Work environment
- FortiGate-60E
- FortiOS 7.2.3
Steps to configure IPsec VPN
Here, consider configuring an IPsec VPN in the following network environment. (The network diagram is not reproduced; the addresses used in the configs below are: FortiGate-60E-01 wan1 10.10.0.2, peer gateway 10.10.0.1, local network 10.10.10.0/24 behind the dmz interface, remote network 192.168.1.0/24.)
Follow the steps below to configure IPsec on FortiGate.
- IKE Phase 1 configuration
- IKE Phase 2 configuration
- Firewall policy settings
- Configuring static routes
IKE Phase 1 configuration
The configuration item corresponding to the IKE Phase 1 configuration is config vpn ipsec phase1-interface.
Below is an example config of FortiGate-60E-01.
config vpn ipsec phase1-interface
edit "Tunnel0"
set interface "wan1"
set peertype any
set net-device disable
set proposal aes256-sha512
set dpd disable
set dhgrp 1
set nattraversal disable
set remote-gw 10.10.0.1
set psksecret ENC Dn8EppvXnhP2sIJT3/dRnV2PGq4ab8TFZn/t9WuP/mwwDJNlU5Ifva2OjE/SQ/nwY3FedbZcL1Afmh6wQoPOYuUYjXOcLspYhQd6fBkvuZANQSYptJzSl6llyh8/UrUO/D2W/RJsOIO7Z/PbMnVe9YI6SmezBLo/XpbbV5H7/C6gwSkOGFeQsxLuY6aUhiFkQpyqDg==
next
end
The typical setting items here are as follows.
edit "object-name"
- Set any object name.
set interface
- Local physical, aggregate, or VLAN outgoing interface.
set proposal
- Set the encryption algorithm and hash algorithm (one or more pairs).
- The setting value must match the value of the opposite router.
- des, 3des, md5 and sha1 are listed only for legacy compatibility; use aes128/aes256 (or aria/seed where required) with sha256 or stronger, as the example does.
- The values that can be set are as follows.
FortiGate-01 (Tunnel0) # set proposal
des-md5 des-md5
des-sha1 des-sha1
des-sha256 des-sha256
des-sha384 des-sha384
des-sha512 des-sha512
3des-md5 3des-md5
3des-sha1 3des-sha1
3des-sha256 3des-sha256
3des-sha384 3des-sha384
3des-sha512 3des-sha512
aes128-md5 aes128-md5
aes128-sha1 aes128-sha1
aes128-sha256 aes128-sha256
aes128-sha384 aes128-sha384
aes128-sha512 aes128-sha512
aes192-md5 aes192-md5
aes192-sha1 aes192-sha1
aes192-sha256 aes192-sha256
aes192-sha384 aes192-sha384
aes192-sha512 aes192-sha512
aes256-md5 aes256-md5
aes256-sha1 aes256-sha1
aes256-sha256 aes256-sha256
aes256-sha384 aes256-sha384
aes256-sha512 aes256-sha512
aria128-md5 aria128-md5
aria128-sha1 aria128-sha1
aria128-sha256 aria128-sha256
aria128-sha384 aria128-sha384
aria128-sha512 aria128-sha512
aria192-md5 aria192-md5
aria192-sha1 aria192-sha1
aria192-sha256 aria192-sha256
aria192-sha384 aria192-sha384
aria192-sha512 aria192-sha512
aria256-md5 aria256-md5
aria256-sha1 aria256-sha1
aria256-sha256 aria256-sha256
aria256-sha384 aria256-sha384
aria256-sha512 aria256-sha512
seed-md5 seed-md5
seed-sha1 seed-sha1
seed-sha256 seed-sha256
seed-sha384 seed-sha384
seed-sha512 seed-sha512
set authmethod
- Authentication method. Normally, the pre-shared key scheme (psk) is set; signature uses certificates.
FortiGate-01 (Tunnel0) # set authmethod
psk PSK authentication method.
signature Signature authentication method.
set dhgrp
- Configure the Diffie-Hellman (DH) group used for the Phase 1 key exchange.
- The setting value must match the value of the opposite router.
- Groups 1, 2 and 5 (768-, 1024- and 1536-bit MODP) are too weak for current use; choose 14 or higher, or an elliptic-curve group such as 19, 20 or 21. The example config above uses group 1 and should not be copied as-is.
FortiGate-01 (Tunnel0) # set dhgrp
1 DH Group 1.
2 DH Group 2.
5 DH Group 5.
14 DH Group 14.
15 DH Group 15.
16 DH Group 16.
17 DH Group 17.
18 DH Group 18.
19 DH Group 19.
20 DH Group 20.
21 DH Group 21.
27 DH Group 27.
28 DH Group 28.
29 DH Group 29.
30 DH Group 30.
31 DH Group 31.
32 DH Group 32.
set keylife
- Time to wait in seconds before phase 1 encryption key expires.
FortiGate-01 (Tunnel0) # set keylife
keylife Enter an integer value from <120> to <172800> (default = <86400>).
set psksecret
- Set a pre-shared key. Use a long, randomly generated value; a short or dictionary PSK can be recovered by offline guessing from captured IKE traffic, particularly in aggressive mode.
- The setting value must match the value of the opposite router.
- The ENC value in the example config is the stored (encrypted) form that FortiOS prints in show output, not the plaintext key; enter the plaintext when configuring.
FortiGate-01 (Tunnel0) # set psksecret
<passwd> please input password value
set dpd
- Dead Peer Detection mode. The example disables it; in production use on-idle (or on-demand) so that a peer that has gone away is detected and the SA is torn down and renegotiated instead of blackholing traffic.
FortiGate-01 (Tunnel0) # set dpd
disable Disable Dead Peer Detection.
on-idle Trigger Dead Peer Detection when IPsec is idle.
on-demand Trigger Dead Peer Detection when IPsec traffic is sent but no reply is received from the peer.
set mode
- The ID protection mode used to establish a secure channel (IKEv1 only; the default is main).
- Aggressive mode sends the identity and the PSK-derived hash before the channel is encrypted, so a captured exchange allows offline guessing of a weak PSK; use main mode unless a peer with a dynamic address forces aggressive mode.
FortiGate-01 (Tunnel0) # set mode
aggressive Aggressive mode.
main Main mode.
set remote-gw
- Set the IP address of the peer router.
FortiGate-01 (Tunnel0) # set remote-gw
<class_ip> Class A,B,C ip xxx.xxx.xxx.xxx
set nattraversal
- Enable/disable NAT traversal. Default is enable.
FortiGate-01 (Tunnel0) # set nattraversal
enable Enable IPsec NAT traversal.
disable Disable IPsec NAT traversal.
forced Force IPsec NAT traversal on.
set auto-negotiate
- Enable/disable automatic initiation of IKE SA negotiation. Default is enable.
FortiGate-01 (Tunnel0) # set auto-negotiate
enable Enable automatic initiation of IKE SA negotiation.
disable Disable automatic initiation of IKE SA negotiation.
Auto-configured tunnel interface
When the above IKE Phase 1 settings are performed, the following configs are automatically set and a tunnel interface is created.
config system interface
edit "Tunnel0"
set vdom "root"
set type tunnel
set snmp-index 17
set interface "wan1"
next
end
The edit name ("Tunnel0") matches the object name created with config vpn ipsec phase1-interface.
IKE Phase 2 configuration
The configuration item corresponding to the IKE Phase 2 configuration is config vpn ipsec phase2-interface.
Below is an example config of FortiGate-60E-01.
config vpn ipsec phase2-interface
edit "Tunnel0"
set phase1name "Tunnel0"
set proposal aes256-sha512
set pfs disable
set keylifeseconds 3600
set src-subnet 10.10.10.0 255.255.255.0
set dst-subnet 192.168.1.0 255.255.255.0
next
end
The typical setting items here are as follows.
edit "object-name"
- Set any object name.
set phase1name
- Sets the object name of the associated IKE Phase 1 configuration.
set proposal
- Set encryption and authentication algorithms for ESP.
- The setting value must match the value of the opposite router.
- The null-* entries give no encryption (ESP integrity only) and the *-null entries give no integrity check; neither belongs in production. aes128gcm, aes256gcm and chacha20poly1305 are AEAD ciphers that provide both and are the preferred choice when the peer supports them.
- The values that can be set are as follows.
FortiGate-01 (Tunnel0) # set proposal
null-md5 null-md5
null-sha1 null-sha1
null-sha256 null-sha256
null-sha384 null-sha384
null-sha512 null-sha512
des-null des-null
des-md5 des-md5
des-sha1 des-sha1
des-sha256 des-sha256
des-sha384 des-sha384
des-sha512 des-sha512
3des-null 3des-null
3des-md5 3des-md5
3des-sha1 3des-sha1
3des-sha256 3des-sha256
3des-sha384 3des-sha384
3des-sha512 3des-sha512
aes128-null aes128-null
aes128-md5 aes128-md5
aes128-sha1 aes128-sha1
aes128-sha256 aes128-sha256
aes128-sha384 aes128-sha384
aes128-sha512 aes128-sha512
aes128gcm aes128gcm
aes192-null aes192-null
aes192-md5 aes192-md5
aes192-sha1 aes192-sha1
aes192-sha256 aes192-sha256
aes192-sha384 aes192-sha384
aes192-sha512 aes192-sha512
aes256-null aes256-null
aes256-md5 aes256-md5
aes256-sha1 aes256-sha1
aes256-sha256 aes256-sha256
aes256-sha384 aes256-sha384
aes256-sha512 aes256-sha512
aes256gcm aes256gcm
chacha20poly1305 chacha20poly1305
aria128-null aria128-null
aria128-md5 aria128-md5
aria128-sha1 aria128-sha1
aria128-sha256 aria128-sha256
aria128-sha384 aria128-sha384
aria128-sha512 aria128-sha512
aria192-null aria192-null
aria192-md5 aria192-md5
aria192-sha1 aria192-sha1
aria192-sha256 aria192-sha256
aria192-sha384 aria192-sha384
aria192-sha512 aria192-sha512
aria256-null aria256-null
aria256-md5 aria256-md5
aria256-sha1 aria256-sha1
aria256-sha256 aria256-sha256
aria256-sha384 aria256-sha384
aria256-sha512 aria256-sha512
seed-null seed-null
seed-md5 seed-md5
seed-sha1 seed-sha1
seed-sha256 seed-sha256
seed-sha384 seed-sha384
seed-sha512 seed-sha512
set pfs
- Enable/disable Perfect Forward Secrecy. Default is enable. With PFS on, every Phase 2 (re)key runs a fresh DH exchange (group chosen with set dhgrp in phase2-interface), so a compromise of the Phase 1 keys does not expose past or future ESP keys. The example disables it; keep it enabled unless the peer cannot do it.
FortiGate-01 (Tunnel0) # set pfs
enable Enable setting.
disable Disable setting.
set keylifeseconds
- Phase2 key life in time in seconds.
FortiGate-01 (Tunnel0) # set keylifeseconds
keylifeseconds Enter an integer value from <120> to <172800> (default = <43200>).
set encapsulation
- ESP encapsulation mode. Default is tunnel-mode.
FortiGate-01 (Tunnel0) # set encapsulation
tunnel-mode Use tunnel mode encapsulation.
transport-mode Use transport mode encapsulation.
set src-subnet
- Local traffic selector: traffic from this subnet (toward dst-subnet) is protected by the tunnel.
- Default is 0.0.0.0 0.0.0.0 (any).
set dst-subnet
- Remote traffic selector: traffic destined for this subnet is protected by the tunnel.
- Default is 0.0.0.0 0.0.0.0 (any).
- The two selectors must mirror the peer's (the peer's src-subnet is this side's dst-subnet), otherwise Phase 2 fails to negotiate.
set auto-negotiate
- Enable/disable IPsec SA auto-negotiation. Default is disable.
FortiGate-01 (Tunnel0) # set auto-negotiate
enable Enable setting.
disable Disable setting.
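As an added example that is not part of the original page, the same Phase 1 and Phase 2 objects with the weak choices in the two example configs (IKEv1, DH group 1, DPD off, PFS off) replaced. It assumes the peer at 10.10.0.1 supports IKEv2, DH groups 20/19/14 and AES-256-GCM; the psksecret is a placeholder to be replaced with a long random value, and dpd-retryinterval is an explicit choice, not the default.

```fortios
# Added example (not from the original page): hardened Tunnel0.
# Assumes the peer supports IKEv2, DH groups 20/19/14 and AES-256-GCM.
config vpn ipsec phase1-interface
    edit "Tunnel0"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        # first pair both sides share is used; no des/3des/md5/sha1
        set proposal aes256-sha256 aes256-sha512
        # strongest groups first; group 1 removed
        set dhgrp 20 19 14
        # detect a dead peer instead of blackholing traffic
        set dpd on-idle
        set dpd-retryinterval 10
        # leave NAT-T on unless you know no NAT is in the path
        set nattraversal enable
        set remote-gw 10.10.0.1
        # placeholder: replace with a long random key (plaintext here)
        set psksecret <replace-with-a-long-random-key>
    next
end
config vpn ipsec phase2-interface
    edit "Tunnel0"
        set phase1name "Tunnel0"
        # AEAD first, classic AES-CBC + HMAC as fallback
        set proposal aes256gcm aes256-sha256
        # fresh DH exchange on every Phase 2 rekey
        set pfs enable
        set dhgrp 20 19 14
        set keylifeseconds 3600
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
```

After pasting this, confirm with get vpn ike gateway that version shows 2 and proposal shows the expected pair; if the peer only offers weaker settings the IKE SA simply will not come up, which is the intended failure mode.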
Firewall policy settings
Set a policy that allows communication through the IPsec tunnel.
The example allows all communication between the dmz interface and Tunnel0 (the IPsec tunnel). In production, narrow the source/destination addresses and services to what the remote site actually needs, and enable logging.
The key point is that the tunnel interface (Tunnel0), not wan1, is used as the Incoming Interface or Outgoing Interface. Policies are unidirectional, so a second policy with the interfaces swapped is required for sessions initiated from the remote site.
Configuring static routes
Configure a static route so that traffic destined for the remote site (192.168.1.0/24) is sent out the tunnel interface; without it, the traffic is not routed into Tunnel0 even though the Phase 2 selectors match. The peer needs the corresponding route back to 10.10.10.0/24.
The setting commands are as follows. (The edit number can be any unused number.)
config router static
edit 1
set dst 192.168.1.0 255.255.255.0
set device "Tunnel0"
next
end
IPsec VPN related commands
Status check commands
Several of these outputs include the live IKE and ESP session keys (the key:, enc: and auth: lines); treat captured output as sensitive and redact those lines before sharing it.
get vpn ike gateway
FortiGate-01 # get vpn ike gateway
vd: root/0
name: Tunnel0
version: 1
interface: wan1 5
addr: 10.10.0.2:500 -> 10.10.0.1:500
created: 2683s ago
IKE SA created: 1/1 established: 1/1 time: 0/0/0 ms
IPsec SA created: 1/1 established: 1/1 time: 0/0/0 ms
id/spi: 3 b2bb74280a8c7a7e/610abb9b58e837ff
direction: responder
status: established 2683-2683s ago = 0ms
proposal: aes-256-sha512
key: 80fa0950a001a249-618ddb1f285ce26e-39cadcdc08e86457-3aa2afce48883cca
lifetime/rekey: 86400/83446
DPD sent/recv: 00000000/00000000
get vpn ipsec tunnel summary
FortiGate-01 # get vpn ipsec tunnel summary
'Tunnel0' 10.10.0.1:0 selectors(total,up): 1/1 rx(pkt,err): 1/0 tx(pkt,err): 4/1721
get vpn ipsec tunnel details
FortiGate-01 # get vpn ipsec tunnel details
gateway
name: 'Tunnel0'
local-gateway: 10.10.0.2:0 (static)
remote-gateway: 10.10.0.1:0 (static)
dpd-link: on
mode: ike-v1
interface: 'wan1' (5)
rx packets: 1 bytes: 60 errors: 0
tx packets: 4 bytes: 240 errors: 1721
dpd: disabled
selectors
name: 'Tunnel0'
auto-negotiate: disable
mode: tunnel
src: 0:10.10.10.0/255.255.255.0:0
dst: 0:192.168.1.0/255.255.255.0:0
SA
lifetime/rekey: 3600/547
mtu: 1422
tx-esp-seq: 5
replay: enabled
qat: 0
inbound
spi: d39dc5a9
enc: aes-cb 2493b11ba0b3f1e671b69db2de1d5a58af3aa417a5de64e8d4672ee4accc83be
auth: sha512 1f1fbafac18511247ab8423b4eed628d4593cb769d58076815111ab28f2cfb4638a84c45785af239fe08071a3c98e2a8de0f79dfe04f2bb192bf4cc46757b56b
outbound
spi: 1ad73e6f
enc: aes-cb 2c3680136317852d50a391e8f8a9daf214e119bc70ad1921fb247f3eff126e0b
auth: sha512 abce8e35fe964fbcf7c70a68cad9516c2ff5103ed196cbfaaa8d40e16bbdad43740f64480dae3c600135d9a438e8a37fea7f5fd9aa31afcd713286c329851b3c
NPU acceleration: encryption(outbound) decryption(inbound)
diagnose vpn ike status summary
FortiGate-01 # diagnose vpn ike status summary
connection: 1/3
IKE SA: created 1/4 established 1/4 times 0/12/50 ms
IPsec SA: created 1/2 established 1/2 times 0/0/0 ms
diagnose vpn ike status detailed
FortiGate-01 # diagnose vpn ike status detailed
vd: root/0
name: Tunnel0
version: 1
connection: 1/3
IKE SA: created 1/4 established 1/4 times 0/12/50 ms
IPsec SA: created 1/2 established 1/2 times 0/0/0 ms
diagnose vpn ipsec status
FortiGate-01 # diagnose vpn ipsec status
All ipsec crypto devices in use:
NP6LITE_0:
Encryption (encrypted/decrypted)
null : 0 0
des : 0 0
3des : 0 0
aes : 0 0
aes-gcm : 0 0
aria : 0 0
seed : 0 0
chacha20poly1305 : 0 0
Integrity (generated/validated)
null : 0 0
md5 : 0 0
sha1 : 0 0
sha256 : 0 0
sha384 : 0 0
sha512 : 0 0
NPU Host Offloading:
Encryption (encrypted/decrypted)
null : 0 0
des : 0 0
3des : 0 0
aes : 5 0
aes-gcm : 0 0
aria : 0 0
seed : 0 0
chacha20poly1305 : 0 0
Integrity (generated/validated)
null : 0 0
md5 : 0 0
sha1 : 0 0
sha256 : 0 0
sha384 : 0 0
sha512 : 5 0
SOC3:
Encryption (encrypted/decrypted)
null : 0 0
des : 0 0
3des : 0 0
aes : 2 2
aes-gcm : 0 0
aria : 0 0
seed : 0 0
chacha20poly1305 : 0 0
Integrity (generated/validated)
null : 0 0
md5 : 0 0
sha1 : 0 0
sha256 : 0 0
sha384 : 0 0
sha512 : 2 2
SOFTWARE:
Encryption (encrypted/decrypted)
null : 0 0
des : 0 0
3des : 0 0
aes : 0 0
aes-gcm : 0 0
aria : 0 0
seed : 0 0
chacha20poly1305 : 0 0
Integrity (generated/validated)
null : 0 0
md5 : 0 0
sha1 : 0 0
sha256 : 0 0
sha384 : 0 0
sha512 : 0 0
diagnose vpn tunnel list
FortiGate-01 # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Tunnel0 ver=1 serial=1 10.10.0.2:0->10.10.0.1:0 tun_id=10.10.0.1 tun_id6=::10.10.0.1 dst_mtu=1500 dpd-link=on weight=1
bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=3 ilast=372 olast=372 ad=/0
stat: rxp=1 txp=4 rxb=60 txb=240
dpd: mode=off on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=Tunnel0 proto=0 sa=1 ref=2 serial=1
src: 0:10.10.10.0/255.255.255.0:0
dst: 0:192.168.1.0/255.255.255.0:0
SA: ref=6 options=10026 type=00 soft=0 mtu=1422 expire=351/0B replaywin=1024
seqno=5 esn=0 replaywin_lastseq=00000002 qat=0 rekey=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=3300/3600
dec: spi=d39dc5a9 esp=aes key=32 2493b11ba0b3f1e671b69db2de1d5a58af3aa417a5de64e8d4672ee4accc83be
ah=sha512 key=64 1f1fbafac18511247ab8423b4eed628d4593cb769d58076815111ab28f2cfb4638a84c45785af239fe08071a3c98e2a8de0f79dfe04f2bb192bf4cc46757b56b
enc: spi=1ad73e6f esp=aes key=32 2c3680136317852d50a391e8f8a9daf214e119bc70ad1921fb247f3eff126e0b
ah=sha512 key=64 abce8e35fe964fbcf7c70a68cad9516c2ff5103ed196cbfaaa8d40e16bbdad43740f64480dae3c600135d9a438e8a37fea7f5fd9aa31afcd713286c329851b3c
dec:pkts/bytes=2/120, enc:pkts/bytes=8/800
npu_flag=03 npu_rgwy=10.10.0.1 npu_lgwy=10.10.0.2 npu_selid=0 dec_npuid=1 enc_npuid=1
run_tally=0
Operation commands
diagnose vpn ike restart
- Restarts the IKE daemon; every IKE and IPsec SA on the unit is dropped and renegotiated, so use it only as a last resort.
diagnose vpn ike gateway clear
- Tears down the IKE SA (and its IPsec SAs) so the tunnel is renegotiated from scratch; add name <phase1-name> (for example name Tunnel0) to limit it to one tunnel.