Adding source and destination subnets to IPsec VPN phase 2 configurations
If your FortiGate-6000 configuration includes IPsec VPNs, adjust your IPsec VPN Phase 2 configurations as described in this section. The FortiGate-6000 only allows 16-bit to 32-bit routes (subnet masks from /16 to /32). The default Phase 2 selector of 0.0.0.0 0.0.0.0 does not meet this requirement, so you must add one or more destination subnets to each IPsec VPN phase 2 configuration on the FortiGate-6000 using the following command:
config vpn ipsec phase2-interface
edit <phase2_name>
set phase1name <phase1_name>
set src-subnet <IP> <netmask>
set dst-subnet <IP> <netmask>
end
Where
src-subnet
is the subnet protected by the FortiGate-6000 that you are configuring and from which users connect to the destination subnet. Configuring the source subnet is optional but recommended.
dst-subnet
is the destination subnet behind the remote IPsec VPN endpoint. Configuring the destination subnet is required.
Example basic IPsec VPN Phase 2 configuration
In a simple configuration with an IPsec VPN between a single local subnet and a single remote subnet, you can add the two subnets directly to the phase 2 configuration.
Enter the following command to add the source and destination subnets to the FortiGate-6000 IPsec VPN Phase 2 configuration.
config vpn ipsec phase2-interface
edit "to_fgt2"
set phase1name "to_fgt2"
set src-subnet 172.16.1.0 255.255.255.0
set dst-subnet 172.16.2.0 255.255.255.0
end
Example multiple subnet IPsec VPN Phase 2 configuration
In a more complex configuration, such as one with a total of five subnets (two local and three remote), you still need to add all of the subnets to the Phase 2 configuration. In this case you can create a firewall address for each subnet, add the addresses to address groups, and add the address groups to the Phase 2 configuration.
Enter the following commands to create firewall addresses for each subnet.
config firewall address
edit "local_subnet_1"
set subnet 4.2.1.0 255.255.255.0
next
edit "local_subnet_2"
set subnet 4.2.2.0 255.255.255.0
next
edit "remote_subnet_3"
set subnet 4.2.3.0 255.255.255.0
next
edit "remote_subnet_4"
set subnet 4.2.4.0 255.255.255.0
next
edit "remote_subnet_5"
set subnet 4.2.5.0 255.255.255.0
end
Then put the five firewall addresses into two firewall address groups, one for the local subnets and one for the remote subnets.
config firewall addrgrp
edit "local_group"
set member "local_subnet_1" "local_subnet_2"
next
edit "remote_group"
set member "remote_subnet_3" "remote_subnet_4" "remote_subnet_5"
end
Now, use the firewall address groups in the Phase 2 configuration:
config vpn ipsec phase2-interface
edit "to_fgt2"
set phase1name "to_fgt2"
set src-addr-type name
set dst-addr-type name
set src-name "local_group"
set dst-name "remote_group"
end
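The following script is an added example and is not part of Fortinet's documentation or product. It reads a FortiOS CLI fragment in the form shown above (firewall address, firewall addrgrp and vpn ipsec phase2-interface entries), expands address groups, and flags any Phase 2 selector whose prefix is shorter than /16, including a side that was never set and therefore still carries the 0.0.0.0 0.0.0.0 default. The 16-to-32-bit range is taken from the statement above; the parser only understands the CLI subset used in this section, and the sample configuration is constructed for the example, not captured from a device.

```python
"""Lint FortiOS phase2-interface selectors for the FortiGate-6000 route constraint.

Added example, not Fortinet's code. Assumptions: only the CLI subset used in this
section is parsed (no nested sub-tables); the acceptable prefix range 16..32 comes
from the statement that the FortiGate-6000 only allows 16-bit to 32-bit routes.
"""
import ipaddress
import shlex

MIN_PREFIX, MAX_PREFIX = 16, 32


def parse_fortios(text):
    """Parse 'config / edit / set / next / end' blocks into
    {table: {entry: {key: [values]}}}. Quoted names are unquoted by shlex."""
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts:
            continue
        cmd = parts[0]
        if cmd == "config":
            table = " ".join(parts[1:])
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = parts[1]
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table][entry][parts[1]] = parts[2:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = entry = None
    return tables


def selector_networks(tables, phase2):
    """Return (side, network) pairs for one phase2-interface entry.
    Address groups are expanded; a side that is not set uses the FortiOS
    default selector 0.0.0.0 0.0.0.0."""
    addrs = tables.get("firewall address", {})
    grps = tables.get("firewall addrgrp", {})
    p2 = tables["vpn ipsec phase2-interface"][phase2]
    out = []
    for side in ("src", "dst"):
        addr_type = p2.get(f"{side}-addr-type", ["subnet"])[0]
        if addr_type == "subnet":
            ip, mask = p2.get(f"{side}-subnet", ["0.0.0.0", "0.0.0.0"])
            out.append((side, ipaddress.ip_network(f"{ip}/{mask}", strict=False)))
        elif addr_type == "name":
            name = p2[f"{side}-name"][0]
            # A name may be an address group or a single firewall address.
            members = grps[name]["member"] if name in grps else [name]
            for m in members:
                ip, mask = addrs[m]["subnet"]
                out.append((side, ipaddress.ip_network(f"{ip}/{mask}", strict=False)))
        else:
            raise ValueError(f"{phase2}: unsupported {side}-addr-type {addr_type}")
    return out


def check_phase2(tables, phase2):
    """Return findings for one tunnel; an empty list means all selectors fit."""
    findings = []
    for side, net in selector_networks(tables, phase2):
        if net.prefixlen < MIN_PREFIX:
            findings.append(
                f"{phase2}: {side} selector {net} is /{net.prefixlen}; "
                f"FortiGate-6000 needs /{MIN_PREFIX} to /{MAX_PREFIX}")
    return findings


def check_config(text):
    """Map every phase2-interface name to its list of findings."""
    tables = parse_fortios(text)
    return {name: check_phase2(tables, name)
            for name in tables.get("vpn ipsec phase2-interface", {})}


# Constructed sample (not from a real unit): the address-group tunnel from this
# section, a tunnel whose dst-subnet was never set, and one pointing at a /8.
SAMPLE_CONFIG = """
config firewall address
    edit "local_subnet_1"
        set subnet 4.2.1.0 255.255.255.0
    next
    edit "local_subnet_2"
        set subnet 4.2.2.0 255.255.255.0
    next
    edit "remote_subnet_3"
        set subnet 4.2.3.0 255.255.255.0
    next
    edit "big_remote"
        set subnet 10.0.0.0 255.0.0.0
    next
end
config firewall addrgrp
    edit "local_group"
        set member "local_subnet_1" "local_subnet_2"
    next
    edit "remote_group"
        set member "remote_subnet_3"
    next
end
config vpn ipsec phase2-interface
    edit "to_fgt2"
        set phase1name "to_fgt2"
        set src-addr-type name
        set dst-addr-type name
        set src-name "local_group"
        set dst-name "remote_group"
    next
    edit "to_fgt3"
        set phase1name "to_fgt3"
        set src-subnet 172.16.1.0 255.255.255.0
    next
    edit "to_fgt4"
        set phase1name "to_fgt4"
        set src-addr-type name
        set src-name "local_group"
        set dst-addr-type name
        set dst-name "big_remote"
    next
end
"""

if __name__ == "__main__":
    for tunnel, findings in check_config(SAMPLE_CONFIG).items():
        print(tunnel, "OK" if not findings else "\n  ".join([""] + findings))
```

Run it against a `show vpn ipsec phase2-interface` dump pasted together with the referenced address and address-group tables; any tunnel that reports a /0 finding is still carrying the default selector and needs `set dst-subnet` (or a named address or group) before it will work on the FortiGate-6000.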