Policy-based IPsec tunnel

Policy-based IPsec tunnel

This recipe provides an example configuration of policy-based IPsec tunnel. Site-to-site VPN between branch and HQ is used and HQ is the IPsec concentrator.

The following shows the network topology for this example:

To configure a policy-based IPsec tunnel using the GUI:

  1. Configure the IPsec VPN at HQ:
    1. Go to VPN > IPsec Wizard, enter a VPN name (to_branch1 in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway. l Enter IP address, in this example, 1.1.2. l Choose port9 as interface. l In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
    2. Go to VPN > IPsec Wizard, enter a VPN name (to_branch2 in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway. l Enter IP address, in this example, 1.1.2. l Choose port9 as interface. l In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
    3. Configure the IPsec concentrator at HQ:
      1. Go to VPN > IPsec Concentrator, enter a name, in this example, branch.
      2. Add to_branch1 and to_branch2 as Members.
      3. Click OK.
    4. Configure the firewall policy:
      1. Choose the Incoming Interface, in this example, port10.
      2. Choose the Outgoing Interface, in this example, port9.
      3. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
      4. Select the VPN Tunnel, in this example, Branch1/Branch2.
      5. In this example, turn on Allow traffic to be initiated from the remote site.
      6. Click OK.
    5. Configure IPsec VPN at branch 1:
      1. Go to VPN > IPsec Wizard, enter a VPN name, (to_HQ in this example) choose Custom and then click Next.
        • Uncheck Enable IPsec Interface Mode.
        • Choose Static IP Address as Remote Gateway. l Enter IP address, in this example, 1.1.1. l Choose wan1 as interface. l In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
        • Click OK.
      2. Configure the firewall policy:
        1. Choose the Incoming Interface, in this example, internal.
        2. Choose the Outgoing Interface, in this example, wan1.
        3. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
        4. Select the VPN Tunnel, in this example, to_HQ.
        5. In this example, turn on Allow traffic to be initiated from the remote site.
        6. Click OK.
      3. Configure IPsec VPN at branch 2:
        1. Go to VPN > IPsec Wizard, enter a VPN name, (to_HQ in this example) choose Custom and then click Next.
          • Uncheck Enable IPsec Interface Mode.
          • Choose Static IP Address as Remote Gateway. l Enter IP address, in this example, 1.1.1. l Choose wan1 as interface.
          • In this example, set Authentication Method to Pre-shared Key and the Pre-shared Key is sample. In other cases, use the default.
          • Click OK.
        2. Configure the firewall policy:
          1. Choose the Incoming Interface, in this example, internal.
          2. Choose the Outgoing Interface, in this example, wan1.
          3. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
          4. Select the VPN Tunnel, in this example, to_HQ.
          5. In this example, turn on Allow traffic to be initiated from the remote site.
          6. Click OK.

To configure a policy-based IPsec tunnel using the CLI:

  1. Configure the HQ WAN interface and static route:

config system interface edit “port9” set alias “WAN” set ip 22.1.1.1 255.255.255.0 next

edit “port10” set alias “Internal” set ip 172.16.101.1 255.255.255.0

next

end

config router static edit 1 set gateway 22.1.1.2 set device “port9”

next

end

  1. Configure the HQ IPsec phase1 and phase2:

config vpn ipsec phase1 edit “to_branch1” set interface “port9” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 15.1.1.2 set psksecret sample

next

edit “to_branch2” set interface “port9” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 13.1.1.2 set psksecret sample

next

end

config vpn ipsec phase2 edit “to_branch1” set phase1name “to_branch1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next edit “to_branch2” set phase1name “to_branch2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

  1. Configure the HQ firewall policy:

config firewall policy edit 1 set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “10.1.100.0” set action ipsec set schedule “always” set service “ALL” set inbound enable set vpntunnel “to_branch1” next

edit 2

set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “192.168.4.0” set action ipsec set schedule “always” set service “ALL” set inbound enable set vpntunnel “to_branch2”

next

end

  1. Configure the HQ concentrator:

config vpn ipsec concentrator

edit “branch”

set member “to_branch1” “to_branch2”

next

end

  1. Configure the branch WAN interface and static route:
  2. Branch1:

config system interface

edit “wan1”

set alias “primary_WAN” set ip 15.1.1.2 255.255.255.0

next edit “internal”

set ip 10.1.100.1 255.255.255.0

next

end config router static

edit 1

set gateway 15.1.1.1 set device “wan1”

next

end

  1. Branch2:

config system interface

edit “wan1”

set alias “primary_WAN” set ip 13.1.1.2 255.255.255.0

next edit “internal”

set ip 192.168.4.1 255.255.255.0

next

end config router static

edit 1

set gateway 13.1.1.1 set device “wan1”

next end

  1. Configure the branch IPsec phase1 and phase2:
  2. Branch1:

config vpn ipsec phase1 edit “to_HQ” set interface “wan1” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 22.1.1.1 set psksecret sample

next

end

config vpn ipsec phase2 edit “to_HQ” set phase1name “to_HQ”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

  1. Branch2:

config vpn ipsec phase1 edit “to_HQ” set interface “wan1” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 22.1.1.1 set psksecret sample

next

end

config vpn ipsec phase2 edit “to_HQ” set phase1name “to_HQ”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

  1. Configure the branch firewall policy:
    1. Branch1:

config firewall policy edit 1 set srcintf “internal” set dstintf “wan1” set srcaddr “10.1.100.0” set dstaddr “all” set action ipsec set schedule “always” set service “ALL” set inbound enable set vpntunnel “to_HQ”

next end

  1. Branch2:

config firewall policy edit 1 set srcintf “internal” set dstintf “wan1” set srcaddr “192.168.4.0” set dstaddr “all” set action ipsec set schedule “always” set service “ALL” set inbound enable set vpntunnel “to_HQ”

next

end

  1. Optionally, view the IPsec VPN tunnel list at HQ with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0

bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0 stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42604/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000680 itn=0

life: type=01 bytes=0/0 timeout=42932/43200

dec: spi=ca646442 esp=aes key=16 58c91d4463968dddccc4fd97de90a4b8 ah=sha1 key=20 c9176fe2fbc82ef7e726be9ad4af83eb1b55580a

enc: spi=747c10c4 esp=aes key=16 7cf0f75b784f697bc7f6d8b4bb8a83c1 ah=sha1 key=20 cdddc376a86f5ca0149346604a59af07a33b11c5

dec:pkts/bytes=1664/16310, enc:pkts/bytes=0/16354

npu_flag=03 npu_rgwy=15.1.1.2 npu_lgwy=22.1.1.1 npu_selid=3 dec_npuid=2 enc_npuid=2

—-

name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0

bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=7 ilast=2 olast=43228 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=10226 type=00 soft=0 mtu=1280 expire=40489/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0

life: type=01 bytes=0/0 timeout=42931/43200

dec: spi=ca646441 esp=aes key=16 57ab680d29d4aad4e373579fb50e9909 ah=sha1 key=20 12a2bc703d2615d917ff544eaff75a6d2c17f1fe

enc: spi=f9cffb61 esp=aes key=16 3d64da9feb893874e007babce0229259 ah=sha1 key=20 f92a3ad5e56cb8e89c47af4dac10bf4b4bebff16

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

npu_flag=00 npu_rgwy=13.1.1.2 npu_lgwy=22.1.1.1 npu_selid=4 dec_npuid=0 enc_npuid=0

  1. Optionally, view the IPsec VPN concentrator at HQ with the diagnose vpn concentrator list command:

list all ipsec concentrator in vd 0

name=branch              ref=3          tuns=2 flags=0

 

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “Policy-based IPsec tunnel

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.