Configure VPN
VPN configurations include the following operations:
- Configure phase-1 parameters
- Configure phase-2 parameters
- Configure firewall policies
- Configure route
Configure phase-1 parameters
Use the following commands to configure a VPN tunnel.
CLI command | Description |
---|---|
ike-version | Specify the IKE protocol version, 1 or 2. |
keylife | Specify the time (in seconds) to wait before the Phase-1 encryption key expires. The valid range is 20 to 172800. |
proposal | Specify the Phase-1 proposal. |
dhgrp | Select the DH group(s) to offer (the example below sets groups 14 and 5). |
*interface | Specify the local interface the tunnel is bound to (the example below uses lte1). |
type | Select a remote gateway type: static (fixed IP address) or DDNS (dynamic DNS client); see the two categories described below. |
*remote-gw | Specify the IPv4 address of the remote gateway’s external interface. |
*remotegw-ddns | Specify the domain name of the remote gateway, e.g., xyz.DDNS.com. |
authmethod | Select an authentication method: psk (pre-shared key) or signature; see below. |
*psksecret | Specify the pre-shared secret created when configuring the VPN client. |
*certificate | |
*peer | Note: If no peer is set, the peer certificate can still be accepted as long as a CA certificate that can verify the peer certificate exists. |
localid | Specify the local ID. |
peerid | Accept the peer ID. |
add-gw-route | Enable/disable automatically adding a route to the remote gateway. |
dev-id-notification | Enable/disable the Device ID notification for the first IKE message. |
A Phase-1 interface can be of two categories:
- A static remote VPN gateway with a fixed IP address.
- A DDNS remote gateway with a dynamic IP address, functioning as a dynamic DNS client.
A Phase-1 interface supports the following two authentication methods:
- psk (pre-shared key)
- signature
When psk is configured, psksecret must be configured as well. When signature is chosen, the default Fortinet certificates are used for authentication. Signature mode only supports a FortiGate or FortiExtender as the remote gateway.
A tunnel interface is created in the system interface list when an IPsec Phase-1 is successfully created.
Configure phase-2 parameters
Parameter | Description |
---|---|
phase1name | The name of the Phase-1, which determines the options required for Phase-2. |
proposal | Phase-2 proposal. |
pfs | Enable or disable perfect forward secrecy (PFS) for Phase-2 (the example below sets pfs enable). |
dhgrp | Phase-2 DH group. |
keylife-type | Key life type. |
keylifeseconds | Phase-2 key lifetime in seconds. Note: The valid range is 120 to 172800. |
encapsulation | ESP encapsulation mode. |
protocol | Quick mode protocol selector. Note: The valid range is 1 to 255; 0 means all protocols. |
src-addr-type | Local proxy ID type; selects which of the src-* fields below apply (the example below uses name). |
src-subnet | Local proxy ID subnet. Note: This field is only available when |
src-start-ip | Local proxy ID start. Note: This field is only available when |
src-end-ip | Local proxy ID end. Note: This field is only available when |
src-name | Local proxy ID name. Note: This field is only available when |
src-port | Quick mode source port. Note: The valid range is 1 to 65535; 0 means all ports. |
dst-addr-type | Remote proxy ID type; selects which of the dst-* fields below apply (the example below uses name). |
dst-subnet | Remote proxy ID subnet. Note: This field is only available when |
dst-start-ip | Remote proxy ID start. Note: This field is only available when |
dst-end-ip | Remote proxy ID end. Note: This field is only available when |
dst-name | Remote proxy ID name. Note: This field is only available when |
dst-port | Quick mode destination port. Note: The valid range is 1 to 65535; 0 means all ports. |
Example VPN configuration:
```
FX511FTQ21001262 # config vpn ipsec
FX511FTQ21001262 (ipsec) # show
config vpn ipsec
    config phase1-interface
        edit test511
            set ike-version 2
            set keylife 86400
            set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
            set dhgrp 14 5
            set interface lte1
            set type static
            set remote-gw 166.253.42.217
            set authmethod psk
            set psksecret ******
            set localid
            set peerid
            set add-gw-route disable
            set dev-id-notification disable
        next
    end
    config phase2-interface
        edit test511_p2_1
            set phase1name test511
            set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
            set pfs enable
            set dhgrp 14 5
            set keylife-type seconds
            set keylifeseconds 43200
            set encapsulation tunnel-mode
            set protocol 0
            set src-addr-type name
            set src-name test511_local_subnet_1
            set src-port 0
            set dst-addr-type name
            set dst-name test511_remote_subnet_1
            set dst-port 0
        next
    end
end
FX511FTQ21001262 # config network address
FX511FTQ21001262 (address) # show
config network address
    edit test511_local_subnet_1
        set type ipmask
        set subnet 192.168.180.0/24
    next
    edit test511_remote_subnet_1
        set type ipmask
        set subnet 20.0.0.0/8
    next
end
FX511FTQ21001262 # config firewall policy
FX511FTQ21001262 (policy) # show
config firewall policy
    edit vpn_test511_local
        set srcintf any
        set dstintf test511
        set srcaddr test511_local_subnet_1
        set dnat disable
        set dstaddr test511_remote_subnet_1
        set action accept
        set status enable
        set service ALL
        set nat disable
    next
    edit vpn_test511_remote
        set srcintf test511
        set dstintf any
        set srcaddr test511_remote_subnet_1
        set dnat disable
        set dstaddr test511_local_subnet_1
        set action accept
        set status enable
        set service ALL
        set nat disable
    next
end
FX511FTQ21001262 # config router policy
FX511FTQ21001262 (policy) # show
config router policy
    edit vpn_test511_remote
        set input-device
        set srcaddr test511_local_subnet_1
        set dstaddr test511_remote_subnet_1
        set service ALL
        set target target.test511
        set status enable
        set comment
    next
end
```
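As an added example, not part of this page and not FortiExtender's own tooling: a small Python checker that parses show output in the shape above and reports what a reviewer looks at first, namely legacy algorithms in a Phase-1 or Phase-2 proposal, key lifetimes outside the ranges given in the tables, and a Phase-2 whose phase1name refers to no defined Phase-1. The embedded sample config is constructed, and the set of algorithms treated as legacy is an assumption.

```python
from __future__ import annotations
import re

# Constructed sample in the shape of the page's "show" output; the values are
# assumed for illustration, not captured from a real FortiExtender.
SAMPLE = """\
config phase1-interface
    edit test511
        set keylife 86400
        set proposal aes128-sha256 aes256-sha256 3des-sha1
    next
end
config phase2-interface
    edit test511_p2_1
        set phase1name test511
        set proposal aes128-sha1 aes256-sha256
        set keylifeseconds 60
    next
end
"""

LEGACY = {"3des", "des", "md5", "sha1"}   # assumed list of algorithms worth retiring
RANGES = {"keylife": (20, 172800), "keylifeseconds": (120, 172800)}  # from the tables above

def parse_edits(text: str) -> dict[str, dict[str, list[str]]]:
    """Map each 'edit <name>' block to its 'set <key> <values...>' lines."""
    entries, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*edit (\S+)", line):
            current = entries.setdefault(m.group(1), {})
        elif (m := re.match(r"\s*set (\S+)\s*(.*)", line)) and current is not None:
            current[m.group(1)] = m.group(2).split()
    return entries

def lint(text: str) -> list[str]:
    """Flag legacy proposals, out-of-range lifetimes and a dangling phase1name."""
    entries = parse_edits(text)
    findings = []
    for name, kv in entries.items():
        for prop in kv.get("proposal", []):
            if LEGACY & set(prop.split("-")):   # e.g. "3des-sha1" -> {"3des", "sha1"}
                findings.append(f"{name}: legacy proposal {prop}")
        for key, (lo, hi) in RANGES.items():
            if key in kv and not lo <= int(kv[key][0]) <= hi:
                findings.append(f"{name}: {key} {kv[key][0]} outside {lo}-{hi}")
        for ref in kv.get("phase1name", []):
            if ref not in entries:
                findings.append(f"{name}: phase1name {ref} is not a defined phase-1")
    return findings
```

Run lint() over the captured show output of both the phase1-interface and phase2-interface tables in one string so the phase1name reference check has both sides.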
Configure firewall policies
You must define two ACCEPT firewall policies to permit communications between the source and destination addresses.
```
config firewall policy
    edit to_remote
        set srcaddr <The address name for the private network behind this FortiExtender unit>
        set dstaddr <The address name that you defined for the private network behind the remote peer>
        set service ALL
        set nat disable
        set srcintf <The interface that connects to the private network behind this FortiExtender unit>
        set dstintf <The VPN Tunnel (IPsec Interface)>
        set status enable
    next
    edit from_remote
        set srcaddr <The address name that you defined for the private network behind the remote peer>
        set dstaddr <The address name for the private network behind this FortiExtender unit>
        set service ALL
        set nat disable
        set srcintf <The VPN Tunnel (IPsec Interface)>
        set dstintf <The interface that connects to the private network behind this FortiExtender unit>
        set status enable
    next
end
```