IPsec VPN support for traffic going through FortiADC
IPsec VPN can support traffic that first goes through FortiADC. Only IKEv2 tunnels support this feature.
The example uses the following product versions:
Product |
Version |
---|---|
FortiClient |
7.2.4 |
FortiClient EMS |
|
FortiGate |
7.4.3 |
FortiADC |
6.1.3 |
In this example use case, an organization has implemented a comprehensive security strategy that includes the use of IPsec (Internet Protocol Security) for securing communications between its network resources. By combining the secure communication that IPsec provides with the traffic optimization capabilities of FortiADC, the company can achieve a robust, secure, and high-performance network infrastructure for interconnecting branch offices with the central data center. Also, this setup enables efficient data exchange while maintaining the confidentiality and integrity of the transmitted information.
The following illustrates the flow in the diagram:
- FortiClient sends a request to IKE port 4500 with the SNI information from EMS.
- FortiADC sends the SNI to the API server and receives the real server (RS) IP address.
- FortiADC sends a packet to the RS IP address:port and response.
- VPN is setup and an IKE UDP 4500 packet is sent automatically.
The following assumes that you already have an SNI API server configured with Go service running on port 3001.
To configure FortiADC:
- Configure a load balance profile for IKE traffic:
config load-balance profile edit "IKERESOURCE" set type udp set inner-protocol ike next end
- Configure the SNI API server. In this example, 10.152.35.156 is the SNI API server IP address, and 3001 is the port used:
config load-balance sniproxy-domain set url http://10.152.35.156:3001/api/v1/system/sni-resolvers?region=region1 set url-udp http://10.152.35.156:3001/api/v1/system/sni-resolvers?region=region1 end
- Configure the RS pool and add members (the FortiOS firewall IP address) to the pool:
config load-balance pool edit "FGT-POOL" set health-check-list LB_HLTHCK_ICMP LB_HLTHCK_HTTPS LB_HLTHCK_TCP_ECHO LB_HLTHCK_HTTP set real-server-ssl-profile NONE config pool_member edit 1 set pool_member_service_port 0 set pool_member_cookie rs1 set real-server FGT2 next end next end
- Configure a virtual server. FortiClient will initiate an IPsec connection to 192.168.1.7, the remote gateway and FortiADC interface IP address, on port 4500:
config load-balance virtual-server edit "INTERNALIPSEC" set interface port1 set ip 192.168.1.7 set port 4500 set load-balance-profile IKERESOURCE set load-balance-method LB_METHOD_SNIPROXY set load-balance-pool FGT-POOL set traffic-log enable set traffic-group default set fortiview enable next end
To create an IPsec VPN IKEv2 tunnel in FortiOS:
config vpn ipsec phase1-interface edit "ADC Tunnel" set type dynamic set interface "port2" set ike-version 2 set peertype any set net-device disable set mode-cfg enable set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256 set comments "VPN: ADC Tunnel (Created by VPN wizard)" set eap enable set eap-identity send-request set authusrgrp "IPSEC" set ipv4-start-ip 20.21.21.1 set ipv4-end-ip 20.21.21.250 set dns-mode auto set save-password enable set client-auto-negotiate enable set client-keep-alive enable set psksecret ENC FzFV1gODmlxtAzxGdBQgxyAs7EvbfThS6hbrqFrBWgAQ3LAaxZ8i7V2XsjFSOJ0D5xp/cWODWxPyUBxL/j5ItiT/DG9Hl6l28uA7gMeAzagGs+avmaauE4vu3/TX+wTQ2cAD19zpiBu7I33l0EMM8hnmKTgwG3stznB/A4oKfEG72nQvrxk4TyXMRmjKdoQIvOz2SA== next end
To configure EMS:
- In EMS, go to Endpoint Profiles > Remote Access.
- Create a new profile or edit an existing one.
- Under VPN Tunnels, click Add Tunnel.
- Select Manual.
- Configure Basic Settings:
- In the Name field, configure the desired tunnel name.
- For Type, select IPsec VPN.
- In the Remote Gateway field, enter the remote gateway, which is the same as the FortiADC IP address. In this example it is 192.168.1.7
- From the Authentication Method dropdown list, select Pre Shared Key.
- In the Pre-Shared Key field, enter the same key that you configured in FortiOS.
- Configure other fields as desired, and save.
- Click XML, then Edit.
- Under
<ike_settings>
, set<sase_mode>
to1
. This sets the IPsec port to 4500. The following shows the XML configuration:<forticlient_configuration> <vpn> <enabled>1</enabled> <sslvpn> <connections/> <options> <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate> <use_gui_saml_auth>0</use_gui_saml_auth> <no_dns_registration>0</no_dns_registration> <preferred_dtls_tunnel>0</preferred_dtls_tunnel> <negative_split_tunnel_metric/> <warn_invalid_server_certificate>1</warn_invalid_server_certificate> <dnscache_service_control>0</dnscache_service_control> <prefer_sslvpn_dns>1</prefer_sslvpn_dns> <enabled>1</enabled> </options> </sslvpn> <ipsecvpn> <connections> <connection> <name>IPSECV2-ADC - internal</name> <uid>650F4D40-6942-4E25-B927-7EE6C5D99878</uid> <machine>0</machine> <keep_running>0</keep_running> <disclaimer_msg/> <sso_enabled>0</sso_enabled> <single_user_mode>0</single_user_mode> <type>manual</type> <ui> <show_remember_password>1</show_remember_password> <show_alwaysup>1</show_alwaysup> <show_autoconnect>1</show_autoconnect> <show_passcode>0</show_passcode> <save_username>0</save_username> </ui> <redundant_sort_method>0</redundant_sort_method> <tags> <allowed/> <prohibited/> </tags> <host_check_fail_warning/> <ike_settings> <server>192.168.1.7</server> <authentication_method>Preshared Key</authentication_method> <fgt>1</fgt> <prompt_certificate>1</prompt_certificate> <xauth> <use_otp>0</use_otp> <enabled>1</enabled> <prompt_username>1</prompt_username> </xauth> <version>2</version> <mode>aggressive</mode> <key_life>86400</key_life> <localid/> <implied_SPDO>0</implied_SPDO> <implied_SPDO_timeout>0</implied_SPDO_timeout> <nat_traversal>1</nat_traversal> <sase_mode>1</sase_mode> <nat_alive_freq>5</nat_alive_freq> <enable_local_lan>1</enable_local_lan> <enable_ike_fragmentation>0</enable_ike_fragmentation> <mode_config>1</mode_config> <dpd>1</dpd> <run_fcauth_system>0</run_fcauth_system> <sso_enabled>0</sso_enabled> <ike_saml_port>443</ike_saml_port> <dpd_retry_count>3</dpd_retry_count> <dpd_retry_interval>5</dpd_retry_interval> <xauth_timeout>120</xauth_timeout> <auth_data> <preshared_key>Enc 7de9d08db7716deba8e66e5526eac5d952c1afb46e2edd5d51646228a1a2</preshared_key> </auth_data> <dhgroup>5</dhgroup> <proposals> <proposal>AES128|SHA1</proposal> <proposal>AES256|SHA256</proposal> </proposals> </ike_settings> <ipsec_settings> <remote_networks> <network> <addr>0.0.0.0</addr> <mask>0.0.0.0</mask> </network> <network> <addr>::/0</addr> <mask>::/0</mask> </network> </remote_networks> <dhgroup>5</dhgroup> <key_life_type>seconds</key_life_type> <key_life_seconds>43200</key_life_seconds> <key_life_Kbytes>5200</key_life_Kbytes> <replay_detection>1</replay_detection> <pfs>1</pfs> <use_vip>1</use_vip> <virtualip> <type>modeconfig</type> <ip>0.0.0.0</ip> <mask>0.0.0.0</mask> <dnsserver>0.0.0.0</dnsserver> <winserver>0.0.0.0</winserver> </virtualip> <proposals> <proposal>AES128|SHA1</proposal> <proposal>AES256|SHA256</proposal> </proposals> </ipsec_settings> <android_cert_path/> <warn_invalid_server_certificate>1</warn_invalid_server_certificate> <on_connect> <script> <os>windows</os> <script/> </script> <script> <os>MacOSX</os> <script/> </script> <script> <os>linux</os> <script/> </script> </on_connect> <on_disconnect> <script> <os>windows</os> <script/> </script> <script> <os>MacOSX</os> <script/> </script> <script> <os>linux</os> <script/> </script> </on_disconnect> <traffic_control> <enabled>0</enabled> <mode>1</mode> </traffic_control> </connection> </connections> <options> <usewincert>1</usewincert> <disallow_invalid_server_certificate>0</disallow_invalid_server_certificate> <uselocalcert>0</uselocalcert> <beep_if_error>0</beep_if_error> <check_for_cert_private_key>0</check_for_cert_private_key> <no_dns_registration>0</no_dns_registration> <enhanced_key_usage_mandatory>0</enhanced_key_usage_mandatory> <disable_default_route>0</disable_default_route> <use_win_current_user_cert>1</use_win_current_user_cert> <enable_udp_checksum>0</enable_udp_checksum> <show_auth_cert_only>0</show_auth_cert_only> <usesmcardcert>1</usesmcardcert> <block_ipv6>1</block_ipv6> <use_win_local_computer_cert>1</use_win_local_computer_cert> <enabled>1</enabled> </options> </ipsecvpn> <lockdown> <grace_period>120</grace_period> <max_attempts>3</max_attempts> <exceptions> <apps/> <ips/> </exceptions> <enabled>0</enabled> </lockdown> <options> <suppress_vpn_notification>0</suppress_vpn_notification> <secure_remote_access>0</secure_remote_access> <keep_running_max_tries>0</keep_running_max_tries> <use_windows_credentials>0</use_windows_credentials> <allow_personal_vpns>1</allow_personal_vpns> <show_vpn_before_logon>0</show_vpn_before_logon> <use_legacy_vpn_before_logon>0</use_legacy_vpn_before_logon> <on_os_start_connect/> <disable_connect_disconnect>0</disable_connect_disconnect> <show_negotiation_wnd>0</show_negotiation_wnd> <on_os_start_connect_has_priority>0</on_os_start_connect_has_priority> <autoconnect_on_install>0</autoconnect_on_install> <autoconnect_only_when_offnet>0</autoconnect_only_when_offnet> <minimize_window_on_connect>1</minimize_window_on_connect> </options> </vpn> <endpoint_control> <ui> <display_vpn>1</display_vpn> </ui> </endpoint_control> </forticlient_configuration>
- Save. After FortiClient receives the profile changes from EMS, it can connect to an IPsec VPN tunnel pushed from FortiADC.
To verify this configuration:
- In FortiOS, go to Dashboard > Network.
- Expand the IPsec widget.
- Verify that the IPsec VPN tunnel is up.
- If desired, you can enable and view FortiOS:
FGVMULTM12345 # diagnose debug enable FGVMULTM212345 # diagnose debug application ike -1 Debug messages will be on for 30 minutes. FGVMULTM12345 # ike V=root:0: comes 192.168.1.11:4500->192.168.1.1:4500,ifindex=5,vrf=0,len=508.... ike V=root:0: IKEv2 exchange=SA_INIT id=fd23616068ea787b/0000000000000000 len=504 ike 0: in FD23616068EA787B00000000000000002120220800000000000001F82200005C0200002C010100040300000C0100000C800E00800300000802000002030000080300000200000008040000050000002C020100040300000C0100000C800E00800300000802000005030000080300000C0000000804000005280000C80005000002985CB0E49090C90FF1B01C95C5CBE283C13C57C98C796D1AB5301AB30E5D5BD3C3B438A41F95CFDD8C2FC1086DCD18F6B3A6EAAF8AF9E54022F8FA0B4FC16BAAF42AA3F4DDB5CC2846F09CD0CDA74B513851EAB6F9A8EAB128B0DB8D5B4F819EA4C775B037A77BD35813230C0708077C34EB02BD3F8A71613B84365F5FCE93528C2C54FF72ADA276E7C4B37DF6C6A9AAAE2CA0370957B4385345ED403118D6A0D68A49834069CC7543F0597AD83FA75FE90967A40A31F3F8CE28ABFBDE25822B000014BDDC4BD20AF71BA16FFE6AA24508B0162B0000144C53427B6D465D1B337BB755A37A7FEF2B000014B4F01CA951E9DA8D0BAFBBD34AD3044E29000014C1DC4350476B98A429B91781914CA43E290000180100F103464354454D5338383234303930333135290000180100F103464354454D53383832343039303331352900001C0000400408C1FCB91852BE008BC80B00D5AD2667C42A04940000001C000040053DDAE5A62679ABFBD748AFCB830BBB25F2195192 Ike V=root:0:fd23616068ea787b/0000000000000000:897: responder received SA_INIT msg ike V=root:0:fd23616068ea787b/0000000000000000:897: VID forticlient connect license 4C53427B6D465D1B337BB755A37A7FEF ike V=root:0:fd23616068ea787b/0000000000000000:897: VID Fortinet Endpoint Control B4F01CA951E9DA8D0BAFBBD34AD3044E ike V=root:0:fd23616068ea787b/0000000000000000:897: VID unknown (16): C1DC4350476B98A429B91781914CA43E ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type 61699 ike V=root:0:fd23616068ea787b/0000000000000000:897: ignoring unauthenticated notify payload (61699) ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type 61699 ike V=root:0:fd23616068ea787b/0000000000000000:897: ignoring unauthenticated notify payload (61699) ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type NAT_DETECTION_SOURCE_IP ike V=root:0:fd23616068ea787b/0000000000000000:897: received notify type NAT_DETECTION_DESTINATION_IP ike V=root:0:fd23616068ea787b/0000000000000000:897: incoming proposal: ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 1: ike V=root:0:fd23616068ea787b/0000000000000000:897: protocol = IKEv2: ike V=root:0:fd23616068ea787b/0000000000000000:897: encapsulation = IKEv2/none ike V=root:0:fd23616068ea787b/0000000000000000:897: type=ENCR, val=AES_CBC (key_len = 128) ike V=root:0:fd23616068ea787b/0000000000000000:897: type=INTEGR, val=AUTH_HMAC_SHA_96 ike V=root:0:fd23616068ea787b/0000000000000000:897: type=PRF, val=PRF_HMAC_SHA ike V=root:0:fd23616068ea787b/0000000000000000:897: type=DH_GROUP, val=MODP1536. ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 2: ike V=root:0:fd23616068ea787b/0000000000000000:897: protocol = IKEv2: ike V=root:0:fd23616068ea787b/0000000000000000:897: encapsulation = IKEv2/none ike V=root:0:fd23616068ea787b/0000000000000000:897: type=ENCR, val=AES_CBC (key_len = 128) ike V=root:0:fd23616068ea787b/0000000000000000:897: type=INTEGR, val=AUTH_HMAC_SHA2_256_128 ike V=root:0:fd23616068ea787b/0000000000000000:897: type=PRF, val=PRF_HMAC_SHA2_256 ike V=root:0:fd23616068ea787b/0000000000000000:897: type=DH_GROUP, val=MODP1536. ike V=root:0:fd23616068ea787b/0000000000000000:897: matched proposal id 2 ike V=root:0:fd23616068ea787b/0000000000000000:897: proposal id = 2: ike V=root:0:fd23616068ea787b/0000000000000000:897: protocol = IKEv2: ike V=root:0:fd23616068ea787b/0000000000000000:897: encapsulation = IKEv2/none ike V=root:0:fd23616068ea787b/0000000000000000:897: type=ENCR, val=AES_CBC (key_len = 128) ike V=root:0:fd23616068ea787b/0000000000000000:897: type=INTEGR, val=AUTH_HMAC_SHA2_256_128 ike V=root:0:fd23616068ea787b/0000000000000000:897: type=PRF, val=PRF_HMAC_SHA2_256 ike V=root:0:fd23616068ea787b/0000000000000000:897: type=DH_GROUP, val=MODP1536. ike V=root:0:fd23616068ea787b/0000000000000000:897: lifetime=86400 ike V=root:0:fd23616068ea787b/0000000000000000:897: SA proposal chosen, matched gateway ADC Tunnel ike V=root:0:ADC Tunnel: created connection: 0xf9e2ff0 5 192.168.1.1->192.168.1.11:4500. ike V=root:0:ADC Tunnel:897: processing notify type NAT_DETECTION_SOURCE_IP ike V=root:0:ADC Tunnel:897: processing NAT-D payload ike V=root:0:ADC Tunnel:897: NAT detected: PEER ike V=root:0:ADC Tunnel:897: process NAT-D ike V=root:0:ADC Tunnel:897: processing notify type NAT_DETECTION_DESTINATION_IP ike V=root:0:ADC Tunnel:897: processing NAT-D payload ike V=root:0:ADC Tunnel:897: NAT detected: ME PEER ike V=root:0:ADC Tunnel:897: process NAT-D ike V=root:0:ADC Tunnel:897: enable FortiClient endpoint compliance check, use 169.254.7.1 ike V=root:0:ADC Tunnel:897: responder preparing SA_INIT msg ike V=root:0:ADC Tunnel:897: generate DH public value request queued ike V=root:0:ADC Tunnel:897: responder preparing SA_INIT msg ike V=root:0:ADC Tunnel:897: compute DH shared secret request queued ike V=root:0:ADC Tunnel:897: responder preparing SA_INIT msg ike V=root:0:ADC Tunnel:897: create NAT-D hash local 192.168.1.1/4500 remote 192.168.1.11/4500 ike 0:ADC Tunnel:897: out FD23616068EA787B8A56F0004EEC7C3D212022200000000000000160220000300000002C020100040300000C0100000C800E00800300000802000005030000080300000C0000000804000005280000C80005000000AE7B893BC5E3A52AA663A0334F31B4E900C9F5635E5CE2817A0FD7734EA390EEDF0898E22540B9AE00E8C4E1DECB51DA24B0A7C326FF6286ADF943020E4027FF73A6E4752FEA8B133EBAB7553723BDC61E43FBC99C2D95FA88BC5BF8E322B7598FAB4F5C55A13B2226D71DF952B088256A57D88E16C671881DDD028AC24D9E4ACA40DC26017C87C0553EDDE75D031FCFC0DBB74B4F26E9EE0AC662A66FAD4E48A3D2232E0BDB7552E3855535D340BF34B28873D28C8FABB2FCAC5194A5373E29000014DE6499159A9592FF9CF6A338697810782900001C0000400412CB23AF2CCA5494532E14CE0775D4D1CFA05EA40000001C0000400514E0C02BB1C1041736812AF33F10C047BDEB6A36 ike V=root:0:ADC Tunnel:897: sent IKE msg (SA_INIT_RESPONSE): 192.168.1.1:4500->192.168.1.11:4500, len=352, vrf=0, id=fd23616068ea787b/8a56f0004eec7c3d, oif=5 ike 0:ADC Tunnel:897: IKE SA fd23616068ea787b/8a56f0004eec7c3d SK_ei 16:5204278EAA78717A3D501DB8ED8FD673 ike 0:ADC Tunnel:897: IKE SA fd23616068ea787b/8a56f0004eec7c3d SK_er 16:7B38711FE8D81E238370F4D9D75B4954 ike 0:ADC Tunnel:897: IKE SA fd23616068ea787b/8a56f0004eec7c3d SK_ai 32:68CF5D7F413B68413D0E6411181CD5F0EE4AA630D72274B56E6790A7EE7568F8 ike 0:ADC Tunnel:897: IKE SA fd23616068ea787b/8a56f0004eec7c3d SK_ar 32:6033D1AFE65E3A3B65B1D6B58B0B7CC7083D077684039D03897CF68F23C96DAE ike V=root:0: comes 192.168.1.11:4500->192.168.1.1:4500,ifindex=5,vrf=0,len=612.... ike V=root:0: IKEv2 exchange=AUTH id=fd23616068ea787b/8a56f0004eec7c3d:00000001 len=608 ike 0: in FD23616068EA787B8A56F0004EEC7C3D2E202308000000010000026023000244B257D3A5A3F8787BF85F7EAA6C68421A1613119EB8BB13C7FF639E41A46A81372B058C22714F93996558DCAEC8062BD8B1D1E9521B52D41E32A0CAF350D9865ECEB0E65118D7E6E4B6531A0F459D852390B9A560FEFFF4191C52FFB9A123C58A18EA5F9D7DF7B39823A92FBB5FEDFA291A7936B14D3EC484252C3D199A4260FC7AC9AFD89377376397B7A043B9969ED189E6590A9F68A5832A56E8D114E75C8736806DF7B85DA894EA7B7582894051CBE24AD640DC00BADF578DFC5BCA6F2895F71FDB1F3D4BE11DFD6C2D63F3735C3931BCE9109BDD47110112FEC282A94EB7C855F401F2BD53403E6F302506914CA81888C8AE0AD9E1E90F252F8C1AD288BC1C5295FE046A176F107F79E6397E4428C30160FFEEACEA0B2BCCA9BC34DA2E35EE233745B0A05665E8A95747D760282784B987DAB28DDCF50348B2550B414BE20297647BD15500EC8D4E6E5113BC403772153A671DA8587920F7C7E1C9E3A9341F3C5094DC01DC4E3539B19E178DB92A6D282D891FDAC63CB9F95F1821DBE530FD9C42106E0AE2DB13C8722039335FAE1A840E1BA2BC125AA48279530799BB48D91DF3DC5F000917B21DAD85BB55E2A14EC068DA364FA8941F0DFA25C267349C21F7125E7836B19ACC6E42FB581061D7D4F81D2D581B42C96BFE4E710B14148D4E1EEA2D8C6C361566F8BABFDB5A66A1A59E07F25BAC6CA8AD8698C8E0B2D0F73D7E06697504110A83ACC586E4C3227AEF2CE616041F18C464A0CC31374E1A18993FD8B92ABF2C4A1C900A7EF444684BD683E8013A237D8E7E6780831EF13D24 ike 0:ADC Tunnel:897: dec FD23616068EA787B8A56F0004EEC7C3D2E202308000000010000023A230000042900000C01000000C0A8010B29000008000040002F00012E0000F1005645523D310A4643545645523D372E322E342E303937320A5549443D39354630373530334342373234424530383332303846393745454239434638320A49503D3139322E3136382E312E31310A4D41433D30302D31352D35642D32332D61382D34613B30302D31352D35642D32332D61382D35613B0A484F53543D4445534B544F502D493134495656430A555345523D69707365630A4F535645523D4D6963726F736F66742057696E646F777320313020456E74657270726973652045646974696F6E2C2036342D62697420286275696C64203139303435290A5245475F5354415455533D300A454D53534E3D464354454D53383832343039303331350A454D5349443D30303030303030303030303030303030303030303030303030303030303030300A002100005401000000000700104643543830303136343738393239393400010000000200000003000000040000000D00000019000000080000000F0000000A0000000B000070010000540A0000540B0000700000002C00005402000028010304038DE23FFD0300000C0100000C800E00800300000803000002000000080500000000000028020304038DE23FFD0300000C0100000C800E0080030000080300000C00000008050000002D00001801000000070000100000FFFF00000000FFFFFFFF0000001801000000070000100000FFFF00000000FFFFFFFF ike V=root:0:ADC Tunnel:897: responder received AUTH msg ike V=root:0:ADC Tunnel:897: processing notify type INITIAL_CONTACT ike V=root:0:ADC Tunnel:897: processing notify type FORTICLIENT_CONNECT ike V=root:0:ADC Tunnel:897: received FCT data len = 294, data = 'VER=1 FCTVER=7.2.4.0972 UID=95F07503CB724BE083208F97EEB9CF82 IP=192.168.1.11 MAC=00-15-5d-23-a8-4a;00-15-5d-23-a8-5a; HOST=DESKTOP-I14IVVC USER=ipsec OSVER=Microsoft Windows 10 Enterprise Edition, 64-bit (build 19045) REG_STATUS=0 EMSSN=FCTEMS12345 EMSID=00000000000000000000000000000000 ' ike V=root:0:ADC Tunnel:897: received FCT-UID : 123456 ike V=root:0:ADC Tunnel:897: peer identifier IPV4_ADDR 192.168.1.11 ike V=root:0:ADC Tunnel:897: re-validate gw ID ike V=root:0:ADC Tunnel:897: gw validation OK ike V=root:0:ADC Tunnel:897: responder preparing EAP identity request ike 0:ADC Tunnel:897: enc 2700000C01000000C0A8010130000028020000002CC85F24CD85A4D9BBD5130FD954CDE9631E41538971618AC5CA89FFDA271E450000000901B8000501020102 ike 0:ADC Tunnel:897: out FD23616068EA787B8A56F0004EEC7C3D2E2023200000000100000080240000642D7B15B7617F0AAB77FB620A310E31571D63B20BDE4BF92244B54828CCEA823498115B71F5CF9E3A6CE97DDB9C2256805BA9204032A89FF3D43D7772BFF51C427158D5E20A7CCE25EEF29F6B9AFEFCB4ED31E7DFDB6171994083D5F59A0DDF25 ike V=root:0:ADC Tunnel:897: sent IKE msg (AUTH_RESPONSE): 192.168.1.1:4500->192.168.1.11:4500, len=128, vrf=0, id=fd23616068ea787b/8a56f0004eec7c3d:00000001, oif=5 ike V=root:0: comes 192.168.1.11:4500->192.168.1.1:4500,ifindex=5,vrf=0,len=84.... ike V=root:0: IKEv2 exchange=AUTH id=fd23616068ea787b/8a56f0004eec7c3d:00000002 len=80
- After the VPN connection succeeds, ping internal servers located behind the FortiGate from the endpoint to verify that it can access them. Ping should succeed:
ping 192.168.2.4 Pinging 192.168.2.4 with 32 bytes of data: Reply from 192.168.2.4: bytes=32 time=1ms TTL=127 Reply from 192.168.2.4: bytes=32 time<1ms TTL=127 Reply from 192.168.2.4: bytes=32 time=1ms TTL=127 Reply from 192.168.2.4: bytes=32 time<1ms TTL=127 Ping statistics for 192.168.2.4: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 0ms, Maximum = 1ms, Average = 0ms