
FortiGate-6000 Handbook

Example FortiGate 6000F IPsec VPN VRF configuration


The following shows the basics of how to set up a VRF configuration that allows traffic between two IPsec VPN interfaces with different VRFs on a FortiGate 6000F. To support this configuration, both IPsec tunnels must terminate on the same FPC (in this example, the FPC in slot 5).

1. Create two VLAN interfaces:

config system interface
    edit "v0031"
        set vdom "vrf1"
        set vrf 10
        set ip <ip-address>
        set interface "port1"
        set vlanid 31
    next
    edit "v0032"
        set vdom "vrf1"
        set vrf 11
        set ip <ip-address>
        set interface "port2"
        set vlanid 32
    next
end

2. Create two phase1-interface tunnels. Add each tunnel to one of the VLAN interfaces created in step 1. The ipsec-tunnel-slot setting for both is FPC5.

config vpn ipsec phase1-interface
    edit "p1-v31"
        set interface "v0031"
        set local-gw <ip-address>
        set peertype any
        set proposal 3des-sha256
        set remote-gw <ip-address>
        set psksecret <psk>
        set ipsec-tunnel-slot FPC5
    next
    edit "p1-v32"
        set interface "v0032"
        set local-gw <ip-address>
        set peertype any
        set proposal 3des-sha256
        set remote-gw <ip-address>
        set psksecret <psk>
        set ipsec-tunnel-slot FPC5
end

3. Edit each IPsec VPN interface and set the VRF ID for each one:

config system interface
    edit "p1-v31"
        set vdom "vrf1"
        set vrf 10
        set type tunnel
        set interface "v0031"
    next
    edit "p1-v32"
        set vdom "vrf1"
        set vrf 11
        set type tunnel
        set interface "v0032"
end
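
A pre-deployment check for the steps above, added here as an example and not part of the Fortinet handbook: it parses pasted CLI text and reports phase-1 tunnels that are not pinned to one FPC, tunnel interfaces with no VRF ID, and 3DES proposals. The function names and the sample text are assumptions, and the 3DES check goes beyond what the handbook states.

```python
from collections import defaultdict

# Constructed sample, trimmed to the settings the checks read.
SAMPLE = """
config vpn ipsec phase1-interface
edit "p1-v31"
set proposal 3des-sha256
set ipsec-tunnel-slot FPC5
next
edit "p1-v32"
set proposal 3des-sha256
set ipsec-tunnel-slot FPC5
end
config system interface
edit "p1-v31"
set vrf 10
next
edit "p1-v32"
set vrf 11
end
"""

def parse(text):
    """Return {section: {entry: {key: value}}} for flat config/edit/set blocks."""
    cfg, section, entry = defaultdict(lambda: defaultdict(dict)), None, None
    for line in text.splitlines():
        words = line.replace('"', "").split()  # names here contain no spaces
        if words[:1] == ["config"]:
            section = " ".join(words[1:])  # a repeated section merges into one
        elif words[:1] == ["edit"] and len(words) > 1:
            entry = words[1]
        elif words[:1] == ["set"] and len(words) > 1:
            cfg[section][entry][words[1]] = " ".join(words[2:])
    return cfg

def audit(text):
    cfg = parse(text)
    tunnels, ifaces = cfg["vpn ipsec phase1-interface"], cfg["system interface"]
    slots = {name: t.get("ipsec-tunnel-slot") for name, t in tunnels.items()}
    findings = []
    if None in slots.values() or len(set(slots.values())) > 1:
        findings.append(f"tunnels not pinned to one FPC: {slots}")
    for name, t in tunnels.items():
        if "3des" in t.get("proposal", ""):  # legacy cipher, 64-bit block size
            findings.append(f"{name}: 3DES in proposal")
        if "vrf" not in ifaces[name]:  # step 3 not applied to this tunnel
            findings.append(f"{name}: no VRF set on tunnel interface")
    return findings
```

Running `audit()` on the sample returns only the two 3DES findings, because both tunnels use FPC5 and both tunnel interfaces carry a VRF ID.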
