Configure the VPN peers – route-based VPN

VPN peers are configured using Interface Mode for redundant tunnels. Configure each VPN peer as follows:

1. Ensure that the interfaces used in the VPN have static IP addresses.

2. Create a Phase 1 configuration for each of the paths between the peers.

3. Enable dead peer detection so that one of the other paths is activated if this path fails.

4. Enter these settings in particular, and any other VPN settings as required:

Path 1

Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the primary interface of the remote peer.
Local Interface: Select the primary public interface of this peer.
Dead Peer Detection: Enable

Path 2

Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the secondary interface of the remote peer.
Local Interface: Select the primary public interface of this peer.
Dead Peer Detection: Enable

Path 3

Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the primary interface of the remote peer.
Local Interface: Select the secondary public interface of this peer.
Dead Peer Detection: Enable

Path 4

Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the secondary interface of the remote peer.
Local Interface: Select the secondary public interface of this peer.
Dead Peer Detection: Enable

For more information, see Phase 1 parameters on page 1624.

5. Create a Phase 2 definition for each path (see Phase 2 parameters on page 1642). Select the Phase 1 configuration (virtual IPsec interface) that you defined for this path; its name appears in the Static IP Address part of the list.

6. Create a route for each path to the other peer. If there are two ports on each peer, there are four possible paths between the peer devices.

Destination IP/Mask: The IP address and netmask of the private network behind the remote peer.
Device: One of the virtual IPsec interfaces on the local peer.
Distance: For each path, enter a different value to prioritize the paths.

7. Define the security policy for the local primary interface. See Defining VPN security policies on page 1648. You need to create two policies for each path to enable communication in both directions. Enter these settings in particular:

Incoming Interface: Select the local interface to the internal (private) network.
Source Address: All
Outgoing Interface: Select one of the virtual IPsec interfaces you created in Step 2.
Destination Address: All
Schedule: Always
Service: Any
Action: ACCEPT

8. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:

Incoming Interface: Select one of the virtual IPsec interfaces you created in Step 2.
Source Address: All
Outgoing Interface: Select the local interface to the internal (private) network.
Destination Address: All
Schedule: Always
Service: Any
Action: ACCEPT

9. Place the policy in the policy list above any other policies having similar source and destination addresses.

10. Repeat this procedure at the remote FortiGate unit.
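The steps above, worked through as an added example that is not part of the handbook or of the blog: it derives the four redundant paths from two local and two remote public interfaces, checks the design constraints the procedure implies (no duplicate path, a distinct distance per path), and emits the equivalent FortiOS CLI. Interface names, addresses and the PSK placeholder are constructed; the CLI keywords are FortiOS 5.x syntax from the editor's knowledge, not from the page, so verify them on your firmware.

```python
"""Added example (not from the handbook): build the four redundant VPN paths
and emit FortiOS CLI. Topology values are constructed; the CLI keywords
follow FortiOS 5.x syntax as assumed by the editor, not the page."""
from itertools import product

LOCAL_IFACES = ["wan1", "wan2"]                 # constructed: primary, secondary
REMOTE_GWS = ["203.0.113.10", "203.0.113.20"]   # constructed: remote primary, secondary
LAN_IFACE = "internal"                          # constructed LAN-side interface
REMOTE_LAN = "10.20.0.0 255.255.255.0"          # constructed private net behind the peer


def build_paths(local_ifaces, remote_gws):
    """Pair every local public interface with every remote address (2 x 2 = 4 paths)
    and give each path its own distance so the router prefers them in order."""
    return [{"name": f"vpn-path{i}", "local": lo, "remote": rg, "distance": 10 + i}
            for i, (lo, rg) in enumerate(product(local_ifaces, remote_gws), start=1)]


def check_paths(paths):
    """Design checks from the procedure: no duplicate (local, remote) pair, and a
    unique distance per path (equal distances are equal-cost, not a failover order)."""
    pairs = {(p["local"], p["remote"]) for p in paths}
    return len(pairs) == len(paths) and len({p["distance"] for p in paths}) == len(paths)


def render_cli(paths, lan=LAN_IFACE, remote_lan=REMOTE_LAN):
    """Per path: Phase 1 with DPD, Phase 2 bound to it, a static route, two policies."""
    out = []
    for i, p in enumerate(paths, start=1):
        out += ["config vpn ipsec phase1-interface", f'    edit "{p["name"]}"',
                f'        set interface "{p["local"]}"', f'        set remote-gw {p["remote"]}',
                "        set dpd on-idle", "        set psksecret <PSK-PLACEHOLDER>", "    next", "end",
                "config vpn ipsec phase2-interface", f'    edit "{p["name"]}-p2"',
                f'        set phase1name "{p["name"]}"', "    next", "end",
                "config router static", f"    edit {i}", f"        set dst {remote_lan}",
                f'        set device "{p["name"]}"', f'        set distance {p["distance"]}', "    next", "end"]
        # One policy per direction: LAN -> tunnel (step 7) and tunnel -> LAN (step 8).
        for n, (src, dst) in enumerate(((lan, p["name"]), (p["name"], lan))):
            out += ["config firewall policy", f"    edit {2 * i - 1 + n}", f'        set srcintf "{src}"',
                    f'        set dstintf "{dst}"', '        set srcaddr "all"', '        set dstaddr "all"',
                    "        set action accept", '        set schedule "always"', '        set service "ALL"',
                    "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    PATHS = build_paths(LOCAL_IFACES, REMOTE_GWS)
    assert check_paths(PATHS)
    print(render_cli(PATHS))
```

Run the script on both peers with the interface names and addresses swapped to obtain the mirrored configuration that step 10 asks for.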

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
