	1.
seed : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null : 0	1.
md5 : 3	1.
sha1 : 3	1.
sha256 : 0	1.
sha384 : 0	1.
sha512 : 0 CP8: Encryption (encrypted/decrypted)	1.
null : 1	1.
des : 0	1.
3des : 0	1.
aes : 1	1.
aes-gcm : 0	1.
aria : 0	1.
seed : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null : 0	1.
md5 : 1	1.
sha1 : 1	1.
sha256 : 0	1.
sha384 : 0	1.
sha512 : 0	1.

SOFTWARE:

Encryption (encrypted/decrypted)
null : 0	1.
des : 0	1.
3des : 0	1.
aes : 0	1.
aes-gcm : 29882	29882
aria : 21688	21688
seed : 153774	153774
chacha20poly1305 : 29521 Integrity (generated/validated)	29521
null : 59403	59403
md5 : 0	1.
sha1 : 175462	175462
sha256 : 0	1.
sha384 : 0	1.
sha512 : 0	1.

If traffic cannot be offloaded by the NPU, the CP will try to encrypt/decrypt the IPsec packets.

VPN Tunneled Internet Browsing

Leave a reply

Tunneled Internet Browsing

This recipe provides an example configuration of tunneled internet browsing using a dialup VPN. To centralize network management and control, all branch office traffic is tunneling to HQ, including Internet browsing.

The following shows the sample network topology for this example:

To configure a dialup VPN to tunnel Internet browsing using the GUI:

Configure the dialup VPN server FortiGate at HQ:
1. Go to VPN > IPsec Wizard, enter a VPN name (HQ in this example), make the following selections, and then click Next:
  - Site to Site to Template Type l FortiGate to Remote Device Type
  - The remote side is behind NAT to NAT Configuration
2. Make the following selections, and then click Next:
  - Incoming Interface to port9 l Authentication Method to Pre-Shared Key l Pre-shared Key to sample
3. Make the following selections, and then click Create:
  - Local Interface to port10 l Local Subnets to 16.101.0 l Remote Subnets to 0.0.0.0/0 l Internet Access to Share Local l Shared WAN to port9
4. Configure the dialup VPN client FortiGate at a branch:
5. Go to VPN > IPsec Wizard, enter a VPN name (Branch1 or Branch2 in this example), make the following selections, then click Next:
  - Site to Site to Template Type l FortiGate to Remote Device Type l This side is behind NAT to NAT Configuration
6. Make the following selections, and then click Next:
  - IP Address to Remote Device, then enter the IP address: 22.1.1.1 l Outgoing Interface to wan1 l Authentication Method to Pre-shared Key l Pre-shared Key to sample
7. Make the following selections, and then click Create: l Local Interface to internal l Local Subnets to 1.100.0/192.1684.0 l Remote Subnets to 0.0.0.0/0 l Internet Access to Use Remote l Local Gateway to 15.1.1.1/13.1.1.1

To configure a dialup VPN to tunnel Internet browsing using the CLI:

Configure the WAN interface and static route on the FortiGate at HQ:

config system interface edit “port9” set alias “WAN” set ip 22.1.1.1 255.255.255.0

next edit “port10” set alias “Internal” set ip 172.16.101.1 255.255.255.0

end

config router static edit 1 set gateway 22.1.1.2 set device “port9”

end

Configure IPsec phase1-interface and phase2-interface configuration at HQ:

config vpn ipsec phase1-interface edit “HQ” set type dynamic set interface “port9” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set psksecret sample set dpd-retryinterval 60 next

end

config vpn ipsec phase2-interface edit “HQ” set phase1name “HQ”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

Configure the firewall policy at HQ:

config firewall policy edit 1 set srcintf “HQ” set dstintf “port9” “port10” set srcaddr “10.1.100.0” “192.168.4.0” set dstaddr “all” set action accept set schedule “always” set service “ALL” set nat enable

end

Configure the WAN interface and static route on the FortiGate at the branches:
Branch1:

config system interface edit “wan1” set ip 15.1.1.2 255.255.255.0

next edit “internal” set ip 10.1.100.1 255.255.255.0

end

config router static edit 1 set gateway 15.1.1.1 set device “wan1”

end

Branch2:

config system interface edit “wan1” set ip 13.1.1.2 255.255.255.0

next edit “internal” set ip 192.168.4.1 255.255.255.0

end

config router static edit 1 set gateway 13.1.1.1 set device “wan1”

next end

Configure IPsec phase1-interface and phase2-interface configuration at the branches: a. Branch1:

config vpn ipsec phase1-interface edit “branch1” set interface “wan1” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set remote-gw 22.1.1.1 set psksecret sample set dpd-retryinterval 5

end

config vpn ipsec phase2-interface edit “branch1” set phase1name “branch1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable set src-subnet 10.1.100.0 255.255.255.0

end

Branch2:

config vpn ipsec phase1-interface edit “branch2” set interface “wan1” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set remote-gw 22.1.1.1 set psksecret sample set dpd-retryinterval 5

end

config vpn ipsec phase2-interface edit “branch2” set phase1name “branch2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable set src-subnet 192.168.4.0 255.255.255.0

end

Configure the firewall policy at the branches:
Branch1:

config firewall policy edit 1 set name “outbound” set srcintf “internal” set dstintf “branch1” set srcaddr “all”

set dstaddr “all” set action accept set schedule “always” set service “ALL”

next edit 2

set name “inbound” set srcintf “branch1” set dstintf “internal” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL”

end

Branch2:

config firewall policy edit 1

set name “outbound” set srcintf “internal” set dstintf “branch2” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL”

next edit 2

set name “inbound” set srcintf “branch2” set dstintf “internal” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL”

end

Configure the static routes at the branches:
Branch1:

config router static

edit 2

set dst 22.1.1.1/32 set gateway 15.1.1.1 set device “wan1” set distance 1

next edit 3

set device “branch1” set distance 5

next end

Branch2:

config router static edit 2 set dst 22.1.1.1/32 set gateway 13.1.1.1 set device “wan1” set distance 1

next edit 3 set device “branch2” set distance 5

end

Optionally, view the VPN tunnel list on a branch with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=branch1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0

bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=19 ilast=0 olast=0 ad=r/2 stat: rxp=1 txp=1661 rxb=65470 txb=167314

dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2986 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=branch1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=697/0B replaywin=1024 seqno=13a esn=0 replaywin_lastseq=00000000 itn=0

life: type=01 bytes=0/0 timeout=2368/2400

dec: spi=c53a8f7e esp=aes key=16 ecee0cd48664d903d3d6822b1f902fd2 ah=sha1 key=20 2440a189126c222093ca9acd8b37127285f1f8a7

enc: spi=6e3636fe esp=aes key=16 fdaa20bcc96f74ae9885e824d3efa29d ah=sha1 key=20 70c0891c769ad8007ea1f31a39978ffbc73242d0

dec:pkts/bytes=0/16348, enc:pkts/bytes=313/55962

npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1

Optionally, view static routing table on a branch with the get router info routing-table static command:

Routing table for VRF=0

S* 0.0.0.0/0 [5/0] is directly connected, branch1

S* 22.1.1.1/32 [1/0] via 15.1.1.1, wan1

Troubleshooting – IPsec related diagnose command

Leave a reply

IPsec related diagnose command

This document provides IPsec related diagnose commands.

Daemon IKE summary information list: diagnose vpn ike status

connection: 2/50

IKE SA: created 2/51 established 2/9 times 0/13/40 ms

IPsec SA: created 1/13 established 1/7 times 0/8/30 ms

IPsec phase1 interface status: diagnose vpn ike gateway list

vd: root/0 name: tofgtc version: 1 interface: port13 42

addr: 173.1.1.1:500 -> 172.16.200.3:500

created: 4313s ago

IKE SA: created 1/1 established 1/1 time 10/10/10 ms

IPsec SA: created 0/0

id/spi: 92 5639f7f8a5dc54c0/809a6c9bbd266a4b direction: initiator

status: established 4313-4313s ago = 10ms proposal: aes128-sha256

key: 74aa3d63d88e10ea-8a1c73b296b06578 lifetime/rekey: 86400/81786

DPD sent/recv: 00000000/00000000

vd: root/0 name: to_HQ version: 1 interface: port13 42

addr: 173.1.1.1:500 -> 11.101.1.1:500 created: 1013s ago assigned IPv4 address: 11.11.11.1/255.255.255.252

IKE SA: created 1/1 established 1/1 time 0/0/0 ms

IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 95 255791bd30c749f4/c2505db65210258b direction: initiator

status: established 1013-1013s ago = 0ms proposal: aes128-sha256

key: bb101b9127ed5844-1582fd614d5a8a33 lifetime/rekey: 86400/85086 DPD sent/recv: 00000000/00000010

IPsec phase2 tunnel status: diagnose vpn tunnel list

list all ipsec tunnel in vd 0

—-

nname=L2tpoIPsec ver=1 serial=6 172.16.200.4:0->0.0.0.0:0

bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/24 options[0018]=npu create_ dev

proxyid_num=0 child_num=0 refcnt=10 ilast=13544 olast=13544 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 run_tally=0 —-

name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0

bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=13 ilast=10 olast=1112 ad=/0 stat: rxp=1 txp=4 rxb=152 txb=336

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41773/0B replaywin=2048 seqno=5 esn=0 replaywin_lastseq=00000002 itn=0

life: type=01 bytes=0/0 timeout=42900/43200

dec: spi=ca64644a esp=aes key=16 6cc873fdef91337a6cf9b6948972c90f ah=sha1 key=20 e576dbe3ff92605931e5670ad57763c50c7dc73a

enc: spi=747c10c8 esp=aes key=16 5060ad8d0da6824204e3596c0bd762f4 ah=sha1 key=20 52965cbd5b6ad95212fc825929d26c0401948abe

dec:pkts/bytes=1/84, enc:pkts/bytes=4/608

npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=5 dec_npuid=2 enc_npuid=2

Packets encrypted/decrypted counter: diagnose vpn ipsec status

All ipsec crypto devices in use: NP6_0:

Encryption (encrypted/decrypted)
null : 0	1.
des : 0	1.
3des : 0	1.
aes : 0	1.
aes-gcm : 0	1.
aria : 0	1.
seed : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null : 0	1.
md5 : 0	1.
sha1 : 0	1.
sha256 : 0	1.
sha384 : 0	1.
sha512 : 0	1.

NP6_1:

Encryption (encrypted/decrypted)
null : 0	1.
des : 0	1.
3des : 0	1.
aes : 337152	46069
aes-gcm : 0	1.
aria : 0	1.
seed : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null : 0	1.
md5 : 0	1.
sha1 : 337152	46069
sha256 : 0	1.
sha384 : 0	1.
sha512 : 0 NPU Host Offloading: Encryption (encrypted/decrypted)	1.
null : 0	1.
des : 0	1.
3des : 0	1.
aes : 38	1.
aes-gcm : 0	1.
aria : 0	1.
seed : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null : 0	1.
md5 : 0	1.
sha1 : 38	1.
sha256 : 0	1.
sha384 : 0	1.
sha512 : 0 CP8: Encryption (encrypted/decrypted)	1.
null : 0	1.
des : 0	1.
3des : 1337	1582
aes : 71	11426
aes-gcm : 0	1.
aria : 0	1.
seed : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null : 0	1.
md5 : 48	28
sha1 : 1360	12980
sha256 : 0	1.
sha384 : 0	1.
sha512 : 0	1.

SOFTWARE:

Encryption (encrypted/decrypted)

null : 0	1.
des : 0	1.
3des : 0	1.
aes : 0	1.
aes-gcm : 0	1.
aria : 0	1.
seed : 0	1.
chacha20poly1305 : 0 Integrity (generated/validated)	1.
null : 0	1.
md5 : 0	1.
sha1 : 0	1.
sha256 : 0	1.
sha384 : 0	1.
sha512 : 0	1.

diagnose debug application ike -1 l diagnose vpn ike log-filter dst-addr4 11.101.1.1 l diagnose vpn ike log-filter src-addr4 173.1.1.1

# ike 0:to_HQ:101: initiator: aggressive mode is sending 1st message… ike 0:to_HQ:101: cookie dff03f1d4820222a/0000000000000000

ike 0:to_HQ:101: sent IKE msg (agg_i1send): 173.1.1.1:500->11.101.1.1:500, len=912, id=dff03f1d4820222a/0000000000000000 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Aggressive id=dff03f1d4820222a/6c2caf4dcf5bab75 len=624 ike 0:to_HQ:101: initiator: aggressive mode get 1st response… ike 0:to_HQ:101: VID RFC 3947 4A131C81070358455C5728F20E95452F ike 0:to_HQ:101: VID DPD AFCAD71368A1F1C96B8696FC77570100 ike 0:to_HQ:101: DPD negotiated

ike 0:to_HQ:101: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712 ike 0:to_HQ:101: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0204 ike 0:to_HQ:101: peer supports UNITY

ike 0:to_HQ:101: VID FORTIGATE 8299031757A36082C6A621DE00000000 ike 0:to_HQ:101: peer is [[QualityAssurance62/FortiGate]]/FortiOS (v0 b0) ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3 ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000 ike 0:to_HQ:101: peer identifier IPV4_ADDR 11.101.1.1 ike 0:to_HQ:101: negotiation result ike 0:to_HQ:101: proposal id = 1: ike 0:to_HQ:101: protocol id = ISAKMP: ike 0:to_HQ:101: trans_id = KEY_IKE. ike 0:to_HQ:101: encapsulation = IKE/none ike 0:to_HQ:101: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128 ike 0:to_HQ:101: type=OAKLEY_HASH_ALG, val=SHA2_256.

ike 0:to_HQ:101: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I. ike 0:to_HQ:101: type=OAKLEY_GROUP, val=MODP2048.

ike 0:to_HQ:101: ISAKMP SA lifetime=86400 ike 0:to_HQ:101: received NAT-D payload type 20 ike 0:to_HQ:101: received NAT-D payload type 20 ike 0:to_HQ:101: selected NAT-T version: RFC 3947 ike 0:to_HQ:101: NAT not detected

ike 0:to_HQ:101: ISAKMP SA dff03f1d4820222a/6c2caf4dcf5bab75 key

16:D81CAE6B2500435BFF195491E80148F3 ike 0:to_HQ:101: PSK authentication succeeded ike 0:to_HQ:101: authentication OK

ike 0:to_HQ:101: add INITIAL-CONTACT

ike 0:to_HQ:101: sent IKE msg (agg_i2send): 173.1.1.1:500->11.101.1.1:500, len=172, id=dff03f1d4820222a/6c2caf4dcf5bab75 ike 0:to_HQ:101: established IKE SA dff03f1d4820222a/6c2caf4dcf5bab75 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4 len=92 ike 0:to_HQ:101: mode-cfg type 16521 request 0: ike 0:to_HQ:101: mode-cfg type 16522 request 0: ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=108, id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295 len=92 ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=92, id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295 ike 0:to_HQ:101: initiating mode-cfg pull from peer ike 0:to_HQ:101: mode-cfg request APPLICATION_VERSION ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_ADDRESS ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_NETMASK ike 0:to_HQ:101: mode-cfg request UNITY_SPLIT_INCLUDE ike 0:to_HQ:101: mode-cfg request UNITY_PFS

ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=140, id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f len=172 ike 0:to_HQ:101: mode-cfg type 1 response 4:0B0B0B01 ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_ADDRESS 11.11.11.1 ike 0:to_HQ:101: mode-cfg type 2 response 4:FFFFFFFC

ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_NETMASK 255.255.255.252 ike 0:to_HQ:101: mode-cfg received UNITY_PFS 1 ike 0:to_HQ:101: mode-cfg type 28676 response

28:0A016400FFFFFF000000000000000A016500FFFFFF00000000000000

ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.100.0/255.255.255.0:0 local port 0

ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.101.0/255.255.255.0:0 local port 0

ike 0:to_HQ:101: mode-cfg received APPLICATION_VERSION ‘FortiGate-100D v6.0.3,build0200,181009 (GA)’

ike 0:to_HQ: mode-cfg add 11.11.11.1/255.255.255.252 to ‘to_HQ’/58 ike 0:to_HQ: set oper up ike 0:to_HQ: schedule auto-negotiate ike 0:to_HQ:101: no pending Quick-Mode negotiations

ike shrank heap by 159744 bytes

ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:0 ike 0:to_HQ:to_HQ: using existing connection

# ike 0:to_HQ:to_HQ: config found

ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:500 negotiating ike 0:to_HQ:101: cookie dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 ike 0:to_HQ:101:to_HQ:259: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0-

>0:0.0.0.0/0.0.0.0:0:0

ike 0:to_HQ:101: sent IKE msg (quick_i1send): 173.1.1.1:500->11.101.1.1:500, len=620, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Quick id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 len=444 ike 0:to_HQ:101:to_HQ:259: responder selectors 0:0.0.0.0/0.0.0.0:0->0:0.0.0.0/0.0.0.0:0 ike 0:to_HQ:101:to_HQ:259: my proposal: ike 0:to_HQ:101:to_HQ:259: proposal id = 1:

ike 0:to_HQ:101:to_HQ:259:	protocol id = IPSEC_ESP:
ike 0:to_HQ:101:to_HQ:259:	PFS DH group = 14
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_AES_CBC (key_len = 256)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=SHA1
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_AES_CBC (key_len = 128)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_AES_CBC (key_len = 256)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=SHA2_256
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_AES_GCM_16 (key_len = 128)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_AES_GCM_16 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259:	trans_id = ESP_CHACHA20_POLY1305 (key_len = 256)
ike 0:to_HQ:101:to_HQ:259:	encapsulation = ENCAPSULATION_MODE_TUNNEL
ike 0:to_HQ:101:to_HQ:259:	type = AUTH_ALG, val=NULL
ike 0:to_HQ:101:to_HQ:259: incoming proposal: ike 0:to_HQ:101:to_HQ:259: proposal id = 1: ike 0:to_HQ:101:to_HQ:259: protocol id = IPSEC_ESP: ike 0:to_HQ:101:to_HQ:259: PFS DH group = 14 ike 0:to_HQ:101:to_HQ:259: trans_id = ESP_AES_CBC (key_len = 128) ike 0:to_HQ:101:to_HQ:259: encapsulation = ENCAPSULATION_MODE_TUNNEL ike 0:to_HQ:101:to_HQ:259: type = AUTH_ALG, val=SHA1 ike 0:to_HQ: schedule auto-negotiate ike 0:to_HQ:101:to_HQ:259: replay protection enabled ike 0:to_HQ:101:to_HQ:259: SA life soft seconds=42902. ike 0:to_HQ:101:to_HQ:259: SA life hard seconds=43200. ike 0:to_HQ:101:to_HQ:259: IPsec SA selectors #src=1 #dst=1 ike 0:to_HQ:101:to_HQ:259: src 0 4 0:0.0.0.0/0.0.0.0:0 ike 0:to_HQ:101:to_HQ:259: dst 0 4 0:0.0.0.0/0.0.0.0:0 ike 0:to_HQ:101:to_HQ:259: add IPsec SA: SPIs=ca64644b/747c10c9 ike 0:to_HQ:101:to_HQ:259: IPsec SA dec spi ca64644b key

16:D5C60F1A3951B288CE4DEC7E04D2119D auth 20:F872A7A26964208A9AA368A31AEFA3DB3F3780BC ike 0:to_HQ:101:to_HQ:259: IPsec SA enc spi 747c10c9 key

16:97952E1594F718128D9D7B09400856EA auth 20:4D5E5BC45A9D5A9A4631E911932F5650A4639A37 ike 0:to_HQ:101:to_HQ:259: added IPsec SA: SPIs=ca64644b/747c10c9 ike 0:to_HQ:101:to_HQ:259: sending SNMP tunnel UP trap

ike 0:to_HQ:101: sent IKE msg (quick_i2send): 173.1.1.1:500->11.101.1.1:500, len=76, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01

Troubleshooting – Understanding VPN related logs

Leave a reply

Understanding VPN related logs

This document provides some IPsec log samples:

IPsec phase1 negotiating

logid=”0101037127″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”Progress IPsec phase 1″ msg=”progress IPsec phase 1″ action=”negotiate” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cook-

ies=”e41eeecb2c92b337/0000000000000000″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=N/A vpntunnel=”to_HQ” status=”success” init=”local” mode=”aggressive” dir=”outbound” stage=1 role=”initiator” result=”OK” IPsec phase1 negotiated

ies=”e41eeecb2c92b337/1230131a28eb4e73″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=N/A vpntunnel=”to_HQ” status=”success” init=”local” mode=”aggressive” dir=”outbound” stage=2 role=”initiator” result=”DONE”

IPsec phase1 tunnel up

logid=”0101037138″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”IPsec connection status changed” msg=”IPsec connection status change” action=”tunnelup” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” tunnelip=N/A tunnelid=1530910918 tunneltype=”ipsec” duration=0 sentbyte=0 rcvdbyte=0 nextstat=0 IPsec phase2 negotiate

logid=”0101037129″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”Progress IPsec phase 2″ msg=”progress IPsec phase 2″ action=”negotiate” remip=11.101.1.1

locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” status=”success” init=”local” mode=”quick” dir=”outbound” stage=1 role=”initiator” result=”OK” IPsec phase2 tunnel up

logid=”0101037139″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”IPsec phase 2 status changed” msg=”IPsec phase 2 status change” action=”phase2-up” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ”

phase2_name=”to_HQ” IPsec phase2 sa install

logid=”0101037133″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”IPsec SA installed” msg=”install IPsec SA” action=”install_sa” remip=11.101.1.1 locipp=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ userr=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” role=”initiator” in_spi=”ca646448″ out_spi=”747c10c6″ IPsec tunnel statistics

logid=”0101037141″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544131118 logdesc=”IPsec tunnel statistics” msg=”IPsec tunnel statistics” action=”tunnel-stats” remip=10.1.100.15 locip=172.16.200.4 remport=500 locport=500 outintf=”mgmt1″ cookies=”3539884dbd8f3567/c32e4c1beca91b36″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=N/A vpntunnel=”L2tpoIPsec_ 0″ tunnelip=10.1.100.15 tunnelid=1530910802 tunneltype=”ipsec” duration=6231 sentbyte=57343 rcvdbyte=142640 nextstat=60 IPsec phase2 tunnel down

logid=”0101037138″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”IPsec connection status changed” msg=”IPsec connection status change” action=”tunneldown” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”30820aa390687e39/886e72bf5461fb8d” user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” tunnelip=N/A tunnelid=1530910786 tunneltype=”ipsec” duration=6425 sentbyte=504 rcvdbyte=152 nextstat=0 IPsec phase1 sa deleted

logid=”0101037134″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”IPsec phase 1 SA deleted” msg=”delete IPsec phase 1 SA” action=”delete_phase1_sa” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”30820aa390687e39/886e72bf5461fb8d” user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ”

IPsec VPN authenticating a remote FortiGate peer with a certificate

Leave a reply

IPsec VPN authenticating a remote FortiGate peer with a certificate

This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate. The certificate on one peer is validated by the presence of the CA certificate installed on the other peer.

The following shows the sample network topology for this recipe:

You can configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOSGUI or CLI.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key on the FortiOS GUI:

Import the certificate. 2. Configure user peers.
Configure the HQ1 FortiGate:
In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
1. Enter a proper VPN name.
2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
3. Click Next.
Configure the following settings for Authentication:
1. For Remote Device, select IP Address. For the IP address, enter 172.16.202.1. iii. For Outgoing interface, enter port1.
For Authentication Method, select Signature.
In the Certificate name field, select the imported certificate.
From the PeerCertificate CA dropdown list, select the desired peer CA certificate.

Click Next.

Configure the following settings for Policy & Routing:
From the Local Interface dropdown menu, select the proper local interface.
Configure the Local Subnets as 1.100.0. iii. Configure the Remote Subnets as 172.16.101.0.
Click Create.
Configure the HQ2 FortiGate:
In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
1. Enter a proper VPN name.
2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
3. Click Next.
Configure the following settings for Authentication:
1. For Remote Device, select IP Address. For the IP address, enter 172.16.2001. iii. For Outgoing interface, enter port25.
2. For Authentication Method, select Signature.
3. In the Certificate name field, select the imported certificate.
4. From the PeerCertificate CA dropdown list, select the desired peer CA certificate.

Click Next.

Configure the following settings for Policy & Routing:
1. From the Local Interface dropdown menu, select the proper local interface.
2. Configure Local Subnets as 16.101.0. iii. Configure the Remote Subnets as 10.1.100.0. iv. Click Create.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS CLI:

Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec tunnel is established over the WAN interface: a. Configure HQ1:

config system interface edit “port1” set vdom “root”

set ip 172.16.200.1 255.255.255.0

end

config router static edit 1

gateway 172.16.200.3 device “port1”

end

Configure HQ2:

config system interface edit “port25” set vdom “root”

set ip 172.16.202.1 255.255.255.0

end

config router static edit 1 set gateway 172.16.202.2 set device “port25”

end

Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel: Configure HQ1:

config system interface edit “dmz” set vdom “root”

set ip 10.1.100.1 255.255.255.0

end

Configure HQ2:

config system interface edit “port9” set vdom “root”

set ip 172.16.101.1 255.255.255.0

end

Configure the import certificate and its CA certificate information. The certificate and its CA certificate must be imported on the remote peer FortiGate and on the primary FortiGate before configuring IPsec VPN tunnels. If the built-in Fortinet_Factory certificate and the Fortinet_CA CA certificate are used for authentication, you can skip this step:
Configure HQ1:

config vpn certificate local edit “test1” …

set range global

end

config vpn certificate ca edit “CA_Cert_1” …

set range global

next end

Configure HQ2:

config vpn certificate local edit “test2” …

set range global

end

config vpn certificate ca edit “CA_Cert_1” …

set range global

end

Configure the peer user. The peer user is used in the IPsec VPN tunnel peer setting to authenticate the remote peer FortiGate.
1. If not using the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate, do the following: Configure HQ1:

config user peer edit “peer1” set ca “CA_Cert_1”

end

Configure HQ2:

config user peer edit “peer2” set ca “CA_Cert_1”

end

If the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate are used for authentication, the peer user must be configured based on Fortinet_CA:
1. Configure HQ1:

config user peer edit “peer1” set ca “Fortinet_CA”

end

Configure HQ2:

config user peer edit “peer2” set ca “Fortinet_CA”

end

Configure the IPsec phase1-interface:
1. Configure HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set authmethod signature net-device enable

proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

set remote-gw 172.16.202.1 set certificate “test1” set peer “peer1”

end

Configure HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set authmethod signature set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.200.1 set certificate “test2” set peer “peer2”

end

Configure the IPsec phase2-interface:
1. Configure HQ1:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

end

Configure HQ2:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

end

Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down: Configure HQ1:

config router static edit 2 set dst 172.16.101.0 255.255.255.0 set device “to_HQ2”

next edit 3 set dst 172.16.101.0 255.255.255.0 set blackhole enable set distance 254

end

Configure HQ2:

config router static edit 2 set dst 10.1.100.0 255.255.255.0 set device “to_HQ1”

next edit 3 set dst 10.1.100.0 255.255.255.0 set blackhole enable set distance 254

end

Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel:
Configure HQ1:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ2” set dstintf “dmz” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” set srcintf “dmz” set dstintf “to_HQ2” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

end

Configure HQ2:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ1” set dstintf “port9” set srcaddr “10.1.1.00.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” srcintf “port9” dstintf “to_HQ1”

set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

end

Run diagnose commands. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish. If the remote FortiGate certificate cannot be validated, the following error shows up in the debug output:

ike 0: to_HQ2:15314: certificate validation failed

The following commands are useful to check IPsec phase1/phase2 interface status.

Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:

vd: root/0 name: to_HQ2 version: 1 interface: port1 11 addr: 172.16.200.1:500 -> 172.16.202.1:500 created: 7s ago peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2

peer-id-auth: yes

IKE SA: created 1/1 established 1/1 time 70/70/70 ms IPsec SA: created 1/1 established 1/1 time 80/80/80 ms

id/spi: 15326 295be407fbddfc13/7a5a52afa56adf14 direction: initiator status: established 7-7s ago = 70ms proposal: aes128-sha256 key: 4aa06dbee359a4c7-

43570710864bcf7b lifetime/rekey: 86400/86092 DPD sent/recv: 00000000/00000000 peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2

Run the diagnose vpn tunnel list command on HQ1. The system should return the following:

list all ipsec tunnel in vd 0 name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0

bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_ dev frag-rfcaccept_traffic=1 proxyid_num=1 child_num=0 refcnt=14 ilast=19 olast=179 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=vpn-f proto=0 sa=1 ref=2 serial=1 auto-negotiate src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42717/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0

life: type=01 bytes=0/0 timeout=42897/43200 dec: spi=72e87de7 esp=aes key=16 8b2b93e0c149d6f22b1c0b96ea450e6c

ah=sha1 key=20 facc655e5f33beb7c2b12e718a6d55413ce3efa2 enc: spi=5c52c865 esp=aes key=16 8d0c4e4adbf2338beed569b2b3205ece

ah=sha1 key=20 553331628612480ab6d7d563a00e2a967ebabcdd dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

IPsec VPN authenticating a remote FortiGate peer with a pre-shared key

1 Reply

IPsec VPN authenticating a remote FortiGate peer with a pre-shared key

This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a pre-shared key.

The following shows the sample network topology for this recipe:

You can configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOSGUI or CLI.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key on the FortiOS GUI:

Configure the HQ1 FortiGate:
In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
1. Enter a proper VPN name.
2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
3. Click Next.
Configure the following settings for Authentication:
1. For Remote Device, select IP Address. For the IP address, enter 172.16.202.1. iii. For Outgoing interface, enter port1. iv. For Authentication Method, select Pre-shared Key.
In the Pre-shared Key field, enter sample as the key.
Click Next.
Configure the following settings for Policy & Routing:
From the Local Interface dropdown menu, select the proper local interface.
Configure the Local Subnets as 1.100.0. iii. Configure the Remote Subnets as 172.16.101.0.
Click Create.
Configure the HQ2 FortiGate:
In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
1. Enter a proper VPN name.
2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
3. Click Next.
Configure the following settings for Authentication:
1. For Remote Device, select IP Address. For the IP address, enter 172.16.2001. iii. For Outgoing interface, enter port25.
2. For Authentication Method, select Pre-shared Key.
3. In the Pre-shared Key field, enter sample as the key.
4. Click Next.
Configure the following settings for Policy & Routing:
1. From the Local Interface dropdown menu, select the proper local interface.
2. Configure Local Subnets as 16.101.0. iii. Configure the Remote Subnets as 10.1.100.0. iv. Click Create.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS CLI:

Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec tunnel is established over the WAN interface: a. Configure HQ1:

config system interface edit “port1” set vdom “root”

set ip 172.16.200.1 255.255.255.0

end

config router static edit 1 set gateway 172.16.200.3 set device “port1”

next end

Configure HQ2:

config system interface edit “port25” set vdom “root”

set ip 172.16.202.1 255.255.255.0

end

config router static edit 1 set gateway 172.16.202.2 set device “port25”

end

Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel: Configure HQ1:

config system interface edit “dmz” set vdom “root”

set ip 10.1.100.1 255.255.255.0

end

Configure HQ2:

config system interface edit “port9” set vdom “root”

set ip 172.16.101.1 255.255.255.0

end

Configure the IPsec phase1-interface:
1. Configure HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.202.1 set psksecret sample

end

Configure HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.200.1 set psksecret sample

end

Configure the IPsec phase2-interface:
1. Configure HQ1:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

end

Configure HQ2:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

end

Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down: Configure HQ1:

config router static edit 2 set dst 172.16.101.0 255.255.255.0 set device “to_HQ2”

next edit 3 set dst 172.16.101.0 255.255.255.0 set blackhole enable set distance 254

end

Configure HQ2:

config router static edit 2 set dst 10.1.100.0 255.255.255.0 set device “to_HQ1”

next edit 3 set dst 10.1.100.0 255.255.255.0 set blackhole enable set distance 254

end

Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel: a. Configure HQ1:

end

Configure HQ2:

next edit 2 set name “outbound” set srcintf “port9” set dstintf “to_HQ1” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

end

Run diagnose commands. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish. If the PSK failed to match, the following error shows up in the debug output:

ike 0:to_HQ2:15037: parse error ike 0:to_HQ2:15037: probable pre-shared secret mismatch’

The following commands are useful to check IPsec phase1/phase2 interface status.

Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:

vd: root/0 name: to_HQ2 version: 1 interface: port1 11 addr: 172.16.200.1:500 -> 172.16.202.1:500 created: 5s ago

IKE SA: created 1/1 established 1/1 time 0/0/0 ms IPsec SA: created 2/2 established 2/2 time 0/0/0 ms id/spi: 12 6e8d0532e7fe8d84/3694ac323138a024 direction: responder status: established 5-5s ago = 0ms proposal: aes128-sha256 key: b3efb46d0d385aff-7bb9ee241362ee8d lifetime/rekey: 86400/86124

DPD sent/recv: 00000000/00000000

Run the diagnose vpn tunnel list command on HQ1. The system should return the following:

list all ipsec tunnel in vd 0 name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0

bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_ dev frag-rfcaccept_traffic=1 proxyid_num=1 child_num=0 refcnt=11 ilast=7 olast=87 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42927/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 life: type=01 bytes=0/0 timeout=42930/43200 dec: spi=ef9ca700 esp=aes key=16 a2c6584bf654d4f956497b3436f1cfc7 ah=sha1 key=20 82c5e734bce81e6f18418328e2a11aeb7baa021b enc: spi=791e898e esp=aes key=16 0dbb4588ba2665c6962491e85a4a8d5a ah=sha1 key=20 2054b318d2568a8b12119120f20ecac97ab730b3 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0