
Admin Guide (Standalone)

Configure VPN

VPN configurations include the following operations:

  • Configure phase-1 parameters
  • Configure phase-2 parameters
  • Configure firewall policies
  • Configure route

Configure phase-1 parameters

Use the following commands, entered under config vpn ipsec, config phase1-interface (as in the example below), to configure the Phase-1 (IKE) side of a VPN tunnel.

CLI command

Description

ike-version

Specify the IKE protocol version, 1 or 2.

keylife

Specify the Phase-1 (IKE SA) key lifetime in seconds; the key is renegotiated when it expires. The valid range is 20 to 172800.

proposal

Specify one or more Phase-1 proposals as encryption-hash pairs (for example aes256-sha256); the two gateways must have at least one proposal in common. Avoid 3DES and SHA-1 on new deployments.

dhgrp

Select one or more of the following DH groups (the example sets 14 5):

  • 1
  • 2
  • 5
  • 14

Groups 1, 2 and 5 (768-, 1024- and 1536-bit MODP) are too small for current use; prefer 14 (2048-bit).

*interface

Specify the interface through which the tunnel is established, one of the following:

  • wan
  • eth1/lte1/lte2

type

Select a remote gateway type:

  • static
  • ddns

*remote-gw

Specify the IPv4 address of the remote gateway’s external interface.

*remotegw-ddns

Specify the domain name of the remote gateway, e.g., xyz.DDNS.com.

authmethod

Select an authentication method:

  • psk (pre-shared key)
  • signature

*psksecret

Specify the pre-shared secret. It must match the secret configured on the remote gateway.

*certificate

set certificate <local-cert-name> Specify the name of a locally signed personal certificate. This entry is only available when authmethod is set to signature. You can enter the names of up to four signed personal certificates for the FortiExtender unit. The certificates must already be installed on the FortiExtender before you reference them here.

*peer

set peer <ca-cert-name> Specify the name of the CA certificate that the peer's certificate must be issued by, either directly or through one of its sub-CAs. This entry is only available when authmethod is set to signature. The CA certificate must already be installed on the FortiExtender before you reference it here.

Note: If no peer is set, the peer certificate is still accepted as long as any installed CA certificate can verify it.

localid

Specify the local IKE ID presented to the peer.

peerid

Specify the IKE ID that the peer must present to be accepted.

add-gw-route

Enable/disable automatically adding a route to the remote gateway.

dev-id-notification

Enable/disable the Device ID notification in the first IKE message.

A Phase-1 interface can be of two categories:

  • A static remote VPN gateway with a fixed IP address (type static, addressed with remote-gw).
  • A remote gateway with a dynamic IP address that registers with a dynamic DNS service (type ddns, addressed by domain name with remotegw-ddns).

A Phase-1 interface supports the following two authentication methods:

  • psk (pre-shared key)
  • signature

When psk is selected, psksecret must be configured as well, and the same secret must be configured on the remote gateway. When signature is selected, the unit uses the default Fortinet certificates for authentication (use certificate to select installed local certificates instead). Because any certificate that chains to an installed CA is accepted when peer is unset, set peer (and peerid) so that only the intended gateway can authenticate. Signature mode only supports a FortiGate or FortiExtender as the remote gateway.

A tunnel interface is created in the system interface list when an IPsec Phase-1 is successfully created.

Configure phase-2 parameters

Use the following parameters, entered under config vpn ipsec, config phase2-interface, to define the traffic selectors and ESP settings for the tunnel.

Parameter

Description

phase1name

The name of the Phase-1 interface this Phase-2 belongs to; it determines the options available for Phase-2.

proposal

Phase-2 proposal.

pfs

Select either of the following:

  • enable
  • disable

dhgrp

Phase-2 DH group(s), used for the PFS exchange; the same caveat about groups 1, 2 and 5 as for Phase-1 applies.

keylife-type

Key life type, for example seconds (see keylifeseconds).

keylifeseconds

Phase-2 key life time in seconds.

Note: The valid range is 120 to 172800.

encapsulation

ESP encapsulation mode, for example tunnel-mode.

protocol

Quick mode protocol selector (IP protocol number).

Note: The valid range is 1 to 255; 0 means all protocols.

src-addr-type

Local proxy ID type. Select one of the following:

  • subnet - IPv4 subnet
  • range - IPv4 range
  • ip - IPv4 IP
  • name - IPv4 network address name

src-subnet

Local proxy ID subnet.

Note: This field is only available when src-addr-type is set to subnet.

src-start-ip

Local proxy ID start.

Note: This field is only available when src-addr-type is set to either range or ip.

src-end-ip

Local proxy ID end.

Note: This field is only available when src-addr-type is set to range.

src-name

Local proxy ID name.

Note: This field is only available when src-addr-type is set to name.

src-port

Quick mode source port.

Note: The valid range is 1 to 65535; 0 means any port.

dst-addr-type

Remote proxy ID type. Select one of the following:

  • subnet - IPv4 subnet
  • range - IPv4 range
  • ip - IPv4 IP
  • name - IPv4 network address name

dst-subnet

Remote proxy ID subnet.

Note: This field is only available when dst-addr-type is set to subnet.

dst-start-ip

Remote proxy ID start.

Note: This field is only available when dst-addr-type is set to either range or ip.

dst-end-ip

Remote proxy ID end.

Note: This field is only available when dst-addr-type is set to range.

dst-name

Remote proxy ID name.

Note: This field is only available when dst-addr-type is set to name.

dst-port

Quick mode destination port.

Note: The valid range is 1 to 65535; 0 means any port.

Example VPN configuration:
FX511FTQ21001262 # config vpn ipsec 
FX511FTQ21001262 (ipsec) # show 
config vpn ipsec
    config phase1-interface
        edit test511
            set ike-version 2
            set keylife 86400
            set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
            set dhgrp 14 5
            set interface lte1
            set type static
            set remote-gw 166.253.42.217
            set authmethod psk
            set psksecret ******
            set localid 
            set peerid 
            set add-gw-route disable
            set dev-id-notification disable
        next
    end
    config phase2-interface
        edit test511_p2_1
            set phase1name test511
            set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
            set pfs enable
            set dhgrp 14 5
            set keylife-type seconds
            set keylifeseconds 43200
            set encapsulation tunnel-mode
            set protocol 0
            set src-addr-type name
            set src-name test511_local_subnet_1
            set src-port 0
            set dst-addr-type name
            set dst-name test511_remote_subnet_1
            set dst-port 0
        next
    end
end

FX511FTQ21001262 # config network address 
FX511FTQ21001262 (address) # show 
config network address
    edit test511_local_subnet_1
        set type ipmask
        set subnet 192.168.180.0/24
    next
    edit test511_remote_subnet_1
        set type ipmask
        set subnet 20.0.0.0/8
    next
end
FX511FTQ21001262 # config firewall policy 
FX511FTQ21001262 (policy) # show 
config firewall policy
    edit vpn_test511_local
        set srcintf any
        set dstintf test511
        set srcaddr test511_local_subnet_1
        set dnat disable
        set dstaddr test511_remote_subnet_1
        set action accept
        set status enable
        set service ALL
        set nat disable
    next
    edit vpn_test511_remote
        set srcintf test511
        set dstintf any
        set srcaddr test511_remote_subnet_1
        set dnat disable
        set dstaddr test511_local_subnet_1
        set action accept
        set status enable
        set service ALL
        set nat disable
    next
end
FX511FTQ21001262 # config router policy   
FX511FTQ21001262 (policy) # show 
config router policy
    edit vpn_test511_remote
        set input-device 
        set srcaddr test511_local_subnet_1
        set dstaddr test511_remote_subnet_1
        set service ALL
        set target target.test511
        set status enable
        set comment
    next
end

Configure firewall policies

You must define two ACCEPT firewall policies, one per direction, to permit traffic between the private network behind this FortiExtender and the private network behind the remote peer through the tunnel interface. Keep nat disabled, as in the example, so traffic entering the tunnel keeps the source addresses the Phase-2 selectors expect, and narrow service from ALL to the services the two sites actually need.

config firewall policy
     edit to_remote
         set srcaddr <The address name for the private network behind this FortiExtender unit>
         set dstaddr <The address name that you defined for the private network behind the remote peer>
         set service ALL
         set nat disable
         set srcintf <The interface that connects to the private network behind this FortiExtender unit>
         set dstintf <The VPN Tunnel (IPsec Interface)>
         set status enable
     next
     edit from_remote
         set srcaddr <The address name that you defined for the private network behind the remote peer>
         set dstaddr <The address name for the private network behind this FortiExtender unit>
         set service ALL
         set nat disable
         set srcintf <The VPN Tunnel (IPsec Interface)>
         set dstintf <The interface that connects to the private network behind this FortiExtender unit>
         set status enable
     next
end
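The checks a reviewer would run over the `show` output above can be automated. The following Python script is an added example, not Fortinet code: it parses the config/edit/set/next/end format of the `show` output on this page and reports weak proposals and DH groups, disabled PFS, a psk entry with an empty psksecret, a signature entry with no peer constraint, and a tunnel interface that lacks a firewall policy in one direction. The embedded input is constructed: the page's test511 entries, trimmed, plus a hypothetical signature-authenticated Phase-1 named branch_sig that has no peer and no firewall policies.

```python
"""Audit FortiExtender `show` output for weak IPsec settings (added example,
not Fortinet's code). Parses the config/edit/set/next/end dump format shown on
this page and applies checks a reviewer would run before trusting a tunnel."""

# Constructed sample: the page's test511 entries (trimmed) plus a hypothetical
# signature-authenticated phase-1 "branch_sig" with no `peer` and no policies.
SAMPLE = """\
config vpn ipsec
    config phase1-interface
        edit test511
            set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
            set dhgrp 14 5
            set authmethod psk
            set psksecret ******
        next
        edit branch_sig
            set proposal aes256-sha256
            set authmethod signature
        next
    end
    config phase2-interface
        edit test511_p2_1
            set phase1name test511
            set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
            set pfs enable
            set dhgrp 14 5
        next
    end
end
config firewall policy
    edit vpn_test511_local
        set srcintf any
        set dstintf test511
    next
    edit vpn_test511_remote
        set srcintf test511
        set dstintf any
    next
end
"""

WEAK_ENC = {"des", "3des", "null"}   # encryption algorithms to reject
WEAK_HASH = {"md5", "sha1"}          # integrity/PRF algorithms to reject
WEAK_DH = {"1", "2", "5"}            # MODP groups below 2048 bits


def parse_show(text):
    """config/edit open a nested dict, next/end close it, and `set k v...`
    stores the value list (an empty list for a bare `set key`)."""
    stack = [{}]
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word in ("config", "edit"):
            stack.append(stack[-1].setdefault(rest, {}))
        elif word in ("next", "end"):
            stack.pop()
        elif word == "set":
            key, _, vals = rest.partition(" ")
            stack[-1][key] = vals.split()
    return stack[0]


def check_crypto(label, entry):
    """Flag weak algorithms in a phase-1 or phase-2 proposal/dhgrp list."""
    out = []
    for prop in entry.get("proposal", []):
        enc, _, hsh = prop.partition("-")   # e.g. "3des-sha1" -> "3des", "sha1"
        if enc in WEAK_ENC or hsh in WEAK_HASH:
            out.append(f"{label}: weak proposal {prop}")
    weak = WEAK_DH & set(entry.get("dhgrp", []))
    if weak:
        out.append(f"{label}: weak DH group(s) {' '.join(sorted(weak))}")
    return out


def audit_text(text):
    """Return a list of human-readable findings for one `show` dump."""
    tree = parse_show(text)
    ipsec = tree.get("vpn ipsec", {})
    policies = list(tree.get("firewall policy", {}).values())
    findings = []
    for name, p1 in ipsec.get("phase1-interface", {}).items():
        findings += check_crypto(f"phase1 {name}", p1)
        if p1.get("authmethod") == ["psk"] and not p1.get("psksecret"):
            findings.append(f"phase1 {name}: psk selected but psksecret is empty")
        if p1.get("authmethod") == ["signature"] and not p1.get("peer"):
            findings.append(f"phase1 {name}: signature auth without peer; any "
                            "certificate chaining to an installed CA is accepted")
        # The tunnel interface needs an accept policy in each direction.
        for side in ("dstintf", "srcintf"):
            if not any(pol.get(side) == [name] for pol in policies):
                findings.append(f"phase1 {name}: no firewall policy with {side} {name}")
    for name, p2 in ipsec.get("phase2-interface", {}).items():
        findings += check_crypto(f"phase2 {name}", p2)
        if p2.get("pfs") != ["enable"]:
            findings.append(f"phase2 {name}: pfs not enabled")
    return findings


if __name__ == "__main__":
    for finding in audit_text(SAMPLE):
        print(finding)
```

Run it as-is to see the findings for the sample, or replace SAMPLE with the text of `show` from a unit. The proposal check splits each proposal on its first hyphen into an encryption and a hash name; extend WEAK_ENC and WEAK_HASH to match the algorithm names your firmware offers. On the page's own example the script flags the 3DES and SHA-1 proposals and DH group 5 in both phases, which is exactly what a hardening pass should remove.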