FortiWAN Planning your VPN

Define Auto Routing policies for IKE negotiation

Our goal is to establish an IPSec-protected VPN based on Tunnel Routing (see “Tunnel Routing”) through two TR tunnels, which implies two IPSec SAs being established on the two TR tunnels. This requires routing policies that route the IKE negotiation packets used to establish the two IPSec SAs.

Packets of IKE negotiation are generated by FortiWAN itself (the source and destination IP addresses of the packets are, respectively, the Local IP and Remote IP of the Phase 1 configuration); therefore the Source and Destination of the Auto Routing filter for IKE negotiation must be configured with the Local IP and Remote IP (the IP addresses of the WAN ports of the two FortiWAN units). Remember that the IPSec SAs are established on the WAN ports of both FortiWAN units.

Go to Service > Auto Routing

Add two Auto Routing policies on both endpoints like this:

Auto Routing: Policy

| Policy | Local endpoint (Site A) | Local endpoint (Site A) | Remote endpoint (Site B) | Remote endpoint (Site B) |
|---|---|---|---|---|
| Label | IPSec_WAN1 (any name you desire) | IPSec_WAN2 (any name you desire) | IPSec_WAN1 (any name you desire) | IPSec_WAN2 (any name you desire) |
| T (Threshold) | Enable Threshold or not | Enable Threshold or not | Enable Threshold or not | Enable Threshold or not |
| Algorithm | Fixed | Fixed | Fixed | Fixed |
| Parameter | Only 1 is checked | Only 2 is checked | Only 1 is checked | Only 2 is checked |

Then add two IPv4 filters like this:

Auto Routing: Filter

| Filter | Local endpoint (Site A) | Local endpoint (Site A) | Remote endpoint (Site B) | Remote endpoint (Site B) |
|---|---|---|---|---|
| When | All-Time | All-Time | All-Time | All-Time |
| Input Port | Any Port | Any Port | Any Port | Any Port |
| Source | 10.10.10.10 or Localhost | 11.11.11.11 or Localhost | 20.20.20.20 or Localhost | 21.21.21.21 or Localhost |
| Destination | 20.20.20.20 | 21.21.21.21 | 10.10.10.10 | 11.11.11.11 |
| Service | Any or IKE(500) | Any or IKE(500) | Any or IKE(500) | Any or IKE(500) |
| Routing Policy | IPSec_WAN1 | IPSec_WAN2 | IPSec_WAN1 | IPSec_WAN2 |
| Fail-Over Policy | NO-ACTION | NO-ACTION | NO-ACTION | NO-ACTION |

Tunnel Routing itself takes responsibility for routing packets over multiple tunnels, so Auto Routing policies are not required for the IPSec communication packets themselves. For the details of Auto Routing, see “Auto Routing”. Because IKE negotiation packets are generated from FortiWAN’s localhost, the Source field of an AR filter must be configured to “Localhost” to match the negotiation traffic and direct it to the correct WAN link.

Define IPSec parameters

Next come the Phase 1 configurations for the two IPSec SAs in Transport mode. To associate an IPSec SA with a TR tunnel, make sure the Phase 1 configuration and the TR tunnel have the same Local IP and Remote IP.

Go to Services > IPSec

Add Phase 1 configurations for IPSec Transport mode SAs between site A’s WAN 1 (10.10.10.10) and site B’s WAN 1 (20.20.20.20), and between site A’s WAN 2 (11.11.11.11) and site B’s WAN 2 (21.21.21.21). The other parameters are not listed here.

| Phase 1 | Local endpoint (Site A) | Local endpoint (Site A) | Remote endpoint (Site B) | Remote endpoint (Site B) |
|---|---|---|---|---|
| Name | peers_AB_1 | peers_AB_2 | peers_BA_1 | peers_BA_2 |
| Local IP | 10.10.10.10 | 11.11.11.11 | 20.20.20.20 | 21.21.21.21 |
| Remote IP | 20.20.20.20 | 21.21.21.21 | 10.10.10.10 | 11.11.11.11 |

Next, configure the Phase 2 settings for each of the four Phase 1 configurations above. Phase 2 in Transport mode does not require a Quick Mode selector; only a name and an IKE proposal are required. For the details of IPSec configuration, see “IPSec VPN in the Web UI”.

Define Tunnel Routing policies for IPSec communications

Tunnel Routing controls the routing of the communication packets between the networks behind the two FortiWAN units. You need the configurations that set up the two TR tunnels, and the policies that route GRE packets over the TR tunnels.

To establish the TR tunnels, go to Service > Tunnel Routing and add a new Tunnel Group with two Group Tunnels and an appropriate balancing algorithm:

| Tunnel Group | Local endpoint (Site A) | Remote endpoint (Site B) |
|---|---|---|
| Name | Tunnel_Group_AB | Tunnel_Group_BA |
| Algorithm | Round-Robin (for example) | Round-Robin (for example) |
| Group Tunnel 1 | | |
| E (Enable) | Checked | Checked |
| Local IP | 10.10.10.10 | 20.20.20.20 |
| Remote IP | 20.20.20.20 | 10.10.10.10 |
| Weight | 1 (for example) | 1 (for example) |
| Group Tunnel 2 | | |
| E (Enable) | Checked | Checked |
| Local IP | 11.11.11.11 | 21.21.21.21 |
| Remote IP | 21.21.21.21 | 11.11.11.11 |
| Weight | 1 (for example) | 1 (for example) |

Next, add a new rule under Routing Rules, like this:

| Routing Rule | Local endpoint (Site A) | Remote endpoint (Site B) |
|---|---|---|
| Source | 192.168.10.0/255.255.255.0 | 192.168.100.0/255.255.255.0 |
| Destination | 192.168.100.0/255.255.255.0 | 192.168.10.0/255.255.255.0 |
| Service | Any | Any |
| Group | Tunnel_Group_AB | Tunnel_Group_BA |
| Fail-Over | NO-ACTION | NO-ACTION |

A packet matching the rule is delivered to the appropriate tunnel according to the Tunnel Routing algorithm (in other words, a packet matching the rule is GRE-encapsulated and delivered to the appropriate WAN port). The IPSec SAs established on the tunnels protect the confidentiality of transmission on the tunnels by encrypting the packets before they are sent out.

The pair of Local IP and Remote IP is what associates a GRE tunnel with an IPSec Transport mode SA, so make sure the two configurations agree on these values. Do not configure a Tunnel mode Phase 1 with the Local IP and Remote IP of a TR tunnel together with a Phase 2 Quick Mode selector equal to a TR routing rule, or Tunnel Routing will fail.

For the details of Tunnel Routing, see “Tunnel Routing”.
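A consistency check over the configuration tables on this page, written here as an added example (not FortiWAN code): it verifies that each TR tunnel has a Transport mode Phase 1 on the same Local IP / Remote IP pair, that an Auto Routing filter with Source Localhost steers its IKE negotiation, and that the remote unit holds the mirror image. The dictionary field names are this script's own assumptions.

```python
# Consistency check for the design above: each TR tunnel needs a Transport mode
# Phase 1 on the same Local IP / Remote IP pair, an Auto Routing filter steering
# its IKE negotiation (Localhost -> remote WAN IP, IKE(500)), and a mirror image
# on the remote unit. Added example, not FortiWAN code; data is from the tables.

def peer(local_ip, remote_ip, name, mode="transport"):
    """One Phase 1 configuration (field names are this script's own)."""
    return {"name": name, "mode": mode, "local_ip": local_ip, "remote_ip": remote_ip}

def ike_filter(destination, source="Localhost", service="IKE(500)"):
    """One Auto Routing filter for IKE negotiation packets."""
    return {"source": source, "destination": destination, "service": service}

# Site A: WAN1 10.10.10.10, WAN2 11.11.11.11; Site B: WAN1 20.20.20.20, WAN2 21.21.21.21
SITE_A = {
    "phase1": [peer("10.10.10.10", "20.20.20.20", "peers_AB_1"), peer("11.11.11.11", "21.21.21.21", "peers_AB_2")],
    "tunnels": [("10.10.10.10", "20.20.20.20"), ("11.11.11.11", "21.21.21.21")],
    "ar_filters": [ike_filter("20.20.20.20"), ike_filter("21.21.21.21")],
}
SITE_B = {
    "phase1": [peer("20.20.20.20", "10.10.10.10", "peers_BA_1"), peer("21.21.21.21", "11.11.11.11", "peers_BA_2")],
    "tunnels": [("20.20.20.20", "10.10.10.10"), ("21.21.21.21", "11.11.11.11")],
    "ar_filters": [ike_filter("10.10.10.10"), ike_filter("11.11.11.11")],
}

def check_site(cfg):
    """Return the problems found in one unit's configuration (empty list = consistent)."""
    problems = []
    by_pair = {(p["local_ip"], p["remote_ip"]): p for p in cfg["phase1"]}
    for local, remote in cfg["tunnels"]:
        p1 = by_pair.get((local, remote))
        if p1 is None:
            problems.append(f"tunnel {local}->{remote}: no Phase 1 on this Local/Remote IP pair")
        elif p1["mode"] != "transport":
            # A Tunnel mode Phase 1 on a TR tunnel's IP pair makes Tunnel Routing fail
            problems.append(f"tunnel {local}->{remote}: Phase 1 {p1['name']} is not Transport mode")
        # IKE packets originate on the unit itself, so Source is Localhost (or the WAN IP)
        steered = any(f["source"] in ("Localhost", local) and f["destination"] == remote
                      and f["service"] in ("Any", "IKE(500)") for f in cfg["ar_filters"])
        if not steered:
            problems.append(f"tunnel {local}->{remote}: no Auto Routing filter for its IKE negotiation")
    return problems

def check_peers(local_cfg, remote_cfg):
    """Return tunnel IP pairs that are not mirrored exactly on the remote unit."""
    mirrored = {(r, l) for l, r in local_cfg["tunnels"]}
    return sorted(mirrored ^ set(remote_cfg["tunnels"]))
```

Run `check_site` on each unit and `check_peers` across the pair before applying the settings; an empty list from all three calls means the tables agree on the IP pairs that tie each GRE tunnel to its Transport mode SA.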

Procedures to set up a Tunnel Routing over IPSec Transport mode

To set up Tunnel Routing over IPSec Transport mode, we suggest following these steps:

  1. Configure Network Settings on both units.
  2. Define correspondent Auto Routing policies on both units.
  3. Configure the settings of IPSec Transport mode Phase 1 and Phase 2 on both units.
  4. Define Tunnel Routing policies and routing rules on both units.

This entry was posted in Administration Guides, FortiWAN.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (a cybersecurity consulting firm).
