FortiGate-6000 Handbook

Adding source and destination subnets to IPsec VPN phase 2 configurations

If your FortiGate-6000 configuration includes IPsec VPNs, you should enhance your IPsec VPN Phase 2 configurations as described in this section. Because the FortiGate-6000 only allows 16-bit to 32-bit routes, you must add one or more destination subnets to each IPsec VPN phase 2 configuration on the FortiGate-6000, using the following command:

config vpn ipsec phase2-interface
    edit "to_fgt2"
        set phase1name <name>
        set src-subnet <IP> <netmask>
        set dst-subnet <IP> <netmask>
end

Where:

src-subnet is the subnet protected by the FortiGate-6000 that you are configuring and from which users connect to the destination subnet. Configuring the source subnet is optional but recommended.

dst-subnet is the destination subnet behind the remote IPsec VPN endpoint. Configuring the destination subnet is required.

Example basic IPsec VPN Phase 2 configuration

In a simple configuration, such as the one below with an IPsec VPN between two subnets, you can add the subnets directly to the phase 2 configuration.

Enter the following command to add the source and destination subnets to the FortiGate-6000 IPsec VPN Phase 2 configuration.

config vpn ipsec phase2-interface
    edit "to_fgt2"
        set phase1name "to_fgt2"
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet 172.16.2.0 255.255.255.0
end

Example multiple subnet IPsec VPN Phase 2 configuration

In a more complex configuration, such as the one below with a total of 5 subnets, you still need to add all of the subnets to the Phase 2 configuration. In this case you can create a firewall address for each subnet, add the addresses to address groups, and add the address groups to the Phase 2 configuration.

Enter the following commands to create firewall addresses for each subnet.

config firewall address
    edit "local_subnet_1"
        set subnet 4.2.1.0 255.255.255.0
    next
    edit "local_subnet_2"
        set subnet 4.2.2.0 255.255.255.0
    next
    edit "remote_subnet_3"
        set subnet 4.2.3.0 255.255.255.0
    next
    edit "remote_subnet_4"
        set subnet 4.2.4.0 255.255.255.0
    next
    edit "remote_subnet_5"
        set subnet 4.2.5.0 255.255.255.0
end

Then put the five firewall addresses into two firewall address groups.

config firewall addrgrp
    edit "local_group"
        set member "local_subnet_1" "local_subnet_2"
    next
    edit "remote_group"
        set member "remote_subnet_3" "remote_subnet_4" "remote_subnet_5"
end

Now, use the firewall address groups in the Phase 2 configuration:

config vpn ipsec phase2-interface
    edit "to-fgt2"
        set phase1name "to-fgt2"
        set src-addr-type name
        set dst-addr-type name
        set src-name "local_group"
        set dst-name "remote_group"
end
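The following Python script is an added example and is not part of the handbook or of FortiOS. It covers both procedures above: it checks every subnet against the 16-bit to 32-bit route limit stated at the top of this section before anything is pushed to the unit, and then emits the CLI for either the basic single-subnet phase 2 configuration or the multiple-subnet version with firewall addresses and address groups. The function names (is_routable, check_subnet, phase2_basic, phase2_groups) and the object-naming scheme are assumptions of this example; the FortiOS commands it prints are the ones shown on this page.

```python
import ipaddress
from typing import List

# Constraint stated in this section of the handbook: the FortiGate-6000
# only allows routes with prefix lengths from 16 to 32 bits.
MIN_PREFIX = 16
MAX_PREFIX = 32


def is_routable(cidr: str) -> bool:
    """True if the subnet is a valid IPv4 network with a /16 to /32 prefix."""
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # strict: reject host bits set
    except ValueError:
        return False
    return isinstance(net, ipaddress.IPv4Network) and MIN_PREFIX <= net.prefixlen <= MAX_PREFIX


def check_subnet(cidr: str) -> ipaddress.IPv4Network:
    """Parse a subnet, refusing anything the FortiGate-6000 cannot route."""
    if not is_routable(cidr):
        raise ValueError(f"{cidr}: not an IPv4 subnet with a /{MIN_PREFIX}-/{MAX_PREFIX} prefix")
    return ipaddress.ip_network(cidr, strict=True)


def phase2_basic(name: str, src: str, dst: str) -> str:
    """Basic example: one source subnet and one destination subnet in the phase 2."""
    s, d = check_subnet(src), check_subnet(dst)
    return "\n".join([
        "config vpn ipsec phase2-interface",
        f'    edit "{name}"',
        f'        set phase1name "{name}"',
        f"        set src-subnet {s.network_address} {s.netmask}",
        f"        set dst-subnet {d.network_address} {d.netmask}",
        "    next",
        "end",
    ])


def phase2_groups(name: str, local: List[str], remote: List[str]) -> str:
    """Multiple-subnet example: firewall addresses -> address groups -> phase 2.

    The destination side is required; the source side is optional, so an empty
    local list simply leaves the src-addr-type/src-name lines out.
    """
    if not remote:
        raise ValueError("at least one destination subnet is required")
    local_nets = [check_subnet(c) for c in local]
    remote_nets = [check_subnet(c) for c in remote]
    # Naming scheme (assumed, mirrors the handbook's example): local_subnet_1..N,
    # then remote_subnet_N+1.. continuing the count.
    local_names = [f"local_subnet_{i}" for i in range(1, len(local_nets) + 1)]
    offset = len(local_nets)
    remote_names = [f"remote_subnet_{offset + i}" for i in range(1, len(remote_nets) + 1)]

    out = ["config firewall address"]
    for n, net in zip(local_names + remote_names, local_nets + remote_nets):
        out += [f'    edit "{n}"',
                f"        set subnet {net.network_address} {net.netmask}",
                "    next"]
    out.append("end")

    out.append("config firewall addrgrp")
    if local_names:
        out += ['    edit "local_group"',
                "        set member " + " ".join(f'"{n}"' for n in local_names),
                "    next"]
    out += ['    edit "remote_group"',
            "        set member " + " ".join(f'"{n}"' for n in remote_names),
            "    next",
            "end"]

    out += ["config vpn ipsec phase2-interface",
            f'    edit "{name}"',
            f'        set phase1name "{name}"']
    if local_names:
        out += ["        set src-addr-type name", '        set src-name "local_group"']
    out += ["        set dst-addr-type name", '        set dst-name "remote_group"',
            "    next",
            "end"]
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed inputs taken from the two examples on this page.
    print(phase2_basic("to_fgt2", "172.16.1.0/24", "172.16.2.0/24"))
    print()
    print(phase2_groups("to-fgt2",
                        ["4.2.1.0/24", "4.2.2.0/24"],
                        ["4.2.3.0/24", "4.2.4.0/24", "4.2.5.0/24"]))
```

Run the script and paste its output into the FortiGate-6000 CLI (or a configuration-management pipeline). A subnet such as 10.0.0.0/8 is rejected before any CLI is produced, which is the failure the route limit would otherwise surface only after the tunnel is up and traffic for that prefix is not forwarded.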
