OCVPN troubleshooting

This document includes troubleshooting steps for the following OCVPN network topologies:

  • Full mesh
  • Hub-spoke with ADVPN shortcut
  • Hub-spoke with inter-overlay source NAT

For OCVPN configurations in different network topologies, please refer to the other OCVPN topics.

Full mesh network topology troubleshooting

  • Branch_1 # diagnose vpn ocvpn status
Current State : Registered
Topology : Full-Mesh
Role : Spoke
Server Status : Up
Registration time : Thu Feb 28 18:42:25 2019
Update time : Thu Feb 28 15:57:18 2019
Poll time : Fri Mar 1 15:02:28 2019
  • Branch_1 # diagnose vpn ocvpn show-meta

Topology :: auto

License :: full

Members :: 3

Max-free :: 3

  • Branch_1 # diagnose vpn ocvpn show-overlays
QA
PM
  • Branch_1 # diagnose vpn ocvpn show-members
Member: { "SN": "FG100D3G15801621", "IPv4": "172.16.200.1", "port": "500", "slot": 1000, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "10.1.100.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "10.2.100.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "Name": "FortiGate-100D", "topology_role": "spoke" }
Member: { "SN": "FG900D3915800083", "IPv4": "172.16.200.4", "port": "500", "slot": 1001, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "172.16.101.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "172.16.102.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "Name": "Branch3", "topology_role": "spoke" }
Member: { "SN": "FGT51E3U16001314", "IPv4": "172.16.200.199", "port": "500", "slot": 1002, "overlay": [ { "id": 0, "name": "QA", "subnets": [ "192.168.4.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" }, { "id": 1, "name": "PM", "subnets": [ "192.168.5.0\/255.255.255.0" ], "ip_range": "0.0.0.0-0.0.0.0" } ], "Name": "Branch2", "topology_role": "spoke" }
  • Branch_1 # diagnose vpn tunnel list

list all ipsec tunnel in vd 0

——————————————————

name=_OCVPN2-3.1 ver=2 serial=4 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=13 ilast=7 olast=0 ad=/0 stat: rxp=0 txp=7 rxb=0 txb=588

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=6 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-3.1 proto=0 sa=1 ref=2 serial=8 auto-negotiate

src: 0:10.1.100.0-10.1.100.255:0 dst: 0:192.168.4.0-192.168.4.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42923/0B replaywin=2048 seqno=8 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42931/43200

dec: spi=c34bb752 esp=aes key=16 3c5ceeff3cac1eaa2702b5ccb713ab9b ah=sha1 key=20 5903e358b3d8938ee64f0412887a0fe741ccb105

enc: spi=b5bd4fe1 esp=aes key=16 8ae97a8abe24dae725d614d2a6efdcb0 ah=sha1 key=20 9ec200d9c0cef9e1b7cf76e05dbf344c70f53214

dec:pkts/bytes=0/0, enc:pkts/bytes=7/1064

proxyid=_OCVPN2-3.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-4.1 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=11 ilast=19 olast=19 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-4.1 proto=0 sa=1 ref=2 serial=7 auto-negotiate

src: 0:10.1.100.0-10.1.100.255:0 dst: 0:172.16.101.0-172.16.101.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42911/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42931/43200

dec: spi=c34bb750 esp=aes key=16 8c9844a8bcd3fda6c7bd8a4f2ec81ef1 ah=sha1 key=20 680c7144346f5b52126cbad9f325821b048c7192

enc: spi=f2d1f2d4 esp=aes key=16 f9625fc8590152829eb39eecab3a3999 ah=sha1 key=20 5df8447416da541fa54dde9fa3e5c35fbfc4723f

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

proxyid=_OCVPN2-4.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-3.2 ver=2 serial=3 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=11 ilast=6 olast=6 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-3.2 proto=0 sa=1 ref=2 serial=8 auto-negotiate

src: 0:10.2.100.0-10.2.100.255:0 dst: 0:192.168.5.0-192.168.5.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42923/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42930/43200

dec: spi=c34bb753 esp=aes key=16 58ddfad9a3699f1c49f3a9f369145c28 ah=sha1 key=20 e749c7e6a7aaff119707c792eb73cd975127873b

enc: spi=b5bd4fe2 esp=aes key=16 8f2366e653f5f9ad6587be1ce1905764 ah=sha1 key=20 5347bf24e51219d483c0f7b058eceab202026204

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

proxyid=_OCVPN2-3.2 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-4.2 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=11 ilast=17 olast=17 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-4.2 proto=0 sa=1 ref=2 serial=7 auto-negotiate

src: 0:10.2.100.0-10.2.100.255:0 dst: 0:172.16.102.0-172.16.102.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42905/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42927/43200

dec: spi=c34bb751 esp=aes key=16 41449ee5ea43d3e1f80df05fc632cd44 ah=sha1 key=20 3ca2aea1c8764f35ccf987cdeca7cf6eb54331fb

enc: spi=f2d1f2d5 esp=aes key=16 9010dd57e502c6296b27a4649a45a6ba ah=sha1 key=20 caf86a176ce04464221543f15fc3c63fc573b8ee

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

proxyid=_OCVPN2-4.2 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

  • Branch_1 # get router info routing-table all
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 172.16.200.254, port1
C       10.1.100.0/24 is directly connected, dmz
C       10.2.100.0/24 is directly connected, loop
C       11.101.1.0/24 is directly connected, wan1
C       11.102.1.0/24 is directly connected, wan2
S       172.16.101.0/24 [20/0] is directly connected, _OCVPN2-4.1
S       172.16.102.0/24 [20/0] is directly connected, _OCVPN2-4.2
C       172.16.200.0/24 is directly connected, port1
S       192.168.4.0/24 [20/0] is directly connected, _OCVPN2-3.1
S       192.168.5.0/24 [20/0] is directly connected, _OCVPN2-3.2
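The tunnel listing above is long, and two things in it matter when you triage a broken overlay: whether a phase 2 SA actually exists for the tunnel, and whether packets flow in both directions (in the sample, _OCVPN2-3.1 has encrypted 7 packets and decrypted none, which points at a return-path problem on the far side). It also prints the live ESP and AH key material on the dec:/enc: lines, so it must be redacted before it is pasted into a ticket. The helper below is an added example, not FortiOS or Fortinet code; it parses the record format shown on this page (records separated by dashed lines, name=... header with local:port->remote:port, stat: rxp/txp, sa=1 per negotiated selector, dec:pkts/bytes and enc:pkts/bytes counters), flags the two conditions, and masks the keys. The sample output is abridged from this page with placeholder keys substituted; the function names parse_tunnel_list, check_tunnels and redact_keys are this example's own.

```python
"""Triage `diagnose vpn tunnel list` output (added example, not FortiOS code)."""
import re

# Two records abridged from the page above; key material replaced with placeholders.
SAMPLE_TUNNEL_LIST = """list all ipsec tunnel in vd 0
------------------------------------------------------
name=_OCVPN2-3.1 ver=2 serial=4 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=2 child_num=0 refcnt=13 ilast=7 olast=0 ad=/0 stat: rxp=0 txp=7 rxb=0 txb=588
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=6 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-3.1 proto=0 sa=1 ref=2 serial=8 auto-negotiate
  src: 0:10.1.100.0-10.1.100.255:0 dst: 0:192.168.4.0-192.168.4.255:0
  SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42923/0B replaywin=2048 seqno=8 esn=0
  life: type=01 bytes=0/0 timeout=42931/43200
  dec: spi=c34bb752 esp=aes key=16 00112233445566778899aabbccddeeff ah=sha1 key=20 00112233445566778899aabbccddeeff00112233
  enc: spi=b5bd4fe1 esp=aes key=16 ffeeddccbbaa99887766554433221100 ah=sha1 key=20 ffeeddccbbaa99887766554433221100ffeeddcc
  dec:pkts/bytes=0/0, enc:pkts/bytes=7/1064
proxyid=_OCVPN2-3.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate
  src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=_OCVPN2-4.1 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1
proxyid_num=2 child_num=0 refcnt=11 ilast=19 olast=19 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=_OCVPN2-4.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate
  src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0
"""

RECORD_SPLIT = re.compile(r"^-{3,}\s*$", re.M)
HEADER_RE = re.compile(r"^name=(\S+) .*?(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+", re.M)
KEY_RE = re.compile(r"(\bkey=\d+) [0-9a-fA-F]+")
COUNTERS_RE = re.compile(r"dec:pkts/bytes=(\d+)/\d+, enc:pkts/bytes=(\d+)/\d+")


def redact_keys(text: str) -> str:
    """Mask ESP/AH session keys so the output can be shared safely."""
    return KEY_RE.sub(r"\1 <redacted>", text)


def parse_tunnel_list(text: str) -> list:
    """One dict per tunnel record: gateways, flags, traffic counters, SA count."""
    tunnels = []
    for chunk in RECORD_SPLIT.split(text):
        header = HEADER_RE.search(chunk)
        if not header:
            continue  # banner text before the first record

        def num(pattern: str, default: int = 0) -> int:
            m = re.search(pattern, chunk)
            return int(m.group(1)) if m else default

        counters = COUNTERS_RE.findall(chunk)  # one pair per child SA
        tunnels.append({
            "name": header.group(1),
            "local_gw": header.group(2),
            "remote_gw": header.group(3),
            "accept_traffic": num(r"accept_traffic=(\d)") == 1,
            "dpd_on": num(r"dpd: mode=\S+ on=(\d)") == 1,
            "rxp": num(r"\brxp=(\d+)"),
            "txp": num(r"\btxp=(\d+)"),
            "active_sas": len(re.findall(r"\bsa=1\b", chunk)),
            "dec_pkts": sum(int(d) for d, _ in counters),
            "enc_pkts": sum(int(e) for _, e in counters),
        })
    return tunnels


def check_tunnels(tunnels: list) -> list:
    """Return (tunnel name, finding) pairs for the conditions worth a second look."""
    findings = []
    for t in tunnels:
        if t["accept_traffic"] and t["active_sas"] == 0:
            findings.append((t["name"], "no phase 2 SA: peer unreachable, proposal mismatch, or selector never negotiated"))
        elif t["enc_pkts"] > 0 and t["dec_pkts"] == 0:
            findings.append((t["name"], "one-way traffic: encrypting but never decrypting; check the remote side's route and policy"))
        if t["accept_traffic"] and not t["dpd_on"]:
            findings.append((t["name"], "DPD is off on an active tunnel; a dead peer will not be detected"))
    return findings


if __name__ == "__main__":
    for name, finding in check_tunnels(parse_tunnel_list(SAMPLE_TUNNEL_LIST)):
        print(f"{name}: {finding}")
    print(redact_keys(SAMPLE_TUNNEL_LIST))
```

Feed it the real output with `diagnose vpn tunnel list` copied from the CLI; the one-way heuristic is only meaningful once something has tried to use the tunnel, since an idle tunnel shows 0/0 in both directions.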

Hub-Spoke OCVPN with inter-overlay source NAT

This topic provides a sample configuration of hub-spoke OCVPN with inter-overlay source NAT. By default, OCVPN isolates traffic between overlays. With nat enabled on the spokes and assign-ip enabled on the hub, traffic can cross overlays.

Inter-overlay communication means that, once assign-ip is enabled on an overlay, devices with any source address on any source interface of the spoke can reach any device in that overlay's subnets. The policy generated on the spoke matches srcintf any and srcaddr all and applies source NAT, so the set of hosts that can reach the remote overlay is every host behind the spoke, not only the hosts in the spoke's own overlay subnets; confirm that is intended before enabling it.

To enable nat, disable auto-discovery first.

License

  • Free license: Hub-spoke network topology not supported.
  • Full license: maximum of 2 hubs (10 overlays, 64 subnets per overlay) and 512 spokes (10 overlays, 16 subnets per overlay).

Prerequisites

  • All FortiGate devices must be running FortiOS version 6.2.0 or later.
  • All FortiGate devices must have Internet access.
  • All FortiGates must be registered on FortiCare by using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

OCVPN device roles

  • Primary-hub
  • Secondary-hub
  • Spoke (OCVPN default role)

Sample network topology

Sample configuration

You can only configure this feature by using the CLI.

To enable inter-overlay source NAT from CLI:

  1. Configure the primary hub, enable overlay QA, and configure assign-ip and the IP range that is handed to spokes:

config vpn ocvpn
    set status enable
    set role primary-hub
    config overlays
        edit 1
            set name "QA"
            set assign-ip enable
            set ipv4-start-ip 172.16.101.100
            set ipv4-end-ip 172.16.101.200
            config subnets
                edit 1
                    set subnet 172.16.101.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            set assign-ip enable
            config subnets
                edit 1
                    set subnet 172.16.102.0 255.255.255.0
                next
            end
        next
    end
end

  2. Configure the secondary hub:

config vpn ocvpn
    set status enable
    set role secondary-hub
end

  3. Configure Spoke1, and enable NAT on the spoke (auto-discovery must be disabled first):

config vpn ocvpn
    set status enable
    set auto-discovery disable
    set nat enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 10.1.100.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 10.2.100.0 255.255.255.0
                next
            end
        next
    end
end

  4. Configure Spoke2, and enable NAT on the spoke:

config vpn ocvpn
    set status enable
    set auto-discovery disable
    set nat enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 192.168.4.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 192.168.5.0 255.255.255.0
                next
            end
        next
    end
end

A firewall policy with NAT is generated on the spoke:

    edit 9
        set name "_OCVPN2-1.1_nat"
        set uuid 3f7a84b8-3d36-51e9-ee97-8f418c91e666
        set srcintf "any"
        set dstintf "_OCVPN2-1.1"
        set srcaddr "all"
        set dstaddr "_OCVPN2-1.1_remote_networks"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Generated by OCVPN Cloud Service."
        set nat enable
    next

Hub-spoke OCVPN with ADVPN shortcut

This topic provides a sample configuration of a hub-spoke One-Click VPN (OCVPN) with an Auto Discovery VPN (ADVPN) shortcut. OCVPN automatically detects the network topology from the members' information. To form a hub-spoke OCVPN, at least one device must announce its role as the primary hub; another device can work as the secondary hub (for redundancy), and all others function as spokes.

License

  • Free license: Hub-spoke network topology not supported.
  • Full license: maximum of 2 hubs (10 overlays, 64 subnets per overlay) and 512 spokes (10 overlays, 16 subnets per overlay).

Prerequisites

  • All FortiGates are on FortiOS version 6.2.0 or later.
  • All FortiGates must have Internet access.
  • All FortiGates must be registered on FortiCare by using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

OCVPN device roles

  • Primary hub
  • Secondary hub
  • Spoke (OCVPN default role)

Sample topology

Sample Configuration

The steps below use the following overlays and subnets for the sample configuration:

  • Primary hub:
    • Overlay name: QA. Local subnets: 172.16.101.0/24
    • Overlay name: PM. Local subnets: 172.16.102.0/24
  • Secondary hub:
    • Overlays are synced from the primary hub.
  • Spoke1:
    • Overlay name: QA. Local subnets: 10.1.100.0/24
    • Overlay name: PM. Local subnets: 10.2.100.0/24
  • Spoke2:
    • Overlay name: QA. Local interfaces: lan1
    • Overlay name: PM. Local interfaces: lan2

Before you begin, ensure all FortiGates are registered on FortiCare.

To register FortiGates on FortiCare:

  1. Go to System > Fortiguard > License Information > FortiCare Support.
  2. Select either Register or Launch Portal to register.
  3. Complete the options to register FortiGate on FortiCare.

To enable hub-spoke OCVPN through the GUI:

  1. Configure the OCVPN primary hub:
    a. Go to VPN > Overlay Controller VPN.
    b. Enable Overlay Controller VPN and select Primary Hub as the role.
    c. In the Overlays section, select Create New to create a network overlay.
    d. Enter a name and the subnets and/or internal interfaces, then select OK.
    e. Select Apply to commit the configuration.
  2. Configure the OCVPN secondary hub. Overlays are synced from the primary hub and cannot be defined on the secondary hub.
    a. Go to VPN > Overlay Controller VPN.
    b. Enable Overlay Controller VPN and select Secondary Hub as the role.
    c. Select Apply to commit the configuration.
  3. Configure the OCVPN spokes:
    a. Go to VPN > Overlay Controller VPN.
    b. Enable Overlay Controller VPN and select Spoke as the role.
    c. In the Overlays section, select Create New to create a network overlay.
    d. Enter a name and the subnets and/or internal interfaces, then select OK.
       The local subnet must be routable and the interface must have an IP address assigned; otherwise an error message appears.
    e. Select Apply to commit the configuration.

To enable hub-spoke OCVPN through the CLI:

  1. Configure the OCVPN primary hub:

config vpn ocvpn
    set status enable
    set role primary-hub
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 172.16.101.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 172.16.102.0 255.255.255.0
                next
            end
        next
    end
end

  2. Configure the OCVPN secondary hub:

config vpn ocvpn
    set status enable
    set role secondary-hub
end

  3. Configure OCVPN spoke1:

config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 10.1.100.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 10.2.100.0 255.255.255.0
                next
            end
        next
    end
end

  4. Configure OCVPN spoke2:

config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 192.168.4.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 192.168.5.0 255.255.255.0
                next
            end
        next
    end
end

Full mesh OCVPN

This topic provides an example configuration of full mesh Overlay Controller VPN (OCVPN).

OCVPN is a cloud-based solution that simplifies IPsec VPN setup. When Overlay Controller VPN is enabled, IPsec phase1-interfaces, phase2-interfaces, static routes, and firewall policies are generated automatically on all FortiGates that belong to the same community network. A community network is all FortiGates registered to FortiCare under the same FortiCare account.

If the network topology changes on any FortiGates in the community (such as changing a public IP address in DHCP mode, adding or removing protected subnets, failing over in dual WAN), the IPsec-related configuration for all devices is updated with Cloud assistance in self-learning mode. No intervention is required.

Full mesh IPsec tunnels are established between all FortiGates.

License

  • Free license: three devices in full mesh, 10 overlays, 16 subnets per overlay.
  • Full license: maximum of 16 devices, 10 overlays, 16 subnets per overlay.

Prerequisites

  • All FortiGates must be running FortiOS version 6.2.0 or later.
  • All FortiGates must have Internet access.
  • All FortiGates must be registered on FortiCare by using the same FortiCare account.

Restrictions

  • Non-root VDOMs do not support OCVPN.
  • FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

Terminology

Poll-interval Used to define how often FortiGate tries to fetch OCVPN-related data from OCVPN Cloud.
Role Used to specify the device OCVPN role of spoke, primary-hub, or secondary-hub.
Overlay Used to define network overlays and bind to subnets.
Subnet Internal network subnet (IPsec-protected subnet). Traffic sourced from or destined to this subnet enters the IPsec tunnel and is encrypted under the IPsec SA.

Sample Topology

The following shows an example of three FortiGate units registered on FortiCare by using the same FortiCare account. Each FortiGate unit has one internal subnet, and no NAT exists between these three FortiGate units.

Sample configuration

The steps below use the following overlays and subnets for the sample configuration:

  • Branch1:
    • Overlay name: QA. Local subnets: 10.1.100.0/24
    • Overlay name: PM. Local subnets: 10.2.100.0/24
  • Branch2:
    • Overlay name: QA. Local interfaces: lan1
    • Overlay name: PM. Local interfaces: lan2
  • Branch3:
    • Overlay name: QA. Local subnets: 172.16.101.0/24
    • Overlay name: PM. Local subnets: 172.16.102.0/24

Before you begin, ensure all FortiGates are registered on FortiCare.

To register FortiGates on FortiCare:

  1. Go to System > Fortiguard > License Information > FortiCare Support.
  2. Select Register or Launch Portal to register.
  3. Complete the options to register FortiGate on FortiCare.

To enable OCVPN using the GUI:

  1. Go to VPN > Overlay Controller VPN.
  2. Create the first overlay by setting the following options and clicking OK:
    a. Beside Status, click Enabled.
    b. Beside Role, click Spoke.
    c. In the Overlays section, click Create New to create a network overlay.
    d. In the Name box, type a name, and input the subnets and/or choose internal interfaces.
       The local subnet must be routable, and interfaces must have assigned IP addresses; otherwise an error message displays.
  3. Repeat step 2 until you have created all the needed overlays.

To enable OCVPN using the CLI:

  1. Ensure all FortiGates are registered on FortiCare.
  2. Configure Branch1:

config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 10.1.100.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 10.2.100.0 255.255.255.0
                next
            end
        next
    end
end

  3. Configure Branch2 (its overlays are bound to interfaces instead of subnets):

config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set type interface
                    set interface "lan1"
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set type interface
                    set interface "lan2"
                next
            end
        next
    end
end

  4. Configure Branch3:

config vpn ocvpn
    set status enable
    config overlays
        edit 1
            set name "QA"
            config subnets
                edit 1
                    set subnet 172.16.101.0 255.255.255.0
                next
            end
        next
        edit 2
            set name "PM"
            config subnets
                edit 1
                    set subnet 172.16.102.0 255.255.255.0
                next
            end
        next
    end
end
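The license limits stated in this topic and in the hub-spoke topics above (free: 3 full-mesh devices; full: 16 full-mesh devices, or 2 hubs plus 512 spokes; 10 overlays; 16 subnets per overlay, 64 on a hub) are enforced by the cloud service only after every device has registered, and a protected subnet that overlaps another member's subnet in the same overlay cannot be routed on both sides because each remote subnet becomes a static route over a tunnel interface. The script below is an added pre-flight check, not Fortinet code; it takes a planned community as a list of members (name, role, overlays with their subnets) and reports limit violations, a secondary hub that defines its own overlays, malformed subnets, and cross-member overlaps. The sample plan is this page's three-branch full mesh, with Branch2's lan1/lan2 represented by the subnets the show-members output reports for it; the LICENSE_LIMITS table, the member-dict layout and validate_community are this example's own.

```python
"""Pre-flight check for an OCVPN community plan (added example, not FortiOS code)."""
import ipaddress
from collections import defaultdict

# Limits as stated on this page for FortiOS 6.2 OCVPN.
LICENSE_LIMITS = {
    "full-mesh-free": {"devices": 3, "hubs": 0, "overlays": 10, "subnets_per_overlay": 16},
    "full-mesh-full": {"devices": 16, "hubs": 0, "overlays": 10, "subnets_per_overlay": 16},
    # hub-spoke needs the full license: 2 hubs (64 subnets per overlay) + 512 spokes (16 per overlay)
    "hub-spoke-full": {"devices": 514, "hubs": 2, "overlays": 10, "subnets_per_overlay": 16,
                       "hub_subnets_per_overlay": 64},
}

# The three-branch full mesh from this page. Branch2 binds interfaces lan1/lan2;
# the subnets listed here are the ones show-members reports for those interfaces.
SAMPLE_FULL_MESH = [
    {"name": "Branch1", "role": "spoke", "overlays": {"QA": ["10.1.100.0/24"], "PM": ["10.2.100.0/24"]}},
    {"name": "Branch2", "role": "spoke", "overlays": {"QA": ["192.168.4.0/24"], "PM": ["192.168.5.0/24"]}},
    {"name": "Branch3", "role": "spoke", "overlays": {"QA": ["172.16.101.0/24"], "PM": ["172.16.102.0/24"]}},
]


def validate_community(members: list, license_kind: str) -> list:
    """Return a list of problem strings; an empty list means the plan fits."""
    lim = LICENSE_LIMITS[license_kind]
    problems = []

    hubs = [m for m in members if m["role"] in ("primary-hub", "secondary-hub")]
    if len(members) > lim["devices"]:
        problems.append(f"{len(members)} devices exceeds the {license_kind} limit of {lim['devices']}")
    if hubs and lim["hubs"] == 0:
        problems.append(f"{license_kind} does not support a hub-spoke topology")
    elif len(hubs) > lim["hubs"]:
        problems.append(f"{len(hubs)} hubs exceeds the limit of {lim['hubs']}")
    if hubs and sum(m["role"] == "primary-hub" for m in hubs) != 1:
        problems.append("a hub-spoke community needs exactly one primary-hub")
    for m in hubs:
        if m["role"] == "secondary-hub" and m["overlays"]:
            problems.append(f"{m['name']}: overlays are synced from the primary hub and cannot be defined on a secondary hub")

    overlay_names = set()
    per_overlay = defaultdict(list)  # overlay name -> [(member name, ip_network)]
    for m in members:
        is_hub = m["role"] != "spoke"
        max_subnets = lim.get("hub_subnets_per_overlay", lim["subnets_per_overlay"]) if is_hub else lim["subnets_per_overlay"]
        for overlay, subnets in m["overlays"].items():
            overlay_names.add(overlay)
            if len(subnets) > max_subnets:
                problems.append(f"{m['name']}/{overlay}: {len(subnets)} subnets exceeds {max_subnets}")
            for cidr in subnets:
                try:
                    # strict=True rejects a host address written as a subnet, e.g. 10.1.100.1/24
                    per_overlay[overlay].append((m["name"], ipaddress.ip_network(cidr, strict=True)))
                except ValueError as exc:
                    problems.append(f"{m['name']}/{overlay}: bad subnet {cidr} ({exc})")
    if len(overlay_names) > lim["overlays"]:
        problems.append(f"{len(overlay_names)} overlays exceeds the limit of {lim['overlays']}")

    # Every member installs a static route for each other member's subnet over the
    # tunnel to that member, so overlapping subnets from two members cannot both win.
    for overlay, entries in per_overlay.items():
        for i, (owner_a, net_a) in enumerate(entries):
            for owner_b, net_b in entries[i + 1:]:
                if owner_a != owner_b and net_a.overlaps(net_b):
                    problems.append(f"{overlay}: {owner_a} {net_a} overlaps {owner_b} {net_b}")
    return problems


if __name__ == "__main__":
    print(validate_community(SAMPLE_FULL_MESH, "full-mesh-free") or "plan OK")
```

Run it against the planned member list before registering devices; the same check applies to a hub-spoke plan by setting the roles to primary-hub, secondary-hub and spoke and using the hub-spoke-full limits.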

ADVPN with RIP as the routing protocol

This recipe provides a sample configuration of ADVPN with RIP as the routing protocol. The following options are required for this configuration:

  • On the hub FortiGate, the IPsec phase1-interface must have net-device disable.
  • RIP must be used between the hub and spoke FortiGates.
  • split-horizon-status disable must be set on the hub FortiGate's tunnel interface under config router rip, because all spokes terminate on the same dynamic tunnel interface and the hub must re-advertise one spoke's prefixes to the other spokes out of that interface.

The following shows the sample network topology for this recipe:

As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the CLI commands as shown below.

To configure ADVPN with RIP as the routing protocol using the FortiOS CLI:

  1. In the FortiOS CLI, configure the hub FortiGate's WAN interface, internal interface, and static route:

config system interface
    edit "port9"
        set alias "WAN"
        set ip 22.1.1.1 255.255.255.0
    next
    edit "port10"
        set alias "Internal"
        set ip 172.16.101.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 22.1.1.2
        set device "port9"
    next
end

  2. Configure the hub FortiGate:
    a. Configure the hub FortiGate IPsec phase1-interface and phase2-interface:

config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "port9"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set tunnel-search nexthop
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "advpn-hub"
        set phase1name "advpn-hub"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    next
end

       The pre-shared key sample and the 3DES and SHA1 proposals are lab placeholders; in production use a strong, unique pre-shared key (or certificate authentication) and keep only the AES/SHA-256 proposals.

    b. Configure the hub FortiGate firewall policy:

config firewall policy
    edit 1
        set name "spoke2hub"
        set srcintf "advpn-hub"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "spoke2spoke"
        set srcintf "advpn-hub"
        set dstintf "advpn-hub"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

    c. Configure the hub FortiGate's IPsec tunnel interface IP address (the interface name is the phase1-interface name):

config system interface
    edit "advpn-hub"
        set ip 10.10.10.254 255.255.255.255
        set remote-ip 10.10.10.253 255.255.255.0
    next
end

    d. Configure the hub FortiGate's RIP:

config router rip
    set default-information-originate enable
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 172.16.101.0 255.255.255.0
        next
    end
    config interface
        edit "advpn-hub"
            set split-horizon-status disable
        next
    end
end
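The split-horizon-status disable line on the hub's tunnel interface is the one setting in this recipe that is easy to drop and hard to diagnose. With net-device disable, every spoke terminates on the single advpn-hub interface, so RIP's split-horizon rule (never advertise a route back out of the interface it was learned on) would stop the hub from telling Spoke1 about Spoke2's 192.168.4.0/24, and the spoke-to-spoke route that the shortcut later needs would never exist. The simulation below is an added illustration, not FortiOS code: a minimal distance-vector exchange over this page's three routers (hub, spoke1, spoke2, with the page's prefixes and tunnel interface names), run once with split horizon on and once with it off on the hub. Router, build_topology, advertisement, converge and spoke1_rip_metrics are this example's own names; RIP semantics follow RFC 2453 (connected routes at metric 1, +1 per hop, 16 is unreachable).

```python
"""Why the ADVPN hub interface needs split-horizon-status disable (added example)."""
from dataclasses import dataclass, field

RIP_INFINITY = 16


@dataclass
class Router:
    name: str
    # prefix -> (metric, interface the route was learned on; None = connected)
    table: dict = field(default_factory=dict)
    # local interface -> names of neighbours reachable through it
    links: dict = field(default_factory=dict)
    # local interface -> split horizon enabled on that interface?
    split_horizon: dict = field(default_factory=dict)

    def ingress_interface(self, neighbour: str) -> str:
        """Interface on which this router hears a given neighbour."""
        return next(iface for iface, peers in self.links.items() if neighbour in peers)


def build_topology(hub_split_horizon: bool) -> dict:
    """This page's topology: both spokes hang off the hub's one advpn-hub interface."""
    hub = Router("hub", {"172.16.101.0/24": (1, None), "10.10.10.0/24": (1, None)},
                 {"advpn-hub": ["spoke1", "spoke2"]}, {"advpn-hub": hub_split_horizon})
    spoke1 = Router("spoke1", {"10.1.100.0/24": (1, None), "10.10.10.0/24": (1, None)},
                    {"spoke1": ["hub"]}, {"spoke1": True})
    spoke2 = Router("spoke2", {"192.168.4.0/24": (1, None), "10.10.10.0/24": (1, None)},
                    {"spoke2": ["hub"]}, {"spoke2": True})
    return {r.name: r for r in (hub, spoke1, spoke2)}


def advertisement(router: Router, iface: str) -> dict:
    """Routes announced out of one interface; split horizon drops routes learned on it."""
    return {prefix: metric for prefix, (metric, via) in router.table.items()
            if not (router.split_horizon[iface] and via == iface)}


def converge(routers: dict, max_rounds: int = 10) -> dict:
    """Exchange updates until no table changes (Bellman-Ford style)."""
    for _ in range(max_rounds):
        changed = False
        for name, sender in routers.items():
            for iface, neighbours in sender.links.items():
                update = advertisement(sender, iface)
                for nb_name in neighbours:
                    receiver = routers[nb_name]
                    in_iface = receiver.ingress_interface(name)
                    for prefix, metric in update.items():
                        new_metric = metric + 1
                        current = receiver.table.get(prefix)
                        if new_metric < RIP_INFINITY and (current is None or new_metric < current[0]):
                            receiver.table[prefix] = (new_metric, in_iface)
                            changed = True
        if not changed:
            break
    return routers


def spoke1_rip_metrics(hub_split_horizon: bool) -> dict:
    """prefix -> RIP metric in spoke1's table after convergence."""
    routers = converge(build_topology(hub_split_horizon))
    return {prefix: metric for prefix, (metric, _) in routers["spoke1"].table.items()}


if __name__ == "__main__":
    for setting in (True, False):
        label = "enable" if setting else "disable"
        print(f"hub split-horizon-status {label}: {spoke1_rip_metrics(setting)}")
```

With the hub's split horizon disabled, spoke1 ends up with 172.16.101.0/24 at metric 2 and 192.168.4.0/24 at metric 3, which is what the [120/2] and [120/3] entries in the get router info routing-table rip output further down show before the shortcut forms; with it enabled, 192.168.4.0/24 never reaches spoke1 at all.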

  3. Configure the spoke FortiGates:
    a. Configure the spoke FortiGates' WAN interfaces, internal interfaces, and static routes:
      i. Configure Spoke1:

config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 15.1.1.2 255.255.255.0
    next
    edit "wan2"
        set alias "secondary_WAN"
        set ip 12.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 10.1.100.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 12.1.1.1
        set device "wan2"
        set distance 15
    next
    edit 2
        set gateway 15.1.1.1
        set device "wan1"
    next
end

      ii. Configure Spoke2:

config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 13.1.1.2 255.255.255.0
    next
    edit "wan2"
        set alias "secondary_WAN"
        set ip 17.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 192.168.4.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 17.1.1.1
        set device "wan2"
        set distance 15
    next
    edit 2
        set gateway 13.1.1.1
        set device "wan1"
    next
end

    b. Configure the spoke FortiGates' IPsec phase1-interface and phase2-interface:
      i. Configure Spoke1:

config vpn ipsec phase1-interface
    edit "spoke1"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
    edit "spoke1_backup"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set monitor "spoke1"
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke1"
        set phase1name "spoke1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "spoke1_backup"
        set phase1name "spoke1_backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

      ii. Configure Spoke2:

config vpn ipsec phase1-interface
    edit "spoke2"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
    edit "spoke2_backup"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set monitor "spoke2"
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke2"
        set phase1name "spoke2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "spoke2_backup"
        set phase1name "spoke2_backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

    c. Configure the spoke FortiGates' firewall policies:
      i. Configure Spoke1:

config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke1" "spoke1_backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke1" "spoke1_backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

      ii. Configure Spoke2:

config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke2" "spoke2_backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke2" "spoke2_backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

    d. Configure the spoke FortiGates' tunnel interface IP addresses:
      i. Configure Spoke1:

config system interface
    edit "spoke1"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
    edit "spoke1_backup"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end

      ii. Configure Spoke2:

config system interface
    edit "spoke2"
        set ip 10.10.10.3 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
    edit "spoke2_backup"
        set ip 10.10.10.4 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end

    e. Configure the spoke FortiGates' RIP:
      i. Configure Spoke1:

config router rip
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 10.1.100.0 255.255.255.0
        next
    end
end

      ii. Configure Spoke2:

config router rip
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.4.0 255.255.255.0
        next
    end
end

  4. Run diagnose and get commands. All of the following commands are run on Spoke1:
    a. Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=1 refcnt=17 ilast=2 olast=2 ad=r/2 stat: rxp=1 txp=87 rxb=200 txb=6208
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=1040 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1 proto=0 sa=1 ref=4 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=7 options=1a227 type=00 soft=0 mtu=1438 expire=1793/0B replaywin=1024 seqno=57 esn=0 replaywin_lastseq=00000002 itn=0
  life: type=01 bytes=0/0 timeout=2370/2400
  dec: spi=c53a8f60 esp=aes key=16 6b54e32d54d039196a74d96e96d1cf14 ah=sha1 key=20 e4903474614eafc96eda6400a3a5e88bbcb26a7f
  enc: spi=6e36349d esp=aes key=16 914a40a7993eda75c4dea2f42905f27d ah=sha1 key=20 8040eb08342edea2dae5eee058fd054a46688267
  dec:pkts/bytes=1/132, enc:pkts/bytes=86/11696
  npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=11 ilast=0 olast=0 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

    b. Run the get router info rip database command on Spoke1. The system should return the following:

Codes: R - RIP, Rc - RIP connected, Rs - RIP static, K - Kernel, C - Connected, S - Static, O - OSPF, I - IS-IS, B - BGP

     Network            Next Hop        Metric  From            If        Time
Rc   10.1.100.0/24                      1                       internal
Rc   10.10.10.2/32                      1                       spoke1
R    172.16.101.0/24    10.10.10.254    1       10.10.10.254    spoke1    02:28
R    192.168.4.0/24     10.10.10.254    1       10.10.10.254    spoke1    02:44

    c. Run the get router info routing-table rip command on Spoke1. The system should return the following:

Routing table for VRF=0
R       172.16.101.0/24 [120/2] via 10.10.10.254, spoke1, 00:08:38
R       192.168.4.0/24 [120/3] via 10.10.10.254, spoke1, 00:08:38

    d. Generate traffic between the spokes, then check the shortcut tunnel and routing table. Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=0 refcnt=19 ilast=3 olast=3 ad=r/2 stat: rxp=1 txp=78 rxb=200 txb=5546
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=1039 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=7 options=1a227 type=00 soft=0 mtu=1438 expire=1807/0B replaywin=1024 seqno=4e esn=0 replaywin_lastseq=00000002 itn=0
  life: type=01 bytes=0/0 timeout=2370/2400
  dec: spi=c53a8f60 esp=aes key=16 6b54e32d54d039196a74d96e96d1cf14 ah=sha1 key=20 e4903474614eafc96eda6400a3a5e88bbcb26a7f
  enc: spi=6e36349d esp=aes key=16 914a40a7993eda75c4dea2f42905f27d ah=sha1 key=20 8040eb08342edea2dae5eee058fd054a46688267
  dec:pkts/bytes=1/132, enc:pkts/bytes=77/10456
  npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1
------------------------------------------------------
name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0
proxyid_num=1 child_num=0 refcnt=11 ilast=20 olast=20 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0
proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
------------------------------------------------------
name=spoke1_0 ver=1 serial=a 15.1.1.2:4500->13.1.1.2:4500
bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1
parent=spoke1 index=0
proxyid_num=1 child_num=0 refcnt=20 ilast=2 olast=0 ad=r/2 stat: rxp=1 txp=7 rxb=112 txb=480
dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=0 natt: mode=keepalive draft=32 interval=10 remote_port=4500
proxyid=spoke1 proto=0 sa=1 ref=8 serial=1 auto-negotiate adr
  src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=1a227 type=00 soft=0 mtu=1422 expire=2358/0B replaywin=1024 seqno=8 esn=0 replaywin_lastseq=00000002 itn=0
  life: type=01 bytes=0/0 timeout=2367/2400
  dec: spi=c53a8f61 esp=aes key=16 c66aa7ae9657068108ed47c048ff56b6 ah=sha1 key=20 60661c68e20bbc913c2564ade85e01ea3769e703
  enc: spi=79cb0f30 esp=aes key=16 bf6c898c2e1c64baaa679ed5d79c3b58 ah=sha1 key=20 146ca78be6c34eedb9cd66cc328216e08682ecb1
  dec:pkts/bytes=1/46, enc:pkts/bytes=7/992
  npu_flag=03 npu_rgwy=13.1.1.2 npu_lgwy=15.1.1.2 npu_selid=6 dec_npuid=1 enc_npuid=1

       The spoke1_0 entry is the ADVPN shortcut: a dial-up instance (mode=dial_inst, parent=spoke1) negotiated directly with Spoke2's WAN address 13.1.1.2 over NAT-T on UDP 4500.

    e. Run the get router info routing-table rip command. The system should return the following:

Routing table for VRF=0
R       172.16.101.0/24 [120/2] via 10.10.10.254, spoke1, 00:09:04
R       192.168.4.0/24 [120/2] via 10.10.10.3, spoke1_0, 00:00:02

       The route to 192.168.4.0/24 now points at Spoke2's tunnel address 10.10.10.3 over the shortcut interface spoke1_0, one hop shorter than the path through the hub.

ADVPN with OSPF as the routing protocol

This recipe provides sample configuration of ADVPN with OSPF as the routing protocol. The following options must be enabled for this configuration:

  • On the hub FortiGate, the IPsec phase1-interface must be configured with set net-device enable.
  • OSPF must be used between the hub and spoke FortiGates.

The following shows the sample network topology for this recipe:

As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the CLI commands as shown below.

To configure ADVPN with OSPF as the routing protocol using the FortiOS CLI:

  1. In the FortiOS CLI, configure the hub FortiGate's WAN interface, internal interface, and static route:

config system interface
    edit "port9"
        set alias "WAN"
        set ip 22.1.1.1 255.255.255.0
    next
    edit "port10"
        set alias "Internal"
        set ip 172.16.101.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 22.1.1.2
        set device "port9"
    next
end

  2. Configure the hub FortiGate:
     a. Configure the hub FortiGate's IPsec phase1-interface and phase2-interface. The psksecret value sample is a placeholder; use a long, random pre-shared key in production. The 3des-sha1 and 3des-sha256 entries are listed only because the sample recipe includes them; the spokes below do not offer 3DES, so it is never negotiated, and it should be removed from the hub as well:

config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "port9"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set tunnel-search nexthop
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "advpn-hub"
        set phase1name "advpn-hub"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    next
end

     b. Configure the hub FortiGate firewall policies. The spoke2spoke policy (advpn-hub to advpn-hub) is what allows spoke-to-spoke traffic to transit the hub until a shortcut is built; 172.16.101.0 is a firewall address object for the hub's internal subnet and must already exist:

config firewall policy
    edit 1
        set name "spoke2hub"
        set srcintf "advpn-hub"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "spoke2spoke"
        set srcintf "advpn-hub"
        set dstintf "advpn-hub"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

     c. Configure the hub FortiGate's IPsec tunnel interface IP address. The tunnel interface carries the name of the phase1-interface that created it (advpn-hub):

config system interface
    edit "advpn-hub"
        set ip 10.10.10.254 255.255.255.255
        set remote-ip 10.10.10.253 255.255.255.0
    next
end

     d. Configure the hub FortiGate's OSPF:

config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 172.16.101.0 255.255.255.0
        next
    end
end

  3. Configure the spoke FortiGates:
     a. Configure the spoke FortiGates' WAN interfaces, internal interfaces, and static routes:
        i. Configure Spoke1:

config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 15.1.1.2 255.255.255.0
    next
    edit "wan2"
        set alias "secondary_WAN"
        set ip 12.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 10.1.100.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 12.1.1.1
        set device "wan2"
        set distance 15
    next
    edit 2
        set gateway 15.1.1.1
        set device "wan1"
    next
end

        ii. Configure Spoke2:

config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 13.1.1.2 255.255.255.0
    next
    edit "wan2"
        set alias "secondary_WAN"
        set ip 17.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 192.168.4.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 17.1.1.1
        set device "wan2"
        set distance 15
    next
    edit 2
        set gateway 13.1.1.1
        set device "wan1"
    next
end

     b. Configure the spoke FortiGates' IPsec phase1-interface and phase2-interface. On each spoke, set monitor "<primary tunnel>" makes the backup tunnel a standby that is only negotiated when the primary tunnel goes down, which is why the diagnostics below show spoke1_backup with sa=0 and accept_traffic=0:
        i. Configure Spoke1:

config vpn ipsec phase1-interface
    edit "spoke1"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
    edit "spoke1_backup"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set monitor "spoke1"
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke1"
        set phase1name "spoke1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "spoke1_backup"
        set phase1name "spoke1_backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

        ii. Configure Spoke2:

config vpn ipsec phase1-interface
    edit "spoke2"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
    edit "spoke2_backup"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set monitor "spoke2"
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke2"
        set phase1name "spoke2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "spoke2_backup"
        set phase1name "spoke2_backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

     c. Configure the spoke FortiGates' firewall policies:
        i. Configure Spoke1:

config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke1" "spoke1_backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke1" "spoke1_backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

        ii. Configure Spoke2:

config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke2" "spoke2_backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke2" "spoke2_backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

     d. Configure the spoke FortiGates' tunnel interface IP addresses:
        i. Configure Spoke1:

config system interface
    edit "spoke1"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
    edit "spoke1_backup"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end

        ii. Configure Spoke2:

config system interface
    edit "spoke2"
        set ip 10.10.10.3 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
    edit "spoke2_backup"
        set ip 10.10.10.4 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end

     e. Configure the spoke FortiGates' OSPF:
        i. Configure Spoke1:

config router ospf
    set router-id 7.7.7.7
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 10.1.100.0 255.255.255.0
        next
    end
end

        ii. Configure Spoke2:

config router ospf
    set router-id 8.8.8.8
    config area
        edit 0.0.0.0
        next
    end
    config network
        edit 1
            set prefix 10.10.10.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.4.0 255.255.255.0
        next
    end
end

  4. Run diagnose and get commands to check the VPN and OSPF states. All of the following commands are run on Spoke1. Note that diagnose vpn tunnel list prints the live ESP encryption and authentication keys of every SA (the dec: and enc: lines); treat the output as sensitive and redact those values before pasting it into a ticket or sharing it.
     a. Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:

list all ipsec tunnel in vd 0

—-

name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0

bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=19 ilast=5 olast=2 ad=r/2 stat: rxp=1 txp=263 rxb=16452 txb=32854

dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2283 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=spoke1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=1057/0B replaywin=1024 seqno=108 esn=0 replaywin_lastseq=00000003 itn=0

life: type=01 bytes=0/0 timeout=2371/2400

dec: spi=c53a8f78 esp=aes key=16 7cc50c5c9df1751f6497a4ad764c5e9a ah=sha1 key=20 269292ddbf7309a6fc05871e63ed8a5297b5c9a1

enc: spi=6e363612 esp=aes key=16 42bd49bced1e85cf74a24d97f10eb601 ah=sha1 key=20 13964f166aad48790c2e551d6df165d7489f524b

dec:pkts/bytes=1/16394, enc:pkts/bytes=263/50096

npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1

—-

name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0

bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

     b. Run the get router info ospf neighbor command on Spoke1. The system should return the following:

OSPF process 0, VRF 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
8.8.8.8           1   Full/ -         00:00:35    10.10.10.254    spoke1
1.1.1.1           1   Full/ -         00:00:35    10.10.10.254    spoke1

     c. Run the get router info routing-table ospf command on Spoke1. Before any spoke-to-spoke traffic, both remote subnets are reached via the hub (10.10.10.254):

Routing table for VRF=0

O      172.16.101.0/24 [110/110] via 10.10.10.254, spoke1, 00:23:23

O       192.168.4.0/24 [110/110] via 10.10.10.254, spoke1, 00:22:35

     d. Generate traffic between the spokes, then check the shortcut tunnel and routing table. Run the diagnose vpn tunnel list command on Spoke1. A third entry, spoke1_0 with mode=dial_inst and parent=spoke1, is the shortcut built directly to Spoke2 (13.1.1.2):

list all ipsec tunnel in vd 0

——-

name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0

bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=19 ilast=2 olast=2 ad=r/2 stat: rxp=1 txp=313 rxb=16452 txb=35912

dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2303 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=spoke1 proto=0 sa=1 ref=3 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=782/0B replaywin=1024 seqno=13a esn=0 replaywin_lastseq=00000003 itn=0

life: type=01 bytes=0/0 timeout=2371/2400

dec: spi=c53a8f78 esp=aes key=16 7cc50c5c9df1751f6497a4ad764c5e9a ah=sha1 key=20 269292ddbf7309a6fc05871e63ed8a5297b5c9a1

enc: spi=6e363612 esp=aes key=16 42bd49bced1e85cf74a24d97f10eb601 ah=sha1 key=20 13964f166aad48790c2e551d6df165d7489f524b

dec:pkts/bytes=1/16394, enc:pkts/bytes=313/56432

npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1

—-

name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0

bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=11 ilast=13 olast=13 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

—-

name=spoke1_0 ver=1 serial=e 15.1.1.2:4500->13.1.1.2:4500

bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1

parent=spoke1 index=0

proxyid_num=1 child_num=0 refcnt=19 ilast=4 olast=2 ad=r/2 stat: rxp=641 txp=1254 rxb=278648 txb=161536

dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=184 natt: mode=keepalive draft=32 interval=10 remote_port=4500

proxyid=spoke1_backup proto=0 sa=1 ref=10 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=1a227 type=00 soft=0 mtu=1422 expire=922/0B replaywin=1024 seqno=452 esn=0 replaywin_lastseq=00000280 itn=0

life: type=01 bytes=0/0 timeout=2370/2400

dec: spi=c53a8f79 esp=aes key=16 324f8cf840ba6722cc7abbba46b34e0e ah=sha1 key=20 a40e9aac596b95c4cd83a7f6372916a5ef5aa505

enc: spi=ef3327b5 esp=aes key=16 5909d6066b303de4520d2b5ae2db1b61 ah=sha1 key=20 1a42f5625b5a335d8d5282fe83b5d6c6ff26b2a4

dec:pkts/bytes=641/278568, enc:pkts/bytes=1254/178586

npu_flag=03 npu_rgwy=13.1.1.2 npu_lgwy=15.1.1.2 npu_selid=a dec_npuid=1 enc_npuid=1

     e. Run the get router info routing-table ospf command on Spoke1. The route to Spoke2's subnet now points at the shortcut interface spoke1_0, with Spoke2's tunnel address as the next hop instead of the hub:

Routing table for VRF=0

O      172.16.101.0/24 [110/110] via 10.10.10.254, spoke1, 00:27:14

O       192.168.4.0/24 [110/110] via 10.10.10.3, spoke1_0, 00:26:26

ADVPN with BGP as the routing protocol

This recipe provides sample configuration of ADVPN with BGP as the routing protocol. The following options must be enabled for this configuration:

  • On the hub FortiGate, the IPsec phase1-interface must be configured with set net-device disable.
  • IBGP must be used between the hub and spoke FortiGates.
  • BGP neighbor-group and neighbor-range must be used on the hub.

The following shows the sample network topology for this recipe:

As only partial configuration can be completed from the GUI, it is recommended to achieve this configuration via the CLI commands as shown below.

To configure ADVPN with BGP as the routing protocol using the FortiOS CLI:

  1. In the FortiOS CLI, configure the hub FortiGate's WAN interface, internal interface, and static route:

config system interface
    edit "port9"
        set alias "WAN"
        set ip 22.1.1.1 255.255.255.0
    next
    edit "port10"
        set alias "Internal"
        set ip 172.16.101.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 22.1.1.2
        set device "port9"
    next
end

  2. Configure the hub FortiGate:
     a. Configure the hub FortiGate's IPsec phase1-interface and phase2-interface. With set net-device disable, all spokes terminate on the single advpn-hub tunnel interface, and the BGP neighbor-range in step 2d covers their tunnel addresses instead of one neighbor per spoke:

config vpn ipsec phase1-interface
    edit "advpn-hub"
        set type dynamic
        set interface "port9"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set tunnel-search nexthop
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "advpn-hub"
        set phase1name "advpn-hub"
        set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
    next
end

     b. Configure the hub FortiGate firewall policies:

config firewall policy
    edit 1
        set name "spoke2hub"
        set srcintf "advpn-hub"
        set dstintf "port10"
        set srcaddr "all"
        set dstaddr "172.16.101.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "spoke2spoke"
        set srcintf "advpn-hub"
        set dstintf "advpn-hub"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

     c. Configure the hub FortiGate's IPsec tunnel interface IP address. The tunnel interface carries the name of the phase1-interface that created it (advpn-hub):

config system interface
    edit "advpn-hub"
        set ip 10.10.10.254 255.255.255.255
        set remote-ip 10.10.10.253 255.255.255.0
    next
end

     d. Configure the hub FortiGate's BGP:

config router bgp
    set as 65412
    config neighbor-group
        edit "advpn"
            set link-down-failover enable
            set remote-as 65412
            set route-reflector-client enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.10.10.0 255.255.255.0
            set neighbor-group "advpn"
        next
    end
    config network
        edit 1
            set prefix 172.16.101.0 255.255.255.0
        next
    end
end

  3. Configure the spoke FortiGates:
     a. Configure the spoke FortiGates' WAN interfaces, internal interfaces, and static routes:
        i. Configure Spoke1:

config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 15.1.1.2 255.255.255.0
    next
    edit "wan2"
        set alias "secondary_WAN"
        set ip 12.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 10.1.100.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 12.1.1.1
        set device "wan2"
        set distance 15
    next
    edit 2
        set gateway 15.1.1.1
        set device "wan1"
    next
end

        ii. Configure Spoke2:

config system interface
    edit "wan1"
        set alias "primary_WAN"
        set ip 13.1.1.2 255.255.255.0
    next
    edit "wan2"
        set alias "secondary_WAN"
        set ip 17.1.1.2 255.255.255.0
    next
    edit "internal"
        set ip 192.168.4.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 17.1.1.1
        set device "wan2"
        set distance 15
    next
    edit 2
        set gateway 13.1.1.1
        set device "wan1"
    next
end

     b. Configure the spoke FortiGates' IPsec phase1-interface and phase2-interface:
        i. Configure Spoke1:

config vpn ipsec phase1-interface
    edit "spoke1"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
    edit "spoke1_backup"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set monitor "spoke1"
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke1"
        set phase1name "spoke1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "spoke1_backup"
        set phase1name "spoke1_backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

        ii. Configure Spoke2:

config vpn ipsec phase1-interface
    edit "spoke2"
        set interface "wan1"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set psksecret sample
        set dpd-retryinterval 5
    next
    edit "spoke2_backup"
        set interface "wan2"
        set peertype any
        set net-device enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 22.1.1.1
        set monitor "spoke2"
        set psksecret sample
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "spoke2"
        set phase1name "spoke2"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
    edit "spoke2_backup"
        set phase1name "spoke2_backup"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end

     c. Configure the spoke FortiGates' firewall policies:
        i. Configure Spoke1:

config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke1" "spoke1_backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke1" "spoke1_backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

        ii. Configure Spoke2:

config firewall policy
    edit 1
        set name "outbound_advpn"
        set srcintf "internal"
        set dstintf "spoke2" "spoke2_backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "inbound_advpn"
        set srcintf "spoke2" "spoke2_backup"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

     d. Configure the spoke FortiGates' tunnel interface IP addresses:
        i. Configure Spoke1:

config system interface
    edit "spoke1"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
    edit "spoke1_backup"
        set ip 10.10.10.2 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end

        ii. Configure Spoke2:

config system interface
    edit "spoke2"
        set ip 10.10.10.3 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
    edit "spoke2_backup"
        set ip 10.10.10.4 255.255.255.255
        set remote-ip 10.10.10.254 255.255.255.0
    next
end

     e. Configure the spoke FortiGates' BGP:
        i. Configure Spoke1:

config router bgp
    set as 65412
    config neighbor
        edit "10.10.10.254"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
    config network
        edit 1
            set prefix 10.1.100.0 255.255.255.0
        next
    end
end

        ii. Configure Spoke2:

config router bgp
    set as 65412
    config neighbor
        edit "10.10.10.254"
            set advertisement-interval 1
            set link-down-failover enable
            set remote-as 65412
        next
    end
    config network
        edit 1
            set prefix 192.168.4.0 255.255.255.0
        next
    end
end

  4. Run diagnose and get commands to check the VPN and BGP states. All of the following commands are run on Spoke1:
     a. Run the diagnose vpn tunnel list command on Spoke1. The system should return the following:

list all ipsec tunnel in vd 0

—-

name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0

bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=19 ilast=1 olast=1 ad=r/2 stat: rxp=1 txp=160 rxb=16428 txb=8969

dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=628 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=spoke1 proto=0 sa=1 ref=6 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=1225/0B replaywin=1024 seqno=a1 esn=0 replaywin_lastseq=00000002 itn=0

life: type=01 bytes=0/0 timeout=2369/2400

dec: spi=c53a8f5b esp=aes key=16 cbe88682ad896a69290027b6dd8f7162 ah=sha1 key=20 7bb704b388f83783ac76c2ab0b6c9f7dcf78e93b

enc: spi=6e3633fc esp=aes key=16 1a0da3f4deed3d16becc9dda57537355 ah=sha1 key=20 368544044bd9b82592d72476ff93d5055056da8d

dec:pkts/bytes=1/16364, enc:pkts/bytes=160/19168

npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1

—-

name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0

bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=11 ilast=0 olast=0 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

     b. Run the get router info bgp summary command on Spoke1. The system should return the following:

BGP router identifier 7.7.7.7, local AS number 65412
BGP table version is 2
1 BGP AS-PATH entries
0 BGP community entries

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.10.254    4      65412     143     142        1    0    0 00:24:45        2

Total number of neighbors 1

     c. Run the get router info routing-table bgp command on Spoke1. Before any spoke-to-spoke traffic, both remote subnets are reached via the hub (10.10.10.254):

Routing table for VRF=0

B      172.16.101.0/24 [200/0] via 10.10.10.254, spoke1, 00:23:57

B      192.168.4.0/24 [200/0] via 10.10.10.254, spoke1, 00:22:03

     d. Generate traffic between the spokes, then check the shortcut tunnel and routing table. Run the diagnose vpn tunnel list command on Spoke1. A third entry, spoke1_0 with mode=dial_inst and parent=spoke1, is the shortcut built directly to Spoke2 (13.1.1.2):

list all ipsec tunnel in vd 0

—-

name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0

bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=19 ilast=2 olast=2 ad=r/2 stat: rxp=1 txp=268 rxb=16428 txb=31243

dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=714 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=spoke1 proto=0 sa=1 ref=6 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=345/0B replaywin=1024 seqno=10d esn=0 replaywin_lastseq=00000002 itn=0

life: type=01 bytes=0/0 timeout=2369/2400

dec: spi=c53a8f5b esp=aes key=16 cbe88682ad896a69290027b6dd8f7162 ah=sha1 key=20 7bb704b388f83783ac76c2ab0b6c9f7dcf78e93b

enc: spi=6e3633fc esp=aes key=16 1a0da3f4deed3d16becc9dda57537355 ah=sha1 key=20 368544044bd9b82592d72476ff93d5055056da8d

dec:pkts/bytes=1/16364, enc:pkts/bytes=268/48320

npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1

—-

name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0

bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0

proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=8 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=5000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

—-

name=spoke1_0 ver=1 serial=9 15.1.1.2:4500->13.1.1.2:4500

bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1

parent=spoke1 index=0

proxyid_num=1 child_num=0 refcnt=17 ilast=4 olast=4 ad=r/2 stat: rxp=1 txp=100 rxb=112 txb=4686

dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=231 natt: mode=keepalive draft=32 interval=10 remote_port=4500

proxyid=spoke1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=1a227 type=00 soft=0 mtu=1422 expire=447/0B replaywin=1024 seqno=65 esn=0 replaywin_lastseq=00000002 itn=0

life: type=01 bytes=0/0 timeout=2368/2400

dec: spi=c53a8f5c esp=aes key=16 73fd9869547475db78851e6c057ad9b7 ah=sha1 key=20 6ad3a5b1028f6b33c82ba494a370f13c7f462635

enc: spi=79cb0f2b esp=aes key=16 52ab0acdc830d58c00e5956a6484654a ah=sha1 key=20 baa82aba4106dc60618f6fe95570728656799239

dec:pkts/bytes=1/46, enc:pkts/bytes=100/11568

npu_flag=03 npu_rgwy=13.1.1.2 npu_lgwy=15.1.1.2 npu_selid=5 dec_npuid=1 enc_npuid=1

     e. Run the get router info routing-table bgp command on Spoke1. The route to Spoke2's subnet now points at the shortcut interface spoke1_0, with Spoke2's tunnel address as the next hop instead of the hub:

Routing table for VRF=0

B      172.16.101.0/24 [200/0] via 10.10.10.254, spoke1, 00:23:57

B      192.168.4.0/24 [200/0] via 10.10.10.3, spoke1_0, 00:22:03
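The RIP, OSPF and BGP recipes all end with the same two checks, made by eye: diagnose vpn tunnel list must show a dial_inst child of the hub tunnel (spoke1_0, parent=spoke1) with a live SA, and the routing table must show the remote spoke's prefix moving from the hub's tunnel address to that child. The following is an added Python example, not part of the FortiOS documentation or of FortiOS itself, that performs those checks on captured output and also redacts the ESP keys the tunnel listing prints in clear. TUNNEL_LIST, ROUTES_BEFORE and ROUTES_AFTER are constructed, shortened copies of the Spoke1 output shown above; the function names are the example's own.

```python
"""Verify an ADVPN shortcut from FortiOS diagnostic text.

Added example, not from the FortiOS recipes. Parses `diagnose vpn tunnel list`
and `get router info routing-table <proto>` output captured on a spoke, checks
that the dial_inst shortcut child of the hub tunnel has a live SA and carries the
route to the remote spoke, and redacts the ESP keys the listing prints in clear.
"""
import re

# Constructed, shortened copies of the Spoke1 output shown in the recipes above.
TUNNEL_LIST = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=spoke1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0
bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=1 child_num=1 refcnt=19 ilast=2 olast=2 ad=r/2 stat: rxp=1 txp=313 rxb=16452 txb=35912
proxyid=spoke1 proto=0 sa=1 ref=3 serial=1 auto-negotiate adr
dec: spi=c53a8f78 esp=aes key=16 7cc50c5c9df1751f6497a4ad764c5e9a ah=sha1 key=20 269292ddbf7309a6fc05871e63ed8a5297b5c9a1
------------------------------------------------------
name=spoke1_backup ver=1 serial=1 12.1.1.2:0->22.1.1.1:0
bound_if=6 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=0
proxyid=spoke1_backup proto=0 sa=0 ref=2 serial=1 auto-negotiate adr
------------------------------------------------------
name=spoke1_0 ver=1 serial=e 15.1.1.2:4500->13.1.1.2:4500
bound_if=7 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/728 options[02d8]=npu create_dev no-sysctl rgwy-chg frag-rfc accept_traffic=1
parent=spoke1 index=0
proxyid=spoke1 proto=0 sa=1 ref=10 serial=1 auto-negotiate adr
dec: spi=c53a8f79 esp=aes key=16 324f8cf840ba6722cc7abbba46b34e0e ah=sha1 key=20 a40e9aac596b95c4cd83a7f6372916a5ef5aa505
"""
ROUTES_BEFORE = """\
Routing table for VRF=0
O      172.16.101.0/24 [110/110] via 10.10.10.254, spoke1, 00:23:23
O      192.168.4.0/24 [110/110] via 10.10.10.254, spoke1, 00:22:35
"""
ROUTES_AFTER = """\
Routing table for VRF=0
O      172.16.101.0/24 [110/110] via 10.10.10.254, spoke1, 00:27:14
O      192.168.4.0/24 [110/110] via 10.10.10.3, spoke1_0, 00:26:26
"""

KV = re.compile(r"(\w+)=(\S+)")
PEERS = re.compile(r"(\S+):\d+->(\S+):\d+")
ROUTE = re.compile(r"([A-Z])\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+),")


def parse_tunnel_list(text):
    """Return {name: {field: value}}; a block starts at `name=`, later lines add fields.

    The first occurrence of a field wins, so `serial=` from the header is not
    overwritten by the proxyid line; `sa=` (child SA up or not) comes from the proxyid line.
    """
    tunnels, cur = {}, None
    for line in text.splitlines():
        if line.startswith("name="):
            cur = dict(KV.findall(line))
            if m := PEERS.search(line):
                cur["local_gw"], cur["remote_gw"] = m.groups()
            tunnels[cur["name"]] = cur
        elif cur is not None and not line.startswith("-"):
            for k, v in KV.findall(line):
                cur.setdefault(k, v)
    return tunnels


def parse_routes(text):
    """Return [(proto, prefix, nexthop, iface)] from `get router info routing-table` text."""
    return [m.groups() for m in map(ROUTE.match, text.splitlines()) if m]


def redact_keys(text):
    """Blank the hex SA keys printed after `key=<len>`; share tunnel listings only in this form."""
    return re.sub(r"(key=\d+) [0-9a-f]+", r"\1 <redacted>", text)


def check_shortcut(tunnel_text, route_text, parent, remote_prefix):
    """Checks a spoke must pass for a working ADVPN shortcut toward `remote_prefix`."""
    tunnels, routes = parse_tunnel_list(tunnel_text), parse_routes(route_text)
    shortcuts = [t for t in tunnels.values()
                 if t.get("parent") == parent and t.get("mode", "").startswith("dial_inst")]
    route = next((r for r in routes if r[1] == remote_prefix), None)
    result = {
        "hub_tunnel_up": tunnels.get(parent, {}).get("sa") == "1",
        "shortcut_exists": bool(shortcuts),
        "shortcut_sa_up": any(t.get("sa") == "1" and t.get("accept_traffic") == "1" for t in shortcuts),
        "route_via_shortcut": route is not None and route[3] in {t["name"] for t in shortcuts},
        "shortcut_peer": shortcuts[0]["remote_gw"] if shortcuts else None,
        "route_nexthop": route[2] if route else None,
    }
    result["ok"] = all(result[k] for k in ("hub_tunnel_up", "shortcut_exists", "shortcut_sa_up", "route_via_shortcut"))
    return result


if __name__ == "__main__":
    for label, routes in (("before traffic", ROUTES_BEFORE), ("after traffic", ROUTES_AFTER)):
        print(label, check_shortcut(TUNNEL_LIST, routes, "spoke1", "192.168.4.0/24"))
    print(redact_keys(TUNNEL_LIST))
```

The route check is protocol-independent because every FortiOS routing-table line has the same shape (protocol letter, prefix, [distance/metric], via next hop, interface), so the same function applies to the R, O and B tables shown in the three recipes. The "before" table fails only the route check: the shortcut tunnel already exists, but the prefix still points at the hub, which is the state you see when the routing protocol has not yet converged over the new interface.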

Dialup VPN Options

Dialup VPN

FortiGate as dialup client

This recipe provides sample configuration of dialup IPsec VPN with a FortiGate as the dialup client. In this example, a branch office FortiGate connects via dialup IPsec VPN to the HQ FortiGate.

The following shows the sample network topology for this recipe:

You can configure dialup IPsec VPN with FortiGate as the dialup client using the FortiOS GUI or CLI.

To configure IPsec VPN with FortiGate as the dialup client on the GUI:

  1. Configure the dialup VPN server FortiGate:
     a. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
        i. Enter a proper VPN name.
        ii. For Template Type, choose Site to Site.
        iii. For Remote Device Type, select FortiGate.
        iv. For NAT Configuration, select The remote site is behind NAT.
        v. Click Next.
     b. Configure the following settings for Authentication:
        i. For Incoming Interface, select the proper incoming interface.
        ii. For Authentication Method, select Pre-shared Key. In the Pre-shared Key field, enter your-psk as the key.
        iii. Click Next.
     c. Configure the following settings for Policy & Routing:
        i. From the Local Interface dropdown menu, select the proper local interface.
        ii. Configure the Local Subnets as 10.1.100.0/24.
        iii. Configure the Remote Subnets as 172.16.101.0/24.
        iv. Click Create.
  2. Configure the dialup VPN client FortiGate:
     a. Go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
        i. Enter a proper VPN name.
        ii. For Template Type, choose Site to Site.
        iii. For Remote Device Type, select FortiGate.
        iv. For NAT Configuration, select This site is behind NAT.
        v. Click Next.
     b. Configure the following settings for Authentication:
        i. For IP Address, enter 11.101.1.1 (the HQ FortiGate's WAN address).
        ii. For Outgoing Interface, enter port13.
        iii. For Authentication Method, select Pre-shared Key.
        iv. In the Pre-shared Key field, enter your-psk as the key (it must match the key entered on the server).
        v. Click Next.
     c. Configure the following settings for Policy & Routing:
        i. From the Local Interface dropdown menu, select the proper local interface. In this example, it is port9.
        ii. Configure the Local Subnets as 172.16.101.0/24.
        iii. Configure the Remote Subnets as 10.1.100.0/24.
        iv. Click Create.

To configure IPsec VPN with FortiGate as the dialup client using the CLI:

  1. In the FortiOS CLI, configure the user, user group, and firewall address by running the following commands. Only the HQ dialup server FortiGate needs this configuration. The address is an IP pool from which the dialup client FortiGate is assigned its tunnel IP address:

config user local
    edit "vpnuser1"
        set type password
        set passwd your-password
    next
end
config user group
    edit "vpngroup"
        set member "vpnuser1"
    next
end
config firewall address
    edit "client_range"
        set type iprange
        set start-ip 10.10.10.1
        set end-ip 10.10.10.200
    next
end

  2. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface:
     a. Configure the HQ FortiGate:

config system interface
    edit "wan1"
        set vdom "root"
        set ip 11.101.1.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 11.101.1.2
        set device "wan1"
    next
end

     b. Configure the branch office FortiGate:

config system interface
    edit "port13"
        set vdom "root"
        set ip 173.1.1.1 255.255.255.0
    next
end
config router static
    edit 1
        set gateway 173.1.1.2
        set device "port13"
    next
end

  3. Configure the internal interface and protected subnet. The internal interface connects to the internal network. Traffic from this interface is routed out through the IPsec VPN tunnel:
     a. Configure the HQ FortiGate:

config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.1.100.1 255.255.255.0
    next
end
config firewall address
    edit "10.1.100.0"
        set subnet 10.1.100.0 255.255.255.0
    next
end

     b. Configure the branch office FortiGate:

config system interface
    edit "port9"
        set vdom "root"
        set ip 172.16.101.1 255.255.255.0
    next
end
config firewall address
    edit "172.16.101.0"
        set subnet 172.16.101.0 255.255.255.0
    next
end

  4. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method; signature (certificate) authentication is also an option. The recipe uses IKEv1 aggressive mode, which is common for PSK dialup peers whose address is not known in advance, but aggressive mode transmits the PSK-based authentication hash before the exchange is encrypted, so anyone who can reach the gateway can capture it and attempt to crack the PSK offline. Use a long, random PSK (the value sample is a placeholder) or switch to signature authentication, and keep the XAuth user authentication shown here so that the PSK alone is not sufficient to connect:
     a. Configure the HQ FortiGate:

config vpn ipsec phase1-interface
    edit "for_Branch"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "vpngroup"
        set net-device enable
        set assign-ip-from name
        set dns-mode auto
        set ipv4-split-include "10.1.100.0"
        set ipv4-name "client_range"
        set save-password enable
        set psksecret sample
        set dpd-retryinterval 60
    next
end

     b. Configure the branch office FortiGate. The authpasswd value must match the password set for vpnuser1 on the HQ FortiGate in step 1:

config vpn ipsec phase1-interface
    edit "to_HQ"
        set interface "port13"
        set mode aggressive
        set peertype any
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set add-route disable
        set xauthtype client
        set authusr "vpnuser1"
        set authpasswd your-password
        set remote-gw 11.101.1.1
        set psksecret sample
    next
end

  5. Configure the IPsec phase2-interface:
    1. Configure the HQ FortiGate:

config vpn ipsec phase2-interface
    edit "for_Branch_p2"
        set phase1name "for_Branch"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

    2. Configure the branch office FortiGate:

config vpn ipsec phase2-interface
    edit "to_HQ_p2"
        set phase1name "to_HQ"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  6. Configure the static routes on the branch office FortiGate. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down:

config router static
    edit 2
        set dst 10.1.100.0 255.255.255.0
        set device "to_HQ"
    next
    edit 3
        set dst 10.1.100.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
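Why the blackhole route matters can be seen by replaying the branch routing table through the two rules FortiOS applies when choosing a route: longest prefix first, then lowest administrative distance. The following is an added example, not FortiOS code: it models the branch routes from the step above (edit 2 via to_HQ, edit 3 blackhole with distance 254) together with the default route on port13 configured earlier, and assumes distance 10 (the FortiOS default for static routes) for the non-blackhole routes and that a route through the tunnel interface is withdrawn while the tunnel is down.

```python
"""Route selection on the branch FortiGate with and without the blackhole route.

Added example, not FortiOS code. Routes mirror the branch office configuration
above; distance 10 is assumed for the routes that do not set one (FortiOS
default), and 'active' models a route being withdrawn when its interface is down.
"""
import ipaddress


def branch_routes(tunnel_up, with_blackhole=True):
    """Build the branch office static routes as plain dicts."""
    table = [
        # Default route out of the WAN interface (gateway 173.1.1.2 on port13).
        {"id": 1, "dst": ipaddress.ip_network("0.0.0.0/0"), "device": "port13",
         "distance": 10, "blackhole": False, "active": True},
        # edit 2: HQ subnet via the IPsec interface; usable only while the tunnel is up.
        {"id": 2, "dst": ipaddress.ip_network("10.1.100.0/24"), "device": "to_HQ",
         "distance": 10, "blackhole": False, "active": tunnel_up},
    ]
    if with_blackhole:
        # edit 3: same prefix, worst distance, so it only wins once edit 2 disappears.
        table.append({"id": 3, "dst": ipaddress.ip_network("10.1.100.0/24"), "device": None,
                      "distance": 254, "blackhole": True, "active": True})
    return table


def select_route(table, dst_ip):
    """Return the winning route for dst_ip, or None when nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in table if r["active"] and ip in r["dst"]]
    if not candidates:
        return None
    # Longest prefix wins; among equal prefixes the lowest distance wins.
    return min(candidates, key=lambda r: (-r["dst"].prefixlen, r["distance"]))


def forward(table, dst_ip):
    """Describe what happens to a packet: which interface it leaves on, or a drop."""
    route = select_route(table, dst_ip)
    if route is None:
        return "drop: no route"
    if route["blackhole"]:
        return "drop: blackhole"
    return f"forward via {route['device']}"


if __name__ == "__main__":
    for up, bh in [(True, True), (False, True), (False, False)]:
        verdict = forward(branch_routes(up, bh), "10.1.100.50")
        print(f"tunnel_up={up} blackhole={bh}: 10.1.100.50 -> {verdict}")
```

With the tunnel up, edit 2 wins on distance; with the tunnel down and the blackhole present, the /24 blackhole still beats the /0 default route on prefix length, so HQ-bound packets are dropped instead of leaving port13 unencrypted; without the blackhole the default route is the only match left.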

  7. Configure the firewall policy to allow the branch office to HQ network flow over the IPsec tunnel. This configuration only supports traffic from the branch office FortiGate to the HQ FortiGate. Traffic is dropped from the HQ FortiGate to the branch office FortiGate:
    1. Configure the HQ FortiGate:

config firewall policy
    edit 1
        set name "inbound"
        set srcintf "for_Branch"
        set dstintf "dmz"
        set srcaddr "172.16.101.0"
        set dstaddr "10.1.100.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

    2. Configure the branch office FortiGate:

config firewall policy
    edit 1
        set name "outbound"
        set srcintf "port9"
        set dstintf "to_HQ"
        set srcaddr "172.16.101.0"
        set dstaddr "10.1.100.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
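The one-directional behaviour described in this step comes from policy lookup being done only for the first packet of a session: replies to a branch-initiated session pass on the session entry, but a new connection from HQ towards the branch finds no policy with srcintf dmz and dstintf for_Branch and hits the implicit deny. The following is an added example, not FortiOS code: it models the HQ policy above with a minimal session table. The HQ_TO_BRANCH policy is a constructed addition showing what the HQ side would need for the other direction; the sample flows are constructed.

```python
"""Policy lookup on the HQ FortiGate for the two directions of branch traffic.

Added example, not FortiOS code. ADDRESSES and HQ_POLICIES are taken from the
recipe; HQ_TO_BRANCH and the sample packets are constructed for illustration.
"""
from ipaddress import ip_address, ip_network

# Address objects as configured on the HQ FortiGate and referenced by the policy.
ADDRESSES = {
    "172.16.101.0": ip_network("172.16.101.0/24"),
    "10.1.100.0": ip_network("10.1.100.0/24"),
}

# The page's HQ policy; kept in a list because FortiOS evaluates policies in order.
HQ_POLICIES = [
    {"id": 1, "name": "inbound", "srcintf": "for_Branch", "dstintf": "dmz",
     "srcaddr": "172.16.101.0", "dstaddr": "10.1.100.0", "action": "accept"},
]

# Constructed (not on the page): the policy HQ would need to originate sessions to the branch.
HQ_TO_BRANCH = {"id": 2, "name": "hq_to_branch", "srcintf": "dmz", "dstintf": "for_Branch",
                "srcaddr": "10.1.100.0", "dstaddr": "172.16.101.0", "action": "accept"}


def match_policy(policies, srcintf, dstintf, src_ip, dst_ip):
    """First policy whose interfaces and address objects match, else None (implicit deny)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for p in policies:
        if (p["srcintf"] == srcintf and p["dstintf"] == dstintf
                and src in ADDRESSES[p["srcaddr"]] and dst in ADDRESSES[p["dstaddr"]]):
            return p
    return None


class StatefulFirewall:
    """Tiny stateful model: an accepted session admits its reply packets without a policy lookup."""

    def __init__(self, policies):
        self.policies = policies
        self.sessions = set()  # (srcintf, src_ip, dstintf, dst_ip) of accepted sessions

    def packet(self, srcintf, src_ip, dstintf, dst_ip):
        # Reply direction of an already accepted session passes on the session entry.
        if (dstintf, dst_ip, srcintf, src_ip) in self.sessions:
            return "accept (existing session)"
        policy = match_policy(self.policies, srcintf, dstintf, src_ip, dst_ip)
        if policy is None:
            return "deny (implicit deny)"
        if policy["action"] != "accept":
            return f"deny (policy {policy['id']})"
        self.sessions.add((srcintf, src_ip, dstintf, dst_ip))
        return f"accept (policy {policy['id']} {policy['name']})"


if __name__ == "__main__":
    fw = StatefulFirewall(HQ_POLICIES)
    print(fw.packet("for_Branch", "172.16.101.10", "dmz", "10.1.100.20"))   # branch -> HQ
    print(fw.packet("dmz", "10.1.100.20", "for_Branch", "172.16.101.10"))   # reply
    print(fw.packet("dmz", "10.1.100.20", "for_Branch", "172.16.101.99"))   # new HQ -> branch
```

On a real HQ FortiGate, permitting HQ-originated sessions would also need a route to 172.16.101.0/24 via for_Branch, since the phase1 above sets add-route disable and so no route is learned from the dialup peer.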

  8. Run diagnose commands. These diagnose commands are useful to check the IPsec phase1/phase2 interface status. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish.
    1. Run the diagnose vpn ike gateway list command on the HQ FortiGate. The system should return the following:

vd: root/0
name: for_Branch_0
version: 1
interface: wan1 5
addr: 11.101.1.1:500 -> 173.1.1.1:500
created: 1972s ago
xauth-user: vpnuser1
assigned IPv4 address: 10.10.10.1/255.255.255.252
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

  id/spi: 184 5b1c59fab2029e43/bf517e686d3943d2
  direction: responder
  status: established 1972-1972s ago = 10ms
  proposal: aes128-sha256
  key: 8046488e92499247-fbbb4f6dfa4952d0
  lifetime/rekey: 86400/84157
  DPD sent/recv: 00000020/00000000

    2. Run the diagnose vpn tunnel list command on the HQ FortiGate. The system should return the following:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=for_Branch_0 ver=1 serial=9 11.101.1.1:0->173.1.1.1:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/208 options[00d0]=create_dev no-sysctl rgwy-chg
parent=for_Branch index=0
proxyid_num=1 child_num=0 refcnt=12 ilast=8 olast=8 ad=/0
stat: rxp=8 txp=8 rxb=1216 txb=672
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=31
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=for_Branch_p2 proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:0.0.0.0-255.255.255.255:0
  SA: ref=3 options=226 type=00 soft=0 mtu=1438 expire=41297/0B replaywin=2048 seqno=9 esn=0 replaywin_lastseq=00000009 itn=0
  life: type=01 bytes=0/0 timeout=43190/43200
  dec: spi=747c10c6 esp=aes key=16 278c2430e09e74f1e229108f906603b0 ah=sha1 key=20 21dad76b008d1e8b8e53148a2fcbd013a277974a
  enc: spi=ca646448 esp=aes key=16 b7801d125804e3610a556da7caefd765 ah=sha1 key=20 a70164c3094327058bd84c1a0c954ca439709206
  dec:pkts/bytes=8/672, enc:pkts/bytes=8/1216

name=for_Branch ver=1 serial=6 11.101.1.1:0->0.0.0.0:0
bound_if=5 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/16 options[0010]=create_dev
proxyid_num=0 child_num=1 refcnt=14 ilast=8523 olast=8523 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0

    3. Run the diagnose vpn ike gateway list command on the branch office FortiGate. The system should return the following:

vd: root/0
name: to_HQ
version: 1
interface: port13 42
addr: 173.1.1.1:500 -> 11.101.1.1:500
created: 2016s ago
assigned IPv4 address: 10.10.10.1/255.255.255.252
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

  id/spi: 93 5b1c59fab2029e43/bf517e686d3943d2
  direction: initiator
  status: established 2016-2016s ago = 0ms
  proposal: aes128-sha256
  key: 8046488e92499247-fbbb4f6dfa4952d0
  lifetime/rekey: 86400/84083
  DPD sent/recv: 00000000/00000020

    4. Run the diagnose vpn tunnel list command on the branch office FortiGate. The system should return the following:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0
bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu
proxyid_num=1 child_num=0 refcnt=13 ilast=18 olast=58 ad=/0
stat: rxp=1 txp=2 rxb=152 txb=168
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_HQ proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41015/0B replaywin=2048 seqno=3 esn=0 replaywin_lastseq=00000002 itn=0
  life: type=01 bytes=0/0 timeout=42898/43200
  dec: spi=ca646448 esp=aes key=16 b7801d125804e3610a556da7caefd765 ah=sha1 key=20 a70164c3094327058bd84c1a0c954ca439709206
  enc: spi=747c10c6 esp=aes key=16 278c2430e09e74f1e229108f906603b0 ah=sha1 key=20 21dad76b008d1e8b8e53148a2fcbd013a277974a
  dec:pkts/bytes=1/84, enc:pkts/bytes=2/304
  npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=5 dec_npuid=2 enc_npuid=2
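Reading these outputs by eye works for one tunnel; for many it helps to pull the few fields that decide health (IKE and IPsec SA counts, status, rekey timer, DPD counters) into a structure. The following is an added example, not Fortinet code: a parser for diagnose vpn ike gateway list output with a health check. SAMPLE_HQ and SAMPLE_BRANCH are trimmed copies of the two gateway listings shown in this step; SAMPLE_DOWN is constructed to exercise the failure path; the health rules and the cross-check that one side's DPD sent count equals the other side's received count (as the two listings above show: 00000020/00000000 on HQ, 00000000/00000020 on the branch) are this example's assumptions.

```python
"""Parse 'diagnose vpn ike gateway list' output and judge gateway health.

Added example, not Fortinet code. SAMPLE_HQ / SAMPLE_BRANCH are trimmed from the
recipe's outputs; SAMPLE_DOWN is constructed. Health rules are assumptions.
"""
import re

SAMPLE_HQ = """\
vd: root/0
name: for_Branch_0
version: 1
interface: wan1 5
addr: 11.101.1.1:500 -> 173.1.1.1:500
created: 1972s ago
xauth-user: vpnuser1
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

  id/spi: 184 5b1c59fab2029e43/bf517e686d3943d2
  direction: responder
  status: established 1972-1972s ago = 10ms
  proposal: aes128-sha256
  lifetime/rekey: 86400/84157
  DPD sent/recv: 00000020/00000000
"""

SAMPLE_BRANCH = """\
name: to_HQ
addr: 173.1.1.1:500 -> 11.101.1.1:500
IKE SA: created 1/1 established 1/1 time 0/0/0 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

  direction: initiator
  status: established 2016-2016s ago = 0ms
  proposal: aes128-sha256
  lifetime/rekey: 86400/84083
  DPD sent/recv: 00000000/00000020
"""

# Constructed: an initiator that keeps retrying and never completes phase1.
SAMPLE_DOWN = """\
name: to_HQ_broken
addr: 173.1.1.1:500 -> 11.101.1.1:500
IKE SA: created 3/3 established 0/3 time 0/0/0 ms
IPsec SA: created 0/0 established 0/0 time 0/0/0 ms

  direction: initiator
  status: connecting
  proposal: aes128-sha256
  lifetime/rekey: 86400/0
  DPD sent/recv: 00000000/00000000
"""

FIELD_PATTERNS = [
    ("sa", re.compile(r"^(IKE|IPsec) SA:\s+created (\d+)/(\d+)\s+established (\d+)/(\d+)")),
    ("status", re.compile(r"^status:\s+(\w+)")),
    ("direction", re.compile(r"^direction:\s+(\w+)")),
    ("proposal", re.compile(r"^proposal:\s+(\S+)")),
    ("lifetime", re.compile(r"^lifetime/rekey:\s+(\d+)/(\d+)")),
    ("dpd", re.compile(r"^DPD sent/recv:\s+([0-9a-fA-F]+)/([0-9a-fA-F]+)")),
]


def parse_gateways(text):
    """Return one dict per 'name:' block with the fields the health check needs."""
    gateways, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name:"):
            cur = {"name": line.split(":", 1)[1].strip()}
            gateways.append(cur)
            continue
        if cur is None or not line:
            continue
        for field, pattern in FIELD_PATTERNS:
            m = pattern.match(line)
            if not m:
                continue
            if field == "sa":
                kind = m.group(1).lower()  # 'ike' or 'ipsec'
                cur[f"{kind}_created"] = int(m.group(2))
                cur[f"{kind}_established"] = int(m.group(4))
            elif field == "lifetime":
                cur["lifetime"], cur["rekey_in"] = int(m.group(1)), int(m.group(2))
            elif field == "dpd":
                # The CLI prints the DPD counters in hexadecimal.
                cur["dpd_sent"], cur["dpd_recv"] = int(m.group(1), 16), int(m.group(2), 16)
            else:
                cur[field] = m.group(1)
            break
    return gateways


def assess(gw):
    """List of problems for one gateway; an empty list means it looks healthy."""
    problems = []
    if gw.get("status") != "established":
        problems.append(f"status is {gw.get('status', 'unknown')}, not established")
    if gw.get("ike_established", 0) == 0:
        problems.append("no IKE SA established (phase1 failed; run 'diagnose debug application ike -1')")
    if gw.get("ipsec_established", 0) == 0:
        problems.append("no IPsec SA established (phase2 selectors or proposals did not match)")
    return problems


def dpd_mirrored(local, peer):
    """The two peers' DPD counters should mirror each other: what one sent, the other received."""
    return (local.get("dpd_sent") == peer.get("dpd_recv")
            and local.get("dpd_recv") == peer.get("dpd_sent"))
```

Feed the real command output to parse_gateways() and report anything assess() returns; dpd_mirrored() is useful when you have both ends' listings, as in this recipe, because a counter that grows on one side without growing on the other points at DPD probes not reaching the peer.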

FortiClient as dialup client

This recipe provides sample configuration of dialup IPsec VPN with FortiClient as the dialup client.

The following shows the sample network topology for this recipe:

You can configure dialup IPsec VPN with FortiClient as the dialup client using the FortiOS GUI or CLI.

To configure IPsec VPN with FortiClient as the dialup client on the GUI:

  1. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Remote Access.
    3. For Remote Device Type, select Client-based > FortiClient.
    4. Click Next.
  2. Configure the following settings for Authentication:
    1. For Incoming Interface, select wan1.
    2. For Authentication Method, select Pre-shared Key.
    3. In the Pre-shared Key field, enter your-psk as the key.
    4. From the UserGroup dropdown list, select vpngroup.
    5. Click Next.
  3. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select lan.
    2. Configure the Local Address as local_network.
    3. Configure the Client Address Range as 10.10.2.1-10.10.2.200.
    4. Keep the default values for the Subnet Mask, DNS Server, Enable IPv4 Split tunnel, and Allow Endpoint Registration.
    5. Click Create.

To configure IPsec VPN with FortiClient as the dialup client using the CLI:

  1. In the FortiOS CLI, configure the user and group by running the following commands:

config user local
    edit "vpnuser1"
        set type password
        set passwd your-password
    next
end

config user group
    edit "vpngroup"
        set member "vpnuser1"
    next
end

  2. Configure the internal interface. The LAN interface connects to the corporate internal network. Traffic from this interface will route out the IPsec VPN tunnel. Creating an address group for the protected network behind this FortiGate will cause traffic to this network group to go through the IPsec tunnel:

config system interface
    edit "lan"
        set vdom "root"
        set ip 10.10.111.1 255.255.255.0
    next
end

config firewall address
    edit "local_subnet_1"
        set subnet 10.10.111.0 255.255.255.0
    next
end

config firewall address
    edit "local_subnet_2"
        set subnet 10.10.112.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "local_network"
        set member "local_subnet_1" "local_subnet_2"
    next
end

  3. Configure the WAN interface. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

  4. Configure the client address pool. You must create a firewall address to assign an IP address to a client from the address pool.

config firewall address
    edit "client_range"
        set type iprange
        set comment "VPN client range"
        set start-ip 10.10.2.1
        set end-ip 10.10.2.200
    next
end

  5. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature authentication is also an option.

config vpn ipsec phase1-interface
    edit "for_client"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set xauthtype auto
        set authusrgrp "vpngroup"
        set assign-ip-from name
        set ipv4-name "client_range"
        set dns-mode auto
        set ipv4-split-include "local_network"
        set save-password enable
        set psksecret your-psk
        set dpd-retryinterval 60
    next
end

  6. Configure the IPsec phase2-interface:

config vpn ipsec phase2-interface
    edit "for_client"
        set phase1name "for_client"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end

  7. Configure the firewall policy to allow client traffic flow over the IPsec VPN tunnel:

config firewall policy
    edit 1
        set name "inbound"
        set srcintf "for_client"
        set dstintf "lan"
        set srcaddr "client_range"
        set dstaddr "local_network"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

  8. Configure FortiClient. In this example, FortiClient (Windows) 6.0.3 build 0155 is used:
    1. In FortiClient, go to Remote Access and select Add a new connection.
    2. Set the Type to IPsec VPN and the Remote Gateway to the FortiGate IP address.
    3. Set the Authentication Method to Pre-Shared Key and enter the key. Click Save.
    4. Select the VPN, enter the username and password, then select Connect.
  9. Run diagnose commands. These diagnose commands are useful to check the IPsec phase1/phase2 interface status. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish.
    1. Run the diagnose vpn ike gateway list command. The system should return the following:

vd: root/0
name: for_client_0
version: 1
interface: port1 15
addr: 172.20.120.123:4500 -> 172.20.120.254:64916
created: 37s ago
xauth-user: vpnuser1
assigned IPv4 address: 10.10.1.1/255.255.255.255
nat: me peer
IKE SA: created 1/1 established 1/1 time 10/10/10 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

  id/spi: 1 b40a32d878d5e262/8bba553563a498f4
  direction: responder
  status: established 37-37s ago = 10ms
  proposal: aes256-sha256
  key: f4ad7ec3a4fcfd09-787e2e9b7bceb9a7-0dfa183240d838ba-41539863e5378381
  lifetime/rekey: 86400/86092
  DPD sent/recv: 00000000/00000a0e

    2. Run the diagnose vpn tunnel list command. The system should return the following:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=for_client_0 ver=1 serial=3 172.20.120.123:4500->172.20.120.254:64916
bound_if=15 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/984 options[03d8]=npu create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1
parent=for_client index=0
proxyid_num=1 child_num=0 refcnt=12 ilast=3 olast=3 ad=/0
stat: rxp=1 txp=0 rxb=16402 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=64916
proxyid=for_client proto=0 sa=1 ref=2 serial=1 add-route
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:10.10.1.1-10.10.1.1:0
  SA: ref=4 options=2a6 type=00 soft=0 mtu=1422 expire=42867/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000001 itn=0
  life: type=01 bytes=0/0 timeout=43189/43200
  dec: spi=36274d14 esp=aes key=16 e518b84b3c3b667b79f2e61c64a225a6 ah=sha1 key=20 9cceaa544ed042fda800c4fe5d3fd9d8b811984a
  enc: spi=8b154deb esp=aes key=16 9d50f004b45c122e4e9fb7af085c457c ah=sha1 key=20 f1d90b2a311049e23be34967008239637b50a328
  dec:pkts/bytes=1/16330, enc:pkts/bytes=0/0
  npu_flag=02 npu_rgwy=172.20.120.254 npu_lgwy=172.20.120.123 npu_selid=0 dec_npuid=2 enc_npuid=0

name=for_client ver=1 serial=2 172.20.120.123:0->0.0.0.0:0
bound_if=15 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1
proxyid_num=0 child_num=1 refcnt=11 ilast=350 olast=350 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0

iOS device as dialup client

This recipe provides sample configuration of dialup IPsec VPN with an iPhone or iPad as the dialup client.

The following shows the sample network topology for this recipe:

You can configure dialup IPsec VPN with an iOS device as the dialup client using the FortiOS GUI or CLI.

To configure IPsec VPN with an iOS device as the dialup client on the GUI:

  1. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Remote Access.
    3. For Remote Device Type, select Native > iOS Native.
    4. For NAT Configuration, set No NAT Between Sites.
    5. Click Next.
  2. Configure the following settings for Authentication:
    1. For Incoming Interface, select wan1.
    2. For Authentication Method, select Pre-shared Key.
    3. In the Pre-shared Key field, enter your-psk as the key.
    4. From the UserGroup dropdown list, select vpngroup.
    5. Deselect Require ‘Group Name’ on VPN client.
    6. Click Next.
  3. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select lan.
    2. Configure the Local Address as local_network.
    3. Configure the Client Address Range as 10.10.2.1-10.10.2.200.
    4. Keep the default values for the Subnet Mask, DNS Server, and Enable IPv4 Split tunnel.
    5. Click Create.

To configure IPsec VPN with an iOS device as the dialup client using the CLI:

  1. In the FortiOS CLI, configure the user and group by running the following commands:

config user local
    edit "vpnuser1"
        set type password
        set passwd your-password
    next
end

config user group
    edit "vpngroup"
        set member "vpnuser1"
    next
end

  2. Configure the internal interface. The LAN interface connects to the corporate internal network. Traffic from this interface will route out the IPsec VPN tunnel. Creating an address group for the protected network behind this FortiGate will cause traffic to this network group to go through the IPsec tunnel:

config system interface
    edit "lan"
        set vdom "root"
        set ip 10.10.111.1 255.255.255.0
    next
end

config firewall address
    edit "local_subnet_1"
        set subnet 10.10.111.0 255.255.255.0
    next
end

config firewall address
    edit "local_subnet_2"
        set subnet 10.10.112.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "local_network"
        set member "local_subnet_1" "local_subnet_2"
    next
end

  3. Configure the WAN interface. The WAN interface is the interface connected to the ISP. It can work in static mode (as shown in the example), DHCP, or PPPoE mode. The IPsec tunnel is established over the WAN interface.

config system interface
    edit "wan1"
        set vdom "root"
        set ip 172.20.120.123 255.255.255.0
    next
end

  4. Configure the client address pool. You must create a firewall address to assign an IP address to a client from the address pool.

config firewall address
    edit "client_range"
        set type iprange
        set comment "VPN client range"
        set start-ip 10.10.2.1
        set end-ip 10.10.2.200
    next
end

  5. Configure the IPsec phase1-interface. In this example, PSK is used as the authentication method. Signature authentication is also an option.

config vpn ipsec phase1-interface
    edit "for_ios_p1"
        set type dynamic
        set interface "wan1"
        set peertype any
        set net-device enable
        set mode-cfg enable
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set dpd on-idle
        set dhgrp 14 5 2
        set xauthtype auto
        set authusrgrp "vpngroup"
        set assign-ip-from name
        set ipv4-name "client_range"
        set dns-mode auto
        set ipv4-split-include "local_network"
        set psksecret your-psk
        set dpd-retryinterval 60
    next
end

  6. Configure the IPsec phase2-interface:

config vpn ipsec phase2-interface
    edit "for_ios_p2"
        set phase1name "for_ios_p1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set pfs disable
        set keepalive enable
    next
end
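The phase1 and phase2 blocks in this recipe, in the FortiClient recipe and in the FortiGate-as-dialup-client recipe all carry settings chosen for client compatibility (md5 and sha1 in the proposal lists, DH groups 5 and 2 beside 14, pfs disable, aggressive mode with a PSK on the FortiGate and FortiClient phase1s). A practitioner reviewing such configurations usually wants a repeatable check rather than a visual scan. The following is an added example, not FortiOS code: a small parser for FortiOS config ... edit ... set ... next ... end text and an audit that reports those legacy settings. SAMPLE_IOS is trimmed from the phase1/phase2 steps above; SAMPLE_HARDENED is a constructed variant with the flagged settings changed. The checks encode widely published guidance and treat an unset mode, authmethod, ike-version or pfs as the FortiOS defaults (main, psk, 1, enable); they are this example's assumptions, not Fortinet recommendations. The parser also accepts the single-line form in which CLI blocks are sometimes pasted.

```python
"""Audit FortiOS phase1-interface / phase2-interface blocks for legacy settings.

Added example, not FortiOS code. SAMPLE_IOS is trimmed from the recipe's iOS
configuration; SAMPLE_HARDENED is constructed. Defaults assumed for unset keys:
mode main, authmethod psk, ike-version 1, pfs enable.
"""
import re

WEAK_HASHES = {"md5", "sha1"}
WEAK_DHGRPS = {"1", "2", "5"}

SAMPLE_IOS = """\
config vpn ipsec phase1-interface
    edit "for_ios_p1"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256 aes256-md5 aes256-sha1
        set dhgrp 14 5 2
        set xauthtype auto
        set authusrgrp "vpngroup"
        set psksecret your-psk
    next
end
config vpn ipsec phase2-interface
    edit "for_ios_p2"
        set phase1name "for_ios_p1"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set pfs disable
        set keepalive enable
    next
end
"""

# Constructed hardened variant: sha256-only integrity, 2048-bit and ECP DH groups, PFS on.
SAMPLE_HARDENED = """\
config vpn ipsec phase1-interface
    edit "for_ios_p1"
        set type dynamic
        set interface "wan1"
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14 19
        set psksecret your-psk
    next
end
config vpn ipsec phase2-interface
    edit "for_ios_p2"
        set phase1name "for_ios_p1"
        set proposal aes256-sha256 aes256gcm chacha20poly1305
        set pfs enable
        set dhgrp 14 19
    next
end
"""


def parse_fortios(text):
    """Parse CLI text into {section: {entry: {setting: [values]}}}.

    Single-line input ("config ... edit ... set ... next end") is split on the
    keywords first, so flattened pastes parse the same as indented blocks.
    """
    text = re.sub(r"\s+(?=(?:config|edit|set|next|end)(?:\s|$))", "\n", text)
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts:
            continue
        if parts[0] == "config":
            section = " ".join(parts[1:])
            tree.setdefault(section, {})
        elif parts[0] == "edit" and section is not None:
            entry = " ".join(parts[1:]).strip('"')
            tree[section][entry] = {}
        elif parts[0] == "set" and entry is not None and len(parts) >= 3:
            tree[section][entry][parts[1]] = [v.strip('"') for v in parts[2:]]
        elif parts[0] == "next":
            entry = None
        elif parts[0] == "end":
            section, entry = None, None
    return tree


def _weak_integrity(phase, name, proposals):
    """Flag proposals whose integrity part (after the '-') is md5 or sha1; AEAD entries have none."""
    out = []
    for prop in proposals:
        _, _, integ = prop.partition("-")
        if integ in WEAK_HASHES:
            out.append(f"{phase} {name}: proposal {prop} uses legacy integrity algorithm {integ}")
    return out


def audit(text):
    """Return a list of findings for every phase1/phase2 entry in the text."""
    tree = parse_fortios(text)
    findings = []
    for name, s in tree.get("vpn ipsec phase1-interface", {}).items():
        findings += _weak_integrity("phase1", name, s.get("proposal", []))
        weak = sorted(set(s.get("dhgrp", [])) & WEAK_DHGRPS, key=int)
        if weak:
            findings.append(f"phase1 {name}: dhgrp offers small DH group(s) {' '.join(weak)}; prefer 14 or higher")
        if (s.get("ike-version", ["1"])[0] == "1" and s.get("mode", ["main"])[0] == "aggressive"
                and s.get("authmethod", ["psk"])[0] == "psk"):
            findings.append(f"phase1 {name}: IKEv1 aggressive mode with a PSK; prefer main mode or signature authentication")
    for name, s in tree.get("vpn ipsec phase2-interface", {}).items():
        findings += _weak_integrity("phase2", name, s.get("proposal", []))
        if s.get("pfs", ["enable"])[0] == "disable":
            findings.append(f"phase2 {name}: pfs disable ties child SA keys to the IKE SA; enable PFS where the client supports it")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_IOS):
        print(line)
```

Because the hardened variant drops md5/sha1, groups 2 and 5 and pfs disable, it produces no findings; whether a given client population can actually negotiate the stricter set is something to confirm with the diagnose commands in the next steps before rolling it out.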

  7. Configure the firewall policy to allow client traffic flow over the IPsec VPN tunnel:

config firewall policy
    edit 1
        set name "ios_vpn"
        set srcintf "for_ios_p1"
        set dstintf "lan"
        set srcaddr "client_range"
        set dstaddr "local_network"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

  8. Configure the iOS device:
    1. In the iOS device, go to Settings > General > VPN and select Add VPN Configuration.
    2. Set the Type to IPsec and enter a Description. Set the Server to the FortiGate’s Internet-facing interface, and enter the username in Account. Enter the user password and the preshared IPsec VPN secret, then select Done.
    3. Ensure that the IPsec VPN configuration is highlighted (indicated by a checkmark), and select Not Connected. The IPsec VPN connects with the user’s credentials and secret. The status changes to Connected, and a VPN icon appears at the top of the screen.
  9. Run diagnose commands. These diagnose commands are useful to check the IPsec phase1/phase2 interface status. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish.
    1. Run the diagnose vpn ike gateway list command. The system should return the following:

vd: root/0
name: for_ios_p1_0
version: 1
interface: port1 15
addr: 172.20.120.123:4500 -> 172.20.120.254:64916
created: 17s ago
xauth-user: u1
assigned IPv4 address: 10.10.2.1/255.255.255.255
nat: me peer
IKE SA: created 1/1 established 1/1 time 150/150/150 ms
IPsec SA: created 1/1 established 1/1 time 10/10/10 ms

  id/spi: 2 3c844e13c75591bf/80c2db92c8d3f602
  direction: responder
  status: established 17-17s ago = 150ms
  proposal: aes256-sha256
  key: 0032ea5ee160d775-51f3bf1f9909101bb89c7b5a77a07784-2c92cf9c921801ac
  lifetime/rekey: 3600/3312
  DPD sent/recv: 00000000/00000000

    2. Run the diagnose vpn tunnel list command. The system should return the following:

list all ipsec tunnel in vd 0
------------------------------------------------------
name=for_ios_p1_0 ver=1 serial=172.20.120.123:4500->172.20.120.254:64916
bound_if=15 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/984 options[03d8]=npu create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1
parent=for_ios_p1 index=0
proxyid_num=1 child_num=0 refcnt=12 ilast=23 olast=23 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0
natt: mode=keepalive draft=32 interval=10 remote_port=64916
proxyid=for_ios_p1 proto=0 sa=1 ref=2 serial=1 add-route
  src: 0:10.10.111.0-10.10.111.255:0
  dst: 0:10.10.2.1-10.10.2.1:0
  SA: ref=3 options=a7 type=00 soft=0 mtu=1422 expire=3564/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=3587/3600
  dec: spi=36274d15 esp=aes key=32 5a599d796f8114c83d6589284f036fc33bdf4456541e2154b4ac2217b6aec869 ah=sha1 key=20 f1efdeb77d6f856a8dd3a30cbc23cb0f8a3e0340
  enc: spi=00b0d9ab esp=aes key=32 e9232d7a1c4f390fd09f8409c2d85f80362d940c08c73f245908ab1ac3af322f ah=sha1 key=20 a3890d6c5320756291cad85026d3a78fd42a1b42
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=172.20.120.254 npu_lgwy=172.20.120.123 npu_selid=1 dec_npuid=0 enc_npuid=0