Category Archives: Administration Guides

ADVPN with BGP as the routing protocol

ADVPN with BGP as the routing protocol

This recipe provides a sample configuration of ADVPN with BGP as the routing protocol. The following options must be set for this configuration:

- On the hub FortiGate, the IPsec phase1-interface must have net-device disable.
- IBGP must be used between the hub and spoke FortiGates (the same AS number on every device).
- BGP neighbor-group and neighbor-range must be used on the hub, so that spokes can peer from any address in the tunnel subnet without a per-spoke neighbor entry.

The following shows the sample network topology for this recipe:

Because only part of this configuration can be completed in the GUI, use the CLI commands shown below.

To configure ADVPN with BGP as the routing protocol using the FortiOS CLI:

  1. Configure the hub FortiGate:
    a. In the FortiOS CLI, configure the hub FortiGate's WAN interface, internal interface, and static route:

config system interface
    edit "port9"
        set alias "WAN"
        set ip 22.1.1.1 255.255.255.0
    next
    edit "port10"
        set alias "Internal"
        set ip 172.16.101.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 22.1.1.2
        set device "port9"
    next
end

    b. Configure the hub FortiGate's IPsec phase1-interface and phase2-interface:

config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "port9"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set tunnel-search nexthop
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "advpn-hub"
        set phase1name "advpn-hub"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    next
end

    c. Configure the hub FortiGate's firewall policies:

config firewall policy
    edit 1
        set name "spoke2hub"
        set srcintf "advpn-hub"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "spoke2spoke"
        set srcintf "advpn-hub"
        set dstintf "advpn-hub"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

    d. Configure the hub FortiGate's IPsec tunnel interface IP address. The interface name is the phase1-interface name, advpn-hub:

config system interface
    edit "advpn-hub"
        set ip 10.10.10.254 255.255.255.255
        set remote-ip 10.10.10.253 255.255.255.0
    next
end

    e. Configure the hub FortiGate's BGP:

config router bgp
    set as 65412
    config neighbor-group
        edit "advpn"
            set link-down-failover enable
            set remote-as 65412
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "advpn"
        next
    end
    config network
        edit 1
            set prefix 172.16.101.0 255.255.255.0
        next
    end
end

  2. Configure the spoke FortiGates:
    a. Configure the spoke FortiGates' WAN interfaces, internal interfaces, and static routes:
      i. Configure Spoke1:

config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 15.1.1.2 255.255.255.0
    next
    edit "wan2"
        set alias "secondary_WAN"
        set ip 12.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 10.1.100.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 12.1.1.1
        set device "wan2"
        set distance 15
    next
    edit 2
        set gateway 15.1.1.1
        set device "wan1"
    next
end

      ii. Configure Spoke2:

config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 13.1.1.2 255.255.255.0
    next
    edit "wan2"
        set alias "secondary_WAN"
        set ip 17.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 192.168.4.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 17.1.1.1
        set device "wan2"
        set distance 15
    next
    edit 2
        set gateway 13.1.1.1
        set device "wan1"
    next
end

    b. Configure the spoke FortiGates' IPsec phase1-interface and phase2-interface:
      i. Configure Spoke1:

config vpn ipsec phase1-interface
    edit "spoke1"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
    edit "spoke1_backup"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set monitor "spoke1"
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke1"
        set phase1name "spoke1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "spoke1_backup"
        set phase1name "spoke1_backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

      ii. Configure Spoke2:

config vpn ipsec phase1-interface
    edit "spoke2"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
    edit "spoke2_backup"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set monitor "spoke2"
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke2"
        set phase1name "spoke2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "spoke2_backup"
        set phase1name "spoke2_backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

    c. Configure the spoke FortiGates' firewall policies:
      i. Configure Spoke1:

config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke1" "spoke1_backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke1" "spoke1_backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

      ii. Configure Spoke2:

config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke2" "spoke2_backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke2" "spoke2_backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

    d. Configure the spoke FortiGates' tunnel interface IP addresses:
      i. Configure Spoke1:

config system interface
    edit "spoke1"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
    edit "spoke1_backup"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end

      ii. Configure Spoke2:

config system interface
    edit "spoke2"
        set ip 10.10.10.3 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
    edit "spoke2_backup"
        set ip 10.10.10.4 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end

    e. Configure the spoke FortiGates' BGP:
      i. Configure Spoke1:

config router bgp
    set as 65412
    config neighbor
        edit "10.10.10.254"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
    config network
        edit 1
            set prefix 10.1.100.0 255.255.255.0
        next
    end
end

      ii. Configure Spoke2:

config router bgp
    set as 65412
    config neighbor
        edit "10.10.10.254"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
    config network
        edit 1
            set prefix 192.168.4.0 255.255.255.0
        next
    end
end
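The prerequisites stated at the top of this recipe (net-device disable and auto-discovery-sender on the hub, auto-discovery-receiver on the spokes, IBGP with a neighbor-group and neighbor-range on the hub) are easy to break when configs are pasted between devices. The following Python script is an added example, not FortiOS code and not part of the original recipe: it parses FortiOS-style config / edit / set / next / end text into nested dictionaries and checks those prerequisites, including that every spoke tunnel IP falls inside one of the hub's neighbor-range prefixes (otherwise the hub never accepts the BGP session). The embedded hub and spoke snippets are constructed, trimmed copies of the configuration above.

```python
"""Added example (not FortiOS code, not part of the recipe): parse FortiOS CLI
`config / edit / set / next / end` text and lint it against the ADVPN-with-BGP
prerequisites. Sample configs are trimmed copies of this recipe's."""
import ipaddress
import shlex


def parse_fortios(text):
    """Nested dicts: tables and entries become dicts, `set` values become lists."""
    root = {}
    stack = [root]                        # innermost open table/entry is stack[-1]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kw, _, rest = line.partition(" ")
        if kw == "config":
            stack.append(stack[-1].setdefault(rest, {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif kw == "set":
            name, _, vals = rest.partition(" ")
            stack[-1][name] = shlex.split(vals)   # handles quoted multi-value settings
        elif kw in ("next", "end"):
            stack.pop()
    return root


def check_advpn(hub, spokes):
    """Return a list of findings; an empty list means the prerequisites hold."""
    out = []
    for name, t in hub.get("vpn ipsec phase1-interface", {}).items():
        if t.get("type") != ["dynamic"]:
            continue                                  # only the hub's dialup tunnel matters
        if t.get("net-device") != ["disable"]:
            out.append(f"hub {name}: net-device must be disable")
        if t.get("auto-discovery-sender") != ["enable"]:
            out.append(f"hub {name}: auto-discovery-sender must be enable")
    bgp = hub.get("router bgp", {})
    hub_as = bgp.get("as", [None])[0]
    groups, ranges = bgp.get("neighbor-group", {}), bgp.get("neighbor-range", {})
    if not groups or not ranges:
        out.append("hub bgp: neighbor-group and neighbor-range are both required")
    for gname, g in groups.items():
        if g.get("remote-as") != [hub_as]:
            out.append(f"hub neighbor-group {gname}: remote-as must equal the local AS (IBGP)")
    nets = [ipaddress.ip_network(f"{r['prefix'][0]}/{r['prefix'][1]}") for r in ranges.values()]
    for sname, cfg in spokes.items():
        for tname, t in cfg.get("vpn ipsec phase1-interface", {}).items():
            if t.get("auto-discovery-receiver") != ["enable"]:
                out.append(f"{sname} {tname}: auto-discovery-receiver must be enable")
        spoke_as = cfg.get("router bgp", {}).get("as", [None])[0]
        if spoke_as != hub_as:
            out.append(f"{sname} bgp: AS {spoke_as} differs from hub AS {hub_as} (IBGP required)")
        for iname, i in cfg.get("system interface", {}).items():
            if "remote-ip" in i:                      # tunnel interfaces carry a remote-ip
                ip = ipaddress.ip_address(i["ip"][0])
                if not any(ip in n for n in nets):
                    out.append(f"{sname} {iname}: tunnel IP {ip} is outside every hub neighbor-range")
    return out


# Constructed, trimmed copies of the hub and Spoke1 configuration in this recipe.
HUB_CFG = """
config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "port9"
        set net-device disable
        set auto-discovery-sender enable
        set psksecret sample
    next
end
config router bgp
    set as 65412
    config neighbor-group
        edit "advpn"
            set remote-as 65412
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "advpn"
        next
    end
end
"""
SPOKE1_CFG = """
config vpn ipsec phase1-interface
    edit "spoke1"
        set interface "wan1"
        set net-device enable
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set psksecret sample
    next
end
config system interface
    edit "spoke1"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end
config router bgp
    set as 65412
    config neighbor
        edit "10.10.10.254"
            set remote-as 65412
        next
    end
end
"""

if __name__ == "__main__":
    print(check_advpn(parse_fortios(HUB_CFG), {"spoke1": parse_fortios(SPOKE1_CFG)}) or "ADVPN prerequisites OK")
```

Run it against a hub export with `net-device enable`, or a spoke whose tunnel IP was moved out of 10.10.10.0/24, and the corresponding finding is printed; the same checker can be fed `show vpn ipsec phase1-interface` and `show router bgp` output captured from real devices, since that output uses the same block syntax.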

  3. Run diagnose and get commands to check the VPN and BGP states. Run all of the following commands on Spoke1:
    a. Run the diagnose vpn tunnel list command. The system should return the following:

list all ipsec tunnel in vd 0

—-

name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0

bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=19 ilast=1 olast=1 ad=r/2 stat: rxp=1 txp=160 rxb=16428 txb=8969

dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=628 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=spoke1 proto=0 sa=1 ref=6 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=1225/0B replaywin=1024 seqno=a1 esn=0 replaywin_lastseq=00000002 itn=0

life: type=01 bytes=0/0 timeout=2369/2400

dec: spi=c53a8f5b esp=aes key=16 cbe88682ad896a69290027b6dd8f7162 ah=sha1 key=20 7bb704b388f83783ac76c2ab0b6c9f7dcf78e93b

enc: spi=6e3633fc esp=aes key=16 1a0da3f4deed3d16becc9dda57537355 ah=sha1 key=20 368544044bd9b82592d72476ff93d5055056da8d

dec:pkts/bytes=1/16364, enc:pkts/bytes=160/19168

npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1

—-

name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0

bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=11 ilast=0 olast=0 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

    b. Run the get router info bgp summary command. The system should return the following:

BGP router identifier 7.7.7.7, local AS number 65412
BGP table version is 2
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V    AS  MsgRcvd  MsgSent  TblVer  InQ  OutQ  Up/Down   State/PfxRcd
10.10.10.254    4 65412      143      142       1    1     1  00:24:45             2

Total number of neighbors 1

    c. Run the get router info routing-table bgp command. The system should return the following:

Routing table for VRF=0
B       172.16.101.0/24 [200/0] via 10.10.10.254, spoke1, 00:23:57
B       192.168.4.0/24 [200/0] via 10.10.10.254, spoke1, 00:22:03

    d. Generate traffic between the spokes, then check the shortcut tunnel and routing table. Run the diagnose vpn tunnel list command. The system should return the following (spoke1_0 is the new shortcut to Spoke2, with parent=spoke1 and mode=dial_inst):

list all ipsec tunnel in vd 0

—-

name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0

bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=19 ilast=2 olast=2 ad=r/2 stat: rxp=1 txp=268 rxb=16428 txb=31243

dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=714 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=spoke1 proto=0 sa=1 ref=6 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=345/0B replaywin=1024 seqno=10d esn=0 replaywin_lastseq=00000002 itn=0

life: type=01 bytes=0/0 timeout=2369/2400

dec: spi=c53a8f5b esp=aes key=16 cbe88682ad896a69290027b6dd8f7162 ah=sha1 key=20 7bb704b388f83783ac76c2ab0b6c9f7dcf78e93b

enc: spi=6e3633fc esp=aes key=16 1a0da3f4deed3d16becc9dda57537355 ah=sha1 key=20 368544044bd9b82592d72476ff93d5055056da8d

dec:pkts/bytes=1/16364, enc:pkts/bytes=268/48320

npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1

—-

name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0

bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

—-

name=spoke1_0 ver=1 serial=9 15.1.1.2:4500->13.1.1.2:4500

bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1

parent=spoke1 index=0 proxyid_num=1 child_num=0 refcnt=17 ilast=4 olast=4 ad=r/2 stat: rxp=1 txp=100 rxb=112 txb=4686 dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=231 natt: mode=keepalive draft=32 interval=10 remote_port=4500 proxyid=spoke1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=1a227 type=00 soft=0 mtu=1422 expire=447/0B replaywin=1024 seqno=65 esn=0 replaywin_lastseq=00000002 itn=0

life: type=01 bytes=0/0 timeout=2368/2400

dec: spi=c53a8f5c esp=aes key=16 73fd9869547475db78851e6c057ad9b7 ah=sha1 key=20 6ad3a5b1028f6b33c82ba494a370f13c7f462635

enc: spi=79cb0f2b esp=aes key=16 52ab0acdc830d58c00e5956a6484654a ah=sha1 key=20 baa82aba4106dc60618f6fe95570728656799239

dec:pkts/bytes=1/46, enc:pkts/bytes=100/11568

npu_flag=03 npu_rgwy=13.1.1.2 npu_lgwy=15.1.1.2 npu_selid=5 dec_npuid=1 enc_npuid=1

    e. Run the get router info routing-table bgp command again. The system should return the following:

Routing table for VRF=0
B       172.16.101.0/24 [200/0] via 10.10.10.254, spoke1, 00:23:57
B       192.168.4.0/24 [200/0] via 10.10.10.3, spoke1_0, 00:22:03

The route to Spoke2's network (192.168.4.0/24) now points at the spoke1_0 shortcut with Spoke2's tunnel address 10.10.10.3 as next hop, instead of via the hub at 10.10.10.254.
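Reading diagnose vpn tunnel list by eye does not scale once there are many spokes. The following Python script is an added example (not part of the recipe and not a Fortinet tool): it parses the tunnel list and the get router info routing-table bgp output shown above, classifies each tunnel as a static parent, an idle standby (sa=0, like spoke1_backup), or an ADVPN shortcut (mode=dial_inst with a parent), and confirms that the spoke prefix is routed over an established shortcut rather than via the hub. The sample outputs are constructed from the Spoke1 output above, trimmed to the fields the parser reads.

```python
"""Added example (not FortiOS code): parse `diagnose vpn tunnel list` and
`get router info routing-table bgp` output from a spoke and confirm that an
ADVPN shortcut is up and carrying the route to the other spoke."""
import re

HEADER_RE = re.compile(
    r"^name=(?P<name>\S+) ver=(?P<ver>\d+) serial=(?P<serial>\d+) "
    r"(?P<lgwy>[\d.]+):(?P<lport>\d+)->(?P<rgwy>[\d.]+):(?P<rport>\d+)")
ROUTE_RE = re.compile(
    r"^B\s+(?P<prefix>\S+)\s+\[\d+/\d+\]\s+via\s+(?P<nexthop>[\d.]+),\s*(?P<iface>\S+?)\s*,", re.M)


def _grab(pattern, chunk, default=None):
    m = re.search(pattern, chunk)
    return m.group(1) if m else default


def parse_tunnel_list(text):
    """Return one dict per tunnel record; every record starts with a `name=` line."""
    tunnels = []
    for chunk in re.split(r"(?m)^(?=name=)", text):
        m = HEADER_RE.match(chunk)
        if not m:
            continue                                   # banner or separator text
        t = m.groupdict()
        t["mode"] = _grab(r"\btun=intf/\d+ mode=(\w+)/", chunk)   # auto | dialup | dial_inst
        t["parent"] = _grab(r"\bparent=(\S+)", chunk)              # only dial_inst children have one
        t["sa"] = int(_grab(r"\bsa=(\d+)", chunk, "0"))            # installed IPsec SAs
        t["natt"] = _grab(r"natt: mode=(\S+)", chunk)              # none | keepalive | ...
        t["accept_traffic"] = _grab(r"accept_traffic=(\d)", chunk) == "1"
        if t["mode"] == "dial_inst" and t["parent"]:
            t["kind"] = "shortcut"
        elif t["sa"] == 0:
            t["kind"] = "standby"          # e.g. a monitor/backup tunnel waiting for failover
        else:
            t["kind"] = "static"
        tunnels.append(t)
    return tunnels


def parse_bgp_routes(text):
    """Map prefix -> (next hop, interface) from `get router info routing-table bgp`."""
    return {m["prefix"]: (m["nexthop"], m["iface"]) for m in ROUTE_RE.finditer(text)}


def reaches_via_shortcut(tunnels, routes, prefix):
    """True when `prefix` exits through an established, traffic-accepting ADVPN shortcut."""
    hop = routes.get(prefix)
    if hop is None:
        return False
    t = next((x for x in tunnels if x["name"] == hop[1]), None)
    return bool(t and t["kind"] == "shortcut" and t["sa"] > 0 and t["accept_traffic"])


# Constructed samples, trimmed from the Spoke1 output in this recipe.
TUNNELS_AFTER = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=1 refcnt=19 ilast=2 olast=2 ad=r/2
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=714 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1 proto=0 sa=1 ref=6 serial=1 auto-negotiate adr
------------------------------------------------------
name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0
dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
------------------------------------------------------
name=spoke1_0 ver=1 serial=9 15.1.1.2:4500->13.1.1.2:4500
bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1
parent=spoke1 index=0 proxyid_num=1 child_num=0 refcnt=17 ilast=4 olast=4 ad=r/2
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=231 natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=spoke1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
"""
ROUTES_BEFORE = """\
Routing table for VRF=0
B       172.16.101.0/24 [200/0] via 10.10.10.254, spoke1, 00:23:57
B       192.168.4.0/24 [200/0] via 10.10.10.254, spoke1, 00:22:03
"""
ROUTES_AFTER = """\
Routing table for VRF=0
B       172.16.101.0/24 [200/0] via 10.10.10.254, spoke1, 00:23:57
B       192.168.4.0/24 [200/0] via 10.10.10.3, spoke1_0 , 00:22:03
"""

if __name__ == "__main__":
    tunnels = parse_tunnel_list(TUNNELS_AFTER)
    for t in tunnels:
        print(f"{t['name']:<14} {t['kind']:<9} -> {t['rgwy']}:{t['rport']} sa={t['sa']} natt={t['natt']}")
    print("192.168.4.0/24 via shortcut:", reaches_via_shortcut(tunnels, parse_bgp_routes(ROUTES_AFTER), "192.168.4.0/24"))
```

The shortcut record also shows the NAT-T state (natt: mode=keepalive, port 4500) that a spoke behind NAT negotiates directly with the other spoke, which is worth checking when a shortcut comes up but no traffic flows over it.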

Dialup VPN Options

Dialup VPN

FortiGate as dialup client

This recipe provides sample configuration of dialup IPsec VPN and the dialup client. In this example, a branch office FortiGate connects via dialup IPsec VPN to the HQ FortiGate.

The following shows the sample network topology for this recipe:

You can configure dialup IPsec VPN with FortiGate as the dialup client using the FortiOS GUI or CLI.

To configure dialup IPsec VPN with FortiGate as the dialup client on the GUI:

  1. Configure the dialup VPN server (HQ) FortiGate:
    a. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      i. Enter a proper VPN name.
      ii. For Template Type, choose Site to Site.
      iii. For Remote Device Type, select FortiGate.
      iv. For NAT Configuration, select The remote site is behind NAT.
      v. Click Next.
    b. Configure the following settings for Authentication:
      i. For Incoming Interface, select the proper incoming interface.
      ii. For Authentication Method, select Pre-shared Key. In the Pre-shared Key field, enter your-psk as the key.
      iii. Click Next.
    c. Configure the following settings for Policy & Routing:
      i. From the Local Interface dropdown menu, select the proper local interface.
      ii. Configure the Local Subnets as 10.1.100.0/24.
      iii. Configure the Remote Subnets as 172.16.101.0/24.
      iv. Click Create.
  2. Configure the dialup VPN client (branch office) FortiGate:
    a. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      i. Enter a proper VPN name.
      ii. For Template Type, choose Site to Site.
      iii. For Remote Device Type, select FortiGate.
      iv. For NAT Configuration, select This site is behind NAT.
      v. Click Next.
    b. Configure the following settings for Authentication:
      i. For IP Address, enter 11.101.1.1 (the HQ WAN address).
      ii. For Outgoing Interface, enter port13.
      iii. For Authentication Method, select Pre-shared Key.
      iv. In the Pre-shared Key field, enter your-psk as the key.
      v. Click Next.
    c. Configure the following settings for Policy & Routing:
      i. From the Local Interface dropdown menu, select the proper local interface. In this example, it is port9.
      ii. Configure the Local Subnets as 172.16.101.0/24.
      iii. Configure the Remote Subnets as 10.1.100.0/24.
      iv. Click Create.

To configure dialup IPsec VPN with FortiGate as the dialup client using the CLI:

  1. In the FortiOS CLI, configure the user, user group, and firewall address by running the following commands. Only the HQ dialup server FortiGate needs this configuration. The address is an IP pool from which the dialup client FortiGate is assigned a tunnel address:

config user local
    edit "vpnuser1"
        set type password
        set passwd your-password
    next
end
config user group
    edit "vpngroup"
        set member "vpnuser1"
    next
end
config firewall address
    edit "client_range"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.200
    next
end

  2. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.
    a. Configure the HQ FortiGate:

config system interface
    edit "wan1"
        set vdom "root"
        set ip 11.101.1.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 11.101.1.2
        set device "wan1"
    next
end

    b. Configure the branch office FortiGate:

config system interface
    edit "port13"
        set vdom "root"
        set ip 173.1.1.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 173.1.1.2
        set device "port13"
    next
end

  3. Configure the internal interface and protected subnet. The internal interface connects to the internal network. Traffic from this interface is routed out the IPsec VPN tunnel.
    a. Configure the HQ FortiGate:

config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.1.100.1 255.255.255.0
    next
end
config firewall address
    edit "10.1.100.0"
        set subnet 10.1.100.0 255.255.255.0
    next
end

    b. Configure the branch office FortiGate:

config system interface
    edit "port9"
        set vdom "root"
        set ip 172.16.101.1 255.255.255.0
    next
end
config firewall address
    edit "172.16.101.0"
        set subnet 172.16.101.0 255.255.255.0
    next
end

  4. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method; signature (certificate) authentication is also an option. The XAuth credentials on the branch office must match the local user created on the HQ FortiGate in step 1.
    a. Configure the HQ FortiGate:

config vpn ipsec phase1-interface
    edit "for_Branch"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "vpngroup"
        set net-device enable
        set assign-ip-from name
        set dns-mode auto
        set ipv4-split-include "10.1.100.0"
        set ipv4-name "client_range"
        set save-password enable
        set psksecret sample
        set dpd-retryinterval 60
    next
end

    b. Configure the branch office FortiGate:

config vpn ipsec phase1-interface
    edit "to_HQ"
        set interface "port13"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set xauthtype client
        set authusr "vpnuser1"
        set authpasswd your-password
        set remote-gw 11.101.1.1
        set psksecret sample
    next
end

  5. Configure the IPsec phase2-interface:
    a. Configure the HQ FortiGate:

config vpn ipsec phase2-interface
    edit "for_Branch_p2"
        set phase1name "for_Branch"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

    b. Configure the branch office FortiGate:

config vpn ipsec phase2-interface
    edit "to_HQ_p2"
        set phase1name "to_HQ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
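Several phase1 settings in these recipes are functional defaults rather than hardened choices: the proposal lists still offer SHA-1 (and, on the ADVPN hub earlier on this page, 3DES), the dialup tunnels use IKEv1 aggressive mode with a pre-shared key (aggressive mode sends a PSK-derived hash in the clear, so a captured exchange can be brute-forced offline), peertype any means any peer holding the PSK is accepted unless XAuth or a peer ID narrows it, and save-password enable lets the client store the XAuth password. The following Python audit is an added example, not Fortinet guidance and not part of the recipe. It takes phase1 settings already extracted into a dict (the two sample dicts are built from the for_Branch and advpn-hub tunnels on this page) and reports findings by severity. The hardened dict at the end is this example's own illustration of stricter settings (IKEv2, AEAD/SHA-256 proposals, a pinned peer ID, a long random PSK); its proposal names are assumed to match FortiOS phase1 syntax and it is not a Fortinet-prescribed configuration.

```python
"""Added example (not Fortinet guidance or FortiOS code): audit IPsec
phase1-interface settings for the weak choices discussed in the text.
Input is a dict of setting -> value (lists for multi-value settings)."""
WEAK_CIPHERS = {"des", "3des"}        # 64-bit block ciphers
LEGACY_HASHES = {"md5", "sha1"}       # still present in FortiOS default proposal lists
PLACEHOLDER_PSKS = {"sample", "your-psk", "psk", "fortinet", "password"}


def audit_phase1(name, cfg):
    """Return (tunnel, severity, message) tuples; severity is high, medium or low."""
    findings = []
    for prop in cfg.get("proposal", []):
        enc, _, mac = prop.partition("-")            # e.g. "aes128-sha1" -> ("aes128", "sha1")
        if enc in WEAK_CIPHERS:
            findings.append((name, "high", f"proposal {prop}: {enc} is a 64-bit block cipher, remove it"))
        elif mac in LEGACY_HASHES:
            findings.append((name, "low", f"proposal {prop}: {mac} is legacy, prefer sha256 or an AEAD proposal"))
    psk = cfg.get("psksecret")
    # IKEv1 aggressive mode + PSK: the responder's hash over the PSK-derived key goes out
    # unencrypted, so anyone who captured the exchange can guess the PSK offline.
    if cfg.get("ike-version", "1") == "1" and cfg.get("mode") == "aggressive" and psk:
        findings.append((name, "high", "IKEv1 aggressive mode with a PSK exposes a PSK-derived hash to offline guessing; use main mode, IKEv2 or certificates"))
    if psk and psk.lower() in PLACEHOLDER_PSKS:
        findings.append((name, "medium", "psksecret looks like a placeholder; use a long random secret"))
    # With peertype any, identity rests on the PSK alone unless XAuth or a peer ID narrows it.
    narrowed = (cfg.get("peertype", "any") != "any" or "authusrgrp" in cfg
                or cfg.get("xauthtype") not in (None, "disable"))
    if psk and not narrowed:
        findings.append((name, "medium", "peertype any with only a PSK: every holder of the PSK is accepted; add XAuth, a peer ID or certificates"))
    if cfg.get("save-password") == "enable":
        findings.append((name, "low", "save-password enable lets clients store the XAuth password"))
    return findings


# Settings copied from this page's HQ dialup server and ADVPN hub tunnels.
FOR_BRANCH = {"type": "dynamic", "mode": "aggressive", "peertype": "any", "mode-cfg": "enable",
              "proposal": ["aes128-sha256", "aes256-sha256", "aes128-sha1", "aes256-sha1"],
              "xauthtype": "auto", "authusrgrp": "vpngroup", "save-password": "enable",
              "psksecret": "sample"}
ADVPN_HUB = {"type": "dynamic", "peertype": "any", "net-device": "disable",
             "proposal": ["aes128-sha256", "aes256-sha256", "3des-sha256",
                          "aes128-sha1", "aes256-sha1", "3des-sha1"],
             "psksecret": "sample"}
# This example's own stricter variant (assumed FortiOS proposal names, not a Fortinet recommendation).
HARDENED = {"type": "dynamic", "ike-version": "2", "peertype": "one", "peerid": "branch-fgt",
            "proposal": ["aes256gcm-prfsha384", "aes256-sha256"],
            "psksecret": "rM7x!kQ2pZ9vL4wT8bN1cH6yU3sE5gD0"}

if __name__ == "__main__":
    for tunnel, cfg in (("for_Branch", FOR_BRANCH), ("advpn-hub", ADVPN_HUB), ("hardened", HARDENED)):
        for _, sev, msg in audit_phase1(tunnel, cfg) or [(tunnel, "ok", "no findings")]:
            print(f"{tunnel:<11} {sev:<7} {msg}")
```

The ordering of a proposal list also matters in practice: the responder accepts the first proposal it has in common with the initiator, so leaving 3DES or SHA-1 anywhere in the list lets a peer (or an attacker who controls the peer's offer) select it.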

  6. Configure the static routes on the branch office FortiGate. The blackhole route is important: it ensures that traffic for the HQ subnet does not match the default route, and so does not leave the WAN interface unencrypted, when the IPsec tunnel is down:

config router static
    edit 2
        set dst 10.1.100.0 255.255.255.0
        set device "to_HQ"
    next
    edit 3
        set dst 10.1.100.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
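The blackhole route above prevents a silent failure: when the to_HQ interface is down its route is withdrawn, and without a more specific route the HQ subnet would match the default route and leave port13 in cleartext. The following Python snippet is an added example, not FortiOS code: a minimal longest-prefix-match plus administrative-distance resolver over the branch office's three static routes, showing which route wins with the tunnel up, with the tunnel down and the blackhole present, and with the tunnel down and the blackhole missing. The default distance of 10 for static routes is FortiOS's default; the route-selection model is simplified for illustration.

```python
"""Added example (not FortiOS code): a minimal longest-prefix-match and
administrative-distance resolver showing what the blackhole route does
when the IPsec interface is down."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: str            # destination prefix
    device: str         # egress interface, or "blackhole"
    distance: int = 10  # FortiOS default administrative distance for static routes


def resolve(routes, dst_ip, link_up):
    """Return the winning route for dst_ip, or None if nothing matches.

    A route whose interface is down is not installed (a tunnel interface with
    no SA behaves this way); blackhole routes are always installed. The longest
    prefix wins, then the lowest distance."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [
        r for r in routes
        if (r.device == "blackhole" or link_up.get(r.device, False))
        and ip in ipaddress.ip_network(r.dst)
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen, r.distance))


def egress(routes, dst_ip, link_up):
    """Interface a packet leaves on ('blackhole' means dropped, None means no route)."""
    r = resolve(routes, dst_ip, link_up)
    return r.device if r else None


# Branch office routes from this recipe: default via port13, the HQ subnet via the
# tunnel, and the distance-254 blackhole that only wins once the tunnel route is gone.
BRANCH_ROUTES = [
    Route("0.0.0.0/0", "port13"),
    Route("10.1.100.0/24", "to_HQ"),
    Route("10.1.100.0/24", "blackhole", 254),
]
# The same table without the blackhole, to show the leak.
WITHOUT_BLACKHOLE = [r for r in BRANCH_ROUTES if r.device != "blackhole"]

if __name__ == "__main__":
    for up in (True, False):
        links = {"port13": True, "to_HQ": up}
        print(f"tunnel {'up  ' if up else 'down'}: with blackhole -> {egress(BRANCH_ROUTES, '10.1.100.7', links)},"
              f" without -> {egress(WITHOUT_BLACKHOLE, '10.1.100.7', links)}")
```

With the tunnel down and no blackhole, the packet for 10.1.100.7 takes the default route out port13 in cleartext; with the blackhole it is dropped, and the moment the tunnel route returns (distance 10 beats 254 at the same prefix length) traffic flows through the tunnel again.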

  7. Configure the firewall policies to allow the branch office to HQ network flow over the IPsec tunnel. This configuration only supports traffic initiated from the branch office network towards the HQ network; traffic initiated from the HQ side towards the branch office is dropped.
    a. Configure the HQ FortiGate:

config firewall policy
    edit 1
        set name "inbound"
        set srcintf "for_Branch"
        set dstintf "dmz"
        set srcaddr "172.16.101.0"
        set dstaddr "10.1.100.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

    b. Configure the branch office FortiGate:

config firewall policy
    edit 1
        set name "outbound"
        set srcintf "port9"
        set dstintf "to_HQ"
        set srcaddr "172.16.101.0"
        set dstaddr "10.1.100.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

  8. Run diagnose commands. These diagnose commands are useful for checking the IPsec phase1/phase2 interface status. The diagnose debug application ike -1 command is the key to figuring out why an IPsec tunnel failed to establish.
    a. Run the diagnose vpn ike gateway list command on the HQ FortiGate. The system should return the following:

vd: root/0
name: for_Branch_0
version: 1
interface: wan1 5
addr: 11.101.1.1:500 -> 173.1.1.1:500
created: 1972s ago
xauth-user: vpnuser1
assigned IPv4 address: 10.10.10.1/255.255.255.252
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 184 5b1c59fab2029e43/bf517e686d3943d2
  direction: responder
  status: established 1972-1972s ago = 10ms
  proposal: aes128-sha256
  key: 8046488e92499247-fbbb4f6dfa4952d0
  lifetime/rekey: 86400/84157
  DPD sent/recv: 00000020/00000000

    b. Run the diagnose vpn tunnel list command on the HQ FortiGate. The system should return the following:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=for_Branch_0 ver=1 serial=9 11.101.1.1:0->173.1.1.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/208 options[00d0]=create_dev no-sysctl rgwy-chg
parent=for_Branch index=0
proxyid_num=1 child_num=0 refcnt=12 ilast=8 olast=8 ad=/0
stat: rxp=8 txp=8 rxb=1216 txb=672
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=31
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=for_Branch_p2 proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA: ref=3 options=226 type=00 soft=0 mtu=1438 expire=41297/0B replaywin=2048 seqno=9 esn=0 replaywin_lastseq=00000009 itn=0
  life: type=01 bytes=0/0 timeout=43190/43200
  dec: spi=747c10c6 esp=aes key=16 278c2430e09e74f1e229108f906603b0 ah=sha1 key=20 21dad76b008d1e8b8e53148a2fcbd013a277974a
  enc: spi=ca646448 esp=aes key=16 b7801d125804e3610a556da7caefd765 ah=sha1 key=20 a70164c3094327058bd84c1a0c954ca439709206
  dec:pkts/bytes=8/672, enc:pkts/bytes=8/1216
------------------------------------------------------
name=for_Branch ver=1 serial=6 11.101.1.1:0->0.0.0.0:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/16 options[0010]=create_dev
proxyid_num=0 child_num=1 refcnt=14 ilast=8523 olast=8523 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0

    c. Run the diagnose vpn ike gateway list command on the branch office FortiGate. The system should return the following:

vd: root/0
name: to_HQ
version: 1
interface: port13 42
addr: 173.1.1.1:500 -> 11.101.1.1:500
created: 2016s ago
assigned IPv4 address: 10.10.10.1/255.255.255.252
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 93 5b1c59fab2029e43/bf517e686d3943d2
  direction: initiator
  status: established 2016-2016s ago = 0ms
  proposal: aes128-sha256
  key: 8046488e92499247-fbbb4f6dfa4952d0
  lifetime/rekey: 86400/84083
  DPD sent/recv: 00000000/00000020

    d. Run the diagnose vpn tunnel list command on the branch office FortiGate. The system should return the following:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=13 ilast=18 olast=58 ad=/0
stat: rxp=1 txp=2 rxb=152 txb=168
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_HQ proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41015/0B replaywin=2048 seqno=3 esn=0 replaywin_lastseq=00000002 itn=0
  life: type=01 bytes=0/0 timeout=42898/43200
  dec: spi=ca646448 esp=aes key=16 b7801d125804e3610a556da7caefd765 ah=sha1 key=20 a70164c3094327058bd84c1a0c954ca439709206
  enc: spi=747c10c6 esp=aes key=16 278c2430e09e74f1e229108f906603b0 ah=sha1 key=20 21dad76b008d1e8b8e53148a2fcbd013a277974a
  dec:pkts/bytes=1/84, enc:pkts/bytes=2/304
  npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=5 dec_npuid=2 enc_npuid=2

Note that the SPIs and keys are mirrored between the two sides: the HQ dec SPI 747c10c6 is the branch enc SPI, and vice versa, which is a quick way to confirm both ends are looking at the same pair of IPsec SAs.

FortiClient as dialup client

This recipe provides sample configuration of dialup IPsec VPN with FortiClient as the dialup client.

The following shows the sample network topology for this recipe:

You can configure dialup IPsec VPN with FortiClient as the dialup client using the FortiOS GUI or CLI.

To configure IPsec VPN with FortiClient as the dialup client on the GUI:

  1. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Remote Access.
    3. For Remote Device Type, select Client-based > FortiClient.
    4. Click Next.
  2. Configure the following settings for Authentication:
    1. For Incoming Interface, select wan1.
    2. For Authentication Method, select Pre-shared Key.
    3. In the Pre-shared Key field, enter your-psk as the key.
    4. From the UserGroup dropdown list, select vpngroup.
    5. Click Next.
  3. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select lan.
    2. Configure the Local Address as local_network.
    3. Configure the Client Address Range as 10.10.2.1-10.10.2.200.
    4. Keep the default values for the Subnet Mask, DNS Server, Enable IPv4 Split tunnel, and Allow Endpoint Registration
    5. Click Create.

To configure IPsec VPN with FortiClient as the dialup client using the CLI:

  1. In the FortiOS CLI, configure the user and group by running the following commands:

config user local
    edit "vpnuser1"
        set type password
        set passwd your-password
    next
end
config user group
    edit "vpngroup"
        set member "vpnuser1"
    next
end

  2. Configure the internal interface. The LAN interface connects to the corporate internal network. Traffic from this interface is routed out the IPsec VPN tunnel. Creating an address group for the protected networks behind this FortiGate, and referencing it in the split-tunnel include list and firewall policy below, causes only traffic to these networks to go through the IPsec tunnel:

config system interface
    edit "lan"
        set vdom "root"
        set ip 10.10.111.1 255.255.255.0
    next
end
config firewall address
    edit "local_subnet_1"
        set subnet 10.10.111.0 255.255.255.0
    next
    edit "local_subnet_2"
        set subnet 10.10.112.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "local_network"
        set member "local_subnet_1" "local_subnet_2"
    next
end

  3. Configure the WAN interface. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

  4. Configure the client address pool. You must create a firewall address from which an IP address is assigned to each client:

config firewall address
    edit "client_range"
        set type iprange
        set comment "VPN client range"
        set start-ip 10.10.2.1
        set end-ip 10.10.2.200
    next
end

  5. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method; signature (certificate) authentication is also an option.

config vpn ipsec phase1-interface
    edit "for_client"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "vpngroup"
        set assign-ip-from name
        set ipv4-name "client_range"
        set dns-mode auto
        set ipv4-split-include "local_network"
        set save-password enable
        set psksecret your-psk
        set dpd-retryinterval 60
    next
end

  6. Configure the IPsec phase2-interface:

config vpn ipsec phase2-interface
    edit "for_client"
        set phase1name "for_client"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  7. Configure the firewall policy to allow client traffic to flow over the IPsec VPN tunnel. Restricting srcaddr to the client pool and dstaddr to the protected networks means an authenticated client can reach only the split-tunnel networks, not the rest of the LAN:

config firewall policy
    edit 1
        set name "inbound"
        set srcintf "for_client"
        set dstintf "lan"
        set srcaddr "client_range"
        set dstaddr "local_network"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

  8. Configure FortiClient. In this example, FortiClient (Windows) 6.0.3 build 0155 is used:
    a. In FortiClient, go to Remote Access and select Add a new connection.
    b. Set the Type to IPsec VPN and the Remote Gateway to the FortiGate IP address.
    c. Set the Authentication Method to Pre-Shared Key and enter the key. Click Save.
    d. Select the VPN, enter the username and password, then select Connect.
  9. Run diagnose commands. These diagnose commands are useful for checking the IPsec phase1/phase2 interface status. The diagnose debug application ike -1 command is the key to figuring out why an IPsec tunnel failed to establish.
    a. Run the diagnose vpn ike gateway list command. The system should return the following:

vd: root/0
name: for_client_0
version: 1
interface: port1 15
addr: 172.20.120.123:4500 -> 172.20.120.254:64916
created: 37s ago
xauth-user: vpnuser1
assigned IPv4 address: 10.10.1.1/255.255.255.255
nat: me peer
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 1 b40a32d878d5e262/8bba553563a498f4
  direction: responder
  status: established 37-37s ago = 10ms
  proposal: aes256-sha256
  key: f4ad7ec3a4fcfd09-787e2e9b7bceb9a7-0dfa183240d838ba-41539863e5378381
  lifetime/rekey: 86400/86092
  DPD sent/recv: 00000000/00000a0e

    b. Run the diagnose vpn tunnel list command. The system should return the following:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=for_client_0 ver=1 serial=3 172.20.120.123:4500->172.20.120.254:64916
bound_if=15 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/984 options[03d8]=npu create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1
parent=for_client index=0
proxyid_num=1 child_num=0 refcnt=12 ilast=3 olast=3 ad=/0
stat: rxp=1 txp=0 rxb=16402 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=64916
proxyid=for_client proto=0 sa=1 ref=2 serial=1 add-route
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:10.10.1.1-10.10.1.1:0
  SA: ref=4 options=2a6 type=00 soft=0 mtu=1422 expire=42867/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000001 itn=0
  life: type=01 bytes=0/0 timeout=43189/43200
  dec: spi=36274d14 esp=aes key=16 e518b84b3c3b667b79f2e61c64a225a6 ah=sha1 key=20 9cceaa544ed042fda800c4fe5d3fd9d8b811984a
  enc: spi=8b154deb esp=aes key=16 9d50f004b45c122e4e9fb7af085c457c ah=sha1 key=20 f1d90b2a311049e23be34967008239637b50a328
  dec:pkts/bytes=1/16330, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=172.20.120.254 npu_lgwy=172.20.120.123 npu_selid=0 dec_npuid=2 enc_npuid=0
------------------------------------------------------
name=for_client ver=1 serial=2 172.20.120.123:0->0.0.0.0:0
bound_if=15 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=0 child_num=1 refcnt=11 ilast=350 olast=350 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0

The nat: me peer line and the NAT-T keepalive to the client's ephemeral port 64916 show that this client sits behind NAT; the for_client_0 record is the per-client dialup instance, while the for_client record is the listening parent tunnel that never carries traffic itself.

iOS device as dialup client

This recipe provides sample configuration of dialup IPsec VPN with an iPhone or iPad as the dialup client.

The following shows the sample network topology for this recipe:

You can configure dialup IPsec VPN with an iOS device as the dialup client using the FortiOS GUI or CLI.

To configure IPsec VPN with an iOS device as the dialup client on the GUI:

  1. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    a. Enter a proper VPN name.
    b. For Template Type, choose Remote Access.
    c. For Remote Device Type, select Native > iOS Native.
    d. For NAT Configuration, set No NAT Between Sites.
    e. Click Next.
  2. Configure the following settings for Authentication:
    a. For Incoming Interface, select wan1.
    b. For Authentication Method, select Pre-shared Key.
    c. In the Pre-shared Key field, enter your-psk as the key.
    d. From the User Group dropdown list, select vpngroup.
    e. Deselect Require 'Group Name' on VPN client.
    f. Click Next.
  3. Configure the following settings for Policy & Routing:
    a. From the Local Interface dropdown menu, select lan.
    b. Configure the Local Address as local_network.
    c. Configure the Client Address Range as 10.10.2.1-10.10.2.200.
    d. Keep the default values for Subnet Mask, DNS Server, and Enable IPv4 Split Tunnel.
    e. Click Create.

To configure IPsec VPN with an iOS device as the dialup client using the CLI:

  1. In the FortiOS CLI, configure the user and group by running the following commands:

config user local
    edit "vpnuser1"
        set type password
        set passwd your-password
    next
end
config user group
    edit "vpngroup"
        set member "vpnuser1"
    next
end

  2. Configure the internal interface. The LAN interface connects to the corporate internal network. Traffic from this interface is routed out through the IPsec VPN tunnel. Creating an address group for the protected network behind this FortiGate causes traffic to that network group to go through the IPsec tunnel:

config system interface
    edit "lan"
        set vdom "root"
        set ip 10.10.111.1 255.255.255.0
    next
end
config firewall address
    edit "local_subnet_1"
        set ip 10.10.111.0 255.255.255.0
    next
end
config firewall address
    edit "local_subnet_2"
        set ip 10.10.112.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "local_network"
        set member "local_subnet_1" "local_subnet_2"
    next
end

  3. Configure the WAN interface. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

  4. Configure the client address pool. You must create a firewall address to assign an IP address to a client from the address pool.

config firewall address
    edit "client_range"
        set type iprange
        set comment "VPN client range"
        set start-ip 10.10.2.1
        set end-ip 10.10.2.200
    next
end

  5. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature authentication is also an option.

config vpn ipsec phase1-interface
    edit "for_ios_p1"
        set type dynamic
        set interface "wan1"
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set dpd on-idle
        set dhgrp 14 5 2
        set xauthtype auto
        set authusrgrp "vpngroup"
        set assign-ip-from name
        set ipv4-name "client_range"
        set dns-mode auto
        set ipv4-split-include "local_network"
        set psksecret your-psk
        set dpd-retryinterval 60
    next
end

  6. Configure the IPsec phase2-interface:

config vpn ipsec phase2-interface
    edit "for_ios_p2"
        set phase1name "for_ios_p1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set pfs disable
        set keepalive enable
    next
end

  7. Configure the firewall policy to allow client traffic to flow over the IPsec VPN tunnel:

config firewall policy
    edit 1
        set name "ios_vpn"
        set srcintf "for_ios_p1"
        set dstintf "lan"
        set srcaddr "client_range"
        set dstaddr "local_network"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

  8. Configure the iOS device:
    a. On the iOS device, go to Settings > General > VPN and select Add VPN Configuration.
    b. Set the Type to IPsec and enter a Description. Set the Server to the FortiGate's Internet-facing interface, and enter the username in Account. Enter the user password and the preshared IPsec VPN secret, then select Done.
    c. Ensure that the IPsec VPN configuration is highlighted (indicated by a checkmark), and select the Not Connected switch. The IPsec VPN connects with the user's credentials and secret. The status changes to Connected, and a VPN icon appears at the top of the screen.
  9. Run diagnose commands. These diagnose commands are useful to check the IPsec phase1/phase2 interface status. The diagnose debug application ike -1 command is the key to figuring out why an IPsec tunnel failed to establish.
    a. Run the diagnose vpn ike gateway list command. The system should return the following:

vd: root/0
name: for_ios_p1_0
version: 1
interface: port1 15
addr: 172.20.120.123:4500 -> 172.20.120.254:64916
created: 17s ago
xauth-user: u1
assigned IPv4 address: 10.10.2.1/255.255.255.255
nat: me peer
IKE SA: created 1/1 established 1/1 time 150/150/150 ms
IPsec SA: created 1/1 established 1/1 time 10/10/10 ms

  id/spi: 2 3c844e13c75591bf/80c2db92c8d3f602
  direction: responder
  status: established 17-17s ago = 150ms
  proposal: aes256-sha256
  key: 0032ea5ee160d775-51f3bf1f9909101b-b89c7b5a77a07784-2c92cf9c921801ac
  lifetime/rekey: 3600/3312
  DPD sent/recv: 00000000/00000000

    b. Run the diagnose vpn tunnel list command. The system should return the following:

list all ipsec tunnel in vd 0
======================================================
name=for_ios_p1_0 ver=1 serial=172.20.120.123:4500->172.20.120.254:64916
bound_if=15 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/984 options[03d8]=npu create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1
parent=for_ios_p1 index=0
proxyid_num=1 child_num=0 refcnt=12 ilast=23 olast=23 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=64916
proxyid=for_ios_p1 proto=0 sa=1 ref=2 serial=1 add-route
  src: 0:10.10.111.0-10.10.111.255:0
  dst: 0:10.10.2.1-10.10.2.1:0
  SA: ref=3 options=a7 type=00 soft=0 mtu=1422 expire=3564/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=3587/3600
  dec: spi=36274d15 esp=aes key=32 5a599d796f8114c83d6589284f036fc33bdf4456541e2154b4ac2217b6aec869
       ah=sha1 key=20 f1efdeb77d6f856a8dd3a30cbc23cb0f8a3e0340
  enc: spi=00b0d9ab esp=aes key=32 e9232d7a1c4f390fd09f8409c2d85f80362d940c08c73f245908ab1ac3af322f
       ah=sha1 key=20 a3890d6c5320756291cad85026d3a78fd42a1b42
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=172.20.120.254 npu_lgwy=172.20.120.123 npu_selid=1 dec_npuid=0 enc_npuid=0

Redundant hub and spoke VPN

This recipe provides sample configuration of hub and spoke IPsec VPN. The following applies for this scenario:

- The spokes have two WAN interfaces and two IPsec VPN tunnels for redundancy.
- The secondary VPN tunnel comes up only when dead peer detection determines that the primary tunnel is down.

The following shows the sample network topology for this recipe:

As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the CLI commands as shown below.

To configure redundant hub and spoke VPN using the FortiOS CLI:

  1. Configure the hub:
    a. Configure the WAN, internal interface, and static route:

config system interface
    edit "port13"
        set alias "WAN"
        set ip 172.16.202.1 255.255.255.0
    next
    edit "port9"
        set alias "Internal"
        set ip 172.16.101.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 172.16.202.2
        set device "port13"
    next
end

    b. Configure the IPsec phase1-interface and phase2-interface:

config vpn ipsec phase1-interface
    edit "hub"
        set type dynamic
        set interface "port13"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set psksecret sample
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit "hub"
        set phase1name "hub"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

    c. Configure the firewall policy:

config firewall policy
    edit 1
        set name "spoke-hub"
        set srcintf "hub"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "spoke-spoke"
        set srcintf "hub"
        set dstintf "hub"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

  2. Configure the spokes:
    a. Configure the WAN, internal interface, and static route:
      i. Configure Spoke1:

config system interface
    edit "port1"
        set ip 172.16.200.1 255.255.255.0
    next
    edit "wan1"
        set mode dhcp
        set distance 10
        set priority 100
    next
    edit "dmz"
        set ip 10.1.100.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 172.16.200.2
        set device "port1"
    next
end

      ii. Configure Spoke2:

config system interface
    edit "wan1"
        set ip 172.16.200.3 255.255.255.0
    next
    edit "wan2"
        set mode dhcp
        set distance 10
        set priority 100
    next
    edit "lan1"
        set ip 192.168.4.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 172.16.200.2
        set device "wan1"
    next
end

    b. Configure the IPsec phase1-interface and phase2-interface:
      i. Configure Spoke1:

config vpn ipsec phase1-interface
    edit "primary"
        set interface "port1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.202.1
        set psksecret sample
    next
    edit "secondary"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.202.1
        set monitor "primary"
        set psksecret sample
    next
end
config vpn ipsec phase2-interface
    edit "primary"
        set phase1name "primary"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 10.1.100.0 255.255.255.0
    next
    edit "secondary"
        set phase1name "secondary"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 10.1.100.0 255.255.255.0
    next
end

      ii. Configure Spoke2:

config vpn ipsec phase1-interface
    edit "primary"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.202.1
        set psksecret sample
    next
    edit "secondary"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.202.1
        set monitor "primary"
        set psksecret sample
    next
end
config vpn ipsec phase2-interface
    edit "primary"
        set phase1name "primary"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 192.168.4.0 255.255.255.0
    next
    edit "secondary"
        set phase1name "secondary"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
        set src-subnet 192.168.4.0 255.255.255.0
    next
end

    c. Configure the firewall policy:
      i. Configure Spoke1:

config firewall policy
    edit 1
        set srcintf "dmz"
        set dstintf "primary" "secondary"
        set srcaddr "10.1.100.0"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

      ii. Configure Spoke2:

config firewall policy
    edit 1
        set srcintf "lan1"
        set dstintf "primary" "secondary"
        set srcaddr "192.168.4.0"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

    d. Configure the static route:
      i. Configure Spoke1:

config router static
    edit 3
        set dst 172.16.101.0 255.255.255.0
        set distance 1
        set device "primary"
    next
    edit 4
        set dst 172.16.101.0 255.255.255.0
        set distance 3
        set device "secondary"
    next
end

      ii. Configure Spoke2:

config router static
    edit 3
        set dst 172.16.101.0 255.255.255.0
        set distance 1
        set device "primary"
    next
    edit 4
        set dst 172.16.101.0 255.255.255.0
        set distance 3
        set device "secondary"
    next
end

  3. Run diagnose and get commands:
    a. Run the Spoke1 # diagnose vpn tunnel list command. The system should return the following:

name=primary ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=/0
stat: rxp=1879 txp=1881 rxb=225480 txb=112860
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=primary proto=0 sa=1 ref=2 serial=2 auto-negotiate
  src: 0:10.1.100.0/255.255.255.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41002/0B replaywin=2048
       seqno=758 esn=0 replaywin_lastseq=00000758 itn=0
  life: type=01 bytes=0/0 timeout=42901/43200
  dec: spi=0908732f esp=aes key=16 20770dfe67ea22dd8ec32c44d84ef4d5
       ah=sha1 key=20 edc89fc2ec06309ba13de95e7e486f9b795b8707
  enc: spi=a1d9eed1 esp=aes key=16 8eeea2526fba062e680d941083c8b5d1
       ah=sha1 key=20 f0f5deaf88b2a69046c3154e9f751739b3f411f5
  dec:pkts/bytes=1879/112740, enc:pkts/bytes=1879/225480

name=secondary ver=1 serial=2 172.17.200.1:0->172.16.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=10 ilast=1892 olast=1892 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=secondary proto=0 sa=0 ref=2 serial=2 auto-negotiate
  src: 0:10.1.100.0/255.255.255.0:0
  dst: 0:0.0.0.0/0.0.0.0:0

    b. Run the Spoke1 # get router info routing-table static command. The system should return the following:

Routing table for VRF=0
...
S       172.16.101.0/24 [1/0] is directly connected, primary
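The tunnel list above is what an operator reads to confirm that only the primary tunnel is passing traffic (sa=1, accept_traffic=1) while the monitored secondary stays idle. The following Python script, added here as an example and not part of the FortiOS guide, parses a constructed sample of that output (modelled on the Spoke1 output, embedded inline) and classifies the primary/secondary pair as normal, failed over, or degraded; it also records the run_state flag that ipsec-aggregate members show.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample modelled on the Spoke1 "diagnose vpn tunnel list" output
# above: the primary tunnel carries traffic, the secondary is idle.
SAMPLE_TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
name=primary ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=15 ilast=0 olast=0 ad=/0
stat: rxp=1879 txp=1881 rxb=225480 txb=112860
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=primary proto=0 sa=1 ref=2 serial=2 auto-negotiate
  src: 0:10.1.100.0/255.255.255.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41002/0B replaywin=2048
  dec:pkts/bytes=1879/112740, enc:pkts/bytes=1879/225480
name=secondary ver=1 serial=2 172.17.200.1:0->172.16.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=10 ilast=1892 olast=1892 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=secondary proto=0 sa=0 ref=2 serial=2 auto-negotiate
  src: 0:10.1.100.0/255.255.255.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
"""

# key=value tokens; keys are letters, digits, '_' or '-' (e.g. accept_traffic=1)
KV_RE = re.compile(r"([A-Za-z_][\w-]*)=(\S+)")


def parse_tunnel_list(text: str) -> Dict[str, Dict[str, object]]:
    """Return one record per 'name=' block with the fields a redundancy
    check needs: accept_traffic, SA count, DPD state and packet counters."""
    tunnels: Dict[str, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            name = line.split()[0][len("name="):]
            current = {"name": name, "accept_traffic": None, "sa": None,
                       "dpd_on": None, "run_state": None, "rxp": 0, "txp": 0}
            tunnels[name] = current
            continue
        if current is None:
            continue  # header line before the first tunnel record
        fields = dict(KV_RE.findall(line))
        if "accept_traffic" in fields:
            current["accept_traffic"] = fields["accept_traffic"] == "1"
        if "run_state" in fields:  # shown for ipsec-aggregate members
            current["run_state"] = fields["run_state"] == "1"
        if line.startswith("stat:"):
            current["rxp"] = int(fields.get("rxp", "0"))
            current["txp"] = int(fields.get("txp", "0"))
        if line.startswith("dpd:") and "on" in fields:
            current["dpd_on"] = fields["on"] == "1"
        if line.startswith("proxyid=") and "sa" in fields:
            current["sa"] = int(fields["sa"])  # number of IPsec SAs
    return tunnels


def active_tunnels(tunnels: Dict[str, Dict[str, object]]) -> List[str]:
    """Names of tunnels that have an IPsec SA and accept traffic."""
    return sorted(n for n, t in tunnels.items() if t["sa"] and t["accept_traffic"])


def check_redundant_pair(tunnels: Dict[str, Dict[str, object]],
                         primary: str = "primary",
                         secondary: str = "secondary") -> Tuple[str, str]:
    """Classify a monitor-based pair (secondary has 'set monitor primary').
    'primary': primary active and secondary standby, the normal state;
    'failover': DPD declared the primary dead and the secondary took over;
    'degraded': anything else (both active, none active, record missing)."""
    p, s = tunnels.get(primary), tunnels.get(secondary)
    if p is None or s is None:
        return "degraded", "missing tunnel record"
    p_up = bool(p["sa"]) and bool(p["accept_traffic"])
    s_up = bool(s["sa"]) and bool(s["accept_traffic"])
    if p_up and not s_up:
        return "primary", f"{primary} active, {secondary} standby"
    if s_up and not p_up:
        return "failover", f"{secondary} active, {primary} down"
    if p_up and s_up:
        return "degraded", "both tunnels active; check the monitor setting"
    return "degraded", "no tunnel active"


if __name__ == "__main__":
    state, detail = check_redundant_pair(parse_tunnel_list(SAMPLE_TUNNEL_LIST))
    print(state, "-", detail)
```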

IPsec aggregate to achieve redundancy and traffic load-balancing

This recipe gives a sample configuration of using IPsec aggregate to achieve redundancy and traffic load-balancing:

- Multiple site-to-site IPsec VPN (net-device disable) tunnel interfaces as members of an ipsec-aggregate interface.
- Four load-balancing algorithms: round-robin (default), L3, L4, and redundant.

The following shows the sample network topology for this recipe:

As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the CLI commands as shown below.

To configure IPsec aggregate to achieve redundancy and traffic load-balancing using the CLI:

  1. Configure the WAN interface and static route. Each FortiGate has two WAN interfaces connected to different ISPs. The ISP1 link carries the primary tunnel and the ISP2 link carries the secondary tunnel:
    a. Configure HQ1:

config system interface
    edit "port1"
        set alias to_ISP1
        set ip 172.16.200.1 255.255.255.0
    next
    edit "port2"
        set alias to_ISP2
        set ip 172.17.200.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 172.16.200.3
        set device "port1"
    next
    edit 2
        set gateway 172.17.200.3
        set device "port2"
        set priority 100
    next
end

    b. Configure HQ2:

config system interface
    edit "port25"
        set alias to_ISP1
        set ip 172.16.202.1 255.255.255.0
    next
    edit "port26"
        set alias to_ISP2
        set ip 172.17.202.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 172.16.202.2
        set device "port25"
    next
    edit 2
        set gateway 172.17.202.2
        set device "port26"
        set priority 100
    next
end

  2. Configure the internal (protected subnet) interface:
    a. Configure HQ1:

config system interface
    edit "dmz"
        set ip 10.1.100.1 255.255.255.0
    next
end

    b. Configure HQ2:

config system interface
    edit "port9"
        set ip 172.16.101.1 255.255.255.0
    next
end

  3. Configure the IPsec phase1-interface and phase2-interface. On each FortiGate, configure two site-to-site phase1-interfaces with net-device disable:
    a. Configure HQ1:

config vpn ipsec phase1-interface
    edit "pri_HQ2"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.202.1
        set psksecret sample1
    next
    edit "sec_HQ2"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.17.202.1
        set psksecret sample2
    next
end
config vpn ipsec phase2-interface
    edit "pri_HQ2"
        set phase1name "pri_HQ2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "sec_HQ2"
        set phase1name "sec_HQ2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

    b. Configure HQ2:

config vpn ipsec phase1-interface
    edit "pri_HQ1"
        set interface "port25"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.200.1
        set psksecret sample1
    next
    edit "sec_HQ1"
        set interface "port26"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.17.200.1
        set psksecret sample2
    next
end
config vpn ipsec phase2-interface
    edit "pri_HQ1"
        set phase1name "pri_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "sec_HQ1"
        set phase1name "sec_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

  4. Configure the ipsec-aggregate interface:
    a. Configure HQ1:

config system ipsec-aggregate
    edit "agg_HQ2"
        set member "pri_HQ2" "sec_HQ2"
    next
end

    b. Configure HQ2:

config system ipsec-aggregate
    edit "agg_HQ1"
        set member "pri_HQ1" "sec_HQ1"
    next
end

  5. Configure the firewall policy:
    a. Configure HQ1:

config firewall policy
    edit 1
        set name "inbound"
        set srcintf "agg_HQ2"
        set dstintf "dmz"
        set srcaddr "172.16.101.0"
        set dstaddr "10.1.100.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "outbound"
        set srcintf "dmz"
        set dstintf "agg_HQ2"
        set srcaddr "10.1.100.0"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

    b. Configure HQ2:

config firewall policy
    edit 1
        set name "inbound"
        set srcintf "agg_HQ1"
        set dstintf "port9"
        set srcaddr "10.1.100.0"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "outbound"
        set srcintf "port9"
        set dstintf "agg_HQ1"
        set srcaddr "172.16.101.0"
        set dstaddr "10.1.100.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

  6. Assign an IP address to the ipsec-aggregate interface. In this example, OSPF runs over the ipsec-aggregate interface. If static routes are used instead, no IP address is required:
    a. Configure HQ1:

config system interface
    edit "agg_HQ2"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.255
    next
end

    b. Configure HQ2:

config system interface
    edit "agg_HQ1"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.1 255.255.255.255
    next
end

  7. Configure OSPF:
    a. Configure HQ1:

config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.1.100.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0
        next
    end
end

    b. Configure HQ2:

config router ospf
    set router-id 2.2.2.2
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 172.16.101.0 255.255.255.0
        next
        edit 2
            set prefix 10.10.10.0 255.255.255.0
        next
    end
end

  8. Run diagnose commands:
    a. Run the diagnose vpn ike gateway list command. The system should return the following:

vd: root/0
name: pri_HQ2
version: 1
interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500
created: 1520s ago
IKE SA: created 1/2 established 1/1 time 10/10/10 ms
IPsec SA: created 2/2 established 1/1 time 0/0/0 ms

  id/spi: 173 dcdede154681579b/e32f4c48c4349fc0
  direction: responder
  status: established 1498-1498s ago = 10ms
  proposal: aes128-sha256
  key: d7230a68d7b83def-588b94495cfa9d38
  lifetime/rekey: 86400/84631
  DPD sent/recv: 0000000d/00000006

vd: root/0
name: sec_HQ2
version: 1
interface: port2 12
addr: 172.17.200.1:500 -> 172.17.202.1:500
created: 1520s ago
IKE SA: created 1/2 established 1/1 time 10/10/10 ms
IPsec SA: created 2/2 established 1/1 time 0/0/0 ms

  id/spi: 174 a567bd7bf02a04b5/4251b6254660aee2
  direction: responder
  status: established 1498-1498s ago = 10ms
  proposal: aes128-sha256
  key: 9f44f500c28d8de6-febaae9d1e6a164c
  lifetime/rekey: 86400/84631
  DPD sent/recv: 00000008/0000000c

    b. Run the diagnose vpn tunnel list command. The system should return the following:

list all ipsec tunnel in vd 0

name=sec_HQ2 ver=1 serial=2 172.17.200.1:0->172.17.202.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=7 ilast=5 olast=5 ad=/0
stat: rxp=39 txp=40 rxb=5448 txb=2732
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=15
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=sec_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41230/0B replaywin=2048
       seqno=29 esn=0 replaywin_lastseq=00000028 itn=0
  life: type=01 bytes=0/0 timeout=42899/43200
  dec: spi=1071b4f9 esp=aes key=16 1f4dbb78bea8e97650b52d8170b5ece7
       ah=sha1 key=20 cd9bf2de0f49296cf489dd915d7baf6d78bc8f12
  enc: spi=ec89b7ee esp=aes key=16 0546efecd0d1b9ba5944f635896e4404
       ah=sha1 key=20 34599bc7dc25e1ce63ac9615bd50928ce0667dc8
  dec:pkts/bytes=39/2796, enc:pkts/bytes=40/5456

name=pri_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=1 accept_traffic=1
proxyid_num=1 child_num=0 refcnt=5 ilast=15 olast=15 ad=/0
stat: rxp=38 txp=39 rxb=5152 txb=2768
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=20
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=pri_HQ2 proto=0 sa=1 ref=2 serial=2 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=41231/0B replaywin=2048
       seqno=28 esn=0 replaywin_lastseq=00000027 itn=0
  life: type=01 bytes=0/0 timeout=42900/43200
  dec: spi=1071b4f8 esp=aes key=16 142cce377b3432ba41e64128ade6848c
       ah=sha1 key=20 20e64947e2397123f561584321adc0e7aa0c342d
  enc: spi=ec89b7ed esp=aes key=16 2ec13622fd60dacce3d28ebe5fe7ab14
       ah=sha1 key=20 c1787497508a87f40c73c0db0e835c70b3c3f42d
  dec:pkts/bytes=38/2568, enc:pkts/bytes=39/5432

    c. Run the diagnose sys ipsec-aggregate list command. The system should return the following:

agg_HQ2 algo=RR member=2 run_tally=2 members: pri_HQ2 sec_HQ2

    d. Run the get router info ospf neighbor command. The system should return the following:

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
2.2.2.2           1   Full/ -         00:00:34    10.10.10.2      agg1_HQ2

    e. Run the get router info routing-table ospf command. The system should return the following:

Routing table for VRF=0
O       172.16.101.0/24 [110/20] via 10.10.10.2, agg1_HQ2, 00:18:43

OSPF with IPsec VPN to achieve network redundancy

This recipe provides sample configuration of using OSPF with IPsec VPN to achieve network redundancy. Route selection is based on OSPF cost calculation. It is easy to achieve ECMP or primary/secondary routes by adjusting the OSPF path cost.

The following shows the sample network topology for this recipe:

As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the CLI commands as shown below.

To configure OSPF with IPsec VPN to achieve network redundancy using the CLI:

  1. Configure the WAN interface and static route. Each FortiGate has two WAN interfaces connected to different ISPs. The ISP1 link carries the primary tunnel and the ISP2 link carries the secondary tunnel:
    a. Configure HQ1:

config system interface edit “port1” set alias to_ISP1

set ip 172.16.200.1 255.255.255.0

next edit “port2” set alias to_ISP2

set ip 172.17.200.1 255.255.255.0

next

end

config router static edit 1 set gateway 172.16.200.3 set device “port1”

next edit 2 set gateway 172.17.200.3 set device “port2” set priority 100

next

end

  1. Configure HQ2:

config system interface edit “port25” set alias to_ISP1

set ip 172.16.202.1 255.255.255.0

next edit “port26” set alias to_ISP2

set ip 172.17.202.1 255.255.255.0

next

end

config router static edit 1 set gateway 172.16.202.2

set device “port25”

next edit 2 set gateway 172.17.202.2 set device “port26” set priority 100

next

end

  1. Configure the internal (protected subnet) interface:
    1. Configure HQ1:

config system interface edit “dmz” set ip 10.1.100.1 255.255.255.0

next

end

  1. Configure HQ2:

config system interface edit “port9” set ip 172.16.101.1 255.255.255.0

next

end

  1. Configure IPsec phase1-interface and phase-2 interface. On each FortiGate, configure two IPsec tunnels: a primary and a secondary: Configure HQ1:

config vpn ipsec phase1-interface edit “pri_HQ2” set interface “port1” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.202.1 set psksecret sample1

next edit “sec_HQ2” set interface “port2” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.17.202.1 set psksecret sample2

next end

config vpn ipsec phase2-interface edit “pri_HQ2” set phase1name “pri_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

set auto-negotiate enable

next edit “sec_HQ2” set phase1name “sec_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

set auto-negotiate enable

next end

  1. Configure HQ2:

config vpn ipsec phase1-interface edit “pri_HQ1” set interface “port25” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.200.1 set psksecret sample1

next edit “sec_HQ1” set interface “port26” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.17.200.1 set psksecret sample2

next

end

config vpn ipsec phase2-interface edit “pri_HQ1” set phase1name “pri_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

set auto-negotiate enable

next edit “sec_HQ1” set phase1name “sec_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305

set auto-negotiate enable

next

end

  1. Configure an inbound and outbound firewall policy for each IPsec tunnel:
  2. Configure HQ1:

config firewall policy

edit 1 set name “pri_inbound” set srcintf “pri_HQ2” set dstintf “dmz” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “pri_outbound” set srcintf “dmz” set dstintf “pri_HQ2” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL” next

edit 3

set name “sec_inbound” set srcintf “sec_HQ2” set dstintf “dmz” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 4

set name “sec_outbound” set srcintf “dmz” set dstintf “sec_HQ2” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next

end

  1. Configure HQ2:

config firewall policy edit 1

set name “pri_inbound” set srcintf “pri_HQ1” set dstintf “port9” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next edit 2

set name “pri_outbound” set srcintf “port9” set dstintf “pri_HQ1” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next edit 3

set name “sec_inbound” set srcintf “sec_HQ1” set dstintf “port9” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next edit 4

set name “sec_outbound” set srcintf “port9” set dstintf “sec_HQ1” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

  1. Assign an IP address to the IPsec tunnel interface:
  2. Configure HQ1:

config system interface

edit “pri_HQ2”

set ip 10.10.10.1 255.255.255.255

set remote-ip 10.10.10.2 255.255.255.255

next edit “sec_HQ2”

set ip 10.10.11.1 255.255.255.255 set remote-ip 10.10.11.2 255.255.255.255

next

end

  1. Configure HQ2:

config system interface

edit “pri_HQ1”

set ip 10.10.10.2 255.255.255.255

set remote-ip 10.10.10.1 255.255.255.255

next

edit “sec_HQ1”

set ip 10.10.11.2 255.255.255.255 set remote-ip 10.10.11.1 255.255.255.255

next

end

  1. Configure OSPF:
  2. Configure HQ1:

config router ospf

set router-id 1.1.1.1 config area

edit 0.0.0.0 next

end config ospf-interface

edit “pri_HQ2” set interface “pri_HQ2” set cost 10 set network-type point-to-point

next edit “sec_HQ2” set interface “sec_HQ2” set cost 20 set network-type point-to-point

next

end config network

edit 1 set prefix 10.10.10.0 255.255.255.0

next edit 2

set prefix 10.10.11.0 255.255.255.0

next edit 3 set prefix 10.1.100.0 255.255.255.0

next

end

end

  1. Configure HQ2:

config router ospf set router-id 2.2.2.2 config area edit 0.0.0.0 next

end

config ospf-interface edit “pri_HQ1” set interface “pri_HQ1”

set cost 10

set network-type point-to-point

next edit “sec_HQ1” set interface “sec_HQ1”

set cost 20

set network-type point-to-point

next

end config network edit 1 set prefix 10.10.10.0 255.255.255.0

next edit 2 set prefix 10.10.11.0 255.255.255.0

next edit 3 set prefix 172.16.101.0 255.255.255.0

next

end

end

  1. Run diagnose/get commands to check VPN and OSPF states:
    a. Run the HQ1 # diagnose vpn ike gateway list command. The system should return the following:

vd: root/0
name: pri_HQ2
version: 1
interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500
virtual-interface-addr: 10.10.10.1 -> 10.10.10.2
created: 1024s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/3 established 1/2 time 0/5/10 ms

  id/spi: 45 d184777257b4e692/e2432f834aaf5658
  direction: responder
  status: established 1024-1024s ago = 0ms
  proposal: aes128-sha256
  key: 9ed41fb06c983344189538046f5ad204
  lifetime/rekey: 86400/85105
  DPD sent/recv: 00000003/00000000

vd: root/0
name: sec_HQ2
version: 1
interface: port2 12
addr: 172.17.200.1:500 -> 172.17.202.1:500
virtual-interface-addr: 10.10.11.1 -> 10.10.11.2
created: 346s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/10/15 ms

  id/spi: 48 d909ed68636b1ea5/163015e73ea050b8
  direction: initiator
  status: established 0-0s ago = 0ms
  proposal: aes128-sha256
  key: b9e93c156bdf456229db9fbafa256152
  lifetime/rekey: 86400/86099
  DPD sent/recv: 00000000/00000000

    b. Run the HQ1 # diagnose vpn tunnel list command. The system should return the following:

list all ipsec tunnel in vd 0
name=pri_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0
stat: rxp=102 txp=105 rxb=14064 txb=7816
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=3
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=pri_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42254/0B replaywin=2048
       seqno=6a esn=0 replaywin_lastseq=00000067 itn=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=1071b4ee esp=aes key=16 032036b24a4ec88da63896b86f3a01db
       ah=sha1 key=20 3962933e24c8da21c65c13bc2c6345d643199cdf
  enc: spi=ec89b7e3 esp=aes key=16 92b1d85ef91faf695fca05843dd91626
       ah=sha1 key=20 2de99d1376506313d9f32df6873902cf6c08e454
  dec:pkts/bytes=102/7164, enc:pkts/bytes=105/14936

name=sec_HQ2 ver=1 serial=2 172.17.200.1:0->172.17.202.1:0
bound_if=12 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=14 ilast=3 olast=0 ad=/0
stat: rxp=110 txp=114 rxb=15152 txb=8428
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=3
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=sec_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42927/0B replaywin=2048
       seqno=2 esn=0 replaywin_lastseq=00000002 itn=0
  life: type=01 bytes=0/0 timeout=42931/43200
  dec: spi=1071b4ef esp=aes key=16 bcdcabdb7d1c7c695d1f2e0f5441700a
       ah=sha1 key=20 e7a0034589f82eb1af41efd59d0b2565fef8d5da
  enc: spi=ec89b7e4 esp=aes key=16 234240b69e61f6bdee2b4cdec0f33bea
       ah=sha1 key=20 f9d4744a84d91e5ce05f5984737c2a691a3627e8
  dec:pkts/bytes=1/68, enc:pkts/bytes=1/136

    c. Run the HQ1 # get router info ospf neighbor command. The system should return the following:

OSPF process 0, VRF 0:
Neighbor ID     Pri   State       Dead Time   Address       Interface
2.2.2.2           1   Full/ -     00:00:37    10.10.10.2    pri_HQ2
2.2.2.2           1   Full/ -     00:00:32    10.10.11.2    sec_HQ2

    d. Run the HQ1 # get router info routing-table ospf command. The system should return the following:

Routing table for VRF=0
O       172.16.101.0/24 [110/20] via 10.10.10.2, pri_HQ2, 00:03:21

    e. If the primary tunnel is down, run the HQ1 # get router info routing-table ospf command again after route convergence. The system should return the following:

Routing table for VRF=0
O       172.16.101.0/24 [110/110] via 10.10.11.2, sec_HQ2, 00:00:01

Basic site-to-site VPN

IPsec VPN in an HA environment

This recipe provides sample configuration of site-to-site IPsec VPN in an HA environment. You must enable two options to ensure that IPsec VPN traffic is not interrupted during an HA failover:

  • session-pickup under HA settings
  • ha-sync-esp-seqno under IPsec phase1-interface settings

The following shows the sample network topology for this recipe:

You can configure IPsec VPN in an HA environment using the FortiOS GUI or CLI.

In the examples below, the VPN name for HQ1 is “to_HQ2”, and the VPN name for HQ2 is “to_HQ1”.

To configure IPsec VPN in an HA environment on the GUI:

  1. Set up HA as described in the HA topics.
  2. Set up IPsec VPN on HQ1 (the HA cluster):
    a. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      i. Enter a proper VPN name.
      ii. For Template Type, choose Site to Site.
      iii. For Remote Device Type, select FortiGate.
      iv. For NAT Configuration, set No NAT Between Sites.
      v. Click Next.
    b. Configure the following settings for Authentication:
      i. For Remote Device, select IP Address.
      ii. In the IP address field, enter 172.16.202.1.
      iii. In the Outgoing Interface field, enter port1.
      iv. For Authentication Method, select Pre-shared Key.
      v. In the Pre-shared Key field, enter an example key.
      vi. Click Next.
    c. Configure the following settings for Policy & Routing:
      i. From the Local Interface dropdown menu, select the desired local interface.
      ii. Configure the Local Subnets as 10.1.100.0/24.
      iii. Configure the Remote Subnets as 172.16.101.0/24.
      iv. Click Create.
  3. Set up IPsec VPN on HQ2:
    a. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
      i. Enter a proper VPN name.
      ii. For Template Type, choose Site to Site.
      iii. For Remote Device Type, select FortiGate.
      iv. For NAT Configuration, set No NAT Between Sites.
      v. Click Next.
    b. Configure the following settings for Authentication:
      i. For Remote Device, select IP Address.
      ii. In the IP address field, enter 172.16.200.1.
      iii. In the Outgoing Interface field, enter port13.
      iv. For Authentication Method, select Pre-shared Key.
      v. In the Pre-shared Key field, enter an example key.
      vi. Click Next.
    c. Configure the following settings for Policy & Routing:
      i. From the Local Interface dropdown menu, select the desired local interface. In this example, it is port9.
      ii. Configure the Local Subnets as 172.16.101.0.
      iii. Configure the Remote Subnets as 10.1.100.0.
      iv. Click Create.

To configure IPsec VPN in an HA environment using the CLI:

  1. Configure HA. In this example, two FortiGates work in active-passive mode. The HA heartbeat interfaces are WAN1 and WAN2:

config system ha
    set group-name "FGT-HA"
    set mode a-p
    set password sample
    set hbdev "wan1" 50 "wan2" 50
    set session-pickup enable
    set priority 200
    set override-wait-time 10
end

  2. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.
    a. Configure HQ1:

config system interface
    edit "port1"
        set vdom "root"
        set ip 172.16.200.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 172.16.200.3
        set device "port1"
    next
end

    b. Configure HQ2:

config system interface
    edit "port25"
        set vdom "root"
        set ip 172.16.202.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 172.16.202.2
        set device "port25"
    next
end

  3. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel.
    a. Configure HQ1:

config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.1.100.1 255.255.255.0
    next
end

    b. Configure HQ2:

config system interface
    edit "port9"
        set vdom "root"
        set ip 172.16.101.1 255.255.255.0
    next
end

  4. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature authentication is also an option.
    a. Configure HQ1:

config vpn ipsec phase1-interface
    edit "to_HQ2"
        set interface "port1"
        set peertype any
        set net-device enable
        set ha-sync-esp-seqno enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.202.1
        set psksecret sample
    next
end

    b. Configure HQ2:

config vpn ipsec phase1-interface
    edit "to_HQ1"
        set interface "port25"
        set peertype any
        set net-device enable
        set ha-sync-esp-seqno enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set remote-gw 172.16.200.1
        set psksecret sample
    next
end

  5. Configure the IPsec phase2-interface:
    a. Configure HQ1:

config vpn ipsec phase2-interface
    edit "to_HQ2"
        set phase1name "to_HQ2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

    b. Configure HQ2:

config vpn ipsec phase2-interface
    edit "to_HQ1"
        set phase1name "to_HQ1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

  6. Configure static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down.
    a. Configure HQ1:

config router static
    edit 2
        set dst 172.16.101.0 255.255.255.0
        set device "to_HQ2"
    next
    edit 3
        set dst 172.16.101.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

    b. Configure HQ2:

config router static
    edit 2
        set dst 10.1.100.0 255.255.255.0
        set device "to_HQ1"
    next
    edit 3
        set dst 10.1.100.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
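To show why step 6 adds the blackhole route, here is an added Python simulation (not from the FortiOS guide) of route selection on HQ1: longest prefix match first, then lowest administrative distance among routes whose interface is up. The distance of 10 for the non-blackhole static routes (the FortiOS default) and the simple interface-up model are assumptions.

```python
"""Simulate FortiGate route selection on HQ1 to show the effect of the
blackhole route from step 6. Added example, not from the FortiOS guide.

Rules modelled: a route over an interface that is down is not installed
(a blackhole route has no interface, so it is always installed); among
installed routes the longest prefix wins, then the lowest distance.
The distance of 10 for non-blackhole static routes is assumed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    device: str          # egress interface, or "blackhole" to drop traffic
    distance: int = 10   # assumed FortiOS default static-route distance


# HQ1's static routes: edit 1 from step 2, edit 2 and edit 3 from step 6.
HQ1_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "port1"),          # default route to the ISP
    Route(ipaddress.ip_network("172.16.101.0/24"), "to_HQ2"),   # remote subnet via the tunnel
    Route(ipaddress.ip_network("172.16.101.0/24"), "blackhole", 254),
]


def lookup(routes, dst_ip, up_interfaces):
    """Return the egress device chosen for dst_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    installed = [
        r for r in routes
        if ip in r.dst and (r.device == "blackhole" or r.device in up_interfaces)
    ]
    if not installed:
        return None
    # Longest prefix first, then lowest administrative distance.
    best = max(installed, key=lambda r: (r.dst.prefixlen, -r.distance))
    return best.device


def egress_with_and_without_blackhole(dst_ip, tunnel_up):
    """Return (egress with edit 3 present, egress with edit 3 removed)."""
    up = {"port1", "to_HQ2"} if tunnel_up else {"port1"}
    without = [r for r in HQ1_ROUTES if r.device != "blackhole"]
    return lookup(HQ1_ROUTES, dst_ip, up), lookup(without, dst_ip, up)


if __name__ == "__main__":
    for state in (True, False):
        with_bh, without_bh = egress_with_and_without_blackhole("172.16.101.10", state)
        print(f"tunnel up={state}: with blackhole -> {with_bh}, "
              f"without blackhole -> {without_bh}")
```

Without the blackhole route, traffic for the remote protected subnet follows the default route out port1 toward the ISP in the clear whenever the tunnel is down; with it, that traffic is dropped until the tunnel comes back.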

  7. Configure two firewall policies to allow bi-directional IPsec traffic flow over the IPsec tunnel:
    a. Configure HQ1:

config firewall policy
    edit 1
        set name "inbound"
        set srcintf "to_HQ2"
        set dstintf "dmz"
        set srcaddr "172.16.101.0"
        set dstaddr "10.1.100.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "outbound"
        set srcintf "dmz"
        set dstintf "to_HQ2"
        set srcaddr "10.1.100.0"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

    b. Configure HQ2:

config firewall policy
    edit 1
        set name "inbound"
        set srcintf "to_HQ1"
        set dstintf "port9"
        set srcaddr "10.1.100.0"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "outbound"
        set srcintf "port9"
        set dstintf "to_HQ1"
        set srcaddr "172.16.101.0"
        set dstaddr "10.1.100.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

  8. Run diagnose commands. These diagnose commands are useful to check IPsec phase1/phase2 interface statuses, including the ESP sequence number on the secondary FortiGate. The diagnose debug application ike -1 command is the key to figuring out why an IPsec tunnel failed to establish.
    a. Run the HQ1 # diagnose vpn ike gateway list command. The system should return the following:

vd: root/0
name: to_HQ2
version: 1
interface: port1 11
addr: 172.16.200.1:500 -> 172.16.202.1:500
created: 5s ago
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 2/2 established 2/2 time 0/0/0 ms

  id/spi: 12 6e8d0532e7fe8d84/3694ac323138a024
  direction: responder
  status: established 5-5s ago = 0ms
  proposal: aes128-sha256
  key: b3efb46d0d385aff7bb9ee241362ee8d
  lifetime/rekey: 86400/86124
  DPD sent/recv: 00000000/00000000

    b. Run the HQ1 # diagnose vpn tunnel list command. The system should return the following:

list all ipsec tunnel in vd 0
name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=7 olast=87 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42927/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42930/43200
  dec: spi=ef9ca700 esp=aes key=16 a2c6584bf654d4f956497b3436f1cfc7
       ah=sha1 key=20 82c5e734bce81e6f18418328e2a11aeb7baa021b
  enc: spi=791e898e esp=aes key=16 0dbb4588ba2665c6962491e85a4a8d5a
       ah=sha1 key=20 2054b318d2568a8b12119120f20ecac97ab730b3
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

The ESP sequence number is synced between the primary and secondary FortiGates every five minutes, and the secondary keeps a large gap ahead of the primary's value so that no packet is dropped by replay protection after an HA failover. Check that the ESP sequence number has been synced on the secondary FortiGate:

    c. Run the HQ1 # execute ha manage 0 admin command to connect to the CLI of the secondary FortiGate.
    d. Run the HQ1-Slave # diagnose vpn tunnel list command. The system should return the following:

list all ipsec tunnel in vd 0
name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=11 ilast=13 olast=274 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=27 type=00 soft=0 mtu=1280 expire=42740/0B replaywin=2048
       seqno=47868c01 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42930/43200
  dec: spi=ef9ca700 esp=aes key=16 a2c6584bf654d4f956497b3436f1cfc7
       ah=sha1 key=20 82c5e734bce81e6f18418328e2a11aeb7baa021b
  enc: spi=791e898e esp=aes key=16 0dbb4588ba2665c6962491e85a4a8d5a
       ah=sha1 key=20 2054b318d2568a8b12119120f20ecac97ab730b3
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
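As an added example that is not part of the guide, the following Python script parses `diagnose vpn tunnel list` text captured from both cluster members and flags any tunnel whose secondary ESP sequence number does not lead the primary's, which is the check the paragraph above asks you to make by eye. The captures are constructed, abbreviated copies of the outputs shown above, and the minimum-gap threshold is an assumed value, not a FortiOS setting.

```python
"""Check that the secondary FortiGate's ESP seqno leads the primary's.
Added example, not from the FortiOS guide. It parses 'diagnose vpn tunnel
list' text captured from each cluster member and compares, per tunnel, the
seqno on the indented SA line (the 'dpd:' line has an unrelated seqno).
The captures are constructed, abbreviated copies of the guide's output;
the 0x10000 minimum gap is an assumed threshold, not a FortiOS value.
"""
import re

PRIMARY = """list all ipsec tunnel in vd 0
name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
  SA:  ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42927/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
"""
SECONDARY = """list all ipsec tunnel in vd 0
name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate
  SA:  ref=3 options=27 type=00 soft=0 mtu=1280 expire=42740/0B replaywin=2048
       seqno=47868c01 esn=0 replaywin_lastseq=00000000 itn=0
"""

NAME_RE = re.compile(r"^name=(\S+)")
SA_SEQNO_RE = re.compile(r"^\s+seqno=([0-9a-fA-F]+)")  # indented SA line only


def parse_seqnos(output):
    """Map tunnel name -> list of outbound ESP seqnos (one per SA), as ints."""
    seqnos, name = {}, None
    for line in output.splitlines():
        m = NAME_RE.match(line)
        if m:
            name = m.group(1)
            seqnos.setdefault(name, [])
            continue
        m = SA_SEQNO_RE.match(line)
        if m and name is not None:
            seqnos[name].append(int(m.group(1), 16))
    return seqnos


def check_sync(primary_out, secondary_out, min_gap=0x10000):
    """Per tunnel, return (primary_seqno, secondary_seqno, synced); synced is
    True only when both members list an SA for the tunnel and the secondary's
    highest seqno leads the primary's by at least min_gap."""
    prim, sec = parse_seqnos(primary_out), parse_seqnos(secondary_out)
    report = {}
    for name in sorted(prim.keys() | sec.keys()):
        p = max(prim[name]) if prim.get(name) else None
        s = max(sec[name]) if sec.get(name) else None
        report[name] = (p, s, p is not None and s is not None and s - p >= min_gap)
    return report


if __name__ == "__main__":
    for name, (p, s, ok) in check_sync(PRIMARY, SECONDARY).items():
        print(f"{name}: primary={p:#x} secondary={s:#x} synced={ok}")
```

A tunnel that is present on the primary but missing or without an SA on the secondary is reported as not synced, which is the case that would drop traffic after a failover.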

SSL Inspection – Certificate Inspection – Deep Inspection

SSL Inspection

Certificate inspection

FortiGate supports certificate inspection. The default configuration has a built-in certificate-inspection profile which you can use directly. When you use certificate inspection, the FortiGate only inspects the header information of the packets.

If you do not want to deep scan for privacy reasons but you still want to control web site access, you can use certificate inspection.

Inspect non-standard HTTPS ports

The built-in certificate-inspection profile is read-only and only listens on port 443. If you want to make changes, you must create a new certificate inspection profile.

If you know the non-standard port that the web server uses, such as port 8443, you can add this port to the HTTPS field.

If you do not know which port is used in the HTTPS web server, you can select Inspect All Ports.

Block untrusted or allow invalid certificate

The default setting in the certificate-inspection profile is to block invalid certificates and allow untrusted certificates.

For example, if the server certificate has expired but you still want to access this server until you have a new server certificate, you must allow the invalid certificate in your SSL profile, because certificate inspection cannot exempt a single server. Since the built-in certificate-inspection profile is read-only, you need to create a new certificate inspection profile based on it.

Deep inspection

You typically apply deep inspection to outbound policies where destinations are unknown. You can configure address and web category white lists to bypass SSL deep inspection.

Reasons for using deep inspection

While Hypertext Transfer Protocol Secure (HTTPS) offers protection on the Internet by applying Secure Sockets Layer (SSL) encryption to web traffic, encrypted traffic can be used to get around your network’s normal defenses.

For example, you might download a file containing a virus during an e-commerce session, or you might receive a phishing email containing a seemingly harmless download that, when launched, creates an encrypted session to a command and control (C&C) server and downloads malware onto your computer. Because the sessions in these attacks are encrypted, they might get past your network’s security measures.

When you use deep inspection, the FortiGate impersonates the recipient of the originating SSL session, then decrypts and inspects the content to find threats and block them. It then re-encrypts the content and sends it to the real recipient.

Deep inspection not only protects you from attacks that use HTTPS, it also protects you from other commonly-used SSL-encrypted protocols such as SMTPS, POP3S, IMAPS, and FTPS.

Browser messages when using deep inspection

When FortiGate re-encrypts the content, it uses a certificate stored on the FortiGate such as Fortinet_CA_SSL, Fortinet_CA_Untrusted, or your own CA certificate that you uploaded.

Because Fortinet_CA_SSL is not in the browser's trusted CA list, the browser displays an untrusted certificate warning when it receives a FortiGate re-signed server certificate. To stop the warning messages, trust the FortiGate CA Fortinet_CA_SSL by importing it into your browser.

After importing Fortinet_CA_SSL into your browser, if you still get messages about an untrusted certificate, the server certificate must have been re-signed with Fortinet_CA_Untrusted, which the FortiGate uses when the original server certificate is itself untrusted, so that the browser still warns you. Never import the Fortinet_CA_Untrusted certificate into your browser.

To import Fortinet_CA_SSL into your browser:

  1. On the FortiGate, go to Security Profiles > SSL/SSH Inspection and select deep-inspection.
  2. The default CA Certificate is Fortinet_CA_SSL.
  3. Select Download Certificate.
  4. On the client PC, double-click the certificate file and select Open.
  5. Select Install Certificate to launch the Certificate Import Wizard and use the wizard to install the certificate into the Trusted Root Certificate Authorities store. If a security warning appears, select Yes to install the certificate.

Exempt web sites from deep inspection

If you do not want to apply deep inspection for privacy or other reasons, you can exempt the session by address, category, or white list.

If you know the address of the server you want to exempt, you can exempt that address. You can exempt specific address type including IP address, IP address range, IP subnet, FQDN, wildcard-FQDN, and geography.

If you want to exempt all bank web sites, an easy way is to exempt the Finance and Banking category which includes all finance and bank web sites identified in FortiGuard.

If you want to exempt commonly trusted web sites, you can use the SSL white list in the SSL/SSH profile to bypass them. The white list includes common web sites trusted by FortiGuard. Simply enable Reputable Websites.

Protecting SSL Server

You typically use the FortiGate Protecting SSL Server profile as an inbound policy for clients on the Internet accessing the server on the internal side of the FortiGate.

Protecting SSL Server uses a server certificate to protect a single server.

If you do not want clients on the Internet to access your internal server directly, and you want the FortiGate to simulate your real server, you can use Protecting SSL Server.

To upload a server certificate into FortiGate and use that certificate in the SSL/SSH Inspection Profile:

  1. Go to System > Certificates.
  2. Select Import > Local Certificate and upload the certificate.
  3. Go to Security Profiles > SSL/SSH Inspection and select Protecting SSL Server.

When you apply this Protecting SSL Server profile in a policy, FortiGate will send the server certificate to the client as your server does.

Flow mode inspection use case

It is recommended that flow inspection is applied to policies that prioritize traffic throughput, such as allowing connections to be made towards a streaming or file server.

You have an application server which accepts connections from users for the daily quiz show app, HQ. Each HQ session sees 500,000+ participants, and speed is very important because participants have less than 10 seconds to answer the quiz show questions.

In this scenario, a flow inspection policy is recommended to prioritize throughput. The success of the application depends on providing reliable service for large numbers of concurrent users. We will apply an IPS sensor to this policy to protect the server from external DoS attacks.