Hub-Spoke OCVPN with inter-overlay source NAT

This topic provides a sample configuration of Hub-Spoke OCVPN with inter-overlay source NAT. OCVPN isolates traffic between overlays by default. With NAT enabled on Spokes and assign-ip enabled on Hub, you can have interoverlay communication.

Inter-overlay communication means devices from any source addresses and any source interfaces can communicate with any devices in overlays’ subnets when the overlay option assign-ip is enabled.

To enable ‘NAT’, disable ‘auto-discovery’ first.

License

• Free license: Hub-spoke network topology not supported.
• Full License: Maximum of 2 hubs, 10 overlays, 64 subnets per overlay; 512 spokes, 10 overlays, 16 subnets per overlay.

Prerequisites

• All FortiGate devices must be running FortiOS version 6.2.0 or later. l All FortiGate devices must have Internet access. l All FortiGates must be registered on FortiCare by using the same FortiCare account.

Restrictions

• Non-root VDOM does not support OCVPN. l FortiOS 6.2.x is not compatible with FortiOS 6.0.x.

OCVPN device roles

• Primary-hub l Secondary-hub l Spoke (OCVPN default role)

Sample network topology

Sample configuration

You can only configure this feature by using the CLI.

To enable inter-overlay source NAT from CLI:

1. Configure the Primary-Hub, enable overlay QA, and configure assign-ip and IP range:

config vpn ocvpn set status enable set role primary-hub config overlays edit 1 set name “QA” set assign-ip enable set ipv4-start-ip 172.16.101.100 set ipv4-end-ip 172.16.101.200 config subnets edit 1 set subnet 172.16.101.0 255.255.255.0

next

end

next edit 2 set name “PM” set assign-ip enable config subnets edit 1 set subnet 172.16.102.0 255.255.255.0

next

end

next

end

end

2. Configure the Secondary-Hub:

config vpn ocvpn set status enable set role secondary-hub

end

3. Configure Spoke1, and enable NAT on the spoke:

config vpn ocvpn set status enable set auto-discovery disable set nat enable config overlays edit 1 set name “QA” config subnets edit 1 set subnet 10.1.100.0 255.255.255.0

next

end

next edit 2 set name “PM” config subnets edit 1 set subnet 10.2.100.0 255.255.255.0

next

end

next

end

end

4. Configure Spoke2, and enable NAT enabled on the spoke:

config vpn ocvpn set status enable set auto-discovery disable

set nat enable config overlays edit 1 set name “QA” config subnets edit 1 set subnet 192.168.4.0 255.255.255.0

next

end

next edit 2 set name “PM” config subnets edit 1 set subnet 192.168.5.0 255.255.255.0

next

end

next

end

end

A firewall policy with NAT is generated on the spoke:

edit 9 set name “_OCVPN2-1.1_nat” set uuid 3f7a84b8-3d36-51e9-ee97-8f418c91e666

set srcintf “any” set dstintf “_OCVPN2-1.1” set srcaddr “all” set dstaddr “_OCVPN2-1.1_remote_networks”

set action accept set schedule “always” set service “ALL” set comments “Generated by OCVPN Cloud Service.” set nat enable

next

OCVPN troubleshooting

This document includes troubleshooting steps for the following OCVPN network topologies:

• Full mesh. l Hub-spoke with ADVPN shortcut. l Hub-spoke with inter-overlay source NAT.

For OCVPN configurations in different network topologies, please refer to the other OCVPN topics.

Full mesh network topology troubleshooting

• Branch_1 # diagnose vpn ocvpn status

• Branch_1 # diagnose vpn ocvpn show-meta

Topology :: auto

License :: full

Members :: 3

Max-free :: 3

• Branch_1 # diagnose vpn ocvpn show-overlays

QA

PM l Branch_1 # diagnose vpn ocvpn show-members

Member: { “SN”: “FG100D3G15801621”, “IPv4”: “172.16.200.1”, “port”: “500”, “slot”: 1000, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “10.1.100.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“10.2.100.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “Name”: “FortiGate-100D”, “topology_role”: “spoke” }

Member: { “SN”: “FG900D3915800083”, “IPv4”: “172.16.200.4”, “port”: “500”, “slot”: 1001, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “172.16.101.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“172.16.102.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “Name”: “Branch3”, “topology_role”: “spoke” }

Member: { “SN”: “FGT51E3U16001314”, “IPv4”: “172.16.200.199”, “port”: “500”, “slot”: 1002, “overlay”: [ { “id”: 0, “name”: “QA”, “subnets”: [ “192.168.4.0\/255.255.255.0” ], “ip_ range”: “0.0.0.0-0.0.0.0” }, { “id”: 1, “name”: “PM”, “subnets”: [

“192.168.5.0\/255.255.255.0” ], “ip_range”: “0.0.0.0-0.0.0.0” } ], “Name”: “Branch2”, “topology_role”: “spoke” } l Branch_1 # dagnose vpn tunnel list

list all ipsec tunnel in vd 0

——————————————————

name=_OCVPN2-3.1 ver=2 serial=4 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=13 ilast=7 olast=0 ad=/0 stat: rxp=0 txp=7 rxb=0 txb=588

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=6 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-3.1 proto=0 sa=1 ref=2 serial=8 auto-negotiate

src: 0:10.1.100.0-10.1.100.255:0 dst: 0:192.168.4.0-192.168.4.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42923/0B replaywin=2048 seqno=8 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42931/43200

dec: spi=c34bb752 esp=aes key=16 3c5ceeff3cac1eaa2702b5ccb713ab9b ah=sha1 key=20 5903e358b3d8938ee64f0412887a0fe741ccb105

enc: spi=b5bd4fe1 esp=aes key=16 8ae97a8abe24dae725d614d2a6efdcb0 ah=sha1 key=20 9ec200d9c0cef9e1b7cf76e05dbf344c70f53214

dec:pkts/bytes=0/0, enc:pkts/bytes=7/1064

proxyid=_OCVPN2-3.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-4.1 ver=2 serial=6 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=11 ilast=19 olast=19 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-4.1 proto=0 sa=1 ref=2 serial=7 auto-negotiate

src: 0:10.1.100.0-10.1.100.255:0 dst: 0:172.16.101.0-172.16.101.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42911/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42931/43200

dec: spi=c34bb750 esp=aes key=16 8c9844a8bcd3fda6c7bd8a4f2ec81ef1 ah=sha1 key=20 680c7144346f5b52126cbad9f325821b048c7192

enc: spi=f2d1f2d4 esp=aes key=16 f9625fc8590152829eb39eecab3a3999 ah=sha1 key=20 5df8447416da541fa54dde9fa3e5c35fbfc4723f

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

proxyid=_OCVPN2-4.1 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.1.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-3.2 ver=2 serial=3 172.16.200.1:0->172.16.200.199:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=11 ilast=6 olast=6 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-3.2 proto=0 sa=1 ref=2 serial=8 auto-negotiate

src: 0:10.2.100.0-10.2.100.255:0 dst: 0:192.168.5.0-192.168.5.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42923/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42930/43200

dec: spi=c34bb753 esp=aes key=16 58ddfad9a3699f1c49f3a9f369145c28 ah=sha1 key=20 e749c7e6a7aaff119707c792eb73cd975127873b

enc: spi=b5bd4fe2 esp=aes key=16 8f2366e653f5f9ad6587be1ce1905764 ah=sha1 key=20 5347bf24e51219d483c0f7b058eceab202026204

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

proxyid=_OCVPN2-3.2 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

——————————————————

name=_OCVPN2-4.2 ver=2 serial=5 172.16.200.1:0->172.16.200.4:0 dst_mtu=1500 bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1

proxyid_num=2 child_num=0 refcnt=11 ilast=17 olast=17 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=_OCVPN2-4.2 proto=0 sa=1 ref=2 serial=7 auto-negotiate

src: 0:10.2.100.0-10.2.100.255:0 dst: 0:172.16.102.0-172.16.102.255:0

SA: ref=3 options=18627 type=00 soft=0 mtu=1438 expire=42905/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0

life: type=01 bytes=0/0 timeout=42927/43200

dec: spi=c34bb751 esp=aes key=16 41449ee5ea43d3e1f80df05fc632cd44 ah=sha1 key=20 3ca2aea1c8764f35ccf987cdeca7cf6eb54331fb

enc: spi=f2d1f2d5 esp=aes key=16 9010dd57e502c6296b27a4649a45a6ba ah=sha1 key=20 caf86a176ce04464221543f15fc3c63fc573b8ee dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

proxyid=_OCVPN2-4.2 proto=0 sa=0 ref=2 serial=1 auto-negotiate

src: 0:10.2.100.0/255.255.255.0:0 dst: 0:0.0.0.0/0.0.0.0:0

• Branch_1 # get router info routing-table all

S      192.168.5.0/24 [20/0] is directly connected, _OCVPN2-3.2

C      172.16.200.0/24 is directly connected, port1

S      172.16.101.0/24 [20/0] is directly connected, _OCVPN2-4.1

S      172.16.102.0/24 [20/0] is directly connected, _OCVPN2-4.2

S      192.168.4.0/24 [20/0] is directly connected, _OCVPN2-3.1

IPsec VPN authenticating a remote FortiGate peer with a pre-shared key

This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a pre-shared key.

The following shows the sample network topology for this recipe:

You can configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOSGUI or CLI.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key on the FortiOS GUI:

1. Configure the HQ1 FortiGate:
2. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
   1. Enter a proper VPN name.
   2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
   3. Click Next.
3. Configure the following settings for Authentication:
   172. For Remote Device, select IP Address. For the IP address, enter 172.16.202.1. iii. For Outgoing interface, enter port1. iv. For Authentication Method, select Pre-shared Key.
4. In the Pre-shared Key field, enter sample as the key.
5. Click Next.
6. Configure the following settings for Policy & Routing:
7. From the Local Interface dropdown menu, select the proper local interface.
8. Configure the Local Subnets as 1.100.0. iii. Configure the Remote Subnets as 172.16.101.0.
9. Click Create.
10. Configure the HQ2 FortiGate:
11. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
    1. Enter a proper VPN name.
    2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
    3. Click Next.
12. Configure the following settings for Authentication:
    172. For Remote Device, select IP Address. For the IP address, enter 172.16.2001. iii. For Outgoing interface, enter port25.
    173. For Authentication Method, select Pre-shared Key.
    174. In the Pre-shared Key field, enter sample as the key.
    175. Click Next.
13. Configure the following settings for Policy & Routing:
    1. From the Local Interface dropdown menu, select the proper local interface.
    2. Configure Local Subnets as 16.101.0. iii. Configure the Remote Subnets as 10.1.100.0. iv. Click Create.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS CLI:

1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec tunnel is established over the WAN interface: a. Configure HQ1:

config system interface edit “port1” set vdom “root”

set ip 172.16.200.1 255.255.255.0

next

end

config router static edit 1 set gateway 172.16.200.3 set device “port1”

next end

1. Configure HQ2:

config system interface edit “port25” set vdom “root”

set ip 172.16.202.1 255.255.255.0

next

end

config router static edit 1 set gateway 172.16.202.2 set device “port25”

next

end

2. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel: Configure HQ1:

config system interface edit “dmz” set vdom “root”

set ip 10.1.100.1 255.255.255.0

next

end

1. Configure HQ2:

config system interface edit “port9” set vdom “root”

set ip 172.16.101.1 255.255.255.0

next

end

3. Configure the IPsec phase1-interface:
   1. Configure HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.202.1 set psksecret sample

next

end

1. Configure HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.200.1 set psksecret sample

next

end

4. Configure the IPsec phase2-interface:
   1. Configure HQ1:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

1. Configure HQ2:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

5. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down: Configure HQ1:

config router static edit 2 set dst 172.16.101.0 255.255.255.0 set device “to_HQ2”

next edit 3 set dst 172.16.101.0 255.255.255.0 set blackhole enable set distance 254

next

end

1. Configure HQ2:

config router static edit 2 set dst 10.1.100.0 255.255.255.0 set device “to_HQ1”

next edit 3 set dst 10.1.100.0 255.255.255.0 set blackhole enable set distance 254

next

end

6. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel: a. Configure HQ1:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ2” set dstintf “dmz” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” set srcintf “dmz” set dstintf “to_HQ2” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next

end

1. Configure HQ2:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ1” set dstintf “port9” set srcaddr “10.1.1.00.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” set srcintf “port9” set dstintf “to_HQ1” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

7. Run diagnose commands. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish. If the PSK failed to match, the following error shows up in the debug output:

ike 0:to_HQ2:15037: parse error ike 0:to_HQ2:15037: probable pre-shared secret mismatch’

The following commands are useful to check IPsec phase1/phase2 interface status.

1. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:

vd: root/0 name: to_HQ2 version: 1 interface: port1 11 addr: 172.16.200.1:500 -> 172.16.202.1:500 created: 5s ago

IKE SA: created 1/1 established 1/1 time 0/0/0 ms IPsec SA: created 2/2 established 2/2 time 0/0/0 ms id/spi: 12 6e8d0532e7fe8d84/3694ac323138a024 direction: responder status: established 5-5s ago = 0ms proposal: aes128-sha256 key: b3efb46d0d385aff-7bb9ee241362ee8d lifetime/rekey: 86400/86124

DPD sent/recv: 00000000/00000000

1. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:

list all ipsec tunnel in vd 0 name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0

bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_ dev frag-rfcaccept_traffic=1 proxyid_num=1 child_num=0 refcnt=11 ilast=7 olast=87 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1 auto-negotiate src: 0:0.0.0.0/0.0.0.0:0

dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42927/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 life: type=01 bytes=0/0 timeout=42930/43200 dec: spi=ef9ca700 esp=aes key=16 a2c6584bf654d4f956497b3436f1cfc7 ah=sha1 key=20 82c5e734bce81e6f18418328e2a11aeb7baa021b enc: spi=791e898e esp=aes key=16 0dbb4588ba2665c6962491e85a4a8d5a ah=sha1 key=20 2054b318d2568a8b12119120f20ecac97ab730b3 dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

IPsec VPN authenticating a remote FortiGate peer with a certificate

This recipe provides sample configuration of IPsec VPN authenticating a remote FortiGate peer with a certificate. The certificate on one peer is validated by the presence of the CA certificate installed on the other peer.

The following shows the sample network topology for this recipe:

You can configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOSGUI or CLI.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key on the FortiOS GUI:

1. Import the certificate. 2. Configure user peers.
2. Configure the HQ1 FortiGate:
3. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
   1. Enter a proper VPN name.
   2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
   3. Click Next.
4. Configure the following settings for Authentication:
   172. For Remote Device, select IP Address. For the IP address, enter 172.16.202.1. iii. For Outgoing interface, enter port1.
5. For Authentication Method, select Signature.
6. In the Certificate name field, select the imported certificate.
7. From the PeerCertificate CA dropdown list, select the desired peer CA certificate.

• Click Next.

1. Configure the following settings for Policy & Routing:
2. From the Local Interface dropdown menu, select the proper local interface.
3. Configure the Local Subnets as 1.100.0. iii. Configure the Remote Subnets as 172.16.101.0.
4. Click Create.
5. Configure the HQ2 FortiGate:
6. In FortiOS, go to VPN > IPsec Wizard and configure the following settings for VPN Setup:
   1. Enter a proper VPN name.
   2. For Template Type, choose Site to Site. For Remote Device Type, select FortiGate. iv. For NAT Configuration, select No NAT Between Sites.
   3. Click Next.
7. Configure the following settings for Authentication:
   172. For Remote Device, select IP Address. For the IP address, enter 172.16.2001. iii. For Outgoing interface, enter port25.
   173. For Authentication Method, select Signature.
   174. In the Certificate name field, select the imported certificate.
   175. From the PeerCertificate CA dropdown list, select the desired peer CA certificate.

• Click Next.

1. Configure the following settings for Policy & Routing:
   1. From the Local Interface dropdown menu, select the proper local interface.
   2. Configure Local Subnets as 16.101.0. iii. Configure the Remote Subnets as 10.1.100.0. iv. Click Create.

To configure IPsec VPN authenticating a remote FortiGate peer with a pre-shared key using the FortiOS CLI:

1. Configure the WAN interface and default route. The WAN interface is the interface connected to the ISP. The IPsec tunnel is established over the WAN interface: a. Configure HQ1:

config system interface edit “port1” set vdom “root”

set ip 172.16.200.1 255.255.255.0

next

end

config router static edit 1

gateway 172.16.200.3 device “port1”

next

end

1. Configure HQ2:

config system interface edit “port25” set vdom “root”

set ip 172.16.202.1 255.255.255.0

next

end

config router static edit 1 set gateway 172.16.202.2 set device “port25”

next

end

2. Configure the internal (protected subnet) interface. The internal interface connects to the corporate internal network. Traffic from this interface routes out the IPsec VPN tunnel: Configure HQ1:

config system interface edit “dmz” set vdom “root”

set ip 10.1.100.1 255.255.255.0

next

end

1. Configure HQ2:

config system interface edit “port9” set vdom “root”

set ip 172.16.101.1 255.255.255.0

next

end

3. Configure the import certificate and its CA certificate information. The certificate and its CA certificate must be imported on the remote peer FortiGate and on the primary FortiGate before configuring IPsec VPN tunnels. If the built-in Fortinet_Factory certificate and the Fortinet_CA CA certificate are used for authentication, you can skip this step:
4. Configure HQ1:

config vpn certificate local edit “test1” …

set range global

next

end

config vpn certificate ca edit “CA_Cert_1” …

set range global

next end

1. Configure HQ2:

config vpn certificate local edit “test2” …

set range global

next

end

config vpn certificate ca edit “CA_Cert_1” …

set range global

next

end

4. Configure the peer user. The peer user is used in the IPsec VPN tunnel peer setting to authenticate the remote peer FortiGate.
   1. If not using the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate, do the following: Configure HQ1:

config user peer edit “peer1” set ca “CA_Cert_1”

next

end

1. Configure HQ2:

config user peer edit “peer2” set ca “CA_Cert_1”

next

end

1. If the built-in Fortinet_Factory certificate and Fortinet_CA CA certificate are used for authentication, the peer user must be configured based on Fortinet_CA:
   1. Configure HQ1:

config user peer edit “peer1” set ca “Fortinet_CA”

next

end

1. Configure HQ2:

config user peer edit “peer2” set ca “Fortinet_CA”

next

end

5. Configure the IPsec phase1-interface:
   1. Configure HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set authmethod signature net-device enable

proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

set remote-gw 172.16.202.1 set certificate “test1” set peer “peer1”

next

end

1. Configure HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set authmethod signature set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 172.16.200.1 set certificate “test2” set peer “peer2”

next

end

6. Configure the IPsec phase2-interface:
   1. Configure HQ1:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

1. Configure HQ2:

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable

next

end

7. Configure the static routes. Two static routes are added to reach the remote protected subnet. The blackhole route is important to ensure that IPsec traffic does not match the default route when the IPsec tunnel is down: Configure HQ1:

config router static edit 2 set dst 172.16.101.0 255.255.255.0 set device “to_HQ2”

next edit 3 set dst 172.16.101.0 255.255.255.0 set blackhole enable set distance 254

next

end

1. Configure HQ2:

config router static edit 2 set dst 10.1.100.0 255.255.255.0 set device “to_HQ1”

next edit 3 set dst 10.1.100.0 255.255.255.0 set blackhole enable set distance 254

next

end

8. Configure two firewall policies to allow bidirectional IPsec traffic flow over the IPsec VPN tunnel:
9. Configure HQ1:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ2” set dstintf “dmz” set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” set srcintf “dmz” set dstintf “to_HQ2” set srcaddr “10.1.100.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next

end

1. Configure HQ2:

config firewall policy edit 1 set name “inbound” set srcintf “to_HQ1” set dstintf “port9” set srcaddr “10.1.1.00.0” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL”

next edit 2 set name “outbound” srcintf “port9” dstintf “to_HQ1”

set srcaddr “172.16.101.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

9. Run diagnose commands. The diagnose debug application ike -1 command is the key to figure out why the IPsec tunnel failed to establish. If the remote FortiGate certificate cannot be validated, the following error shows up in the debug output:

ike 0: to_HQ2:15314: certificate validation failed

The following commands are useful to check IPsec phase1/phase2 interface status.

1. Run the diagnose vpn ike gateway list command on HQ1. The system should return the following:

vd: root/0 name: to_HQ2 version: 1 interface: port1 11 addr: 172.16.200.1:500 -> 172.16.202.1:500 created: 7s ago peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2

peer-id-auth: yes

IKE SA: created 1/1 established 1/1 time 70/70/70 ms IPsec SA: created 1/1 established 1/1 time 80/80/80 ms

id/spi: 15326 295be407fbddfc13/7a5a52afa56adf14 direction: initiator status: established 7-7s ago = 70ms proposal: aes128-sha256 key: 4aa06dbee359a4c7-

43570710864bcf7b lifetime/rekey: 86400/86092 DPD sent/recv: 00000000/00000000 peer-id: C = CA, ST = BC, L = Burnaby, O = Fortinet, OU = QA, CN = test2

1. Run the diagnose vpn tunnel list command on HQ1. The system should return the following:

list all ipsec tunnel in vd 0 name=to_HQ2 ver=1 serial=1 172.16.200.1:0->172.16.202.1:0

bound_if=11 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_ dev frag-rfcaccept_traffic=1 proxyid_num=1 child_num=0 refcnt=14 ilast=19 olast=179 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=vpn-f proto=0 sa=1 ref=2 serial=1 auto-negotiate src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=18227 type=00 soft=0 mtu=1438 expire=42717/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0

life: type=01 bytes=0/0 timeout=42897/43200 dec: spi=72e87de7 esp=aes key=16 8b2b93e0c149d6f22b1c0b96ea450e6c

ah=sha1 key=20 facc655e5f33beb7c2b12e718a6d55413ce3efa2 enc: spi=5c52c865 esp=aes key=16 8d0c4e4adbf2338beed569b2b3205ece

ah=sha1 key=20 553331628612480ab6d7d563a00e2a967ebabcdd dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

Understanding VPN related logs

This document provides some IPsec log samples:

IPsec phase1 negotiating

logid=”0101037127″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”Progress IPsec phase 1″ msg=”progress IPsec phase 1″ action=”negotiate” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cook-

ies=”e41eeecb2c92b337/0000000000000000″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=N/A vpntunnel=”to_HQ” status=”success” init=”local” mode=”aggressive” dir=”outbound” stage=1 role=”initiator” result=”OK” IPsec phase1 negotiated

logid=”0101037127″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”Progress IPsec phase 1″ msg=”progress IPsec phase 1″ action=”negotiate” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cook-

ies=”e41eeecb2c92b337/1230131a28eb4e73″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=N/A vpntunnel=”to_HQ” status=”success” init=”local” mode=”aggressive” dir=”outbound” stage=2 role=”initiator” result=”DONE”

IPsec phase1 tunnel up

logid=”0101037138″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”IPsec connection status changed” msg=”IPsec connection status change” action=”tunnelup” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” tunnelip=N/A tunnelid=1530910918 tunneltype=”ipsec” duration=0 sentbyte=0 rcvdbyte=0 nextstat=0 IPsec phase2 negotiate

logid=”0101037129″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”Progress IPsec phase 2″ msg=”progress IPsec phase 2″ action=”negotiate” remip=11.101.1.1

locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” status=”success” init=”local” mode=”quick” dir=”outbound” stage=1 role=”initiator” result=”OK” IPsec phase2 tunnel up

logid=”0101037139″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”IPsec phase 2 status changed” msg=”IPsec phase 2 status change” action=”phase2-up” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ”

phase2_name=”to_HQ” IPsec phase2 sa install

logid=”0101037133″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132604 logdesc=”IPsec SA installed” msg=”install IPsec SA” action=”install_sa” remip=11.101.1.1 locipp=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”5b1c59fab2029e43/bf517e686d3943d2″ userr=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” role=”initiator” in_spi=”ca646448″ out_spi=”747c10c6″ IPsec tunnel statistics

logid=”0101037141″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544131118 logdesc=”IPsec tunnel statistics” msg=”IPsec tunnel statistics” action=”tunnel-stats” remip=10.1.100.15 locip=172.16.200.4 remport=500 locport=500 outintf=”mgmt1″ cookies=”3539884dbd8f3567/c32e4c1beca91b36″ user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=N/A vpntunnel=”L2tpoIPsec_ 0″ tunnelip=10.1.100.15 tunnelid=1530910802 tunneltype=”ipsec” duration=6231 sentbyte=57343 rcvdbyte=142640 nextstat=60 IPsec phase2 tunnel down

logid=”0101037138″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”IPsec connection status changed” msg=”IPsec connection status change” action=”tunneldown” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”30820aa390687e39/886e72bf5461fb8d” user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ” tunnelip=N/A tunnelid=1530910786 tunneltype=”ipsec” duration=6425 sentbyte=504 rcvdbyte=152 nextstat=0 IPsec phase1 sa deleted

logid=”0101037134″ type=”event” subtype=”vpn” level=”notice” vd=”root” eventtime=1544132571 logdesc=”IPsec phase 1 SA deleted” msg=”delete IPsec phase 1 SA” action=”delete_phase1_sa” remip=11.101.1.1 locip=173.1.1.1 remport=500 locport=500 outintf=”port13″ cookies=”30820aa390687e39/886e72bf5461fb8d” user=”N/A” group=”N/A” xauthuser=”N/A” xauthgroup=”N/A” assignip=11.11.11.1 vpntunnel=”to_HQ”

IPsec related diagnose command

This document provides IPsec related diagnose commands.

1. Daemon IKE summary information list: diagnose vpn ike status

connection: 2/50

IKE SA: created 2/51 established 2/9 times 0/13/40 ms

IPsec SA: created 1/13 established 1/7 times 0/8/30 ms

2. IPsec phase1 interface status: diagnose vpn ike gateway list

vd: root/0 name: tofgtc version: 1 interface: port13 42

addr: 173.1.1.1:500 -> 172.16.200.3:500

created: 4313s ago

IKE SA: created 1/1 established 1/1 time 10/10/10 ms

IPsec SA: created 0/0

id/spi: 92 5639f7f8a5dc54c0/809a6c9bbd266a4b direction: initiator

status: established 4313-4313s ago = 10ms proposal: aes128-sha256

key: 74aa3d63d88e10ea-8a1c73b296b06578 lifetime/rekey: 86400/81786

DPD sent/recv: 00000000/00000000

vd: root/0 name: to_HQ version: 1 interface: port13 42

addr: 173.1.1.1:500 -> 11.101.1.1:500 created: 1013s ago assigned IPv4 address: 11.11.11.1/255.255.255.252

IKE SA: created 1/1 established 1/1 time 0/0/0 ms

IPsec SA: created 1/1 established 1/1 time 0/0/0 ms

id/spi: 95 255791bd30c749f4/c2505db65210258b direction: initiator

status: established 1013-1013s ago = 0ms proposal: aes128-sha256

key: bb101b9127ed5844-1582fd614d5a8a33 lifetime/rekey: 86400/85086 DPD sent/recv: 00000000/00000010

3. IPsec phase2 tunnel status: diagnose vpn tunnel list

list all ipsec tunnel in vd 0

—-

nname=L2tpoIPsec ver=1 serial=6 172.16.200.4:0->0.0.0.0:0

bound_if=4 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/24 options[0018]=npu create_ dev

proxyid_num=0 child_num=0 refcnt=10 ilast=13544 olast=13544 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 run_tally=0 —-

name=to_HQ ver=1 serial=7 173.1.1.1:0->11.101.1.1:0

bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=13 ilast=10 olast=1112 ad=/0 stat: rxp=1 txp=4 rxb=152 txb=336

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=5 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=41773/0B replaywin=2048 seqno=5 esn=0 replaywin_lastseq=00000002 itn=0

life: type=01 bytes=0/0 timeout=42900/43200

dec: spi=ca64644a esp=aes key=16 6cc873fdef91337a6cf9b6948972c90f ah=sha1 key=20 e576dbe3ff92605931e5670ad57763c50c7dc73a

enc: spi=747c10c8 esp=aes key=16 5060ad8d0da6824204e3596c0bd762f4 ah=sha1 key=20 52965cbd5b6ad95212fc825929d26c0401948abe

dec:pkts/bytes=1/84, enc:pkts/bytes=4/608

npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=5 dec_npuid=2 enc_npuid=2

4. Packets encrypted/decrypted counter: diagnose vpn ipsec status

All ipsec crypto devices in use: NP6_0:

NP6_1:

SOFTWARE:

Encryption (encrypted/decrypted)

5. diagnose debug application ike -1 l diagnose vpn ike log-filter dst-addr4 11.101.1.1 l diagnose vpn ike log-filter src-addr4 173.1.1.1

# ike 0:to_HQ:101: initiator: aggressive mode is sending 1st message… ike 0:to_HQ:101: cookie dff03f1d4820222a/0000000000000000

ike 0:to_HQ:101: sent IKE msg (agg_i1send): 173.1.1.1:500->11.101.1.1:500, len=912, id=dff03f1d4820222a/0000000000000000 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Aggressive id=dff03f1d4820222a/6c2caf4dcf5bab75 len=624 ike 0:to_HQ:101: initiator: aggressive mode get 1st response… ike 0:to_HQ:101: VID RFC 3947 4A131C81070358455C5728F20E95452F ike 0:to_HQ:101: VID DPD AFCAD71368A1F1C96B8696FC77570100 ike 0:to_HQ:101: DPD negotiated

ike 0:to_HQ:101: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712 ike 0:to_HQ:101: VID CISCO-UNITY 12F5F28C457168A9702D9FE274CC0204 ike 0:to_HQ:101: peer supports UNITY

ike 0:to_HQ:101: VID FORTIGATE 8299031757A36082C6A621DE00000000 ike 0:to_HQ:101: peer is [[QualityAssurance62/FortiGate]]/FortiOS (v0 b0) ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3 ike 0:to_HQ:101: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D3C0000000 ike 0:to_HQ:101: peer identifier IPV4_ADDR 11.101.1.1 ike 0:to_HQ:101: negotiation result ike 0:to_HQ:101: proposal id = 1: ike 0:to_HQ:101: protocol id = ISAKMP: ike 0:to_HQ:101: trans_id = KEY_IKE. ike 0:to_HQ:101: encapsulation = IKE/none ike 0:to_HQ:101:      type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128 ike 0:to_HQ:101:      type=OAKLEY_HASH_ALG, val=SHA2_256.

ike 0:to_HQ:101:    type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I. ike 0:to_HQ:101: type=OAKLEY_GROUP, val=MODP2048.

ike 0:to_HQ:101: ISAKMP SA lifetime=86400 ike 0:to_HQ:101: received NAT-D payload type 20 ike 0:to_HQ:101: received NAT-D payload type 20 ike 0:to_HQ:101: selected NAT-T version: RFC 3947 ike 0:to_HQ:101: NAT not detected

ike 0:to_HQ:101: ISAKMP SA dff03f1d4820222a/6c2caf4dcf5bab75 key

16:D81CAE6B2500435BFF195491E80148F3 ike 0:to_HQ:101: PSK authentication succeeded ike 0:to_HQ:101: authentication OK

ike 0:to_HQ:101: add INITIAL-CONTACT

ike 0:to_HQ:101: sent IKE msg (agg_i2send): 173.1.1.1:500->11.101.1.1:500, len=172, id=dff03f1d4820222a/6c2caf4dcf5bab75 ike 0:to_HQ:101: established IKE SA dff03f1d4820222a/6c2caf4dcf5bab75 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4 len=92 ike 0:to_HQ:101: mode-cfg type 16521 request 0: ike 0:to_HQ:101: mode-cfg type 16522 request 0: ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=108, id=dff03f1d4820222a/6c2caf4dcf5bab75:97d88fb4 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295 len=92 ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=92, id=dff03f1d4820222a/6c2caf4dcf5bab75:3724f295 ike 0:to_HQ:101: initiating mode-cfg pull from peer ike 0:to_HQ:101: mode-cfg request APPLICATION_VERSION ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_ADDRESS ike 0:to_HQ:101: mode-cfg request INTERNAL_IP4_NETMASK ike 0:to_HQ:101: mode-cfg request UNITY_SPLIT_INCLUDE ike 0:to_HQ:101: mode-cfg request UNITY_PFS

ike 0:to_HQ:101: sent IKE msg (cfg_send): 173.1.1.1:500->11.101.1.1:500, len=140, id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Mode config id=dff03f1d4820222a/6c2caf4dcf5bab75:3bca961f len=172 ike 0:to_HQ:101: mode-cfg type 1 response 4:0B0B0B01 ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_ADDRESS 11.11.11.1 ike 0:to_HQ:101: mode-cfg type 2 response 4:FFFFFFFC

ike 0:to_HQ:101: mode-cfg received INTERNAL_IP4_NETMASK 255.255.255.252 ike 0:to_HQ:101: mode-cfg received UNITY_PFS 1 ike 0:to_HQ:101: mode-cfg type 28676 response

28:0A016400FFFFFF000000000000000A016500FFFFFF00000000000000

ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.100.0/255.255.255.0:0 local port 0

ike 0:to_HQ:101: mode-cfg received UNITY_SPLIT_INCLUDE 0 10.1.101.0/255.255.255.0:0 local port 0

ike 0:to_HQ:101: mode-cfg received APPLICATION_VERSION ‘FortiGate-100D v6.0.3,build0200,181009 (GA)’

ike 0:to_HQ: mode-cfg add 11.11.11.1/255.255.255.252 to ‘to_HQ’/58 ike 0:to_HQ: set oper up ike 0:to_HQ: schedule auto-negotiate ike 0:to_HQ:101: no pending Quick-Mode negotiations

ike shrank heap by 159744 bytes

ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:0 ike 0:to_HQ:to_HQ: using existing connection

# ike 0:to_HQ:to_HQ: config found

ike 0:to_HQ:to_HQ: IPsec SA connect 42 173.1.1.1->11.101.1.1:500 negotiating ike 0:to_HQ:101: cookie dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 ike 0:to_HQ:101:to_HQ:259: initiator selectors 0 0:0.0.0.0/0.0.0.0:0:0-

>0:0.0.0.0/0.0.0.0:0:0

ike 0:to_HQ:101: sent IKE msg (quick_i1send): 173.1.1.1:500->11.101.1.1:500, len=620, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 ike 0: comes 11.101.1.1:500->173.1.1.1:500,ifindex=42…. ike 0: IKEv1 exchange=Quick id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01 len=444 ike 0:to_HQ:101:to_HQ:259: responder selectors 0:0.0.0.0/0.0.0.0:0->0:0.0.0.0/0.0.0.0:0 ike 0:to_HQ:101:to_HQ:259: my proposal: ike 0:to_HQ:101:to_HQ:259: proposal id = 1:

16:D5C60F1A3951B288CE4DEC7E04D2119D auth 20:F872A7A26964208A9AA368A31AEFA3DB3F3780BC ike 0:to_HQ:101:to_HQ:259: IPsec SA enc spi 747c10c9 key

16:97952E1594F718128D9D7B09400856EA auth 20:4D5E5BC45A9D5A9A4631E911932F5650A4639A37 ike 0:to_HQ:101:to_HQ:259: added IPsec SA: SPIs=ca64644b/747c10c9 ike 0:to_HQ:101:to_HQ:259: sending SNMP tunnel UP trap

ike 0:to_HQ:101: sent IKE msg (quick_i2send): 173.1.1.1:500->11.101.1.1:500, len=76, id=dff03f1d4820222a/6c2caf4dcf5bab75:32f4cc01

Tunneled Internet Browsing

This recipe provides an example configuration of tunneled internet browsing using a dialup VPN. To centralize network management and control, all branch office traffic is tunneling to HQ, including Internet browsing.

The following shows the sample network topology for this example:

To configure a dialup VPN to tunnel Internet browsing using the GUI:

1. Configure the dialup VPN server FortiGate at HQ:
   1. Go to VPN > IPsec Wizard, enter a VPN name (HQ in this example), make the following selections, and then click Next:
      • Site to Site to Template Type l FortiGate to Remote Device Type
      • The remote side is behind NAT to NAT Configuration
   2. Make the following selections, and then click Next:
      • Incoming Interface to port9 l Authentication Method to Pre-Shared Key l Pre-shared Key to sample
   3. Make the following selections, and then click Create:
      • Local Interface to port10 l Local Subnets to 16.101.0 l Remote Subnets to 0.0.0.0/0 l Internet Access to Share Local l Shared WAN to port9
   4. Configure the dialup VPN client FortiGate at a branch:
   5. Go to VPN > IPsec Wizard, enter a VPN name (Branch1 or Branch2 in this example), make the following selections, then click Next:
      • Site to Site to Template Type l FortiGate to Remote Device Type l This side is behind NAT to NAT Configuration
   6. Make the following selections, and then click Next:
      • IP Address to Remote Device, then enter the IP address: 22.1.1.1 l Outgoing Interface to wan1 l Authentication Method to Pre-shared Key l Pre-shared Key to sample
   7. Make the following selections, and then click Create: l Local Interface to internal l Local Subnets to 1.100.0/192.1684.0 l Remote Subnets to 0.0.0.0/0 l Internet Access to Use Remote l Local Gateway to 15.1.1.1/13.1.1.1

To configure a dialup VPN to tunnel Internet browsing using the CLI:

1. Configure the WAN interface and static route on the FortiGate at HQ:

config system interface edit “port9” set alias “WAN” set ip 22.1.1.1 255.255.255.0

next edit “port10” set alias “Internal” set ip 172.16.101.1 255.255.255.0

next

end

config router static edit 1 set gateway 22.1.1.2 set device “port9”

next

end

2. Configure IPsec phase1-interface and phase2-interface configuration at HQ:

config vpn ipsec phase1-interface edit “HQ” set type dynamic set interface “port9” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set psksecret sample set dpd-retryinterval 60 next

end

config vpn ipsec phase2-interface edit “HQ” set phase1name “HQ”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

3. Configure the firewall policy at HQ:

config firewall policy edit 1 set srcintf “HQ” set dstintf “port9” “port10” set srcaddr “10.1.100.0” “192.168.4.0” set dstaddr “all” set action accept set schedule “always” set service “ALL” set nat enable

next

end

4. Configure the WAN interface and static route on the FortiGate at the branches:
5. Branch1:

config system interface edit “wan1” set ip 15.1.1.2 255.255.255.0

next edit “internal” set ip 10.1.100.1 255.255.255.0

next

end

config router static edit 1 set gateway 15.1.1.1 set device “wan1”

next

end

1. Branch2:

config system interface edit “wan1” set ip 13.1.1.2 255.255.255.0

next edit “internal” set ip 192.168.4.1 255.255.255.0

next

end

config router static edit 1 set gateway 13.1.1.1 set device “wan1”

next end

5. Configure IPsec phase1-interface and phase2-interface configuration at the branches: a. Branch1:

config vpn ipsec phase1-interface edit “branch1” set interface “wan1” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set remote-gw 22.1.1.1 set psksecret sample set dpd-retryinterval 5

next

end

config vpn ipsec phase2-interface edit “branch1” set phase1name “branch1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable set src-subnet 10.1.100.0 255.255.255.0

next

end

1. Branch2:

config vpn ipsec phase1-interface edit “branch2” set interface “wan1” set peertype any set net-device enable

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set remote-gw 22.1.1.1 set psksecret sample set dpd-retryinterval 5

next

end

config vpn ipsec phase2-interface edit “branch2” set phase1name “branch2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 set auto-negotiate enable set src-subnet 192.168.4.0 255.255.255.0

next

end

6. Configure the firewall policy at the branches:
7. Branch1:

config firewall policy edit 1 set name “outbound” set srcintf “internal” set dstintf “branch1” set srcaddr “all”

set dstaddr “all” set action accept set schedule “always” set service “ALL”

next edit 2

set name “inbound” set srcintf “branch1” set dstintf “internal” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL”

next

end

1. Branch2:

config firewall policy edit 1

set name “outbound” set srcintf “internal” set dstintf “branch2” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL”

next edit 2

set name “inbound” set srcintf “branch2” set dstintf “internal” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “ALL”

next

end

7. Configure the static routes at the branches:
8. Branch1:

config router static

edit 2

set dst 22.1.1.1/32 set gateway 15.1.1.1 set device “wan1” set distance 1

next edit 3

set device “branch1” set distance 5

next end

1. Branch2:

config router static edit 2 set dst 22.1.1.1/32 set gateway 13.1.1.1 set device “wan1” set distance 1

next edit 3 set device “branch2” set distance 5

next

end

8. Optionally, view the VPN tunnel list on a branch with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=branch1 ver=1 serial=2 15.1.1.2:0->22.1.1.1:0

bound_if=7 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/536 options[0218]=npu create_dev frag-rfc accept_traffic=1

proxyid_num=1 child_num=1 refcnt=19 ilast=0 olast=0 ad=r/2 stat: rxp=1 txp=1661 rxb=65470 txb=167314

dpd: mode=on-idle on=1 idle=5000ms retry=3 count=0 seqno=2986 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=branch1 proto=0 sa=1 ref=5 serial=1 auto-negotiate adr

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=1a227 type=00 soft=0 mtu=1438 expire=697/0B replaywin=1024 seqno=13a esn=0 replaywin_lastseq=00000000 itn=0

life: type=01 bytes=0/0 timeout=2368/2400

dec: spi=c53a8f7e esp=aes key=16 ecee0cd48664d903d3d6822b1f902fd2 ah=sha1 key=20 2440a189126c222093ca9acd8b37127285f1f8a7

enc: spi=6e3636fe esp=aes key=16 fdaa20bcc96f74ae9885e824d3efa29d ah=sha1 key=20 70c0891c769ad8007ea1f31a39978ffbc73242d0

dec:pkts/bytes=0/16348, enc:pkts/bytes=313/55962

npu_flag=03 npu_rgwy=22.1.1.1 npu_lgwy=15.1.1.2 npu_selid=1 dec_npuid=1 enc_npuid=1

9. Optionally, view static routing table on a branch with the get router info routing-table static command:

Routing table for VRF=0

S*     0.0.0.0/0 [5/0] is directly connected, branch1

S*      22.1.1.1/32 [1/0] via 15.1.1.1, wan1

VPN and ASIC offload

1. Check the device ASIC information. For example, a FortiGate 900D has an NP6 and a CP8.

# get hardware status

Model name: [[QualityAssurance62/FortiGate]]-900D

ASIC version: CP8

ASIC SRAM: 64M

CPU: Intel(R) Xeon(R) CPU E3-1225 v3 @ 3.20GHz

Number of CPUs: 4

RAM: 16065 MB

Compact Flash: 1925 MB /dev/sda

Hard disk: 244198 MB /dev/sdb

USB Flash: not available

Network Card chipset: [[QualityAssurance62/FortiASIC]] NP6 Adapter (rev.)

2. Check port to NPU mapping.

—-

3. Configure the option in IPsec phase1 settings to control NPU encrypt/decrypt IPsec packets (enabled by default).

config vpn ipsec phase1/phase1-interface edit “vpn_name” set npu-offload enable/disable

next

end

4. Check NPU offloading. The NPU encrypted/decrypted counter should tick. The npu_flag 03 flag means that the traffic processed by the NPU is bi-directional.

# diagnose vpn tunnel list

list all ipsec tunnel in vd 0

—-

name=test ver=2 serial=1 173.1.1.1:0->11.101.1.1:0

bound_if=42 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=14 ilast=2 olast=2 ad=/0 stat: rxp=12231 txp=12617 rxb=1316052 txb=674314 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=test proto=0 sa=1 ref=4 serial=7

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=10626 type=00 soft=0 mtu=1438 expire=42921/0B replaywin=2048 seqno=802 esn=0 replaywin_lastseq=00000680 itn=0

life: type=01 bytes=0/0 timeout=42930/43200

dec: spi=e313ac46 esp=aes key=16 0dcb52642eed18b852b5c65a7dc62958 ah=md5 key=16 c61d9fe60242b9a30e60b1d01da77660

enc: spi=706ffe03 esp=aes key=16 6ad98c204fa70545dbf3d2e33fb7b529 ah=md5 key=16 dcc3b866da155ef73c0aba15ec530e2e

dec:pkts/bytes=1665/16352, enc:pkts/bytes=2051/16826 npu_flag=03 npu_rgwy=11.101.1.1 npu_lgwy=173.1.1.1 npu_selid=6 dec_npuid=2 enc_npuid=2

FGT_900D # diagnose vpn ipsec st All ipsec crypto devices in use: NP6_0:

SOFTWARE:

5. If traffic cannot be offloaded by the NPU, the CP will try to encrypt/decrypt the IPsec packets.

Disable automatic ASIC offloading

When auto-asic-offload is set to disable in the firewall policy, traffic is nt offloaded and the NPU hosting counter is ticked.

# diagnose vpn ipsec status All ipsec crypto devices in use:

NP6_0:

Encryption (encrypted/decrypted)

LT2P over IPsec

This recipe provides an example configuration of LT2P over IPsec. A locally defined user is used for authentication, a Windows PC or Android tablet is acting as the client, and net-device is set to enable in the phase1-interface settings. If net-device is set to disable, only one device can establish an L2TP over IPsec tunnel behind the same NAT device.

The following shows the network topology for this example:

To configure LT2P over an IPsec tunnel using the CLI:

1. Configure the WAN interface and static route on HQ:

config system interface edit “port9” set alias “WAN” set ip 22.1.1.1 255.255.255.0

next edit “port10” set alias “Internal” set ip 172.16.101.1 255.255.255.0

next

end

config router static edit 1 set gateway 22.1.1.2 set device “port9”

next end

2. Configure IPsec phase1-interface and phase2-interface on HQ:

config vpn ipsec phase1-interface edit “L2tpoIPsec” set type dynamic set interface “port9” set peertype any

set proposal aes256-md5 3des-sha1 aes192-sha1 set dpd on-idle set dhgrp 2 set net-device enable set psksecret sample set dpd-retryinterval 60

next

end

config vpn ipsec phase2-interface edit “L2tpoIPsec” set phase1name “L2tpoIPsec”

set proposal aes256-md5 3des-sha1 aes192-sha1 set pfs disable

set encapsulation transport-mode

set l2tp enable

next

end

3. Configure a user and user group on HQ:

config user local edit “usera” set type password set passwd usera

next

end config user group edit “L2tpusergroup” set member “usera”

next

end

4. Configure L2TP on HQ:

config vpn l2tp set status enable set eip 10.10.10.100 set sip 10.10.10.1 set usrgrp “L2tpusergroup”

end

5. Configure a firewall address, that is applied in L2TP settings to assign IP addresses to clients once the L2TP tunnel is established:

config firewall address edit “L2TPclients” set type iprange set start-ip 10.10.10.1 set end-ip 10.10.10.100

next end

6. Configure a firewall policy:

config firewall policy edit 1 set name “Bridge_IPsec_port9_for_l2tp negotiation” set srcintf “L2tpoIPsec” set dstintf “port9” set srcaddr “all” set dstaddr “all” set action accept set schedule “always” set service “L2TP”

next edit 2 set srcintf “L2tpoIPsec” set dstintf “port10” set srcaddr “L2TPclients” set dstaddr “172.16.101.0” set action accept set schedule “always” set service “ALL” set nat enable

next

end

7. Optionally, view the VPN tunnel list on HQ with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=L2tpoIPsec_0 ver=1 serial=8 22.1.1.1:0->10.1.100.15:0

bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/216 options[00d8]=npu create_dev no-sysctl rgwy-chg

parent=L2tpoIPsec index=0

proxyid_num=1 child_num=0 refcnt=13 ilast=0 olast=0 ad=/0 stat: rxp=470 txp=267 rxb=57192 txb=12679

dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0

proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route

src: 17:22.1.1.1-22.1.1.1:1701 dst: 17:10.1.100.15-10.1.100.15:0

SA: ref=3 options=1a6 type=00 soft=0 mtu=1470 expire=2339/0B replaywin=2048 seqno=10c esn=0 replaywin_lastseq=000001d6 itn=0

life: type=01 bytes=0/0 timeout=3585/3600

dec: spi=ca646443 esp=3des key=24 af62a0fffe85d3d534b5bfba29307aafc8bfda5c3f4650dc ah=sha1 key=20 89b4b67688bed9be49fb86449bb83f8c8d8d7432

enc: spi=700d28a0 esp=3des key=24 5f68906eca8d37d853814188b9e29ac4913420a9c87362c9 ah=sha1 key=20 d37f901ffd0e6ee1e4fdccebc7fdcc7ad44f0a0a

dec:pkts/bytes=470/31698, enc:pkts/bytes=267/21744

npu_flag=00 npu_rgwy=10.1.100.15 npu_lgwy=22.1.1.1 npu_selid=6 dec_npuid=0 enc_npuid=0

—-

name=L2tpoIPsec_1 ver=1 serial=a 22.1.1.1:4500->22.1.1.2:64916

bound_if=4 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/472 options[01d8]=npu create_dev no-sysctl rgwy-chg rport-chg

parent=L2tpoIPsec index=1

proxyid_num=1 child_num=0 refcnt=17 ilast=2 olast=2 ad=/0 stat: rxp=5 txp=4 rxb=592 txb=249

dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=0

natt: mode=keepalive draft=32 interval=10 remote_port=64916 proxyid=L2tpoIPsec proto=17 sa=1 ref=3 serial=1 transport-mode add-route

src: 17:22.1.1.1-22.1.1.1:1701 dst: 17:22.1.1.2-22.1.1.2:0

SA: ref=3 options=1a6 type=00 soft=0 mtu=1454 expire=28786/0B replaywin=2048 seqno=5 esn=0 replaywin_lastseq=00000005 itn=0

life: type=01 bytes=0/0 timeout=28790/28800 dec: spi=ca646446 esp=aes key=32

ea60dfbad709b3c63917c3b7299520ff7606756ca15d2eb7cbff349b6562172e ah=md5 key=16 2f2acfff0b556935d0aab8fc5725c8ec

enc: spi=0b514df2 esp=aes key=32

a8a92c2ed0e1fd7b6e405d8a6b9eb3be5eff573d80be3f830ce694917d634196 ah=md5 key=16 e426c33a7fe9041bdc5ce802760e8a3d

dec:pkts/bytes=5/245, enc:pkts/bytes=4/464

npu_flag=00 npu_rgwy=22.1.1.2 npu_lgwy=22.1.1.1 npu_selid=8 dec_npuid=0 enc_npuid=0

8. Optionally, view the L2TP VPN status, by enabling debug (diagnose debug enable), then using the diagnose vpn l2tp status command:

—-

—-

HQ # Num of tunnels: 2

—-

Tunnel ID = 1 (local id), 42 (remote id) to 10.1.100.15:1701 control_seq_num = 2, control_rec_seq_num = 4,

last recv pkt = 2

Call ID = 1 (local id), 1 (remote id), serno = 0, dev=ppp1, assigned ip = 10.10.10.2 data_seq_num = 0,

tx = 152 bytes (2), rx= 21179 bytes (205)

Tunnel ID = 3 (local id), 34183 (remote id) to 22.1.1.2:58825 control_seq_num = 2, control_rec_seq_num = 4,

last recv pkt = 2

Call ID = 3 (local id), 18820 (remote id), serno = 2032472593, dev=ppp2, assigned ip = 10.10.10.3 data_seq_num = 0,

tx = 152 bytes (2), rx= 0 bytes (0)

—-

–VD 0: Startip = 10.10.10.1, Endip = 10.10.10.100 enforece-ipsec = false

—-

To configure LT2P over an IPsec tunnel using the GUI:

1. Go to VPN > IPsec Wizard.
2. Enter a name for the VPN in the Name In this example L2tpoIPsec is used.
3. Set the following, then click Next: l Template Type to Remote Access l Remote Device Type to Native and Windows Native
4. Set the following, then click Next:
   • Incoming Interface to port9 l Authentication Method to Pre-shared Key l Pre-shared Key to your-psk l UserGroup to L2tpusergroup
5. Set the following, then click Create: l Local Interface as port10 l Local Address as 16.101.0
   • Client Address Range as 10.10.1-10.10.10.100 l Subnet Mask is left as its default value.

VxLAN over IPsec tunnel

This recipe provides an example configuration of VxLAN over IPsec tunnel. VxLAN encapsulation is used in the phase1-interface setting and virtual-switch is used to bridge the internal with VxLAN over IPsec tunnel.

The following shows the network topology for this example:

To configure GRE over an IPsec tunnel:

1. Configure the WAN interface and default route:
2. HQ1:

config system interface edit “port1” set ip 172.16.200.1 255.255.255.0

next

end config router static edit 1 set gateway 172.16.200.3 set device “port1”

next

end

1. HQ2:

config system interface edit “port25” set ip 172.16.202.1 255.255.255.0

next

end config router static edit 1 set gateway 172.16.202.2 set device “port25”

next

end

2. Configure IPsec phase1-interface:
3. HQ1:

config vpn ipsec phase1-interface edit “to_HQ2” set interface “port1” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set encapsulation vxlan

set encapsulation-address ipv4 set encap-local-gw4 172.16.200.1 set encap-remote-gw4 172.16.202.1 set remote-gw 172.16.202.1 set psksecret sample

next

end

config vpn ipsec phase2-interface edit “to_HQ2” set phase1name “to_HQ2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

1. HQ2:

config vpn ipsec phase1-interface edit “to_HQ1” set interface “port25” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set encapsulation vxlan set encapsulation-address ipv4 set encap-local-gw4 172.16.202.1 set encap-remote-gw4 172.16.200.1 set remote-gw 172.16.200.1 set psksecret sample

next

end

config vpn ipsec phase2-interface edit “to_HQ1” set phase1name “to_HQ1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

3. Configure the firewall policy:
4. HQ1:

config firewall policy edit 1 set srcintf “dmz” set dstintf “to_HQ2” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set srcintf “to_HQ2” set dstintf “dmz” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept

set schedule “always” set service “ALL”

next

end

1. HQ2:

config firewall policy edit 1 set srcintf “port9” set dstintf “to_HQ1” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next edit 2 set srcintf “to_HQ1” set dstintf “port9” set srcaddr “10.1.100.0” set dstaddr “10.1.100.0” set action accept set schedule “always” set service “ALL”

next

end

4. Configure the virtual switch:
   1. HQ1:

config system switch-interface edit “vxlan-HQ2” set member “dmz” “to_HQ2” set intra-switch-policy explicit

next

end

1. HQ2:

config system switch-interface edit “vxlan-HQ1” set member “port9” “to_HQ1” set intra-switch-policy explicit

next

end

5. Optionally, view the VPN tunnel list on HQ1 with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=to_HQ2 ver=1 serial=2 172.16.200.1:0->172.16.202.1:0

bound_if=5 lgwy=static/1 tun=intf/0 mode=auto/1 encap=VXLAN/2 options[0002]= encap-addr: 172.16.200.1->172.16.202.1

proxyid_num=1 child_num=0 refcnt=11 ilast=8 olast=0 ad=/0 stat: rxp=13 txp=3693 rxb=5512 txb=224900

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=45 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_HQ2 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=10226 type=00 soft=0 mtu=1390 expire=41944/0B replaywin=2048 seqno=e6e esn=0 replaywin_lastseq=0000000e itn=0

life: type=01 bytes=0/0 timeout=42901/43200

dec: spi=635e9bb1 esp=aes key=16 c8a374905ef9156e66504195f46a650c ah=sha1 key=20 a09265de7d3b0620b45441fb5af44dab125f2afe

enc: spi=a4d0cd1e esp=aes key=16 e9d0f3f0bb7e15a833f80c42615a3b91 ah=sha1 key=20 609a315c385471b8909b771c76e4fa7214996e50

dec:pkts/bytes=13/4640, enc:pkts/bytes=3693/623240

6. Optionally, view the bridge control interface on HQ1 with the diagnose netlink brctl name host vxlan-HQ1 command:

show bridge control interface vxlan-HQ1 host.

fdb: size=2048, used=17, num=17, depth=1 Bridge vxlan-a host table

port no device devname mac addr                ttl     attributes

1      1.       dmz     00:0c:29:4e:33:c9        1.        Hit(1)

1      1.       dmz     00:0c:29:a8:c3:ea       105      Hit(105)

1      1.       dmz     90:6c:ac:53:76:29       18       Hit(18)

1      1.       dmz     08:5b:0e:dd:69:cb        1.       Local Static

1      1.       dmz     90:6c:ac:84:3e:5d        1.        Hit(5)

• dmz    00:0b:fd:eb:21:d6   1.     Hit(0)
• 38 to_HQ2 56:45:c3:3f:57:b4        Local Static
• dmz    00:0c:29:d2:66:40   78     Hit(78)
• 38 to_HQ2 90:6c:ac:5b:a6:eb   124    Hit(124)

1      1.       dmz     00:0c:29:a6:bc:e6       19       Hit(19)

1      1.       dmz     00:0c:29:f0:a2:e7        1.        Hit(0)

1      1.       dmz     00:0c:29:d6:c4:66       164      Hit(164)

1      1.       dmz     00:0c:29:e7:68:19        1.        Hit(0)

1      1.       dmz     00:0c:29:bf:79:30       19       Hit(19)

1      1.       dmz     00:0c:29:e0:64:7d        1.        Hit(0)

1      1.       dmz     36:ea:c7:30:c0:f1       25       Hit(25)

1      1.       dmz     36:ea:c7:30:cc:71        1.        Hit(0)

Encryption algorithms

IKEv1 phase1 encryption algorithm

The default encryption algorithm is:

aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1

DES is a symmetric-key algorithm which means the same key is used for encrypting and decrypting data. FortiGate supports:

• des-md5 l des-sha1 l des-sha256 l des-sha384 l des-sha512

3DES apply DES algorithm three times to each data. FortiGate supports:

• 3des-md5 l 3des-sha1 l 3des-sha256 l 3des-sha384 l 3des-sha512

AES is a symmetric-key algorithm with different key length: 128, 192, and 256 bits. FortiGate supports:

• aes128-md5 l aes128-sha1 l aes128-sha256 l aes128-sha384 l aes128-sha512 l aes192-md5 l aes192-sha1 l aes192-sha256 l aes192-sha384 l aes192-sha512 l aes256-md5 l aes256-sha1 l aes256-sha256 l aes256-sha384 l aes256-sha512

The ARIA algorithm is based on AES with different key length: 128, 192, and 256 bits. FortiGate supports:

• aria128-md5 l aria128-sha1 l aria128-sha256 l aria128-sha384 l aria128-sha512 l aria192-md5 l aria192-sha1 l aria192-sha256 l aria192-sha384 l aria192-sha512 l aria256-md5 l aria256-sha1 l aria256-sha256

aria256-sha384 aria256-sha512

SEED is a symmetric-key algorithm. FortiGate supports:

• seed128-md5 l seed128-sha1 l seed128-sha256 l seed128-sha384 l seed128-sha512

Suite-B is a set of encryption algorithm, AES encryption with ICV in GCM mode. FortiGate supports Suite-B on new kernel platforms only. IPsec traffic cannot offload to NPU. CP9 supports Suite-B offloading, otherwise packets are encrypted and decrypted by software. FortiGate supports:

• suite-b-gcm-128 l suite-b-gcm-256

IKEv1 phase2 encryption algorithm

The default encryption algorithm is:

aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 In null encryption, IPsec traffic can offload NPU/CP. FortiGate supports:

• null-md5 l null-sha1 l null-sha256 l null-sha384 l null-sha512

In DES encryption algorithm, IPsec traffic can offload NPU/CP. FortiGate supports:

• des-null l des-md5 l des-sha1 l des-sha256 l des-sha384 l des-sha512

In 3DES encryption algorithm, IPsec traffic can offload NPU/CP. FortiGate supports:

• 3des-null l 3des-md5 l 3des-sha1 l 3des-sha256 l 3des-sha384 l 3des-sha512

In AES encryption algorithm, IPsec traffic can offload NPU/CP. FortiGate supports:

• aes128-null l aes128-md5 l aes128-sha1 aes128-sha256 aes128-sha384 l aes128-sha512 l aes192-null l aes192-md5 l aes192-sha1 l aes192-sha256 l aes192-sha384 l aes192-sha512 l aes256-null l aes256-md5 l aes256-sha1 l aes256-sha256 l aes256-sha384 l aes256-sha512

In AESGCM encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:

• aes128gcm l aes256gcm

In chacha20poly1305 encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:

• chacha20poly1305

In ARIA encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:

• aria128-null l aria128-md5 l aria128-sha1 l aria128-sha256 l aria128-sha384 l aria128-sha512 l aria192-null l aria192-md5 l aria192-sha1 l aria192-sha256 l aria192-sha384 l aria192-sha512 l aria256-null l aria256-md5 l aria256-sha1 l aria256-sha256 l aria256-sha384 l aria256-sha512

In SEED encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:

• seed-null l seed-md5 l seed-sha1 seed-sha256 seed-sha384 l seed-sha512

IKEv2 phase1 encryption algorithm

The default encryption algorithm is:

aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256

DES is a symmetric-key algorithm which means the same key is used for encrypting and decrypting data. FortiGate supports:

• des-md5 l des-sha1 l des-sha256 l des-sha384 l des-sha512

3DES apply DES algorithm three times to each data. FortiGate supports:

• 3des-md5 l 3des-sha1 l 3des-sha256 l 3des-sha384 l 3des-sha512

AES is a symmetric-key algorithm with different key length: 128, 192, and 256 bits. FortiGate supports:

• aes128-md5 l aes128-sha1 l aes128-sha256 l aes128-sha384 l aes128-sha512 l aes128gcm-prfsha1 l aes128gcm-prfsha256 l aes128gcm-prfsha384 l aes128gcm-prfsha512 l aes192-md5 l aes192-sha1 l aes192-sha256 l aes192-sha384 l aes192-sha512 l aes256-md5 l aes256-sha1 l aes256-sha256 l aes256-sha384 l aes256-sha512 l aes256gcm-prfsha1 l aes256gcm-prfsha256 aes256gcm-prfsha384 aes256gcm-prfsha512

The ARIA algorithm is based on AES with different key length: 128, 192, and 256 bits. FortiGate supports:

• aria128-md5 l aria128-sha1 l aria128-sha256 l aria128-sha384 l aria128-sha512 l aria192-md5 l aria192-sha1 l aria192-sha256 l aria192-sha384 l aria192-sha512 l aria256-md5 l aria256-sha1 l aria256-sha256 l aria256-sha384 l aria256-sha512

In chacha20poly1305 encryption algorithm, FortiGate supports:

• chacha20poly1305-prfsha1 l chacha20poly1305-prfsha256 l chacha20poly1305-prfsha384 l chacha20poly1305-prfsha512

SEED is a symmetric-key algorithm. FortiGate supports:

• seed128-md5 l seed128-sha1 l seed128-sha256 l seed128-sha384 l seed128-sha512

Suite-B is a set of encryption algorithm, AES encryption with ICV in GCM mode. FortiGate supports Suite-B on new kernel platforms only. IPsec traffic cannot offload to NPU. CP9 supports Suite-B offloading, otherwise packets are encrypted and decrypted by software. FortiGate supports:

• suite-b-gcm-128 l suite-b-gcm-256

IKEv2 phase2 encryption algorithm

The default encryption algorithm is:

aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 In null encryption, IPsec traffic can offload NPU/CP. FortiGate supports:

• null-md5 l null-sha1 l null-sha256 null-sha384 null-sha512

In DES encryption algorithm, IPsec traffic can offload NPU/CP. FortiGate supports:

• des-null l des-md5 l des-sha1 l des-sha256 l des-sha384 l des-sha512

In 3DES encryption algorithm, IPsec traffic can offload NPU/CP. FortiGate supports:

• 3des-null l 3des-md5 l 3des-sha1 l 3des-sha256 l 3des-sha384 l 3des-sha512

In AES encryption algorithm, IPsec traffic can offload NPU/CP. FortiGate supports:

• aes128-null l aes128-md5 l aes128-sha1 l aes128-sha256 l aes128-sha384 l aes128-sha512 l aes192-null l aes192-md5 l aes192-sha1 l aes192-sha256 l aes192-sha384 l aes192-sha512 l aes256-null l aes256-md5 l aes256-sha1 l aes256-sha256 l aes256-sha384 l aes256-sha512

In AESGCM encryption algorithm, IPsec traffic cannot offload NPU. CP9 supports AESGCM offloading. FortiGate supports:

• aes128gcm l aes256gcm

In chacha20poly1305 encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:

• chacha20poly1305

In ARIA encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:

• aria128-null l aria128-md5 l aria128-sha1 l aria128-sha256 l aria128-sha384 l aria128-sha512 l aria192-null l aria192-md5 l aria192-sha1 l aria192-sha256 l aria192-sha384 l aria192-sha512 l aria256-null l aria256-md5 l aria256-sha1 l aria256-sha256 l aria256-sha384 l aria256-sha512

In SEED encryption algorithm, IPsec traffic cannot offload NPU/CP. FortiGate supports:

• seed-null l seed-md5 l seed-sha1 l seed-sha256 l seed-sha384 l seed-sha512

Policy-based IPsec tunnel

This recipe provides an example configuration of policy-based IPsec tunnel. Site-to-site VPN between branch and HQ is used and HQ is the IPsec concentrator.

The following shows the network topology for this example:

To configure a policy-based IPsec tunnel using the GUI:

1. Configure the IPsec VPN at HQ:
   1. Go to VPN > IPsec Wizard, enter a VPN name (to_branch1 in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway. l Enter IP address, in this example, 1.1.2. l Choose port9 as interface. l In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
   2. Go to VPN > IPsec Wizard, enter a VPN name (to_branch2 in this example), choose Custom, and then click Next:
      • Uncheck Enable IPsec Interface Mode.
      • Choose Static IP Address as Remote Gateway. l Enter IP address, in this example, 1.1.2. l Choose port9 as interface. l In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
      • Click OK.
   3. Configure the IPsec concentrator at HQ:
      1. Go to VPN > IPsec Concentrator, enter a name, in this example, branch.
      2. Add to_branch1 and to_branch2 as Members.
      3. Click OK.
   4. Configure the firewall policy:
      10. Choose the Incoming Interface, in this example, port10.
      11. Choose the Outgoing Interface, in this example, port9.
      12. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
      13. Select the VPN Tunnel, in this example, Branch1/Branch2.
      14. In this example, turn on Allow traffic to be initiated from the remote site.
      15. Click OK.
   5. Configure IPsec VPN at branch 1:
      1. Go to VPN > IPsec Wizard, enter a VPN name, (to_HQ in this example) choose Custom and then click Next.
         • Uncheck Enable IPsec Interface Mode.
         • Choose Static IP Address as Remote Gateway. l Enter IP address, in this example, 1.1.1. l Choose wan1 as interface. l In this example, set Authentication Method to Pre-shared Key. In other cases, use the default.
         • Click OK.
      2. Configure the firewall policy:
         1. Choose the Incoming Interface, in this example, internal.
         2. Choose the Outgoing Interface, in this example, wan1.
         3. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
         4. Select the VPN Tunnel, in this example, to_HQ.
         5. In this example, turn on Allow traffic to be initiated from the remote site.
         6. Click OK.
      3. Configure IPsec VPN at branch 2:
         1. Go to VPN > IPsec Wizard, enter a VPN name, (to_HQ in this example) choose Custom and then click Next.
            • Uncheck Enable IPsec Interface Mode.
            • Choose Static IP Address as Remote Gateway. l Enter IP address, in this example, 1.1.1. l Choose wan1 as interface.
            • In this example, set Authentication Method to Pre-shared Key and the Pre-shared Key is sample. In other cases, use the default.
            • Click OK.
         2. Configure the firewall policy:
            1. Choose the Incoming Interface, in this example, internal.
            2. Choose the Outgoing Interface, in this example, wan1.
            3. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
            4. Select the VPN Tunnel, in this example, to_HQ.
            5. In this example, turn on Allow traffic to be initiated from the remote site.
            6. Click OK.

To configure a policy-based IPsec tunnel using the CLI:

1. Configure the HQ WAN interface and static route:

config system interface edit “port9” set alias “WAN” set ip 22.1.1.1 255.255.255.0 next

edit “port10” set alias “Internal” set ip 172.16.101.1 255.255.255.0

next

end

config router static edit 1 set gateway 22.1.1.2 set device “port9”

next

end

2. Configure the HQ IPsec phase1 and phase2:

config vpn ipsec phase1 edit “to_branch1” set interface “port9” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 15.1.1.2 set psksecret sample

next

edit “to_branch2” set interface “port9” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 13.1.1.2 set psksecret sample

next

end

config vpn ipsec phase2 edit “to_branch1” set phase1name “to_branch1”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next edit “to_branch2” set phase1name “to_branch2”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

3. Configure the HQ firewall policy:

config firewall policy edit 1 set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “10.1.100.0” set action ipsec set schedule “always” set service “ALL” set inbound enable set vpntunnel “to_branch1” next

edit 2

set srcintf “port10” set dstintf “port9” set srcaddr “all” set dstaddr “192.168.4.0” set action ipsec set schedule “always” set service “ALL” set inbound enable set vpntunnel “to_branch2”

next

end

4. Configure the HQ concentrator:

config vpn ipsec concentrator

edit “branch”

set member “to_branch1” “to_branch2”

next

end

5. Configure the branch WAN interface and static route:
6. Branch1:

config system interface

edit “wan1”

set alias “primary_WAN” set ip 15.1.1.2 255.255.255.0

next edit “internal”

set ip 10.1.100.1 255.255.255.0

next

end config router static

edit 1

set gateway 15.1.1.1 set device “wan1”

next

end

1. Branch2:

config system interface

edit “wan1”

set alias “primary_WAN” set ip 13.1.1.2 255.255.255.0

next edit “internal”

set ip 192.168.4.1 255.255.255.0

next

end config router static

edit 1

set gateway 13.1.1.1 set device “wan1”

next end

6. Configure the branch IPsec phase1 and phase2:
7. Branch1:

config vpn ipsec phase1 edit “to_HQ” set interface “wan1” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 22.1.1.1 set psksecret sample

next

end

config vpn ipsec phase2 edit “to_HQ” set phase1name “to_HQ”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

1. Branch2:

config vpn ipsec phase1 edit “to_HQ” set interface “wan1” set peertype any

set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set remote-gw 22.1.1.1 set psksecret sample

next

end

config vpn ipsec phase2 edit “to_HQ” set phase1name “to_HQ”

set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm

aes256gcm chacha20poly1305 next

end

7. Configure the branch firewall policy:
   1. Branch1:

config firewall policy edit 1 set srcintf “internal” set dstintf “wan1” set srcaddr “10.1.100.0” set dstaddr “all” set action ipsec set schedule “always” set service “ALL” set inbound enable set vpntunnel “to_HQ”

next end

1. Branch2:

config firewall policy edit 1 set srcintf “internal” set dstintf “wan1” set srcaddr “192.168.4.0” set dstaddr “all” set action ipsec set schedule “always” set service “ALL” set inbound enable set vpntunnel “to_HQ”

next

end

8. Optionally, view the IPsec VPN tunnel list at HQ with the diagnose vpn tunnel list command:

list all ipsec tunnel in vd 0

—-

name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0

bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0 stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42604/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000680 itn=0

life: type=01 bytes=0/0 timeout=42932/43200

dec: spi=ca646442 esp=aes key=16 58c91d4463968dddccc4fd97de90a4b8 ah=sha1 key=20 c9176fe2fbc82ef7e726be9ad4af83eb1b55580a

enc: spi=747c10c4 esp=aes key=16 7cf0f75b784f697bc7f6d8b4bb8a83c1 ah=sha1 key=20 cdddc376a86f5ca0149346604a59af07a33b11c5

dec:pkts/bytes=1664/16310, enc:pkts/bytes=0/16354

npu_flag=03 npu_rgwy=15.1.1.2 npu_lgwy=22.1.1.1 npu_selid=3 dec_npuid=2 enc_npuid=2

—-

name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0

bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu proxyid_num=1 child_num=0 refcnt=7 ilast=2 olast=43228 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0

dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1

src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0

SA: ref=3 options=10226 type=00 soft=0 mtu=1280 expire=40489/0B replaywin=2048 seqno=1 esn=0 replaywin_lastseq=00000000 itn=0

life: type=01 bytes=0/0 timeout=42931/43200

dec: spi=ca646441 esp=aes key=16 57ab680d29d4aad4e373579fb50e9909 ah=sha1 key=20 12a2bc703d2615d917ff544eaff75a6d2c17f1fe

enc: spi=f9cffb61 esp=aes key=16 3d64da9feb893874e007babce0229259 ah=sha1 key=20 f92a3ad5e56cb8e89c47af4dac10bf4b4bebff16

dec:pkts/bytes=0/0, enc:pkts/bytes=0/0

npu_flag=00 npu_rgwy=13.1.1.2 npu_lgwy=22.1.1.1 npu_selid=4 dec_npuid=0 enc_npuid=0

9. Optionally, view the IPsec VPN concentrator at HQ with the diagnose vpn concentrator list command:

list all ipsec concentrator in vd 0

name=branch              ref=3          tuns=2 flags=0

SSL VPN web mode for remote user

This topic provides a sample configuration of remote users accessing the corporate network through an SSL VPN by web mode using a web browser.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. Port1 interface connects to the internal network.
   1. Go to Network > Interface and edit the wan1
   2. Set IP/Network Mask to 20.120.123/255.255.255.0.
   3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0. d. Click OK.
   4. Go to Firewall & Objects > Address and create address for internet subnet 192.168.1.0.
2. Configure user and user group.
   1. Go to User& Device > UserDefinition to create a local user sslvpnuser1.
   2. Go to User& Device > UserGroups to create a group sslvpngroup with the member sslvpnuser1.
3. Configure SSL VPN web portal.
4. Go to VPN > SSL-VPN Portals to create a web mode only portal my-web-portal.
5. Set Predefined Bookmarks forWindows server to type RDP.
6. Configure SSL VPN settings.
   1. Go to VPN > SSL-VPN Settings.
   2. Choose proper Listen on Interface, in this example, wan1.
   3. Listen on Port 10443.
   4. Choose a certificate for ServerCertificate. The default is Fortinet_Factory.
   5. Under Authentication/Portal Mapping, set default Portal Web-access for All OtherUsers/Groups.
   6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-Web-portal.
7. Configure SSL VPN firewall policy.
   1. Go to Policy & Objects > IPv4 Policy.
   2. Fill in the firewall policy name. In this example: sslvpn web mode access.
   3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
   4. Choose an Outgoing Interface. In this example: port1.
   5. Set the Source to all and group to sslvpngroup.
   6. In this example, the destination is the internal protected subnet 168.1.0.
   7. Set Schedule to always, service to ALL, and Action to Accept.
   8. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet192.168.1.0 255.255.255.0

next end

2. Configure user and user group.

config user local edit “sslvpnuser1” set type password set passwd your-password

next

end config user group edit “sslvpngroup” set member”vpnuser1″

next

end

3. Configure SSL VPN web portal and predefine RDP bookmark for windows server.

config vpn ssl web portal edit “my-web-portal” set web-mode enable config bookmark-group edit “gui-bookmarks” config bookmarks edit “Windows Server” set apptype rdp set host “192.168.1.114” set port 3389

set logon-user “your-windows-server-user-name” set logon-password your-windows-server-password

next

end

next

end

next

end

4. Configure SSL VPN settings.

config vpn ssl settings set servercert “Fortinet_Factory” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set tunnel-ipv6-pools “SSLVPN_TUNNEL_IPv6_ADDR1” set source-interface “wan1” set source-address “all” set source-address6 “all” set default-portal “full-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “my-web-portal”

next

end

5. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network. Traffic is dropped from internal to remote client.

config firewall policy edit 1

set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL”

next

end

To see the results:

1. Open browser and log into the portal https://172.20.120.123:10443 using the credentials you’ve set up.
2. In the portal with the predefined bookmark, select the bookmark to begin an RDP session.
3. Go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
4. Go to Log & Report > Traffic Log > Forward Traffic to view the details for the SSL entry.

SSL VPN full tunnel for remote user

This topic provides a sample configuration of remote users accessing the corporate network and internet through an SSL VPN by tunnel mode using FortiClient.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. Port1 interface connects to the internal network.
   1. Go to Network > Interface and edit the wan1
   2. Set IP/Network Mask to 20.120.123/255.255.255.0.
   3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
   4. Click OK.
2. Configure user and user group.
   1. Go to User& Device > UserDefinition to create a local user sslvpnuser1.
   2. Go to User& Device > UserGroups to create a group sslvpngroup with the member sslvpnuser1.
3. Configure SSL VPN web portal.
   1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-full-tunnel-portal. Disable Split Tunneling.
4. SSL VPN settings configuration.
   1. Go to VPN > SSL-VPN Settings.
   2. Choose proper Listen on Interface, in this example, wan1.
   3. Listen on Port 10443.
   4. Choose a certificate for ServerCertificate. The default is Fortinet_Factory.
   5. Under Authentication/Portal Mapping, set default Portal tunnel-access for All OtherUsers/Groups.
   6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-full-tunnel-portal.
5. SSL VPN firewall policy configuration.
   1. Go to Policy & Objects > IPv4 Policy.
   2. Fill in the firewall policy name. In this example: sslvpn full tunnel access.
   3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
   4. Choose an Outgoing Interface. In this example: port1.
   5. Set the source to all and group to sslvpngroup.
   6. In this example, the destination is all.
   7. Set schedule to always, service to ALL, and Action to Accept.
   8. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1”

set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

2. Configure user and user group.

config user local edit “sslvpnuser1” set type password set passwd your-password

next

end config user group edit “sslvpngroup” set member”vpnuser1″

next

end

3. Configure SSL VPN web portal and predefine RDP bookmark for windows server.

config vpn ssl web portal edit “my-full-tunnel-portal” set tunnel-mode enable set split-tunneling disable set ip-pools “SSLVPN_TUNNEL_ADDR1”

next

end

4. Configure SSL VPN settings.

config vpn ssl settings set servercert “Fortinet_Factory” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set tunnel-ipv6-pools “SSLVPN_TUNNEL_IPv6_ADDR1” set source-interface “wan1” set source-address “all” set source-address6 “all” set default-portal “full-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “my-full-tunnel-portal”

next

end

5. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network. Traffic is dropped from internal to remote client.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “all” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL”

next

end

To see the results:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access.
3. Add a new connection.
4. Set VPN Type to SSL VPN, set Remote Gateway to the IP of the listening FortiGate interface, in this example: 20.120.123.
5. Select Customize Port and set it to 10443.
6. Save your settings.
7. Use the credentials you’ve set up to connect to the SSL VPN tunnel.
8. After connection, all traffic except the local subnet will go through the tunnel FGT.
9. Go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
10. In FGT, go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

SSL VPN split tunnel for remote user

This topic provides a sample configuration of remote users accessing the corporate network and internet through an SSL VPN by tunnel mode using FortiClient but accessing the Internet without going through the SSL VPN tunnel.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address.

Port1 interface connects to the internal network.

1. Go to Network > Interface and edit the wan1
2. Set IP/Network Mask to 20.120.123/255.255.255.0.
3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
4. Click OK.
5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
6. Configure user and user group.
   1. Go to User& Device > UserDefinition to create a local user sslvpnuser1.
   2. Go to User& Device > UserGroups to create a group sslvpngroup with the member sslvpnuser1.
7. Configure SSL VPN web portal.
   1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal. Enable Split Tunneling.
   2. Select Routing Address. 4. Configure SSL VPN settings.
   3. Go to VPN > SSL-VPN Settings.
   4. Choose proper Listen on Interface, in this example, wan1.
   5. Listen on Port 10443.
   6. Choose a certificate for ServerCertificate. The default is Fortinet_Factory.
   7. Under Authentication/Portal Mapping, set default Portal tunnel-access for All OtherUsers/Groups.
   8. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-split-tunnel-portal.
   9. Configure SSL VPN firewall policy.
8. Go to Policy & Objects > IPv4 Policy.
9. Fill in the firewall policy name. In this example: sslvpn split tunnel access.
10. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
11. Choose an Outgoing Interface. In this example: port1.
12. Set the source to all and group to sslvpngroup.
13. In this example, the destination is all.
14. Set schedule to always, service to ALL, and Action to Accept.
15. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0

next

end

config firewall address edit “192.168.1.0” set subnet 192.168.1.0 255.255.255.0

next

end

2. Configure user and user group.

config user local edit “sslvpnuser1” set type password set passwd your-password

next

end config user group edit “sslvpngroup” set member”vpnuser1″

next

end

3. Configure SSL VPN web portal.

config vpn ssl web portal edit “my-split-tunnel-portal” set tunnel-mode enable set split-tunneling enable

set split-tunneling-routing-address “192.168.1.0” set ip-pools “SSLVPN_TUNNEL_ADDR1”

next

end

4. Configure SSL VPN settings.

config vpn ssl settings set servercert “Fortinet_Factory” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set tunnel-ipv6-pools “SSLVPN_TUNNEL_IPv6_ADDR1” set source-interface “wan1” set source-address “all” set source-address6 “all” set default-portal “full-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “my-split-tunnel-portal”

next

end

5. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network. Traffic is dropped from internal to remote client.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL”

next

end

To see the results:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access.
3. Add a new connection.

l Set VPN Type to SSL VPN. l Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.

4. Select Customize Port and set it to 10443.
5. Save your settings.
6. Use the credentials you’ve set up to connect to the SSL VPN tunnel.
7. After connection, traffic to 168.1.0 goes through the tunnel. Other traffic goes through local gateway.
8. In FGT, go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
9. In FGT, go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

SSL VPN tunnel mode host check

This topic provides a sample configuration of remote users accessing the corporate network through an SSL VPN by tunnel mode using FortiClient with AV host check.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. Port1 interface connects to the internal network.
   1. Go to Network > Interface and edit the wan1
   2. Set IP/Network Mask to 20.120.123/255.255.255.0.
   3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0.
   4. Click OK.
   5. Go to Firewall & Objects > Address and create an address for internet subnet 168.1.0.
2. Configure user and user group.
   1. Go to User& Device > UserDefinition to create a local user sslvpnuser1.
   2. Go to User& Device > UserGroups to create a group sslvpngroup with the member sslvpnuser1.
3. SSL VPN web portal configuration.
   1. Go to VPN > SSL-VPN Portals to create a tunnel mode only portal my-split-tunnel-portal. Enable Split Tunneling.
   2. Select Routing Address.
4. SSL VPN settings configuration.
   1. Go to VPN > SSL-VPN Settings.
   2. Choose proper Listen on Interface, in this example, wan1.
   3. Listen on Port 10443.
   4. Choose a certificate for ServerCertificate. The default is Fortinet_Factory.
   5. Under Authentication/Portal Mapping, set default Portal tunnel-access for All OtherUsers/Groups.
   6. Create new Authentication/Portal Mapping for group sslvpngroup mapping portal my-split-tunnel-portal.
5. SSL VPN firewall policy configuration.
   1. Go to Policy & Objects > IPv4 Policy.
   2. Fill in the firewall policy name. In this example: sslvpn tunnel access with av check.
   3. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
   4. Choose an Outgoing Interface. In this example: port1.
   5. Set the source to all and group to sslvpngroup.
   6. In this example, the destination is all.
   7. Set schedule to always, service to ALL, and Action to Accept.
   8. Click OK.
6. Configure SSL VPN web portal to enable AV host-check.
   1. Open the CLI Console at the top right of the screen.
   2. Enter the following commands to enable the host to check for compliant AntiVirus software on the user’s computer:

config vpn ssl web portal

edit my-split-tunnel-access

set host-check av end

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root” set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root” set ip 192.168.1.99 255.255.255.0

next

endconfig firewall address edit “192.168.1.0” set subnet 192.168.1.0 255.255.255.0

next

end

2. Configure user and user group.

config user local edit “sslvpnuser1” set type password set passwd your-password

next

end config user group edit “sslvpngroup” set member”vpnuser1″

next

end

3. Configure SSL VPN web portal.

config vpn ssl web portal edit “my-split-tunnel-portal” set tunnel-mode enable set split-tunneling enable

set split-tunneling-routing-address “192.168.1.0” set ip-pools “SSLVPN_TUNNEL_ADDR1”

next

end

4. Configure SSL VPN settings.

config vpn ssl settings set servercert “Fortinet_Factory” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set tunnel-ipv6-pools “SSLVPN_TUNNEL_IPv6_ADDR1” set source-interface “wan1” set source-address “all” set source-address6 “all”

set default-portal “full-access” config authentication-rule edit 1 set groups “sslvpngroup” set portal “my-split-tunnel-portal”

next

end

5. Configure SSL VPN firewall policy.

Configure one firewall policy to allow remote user to access the internal network. Traffic is dropped from internal to remote client.

config firewall policy edit 1 set name “sslvpn web mode access”

set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “192.168.1.0” set groups “sslvpngroup” set action accept set schedule “always” set service “ALL”

next

end

6. Configure SSL VPN web portal to enable AV host-check.

Configure SSL VPN web portal to enable the host to check for compliant AntiVirus software on the user’s computer:

config vpn ssl web portal

edit my-split-tunnel-access

set host-check av

end

To see the results:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access.
3. Add a new connection.

l Set VPN Type to SSL VPN. l Set Remote Gateway to the IP of the listening FortiGate interface, in this example: 172.20.120.123.

4. Select Customize Port and set it to 10443.
5. Save your settings.
6. Use the credentials you’ve set up to connect to the SSL VPN tunnel.

If the user’s computer has AntiVirus software installed, a connection is established; otherwise FortiClient shows a compliance warning.

7. After connection, traffic to 168.1.0 goes through the tunnel. Other traffic goes through local gateway.
8. In FGT, go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
9. In FGT, go to Log & Report > Traffic Log > Forward Traffic and view the details for the SSL entry.

SSL VPN multi-realm

This sample recipe shows how to create a multi-realm SSL VPN that provides different portals for different user groups.

Sample network topology

Sample configuration

WAN interface is the interface connected to ISP. This example shows static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:

1. Configure the interface and firewall address. Port1 interface connects to the internal network.
   1. Go to Network > Interface and edit the wan1
   2. Set IP/Network Mask to 20.120.123/255.255.255.0.
   3. Edit port1 interface and set IP/Network Mask to 168.1.99/255.255.255.0. d. Click OK.
   4. Go to Firewall & Objects > Address and create an address for internet QA_subnet with subnet 192.168.1.0/24 and HR_subnet with subnet 10.1.100.0/24.
2. Configure user and user group.
   1. Go to User& Device > UserDefinition to create local users qa-user1 and hr-user1.
   2. Go to User& Device > UserGroups to create separate user groups for web-only and full-access portals:
      • QA_group with member qa-user1.
      • HR_group with the member hr-user1.
   3. SSL VPN web portal configuration.
      1. Go to VPN > SSL-VPN Portals to create portal qa-tunnel.
      2. Enable tunnel-mode.
      3. Create a portal hr-web with web-mode enabled.
   4. SSL VPN realms configuration.
      1. Go to System > Feature Visibility to enable SSL-VPN Realms.
      2. Go to VPN > SSL-VPN Realms to create realms for qa and hr.
   5. SSL VPN settings configuration.
      1. Go to VPN > SSL-VPN Settings.
      2. Choose proper Listen on Interface, in this example, wan1.
      3. Listen on Port 10443.
      4. Choose a certificate for ServerCertificate. The default is Fortinet_Factory.
      5. Under Authentication/Portal Mapping, set default Portal Web-access for All OtherUsers/Groups.
      6. Create new Authentication/Portal Mapping for group QA_group mapping portal qa-tunnel.
      7. Specify realm with qa.
      8. Add another entry for group HR_group mapping portal hr-web.
      9. Specify realm with hr.
   6. SSL VPN firewall policy configuration.
      1. Go to Policy & Objects > IPv4 Policy.
      2. Create a firewall policy for QA access.
      3. Fill in the firewall policy name. In this example: QA sslvpn tunnel mode access.
      4. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
      5. Choose an Outgoing Interface. In this example: port1.
      6. Set the source to all and group to QA_group.
      7. In this example, the destination is the internal protected subnet QA_subnet.
      8. Set schedule to always, service to ALL, and Action to Accept.
      9. Click OK.
      10. Create a firewall policy for HR access.
      11. Fill in the firewall policy name. In this example: HR sslvpn web mode access.
      12. Incoming interface must be SSL-VPN tunnel interface(ssl.root).
      13. Choose an Outgoing Interface. In this example: port1.
      14. Set the source to all and group to HR_group.
      15. In this example, the destination is the internal protected subnet HR_subnet.
      16. Set schedule to always, service to ALL, and Action to Accept.
      17. Click OK.

To configure SSL VPN using the CLI:

1. Configure the interface and firewall address.

config system interface edit “wan1” set vdom “root”

set ip 172.20.120.123 255.255.255.0

next

end

Configure internal interface and protected subnet. Connect Port1 interface to internal network.

config system interface edit “port1” set vdom “root”

set ip 192.168.1.99 255.255.255.0 next

end config firewall address edit “QA_subnet” set subnet 192.168.1.0 255.255.255.0

next edit “HR_subnet” set subnet 10.1.100.0 255.255.255.0

next

end

2. Configure user and user group.

config user local edit “qa_user1” set type password set passwd your-password

next

end config user group edit “QA_group” set member “qa_user1”

next

end config user local edit “hr_user1” set type password set passwd your-password

next

end config user group edit “HR_group” set member “hr_user1”

next

end

3. Configure SSL VPN web portal.

config vpn ssl web portal edit “qa-tunnel” set tunnel-mode enable set ip-pools “SSLVPN_TUNNEL_ADDR1” set split-tunneling enable set split-tunneling-routing-address “QA_subnet”

next

end config vpn ssl web portal edit “hr-web” set web-mode enable

next

end

4. Configure SSL VPN realms.

Using the GUI is the easiest way to configure SSL VPN realms.

1. Go to System > Feature Visibility to enable SSL-VPN Realms.
2. Go to VPN > SSL-VPN Realms to create realms for qa and hr.

5. Configure SSL VPN settings.

config vpn ssl settings set servercert “Fortinet_Factory” set tunnel-ip-pools “SSLVPN_TUNNEL_ADDR1” set tunnel-ipv6-pools “SSLVPN_TUNNEL_IPv6_ADDR1” set source-interface “wan1” set source-address “all” set source-address6 “all” set default-portal “full-access” config authentication-rule edit 1 set groups “QA_group” set portal “qa-tunnel” set realm qa

next edit 2 set groups “HR_group” set portal “hr-web” set realm hr

next

end

6. Configure SSL VPN firewall policy.

Configure two firewall policies to allow remote QA user to access internal QA network and HR user to access HR network.

config firewall policy edit 1 set name “QA sslvnpn tunnel access” set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “QA_subnet” set groups “QA_group” set action accept set schedule “always” set service “ALL”

next edit 2 set name “HR sslvpn web access” set srcintf “ssl.root” set dstintf “port1” set srcaddr “all” set dstaddr “HR_subnet” set groups “HR_group” set action accept set schedule “always” set service “ALL”

next

end

To see the results for QA user:

1. Download FortiClient from forticlient.com.
2. Open the FortiClient Console and go to Remote Access.
3. Add a new connection.

l Set VPN Type to SSL VPN. l Set Remote Gateway to https://172.20.120.123:10443/qa..

4. Select Customize Port and set it to 10443.
5. Save your settings.
6. Use the credentials you’ve set up to connect to the SSL VPN tunnel.

If the user’s computer has AntiVirus software installed, a connection is established; otherwise FortiClient shows a compliance warning.

7. After connection, traffic to subnet 168.1.0 goes through the tunnel.
8. In FGT, go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
9. In FGT, go to Log & Report > Traffic Log > Forward Traffic and view the details of the traffic.

To see the results for HR user:

1. In a web browser, log into the portal https://172.20.120.123:10443/hr using the credentials you’ve set up to connect to the SSL VPN tunnel.
2. Go to VPN > Monitor> SSL-VPN Monitor to verify the list of SSL users.
3. Go to Log & Report > Traffic Log > Forward Traffic and view the details of the traffic.