[FortiGate] How to configure IPsec VPN (ver. 7.2.3)


Work environment

  • FortiGate-60E
    • version 7.2.3

Steps to configure IPsec VPN

Here, the IPsec VPN is configured for the following environment (the addresses are those used in the example config below): FortiGate-60E-01 terminates the tunnel on wan1 (10.10.0.2) with a peer gateway at 10.10.0.1, the local network behind the dmz interface is 10.10.10.0/24, and the remote network reached through the tunnel is 192.168.1.0/24.

Follow the steps below to configure IPsec on FortiGate.

  1. IKE Phase 1 configuration
  2. IKE Phase 2 configuration
  3. Firewall policy settings
  4. Configuring static routes

IKE Phase 1 configuration

The configuration item corresponding to the IKE Phase 1 configuration is config vpn ipsec phase1-interface.

Below is an example config of FortiGate-60E-01.

config vpn ipsec phase1-interface
    edit "Tunnel0"
        set interface "wan1"
        set peertype any
        set net-device disable
        set proposal aes256-sha512
        set dpd disable
        set dhgrp 1
        set nattraversal disable
        set remote-gw 10.10.0.1
        set psksecret ENC Dn8EppvXnhP2sIJT3/dRnV2PGq4ab8TFZn/t9WuP/mwwDJNlU5Ifva2OjE/SQ/nwY3FedbZcL1Afmh6wQoPOYuUYjXOcLspYhQd6fBkvuZANQSYptJzSl6llyh8/UrUO/D2W/RJsOIO7Z/PbMnVe9YI6SmezBLo/XpbbV5H7/C6gwSkOGFeQsxLuY6aUhiFkQpyqDg==
    next
end

The typical setting items here are as follows. Note that the example above keeps the IKEv1 default and several weak or disabled options (DH group 1, DPD off, NAT traversal off); the caveats are given under each item, and both ends of the tunnel must be changed together.

  • edit "object-name"
    • Set any object name.
  • set interface
    • Local physical, aggregate, or VLAN outgoing interface.
  • set proposal
    • Set the encryption algorithm and hash (integrity) algorithm for the IKE SA.
    • The setting value must match the value of the opposite router.
    • des, 3des, md5 and sha1 remain only for interoperability with old peers; use aes128 or aes256 with sha256 or stronger, as in the example (aes256-sha512).
    • The values that can be set are as follows.
FortiGate-01 (Tunnel0) # set proposal 
des-md5           des-md5
des-sha1          des-sha1
des-sha256        des-sha256
des-sha384        des-sha384
des-sha512        des-sha512
3des-md5          3des-md5
3des-sha1         3des-sha1
3des-sha256       3des-sha256
3des-sha384       3des-sha384
3des-sha512       3des-sha512
aes128-md5        aes128-md5
aes128-sha1       aes128-sha1
aes128-sha256     aes128-sha256
aes128-sha384     aes128-sha384
aes128-sha512     aes128-sha512
aes192-md5        aes192-md5
aes192-sha1       aes192-sha1
aes192-sha256     aes192-sha256
aes192-sha384     aes192-sha384
aes192-sha512     aes192-sha512
aes256-md5        aes256-md5
aes256-sha1       aes256-sha1
aes256-sha256     aes256-sha256
aes256-sha384     aes256-sha384
aes256-sha512     aes256-sha512
aria128-md5       aria128-md5
aria128-sha1      aria128-sha1
aria128-sha256    aria128-sha256
aria128-sha384    aria128-sha384
aria128-sha512    aria128-sha512
aria192-md5       aria192-md5
aria192-sha1      aria192-sha1
aria192-sha256    aria192-sha256
aria192-sha384    aria192-sha384
aria192-sha512    aria192-sha512
aria256-md5       aria256-md5
aria256-sha1      aria256-sha1
aria256-sha256    aria256-sha256
aria256-sha384    aria256-sha384
aria256-sha512    aria256-sha512
seed-md5          seed-md5
seed-sha1         seed-sha1
seed-sha256       seed-sha256
seed-sha384       seed-sha384
seed-sha512       seed-sha512
  • set authmethod
    • Authentication method. psk authenticates both gateways with a shared secret and is the usual choice for a site-to-site tunnel; signature uses X.509 certificates and avoids distributing a secret.
FortiGate-01 (Tunnel0) # set authmethod 
psk          PSK authentication method.
signature    Signature authentication method.
  • set dhgrp
    • Configure the Diffie-Hellman (DH) group for the IKE key exchange.
    • The setting value must match the value of the opposite router.
    • Groups 1, 2 and 5 (768-, 1024- and 1536-bit MODP) are too small for current use; use 14 (2048-bit MODP) or larger, or the ECP groups 19 to 21. The example uses group 1 and should be changed on both ends.
FortiGate-01 (Tunnel0) # set dhgrp 
1     DH Group 1.
2     DH Group 2.
5     DH Group 5.
14    DH Group 14.
15    DH Group 15.
16    DH Group 16.
17    DH Group 17.
18    DH Group 18.
19    DH Group 19.
20    DH Group 20.
21    DH Group 21.
27    DH Group 27.
28    DH Group 28.
29    DH Group 29.
30    DH Group 30.
31    DH Group 31.
32    DH Group 32.
  • set keylife
    • Lifetime of the Phase 1 (IKE) SA in seconds; the SA is renegotiated before it expires.
FortiGate-01 (Tunnel0) # set keylife 
keylife    Enter an integer value from <120> to <172800> (default = <86400>).
  • set psksecret
    • Set the pre-shared key. Use a long random value; with PSK authentication the key is the only thing that stops anyone who can reach wan1 from negotiating a tunnel.
    • The setting value must match the value of the opposite router.
    • The key is entered in clear text and stored in encrypted form, which is why the example config shows it as set psksecret ENC .... A config backup that contains it is as sensitive as the key itself.
FortiGate-01 (Tunnel0) # set psksecret 
<passwd>    please input password value
  • set dpd
    • Dead Peer Detection mode. With disable (as in the example) a failed peer is only noticed when the SA expires; on-demand is the usual setting for a static site-to-site tunnel.
FortiGate-01 (Tunnel0) # set dpd 
disable      Disable Dead Peer Detection.
on-idle      Trigger Dead Peer Detection when IPsec is idle.
on-demand    Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.
  • set mode
    • The ID protection mode used to establish the IKEv1 secure channel (the default is main; the setting has no effect when set ike-version 2 selects IKEv2). Aggressive mode sends the identities and the PSK-based authentication hash before the exchange is encrypted, so the hash can be captured and attacked offline. Keep main unless the peer requires aggressive mode (typically a peer with a dynamic address identified by an ID).
FortiGate-01 (Tunnel0) # set mode 
aggressive    Aggressive mode.
main          Main mode.

  • set remote-gw
    • Set the IP address of the peer router.
FortiGate-01 (Tunnel0) # set remote-gw 
<class_ip>    Class A,B,C ip xxx.xxx.xxx.xxx
  • set nattraversal
    • Enable/disable NAT traversal (UDP encapsulation of ESP when a NAT device sits between the gateways). Default is enable. The example disables it because both gateways have directly reachable addresses; leave it enabled if you are not sure.
FortiGate-01 (Tunnel0) # set nattraversal 
enable     Enable IPsec NAT traversal.
disable    Disable IPsec NAT traversal.
forced     Force IPsec NAT traversal on.
  • set auto-negotiate
    • Enable/disable automatic initiation of IKE SA negotiation. Default is enable.
FortiGate-01 (Tunnel0) # set auto-negotiate 
enable     Enable automatic initiation of IKE SA negotiation.
disable    Disable automatic initiation of IKE SA negotiation.

Auto-configured tunnel interface

When the above IKE Phase 1 settings are performed, the following configs are automatically set and a tunnel interface is created.

config system interface
    edit "Tunnel0"
        set vdom "root"
        set type tunnel
        set snmp-index 17
        set interface "wan1"
    next
end

The edit name (“Tunnel0”) matches the object name created with config vpn ipsec phase1-interface.

IKE Phase 2 configuration

The configuration item corresponding to the IKE Phase 2 configuration is config vpn ipsec phase2-interface.

Below is an example config of FortiGate-60E-01.

config vpn ipsec phase2-interface
    edit "Tunnel0"
        set phase1name "Tunnel0"
        set proposal aes256-sha512
        set pfs disable
        set keylifeseconds 3600
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

The typical setting items here are as follows.

  • edit "object-name"
    • Set any object name.
  • set phase1name
    • Sets the object name of the associated IKE Phase 1 configuration.
  • set proposal
    • Set the ESP encryption and authentication algorithms.
    • The setting value must match the value of the opposite router.
    • The null entries give integrity only and send the payload in clear text; the des, 3des, md5 and sha1 entries are legacy. aes128gcm, aes256gcm and chacha20poly1305 are AEAD ciphers that provide both encryption and integrity, so they take no separate hash.
    • The values that can be set are as follows.
FortiGate-01 (Tunnel0) # set proposal 
null-md5            null-md5
null-sha1           null-sha1
null-sha256         null-sha256
null-sha384         null-sha384
null-sha512         null-sha512
des-null            des-null
des-md5             des-md5
des-sha1            des-sha1
des-sha256          des-sha256
des-sha384          des-sha384
des-sha512          des-sha512
3des-null           3des-null
3des-md5            3des-md5
3des-sha1           3des-sha1
3des-sha256         3des-sha256
3des-sha384         3des-sha384
3des-sha512         3des-sha512
aes128-null         aes128-null
aes128-md5          aes128-md5
aes128-sha1         aes128-sha1
aes128-sha256       aes128-sha256
aes128-sha384       aes128-sha384
aes128-sha512       aes128-sha512
aes128gcm           aes128gcm
aes192-null         aes192-null
aes192-md5          aes192-md5
aes192-sha1         aes192-sha1
aes192-sha256       aes192-sha256
aes192-sha384       aes192-sha384
aes192-sha512       aes192-sha512
aes256-null         aes256-null
aes256-md5          aes256-md5
aes256-sha1         aes256-sha1
aes256-sha256       aes256-sha256
aes256-sha384       aes256-sha384
aes256-sha512       aes256-sha512
aes256gcm           aes256gcm
chacha20poly1305    chacha20poly1305
aria128-null        aria128-null
aria128-md5         aria128-md5
aria128-sha1        aria128-sha1
aria128-sha256      aria128-sha256
aria128-sha384      aria128-sha384
aria128-sha512      aria128-sha512
aria192-null        aria192-null
aria192-md5         aria192-md5
aria192-sha1        aria192-sha1
aria192-sha256      aria192-sha256
aria192-sha384      aria192-sha384
aria192-sha512      aria192-sha512
aria256-null        aria256-null
aria256-md5         aria256-md5
aria256-sha1        aria256-sha1
aria256-sha256      aria256-sha256
aria256-sha384      aria256-sha384
aria256-sha512      aria256-sha512
seed-null           seed-null
seed-md5            seed-md5
seed-sha1           seed-sha1
seed-sha256         seed-sha256
seed-sha384         seed-sha384
seed-sha512         seed-sha512

  • set pfs
    • Enable/disable Perfect Forward Secrecy. Default is enable. With PFS on, a fresh DH exchange (group chosen by set dhgrp in the Phase 2 entry) is run for every Phase 2 SA, so compromise of the Phase 1 keys does not expose the ESP keys. The example disables it; keep it enabled unless the peer cannot do it.
FortiGate-01 (Tunnel0) # set pfs 
enable     Enable setting.
disable    Disable setting.
  • set keylifeseconds
    • Phase2 key life in time in seconds.
FortiGate-01 (Tunnel0) # set keylifeseconds 
keylifeseconds    Enter an integer value from <120> to <172800> (default = <43200>).
  • set encapsulation
    • ESP encapsulation mode. Default is tunnel-mode, which encapsulates the whole IP packet and is what a site-to-site tunnel needs; transport-mode protects only the payload and is used for host-to-host traffic or when another tunnel protocol (such as GRE) is carried over IPsec.
FortiGate-01 (Tunnel0) # set encapsulation 
tunnel-mode       Use tunnel mode encapsulation.
transport-mode    Use transport mode encapsulation.
  • set src-subnet
    • Communications originating from this address are encrypted.
    • Default is 0.0.0.0 0.0.0.0.
  • set dst-subnet
    • Communications destined for this address are encrypted.
    • Default is 0.0.0.0 0.0.0.0.
  • set auto-negotiate
    • Enable/disable IPsec SA auto-negotiation. Default is disable.
FortiGate-01 (Tunnel0) # set auto-negotiate 
enable     Enable setting.
disable    Disable setting.
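
The same Tunnel0 Phase 1 and Phase 2 objects with the weak choices in the examples above corrected, added here as an illustration (this is not config from the original page). It assumes the peer at 10.10.0.1 is reconfigured to match (IKEv2, DH group 14, AES-256-GCM with PFS) and that the pre-shared key placeholder is replaced with a long random value. Lines starting with # are annotations, not FortiOS commands, and must be removed before pasting into the CLI.

```text
# Added example: hardened counterpart of the page's Tunnel0 (not the original config).
# Assumption: the peer at 10.10.0.1 is changed at the same time.
config vpn ipsec phase1-interface
    edit "Tunnel0"
        set interface "wan1"
        # page example: IKEv1 (default). IKEv2 has no main/aggressive mode weakness
        set ike-version 2
        set peertype any
        set net-device disable
        # page example: aes256-sha512 (also acceptable). Never des/3des/md5/sha1
        set proposal aes256-sha256
        # page example: 1 (768-bit MODP). 14 = 2048-bit MODP
        set dhgrp 14
        # page example: disable. Detect a dead peer instead of waiting for keylife
        set dpd on-demand
        set dpd-retryinterval 5
        set dpd-retrycount 3
        # page example: disable. Harmless without NAT, required with it
        set nattraversal enable
        set keylife 86400
        set remote-gw 10.10.0.1
        # placeholder: entered in clear text, displayed as "ENC ..." afterwards
        set psksecret <long-random-pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "Tunnel0"
        set phase1name "Tunnel0"
        # page example: aes256-sha512. aes256gcm is AEAD (encryption + integrity)
        set proposal aes256gcm
        # page example: disable. Fresh DH exchange per Phase 2 SA
        set pfs enable
        set dhgrp 14
        # bring the SA up without waiting for traffic and keep it up
        set auto-negotiate enable
        set keepalive enable
        set keylifeseconds 3600
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
```

After both ends are changed, get vpn ike gateway should report version: 2 and proposal aes-256-sha256, and the SA lines in get vpn ipsec tunnel details should show aes-gcm instead of aes-cb plus sha512.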

Firewall policy settings

Image: Network environment example

Set a policy that allows communication through the IPsec tunnel. Firewall policies are matched per direction: a policy from dmz to Tunnel0 allows sessions started on the local side, and a second policy from Tunnel0 to dmz is needed for sessions started on the remote side.

The example allows all communication between the dmz interface and Tunnel0 (the IPsec tunnel). In production, narrow the source and destination addresses to the two subnets and the service to what the sites actually exchange; an all/all policy across a VPN exposes every host on one site to every host on the other.

The point is to set the tunnel interface (Tunnel0) as the Incoming Interface or Outgoing Interface.

Configuring static routes

Configure a static route that sends traffic destined for the remote site through the IPsec tunnel interface.

The setting commands are as follows. (The edit number can be any unused number.) It is good practice to add a second route for the same destination as a blackhole with a higher distance: while the tunnel is down it absorbs the traffic instead of letting it leave in clear text via the default route.

config router static
    edit 1
        set dst 192.168.1.0 255.255.255.0
        set device "Tunnel0"
    next
end
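
Steps 3 and 4 as CLI, added here as an example (the original page shows the policy step only through the GUI): address objects for the two subnets, one policy per direction, the static route from above, and a blackhole route with a higher distance that holds remote-site traffic while the tunnel is down. The interface name dmz and the subnets are taken from the page; the object and policy names (dmz-net, remote-net, dmz-to-Tunnel0, Tunnel0-to-dmz) are assumptions, and edit 0 lets FortiOS assign the next free ID. Lines starting with # are annotations and must be removed before pasting.

```text
# Added example, not from the original page. Names of address objects and
# policies are assumptions; Tunnel0 is the Phase 1 object defined earlier.
config firewall address
    edit "dmz-net"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "remote-net"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config firewall policy
    # sessions started on the local site
    edit 0
        set name "dmz-to-Tunnel0"
        set srcintf "dmz"
        set dstintf "Tunnel0"
        set srcaddr "dmz-net"
        set dstaddr "remote-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # sessions started on the remote site
    edit 0
        set name "Tunnel0-to-dmz"
        set srcintf "Tunnel0"
        set dstintf "dmz"
        set srcaddr "remote-net"
        set dstaddr "dmz-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
config router static
    # preferred path: through the tunnel (default distance 10)
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "Tunnel0"
    next
    # fallback while Tunnel0 is down: drop, do not forward via the default route
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
```

Restrict set service "ALL" to the protocols the sites really need once the tunnel is proven to work; logging is on so that the first sessions across the tunnel are visible in the traffic log.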

IPsec VPN related commands

Status check commands

These outputs include live key material (the IKE SA key in get vpn ike gateway, the ESP encryption and authentication keys in the tunnel details and tunnel list). Treat them like the pre-shared key: do not paste them into tickets or chat.

  • get vpn ike gateway
FortiGate-01 # get vpn ike gateway

vd: root/0
name: Tunnel0
version: 1
interface: wan1 5
addr: 10.10.0.2:500 -> 10.10.0.1:500
created: 2683s ago
IKE SA  created: 1/1  established: 1/1  time: 0/0/0 ms
IPsec SA  created: 1/1  established: 1/1  time: 0/0/0 ms

  id/spi: 3 b2bb74280a8c7a7e/610abb9b58e837ff
  direction: responder
  status: established 2683-2683s ago = 0ms
  proposal: aes-256-sha512
  key: 80fa0950a001a249-618ddb1f285ce26e-39cadcdc08e86457-3aa2afce48883cca
  lifetime/rekey: 86400/83446
  DPD sent/recv: 00000000/00000000
  • get vpn ipsec tunnel summary
    • One line per tunnel with the number of selectors (Phase 2 SAs) that are up and the packet/error counters. The tx error counter typically includes packets routed into the tunnel while no SA existed, so a large value on a tunnel that has just come up is not by itself a fault; an error count that keeps rising while the selector is up is.
FortiGate-01 # get vpn ipsec tunnel summary
'Tunnel0' 10.10.0.1:0  selectors(total,up): 1/1  rx(pkt,err): 1/0  tx(pkt,err): 4/1721
  • get vpn ipsec tunnel details
FortiGate-01 # get vpn ipsec tunnel details

gateway
  name: 'Tunnel0'
  local-gateway: 10.10.0.2:0 (static)
  remote-gateway: 10.10.0.1:0 (static)
  dpd-link: on
  mode: ike-v1
  interface: 'wan1' (5)
  rx  packets: 1  bytes: 60  errors: 0
  tx  packets: 4  bytes: 240  errors: 1721
  dpd: disabled
  selectors
    name: 'Tunnel0'
    auto-negotiate: disable
    mode: tunnel
    src: 0:10.10.10.0/255.255.255.0:0
    dst: 0:192.168.1.0/255.255.255.0:0
    SA
      lifetime/rekey: 3600/547   
      mtu: 1422
      tx-esp-seq: 5
      replay: enabled
      qat: 0
      inbound
        spi: d39dc5a9
        enc:  aes-cb  2493b11ba0b3f1e671b69db2de1d5a58af3aa417a5de64e8d4672ee4accc83be
        auth: sha512  1f1fbafac18511247ab8423b4eed628d4593cb769d58076815111ab28f2cfb4638a84c45785af239fe08071a3c98e2a8de0f79dfe04f2bb192bf4cc46757b56b
      outbound
        spi: 1ad73e6f
        enc:  aes-cb  2c3680136317852d50a391e8f8a9daf214e119bc70ad1921fb247f3eff126e0b
        auth: sha512  abce8e35fe964fbcf7c70a68cad9516c2ff5103ed196cbfaaa8d40e16bbdad43740f64480dae3c600135d9a438e8a37fea7f5fd9aa31afcd713286c329851b3c
      NPU acceleration: encryption(outbound) decryption(inbound)

  • diagnose vpn ike status summary
FortiGate-01 # diagnose vpn ike status summary
connection: 1/3
IKE SA: created 1/4  established 1/4  times 0/12/50 ms
IPsec SA: created 1/2  established 1/2  times 0/0/0 ms

  • diagnose vpn ike status detailed
FortiGate-01 # diagnose vpn ike status detailed

vd: root/0
name: Tunnel0
version: 1
connection: 1/3
IKE SA: created 1/4  established 1/4  times 0/12/50 ms
IPsec SA: created 1/2  established 1/2  times 0/0/0 ms
  • diagnose vpn ipsec status
FortiGate-01 # diagnose vpn ipsec status
All ipsec crypto devices in use:
NP6LITE_0:
    Encryption (encrypted/decrypted)
        null             : 0                0               
        des              : 0                0               
        3des             : 0                0               
        aes              : 0                0               
        aes-gcm          : 0                0               
        aria             : 0                0               
        seed             : 0                0               
        chacha20poly1305 : 0                0               
    Integrity (generated/validated)
        null             : 0                0               
        md5              : 0                0               
        sha1             : 0                0               
        sha256           : 0                0               
        sha384           : 0                0               
        sha512           : 0                0               

NPU Host Offloading:
    Encryption (encrypted/decrypted)
        null             : 0                0               
        des              : 0                0               
        3des             : 0                0               
        aes              : 5                0               
        aes-gcm          : 0                0               
        aria             : 0                0               
        seed             : 0                0               
        chacha20poly1305 : 0                0               
    Integrity (generated/validated)
        null             : 0                0               
        md5              : 0                0               
        sha1             : 0                0               
        sha256           : 0                0               
        sha384           : 0                0               
        sha512           : 5                0               

SOC3:
    Encryption (encrypted/decrypted)
        null             : 0                0               
        des              : 0                0               
        3des             : 0                0               
        aes              : 2                2               
        aes-gcm          : 0                0               
        aria             : 0                0               
        seed             : 0                0               
        chacha20poly1305 : 0                0               
    Integrity (generated/validated)
        null             : 0                0               
        md5              : 0                0               
        sha1             : 0                0               
        sha256           : 0                0               
        sha384           : 0                0               
        sha512           : 2                2               

SOFTWARE:
    Encryption (encrypted/decrypted)
        null             : 0                0               
        des              : 0                0               
        3des             : 0                0               
        aes              : 0                0               
        aes-gcm          : 0                0               
        aria             : 0                0               
        seed             : 0                0               
        chacha20poly1305 : 0                0               
    Integrity (generated/validated)
        null             : 0                0               
        md5              : 0                0               
        sha1             : 0                0               
        sha256           : 0                0               
        sha384           : 0                0               
        sha512           : 0                0 
  • diagnose vpn tunnel list
FortiGate-01 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Tunnel0 ver=1 serial=1 10.10.0.2:0->10.10.0.1:0 tun_id=10.10.0.1 tun_id6=::10.10.0.1 dst_mtu=1500 dpd-link=on weight=1
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=3 ilast=372 olast=372 ad=/0
stat: rxp=1 txp=4 rxb=60 txb=240
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=Tunnel0 proto=0 sa=1 ref=2 serial=1
  src: 0:10.10.10.0/255.255.255.0:0
  dst: 0:192.168.1.0/255.255.255.0:0
  SA:  ref=6 options=10026 type=00 soft=0 mtu=1422 expire=351/0B replaywin=1024
       seqno=5 esn=0 replaywin_lastseq=00000002 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=3300/3600
  dec: spi=d39dc5a9 esp=aes key=32 2493b11ba0b3f1e671b69db2de1d5a58af3aa417a5de64e8d4672ee4accc83be
       ah=sha512 key=64 1f1fbafac18511247ab8423b4eed628d4593cb769d58076815111ab28f2cfb4638a84c45785af239fe08071a3c98e2a8de0f79dfe04f2bb192bf4cc46757b56b
  enc: spi=1ad73e6f esp=aes key=32 2c3680136317852d50a391e8f8a9daf214e119bc70ad1921fb247f3eff126e0b
       ah=sha512 key=64 abce8e35fe964fbcf7c70a68cad9516c2ff5103ed196cbfaaa8d40e16bbdad43740f64480dae3c600135d9a438e8a37fea7f5fd9aa31afcd713286c329851b3c
  dec:pkts/bytes=2/120, enc:pkts/bytes=8/800
  npu_flag=03 npu_rgwy=10.10.0.1 npu_lgwy=10.10.0.2 npu_selid=0 dec_npuid=1 enc_npuid=1
run_tally=0

Operation commands

  • diagnose vpn ike restart
    • Restarts the IKE daemon; every tunnel on the unit is torn down and renegotiated.
  • diagnose vpn ike gateway clear
    • Clears the IKE SAs (and the IPsec SAs under them) so the tunnel is renegotiated; the name option limits it to one Phase 1 object instead of all tunnels.

References

config vpn ipsec phase1-interface | CLI Reference
config vpn ipsec phase2-interface | CLI Reference
