Creating the branch side of the IPsec VPN

The IPsec VPN configuration is similar to a normal site-to-site VPN configuration. Phase 2 uses wildcard security associations (the default 0.0.0.0/0 selectors, so no src-subnet or dst-subnet is set) because the BGP routes learned over the tunnel, not the phase 2 selectors, decide which traffic is sent through the IPsec tunnel.

  1. Create two Phase 1 configurations, one for each data center. These configurations include:
    • Setting peertype to any
    • Setting remote-gw to the IP address of the data center.

    config vpn ipsec phase1-interface
        edit "vpn_dc1-1"
            set interface "vlan-3000"
            set peertype any
            set proposal aes256-sha256
            set dhgrp 5
            set remote-gw 172.20.10.10
            set psksecret <password>
        next
        edit "vpn_dc1-2"
            set interface "vlan-3001"
            set peertype any
            set proposal aes256-sha256
            set dhgrp 5
            set remote-gw 172.20.11.10
            set psksecret <password>
        next
    end

  2. Create two Phase 2 configurations, one for each data center. These configurations include:
    • Disabling pfs and replay (as in this design; note that replay disable turns off ESP anti-replay checking, and pfs disable means phase 2 keys are not refreshed with a new Diffie-Hellman exchange)
    • Enabling auto-negotiate so the phase 2 SA is brought up and re-keyed without waiting for traffic

    config vpn ipsec phase2-interface
        edit "vpn_dc1-1_p2"
            set phase1name "vpn_dc1-1"
            set proposal aes256-sha256
            set pfs disable
            set replay disable
            set auto-negotiate enable
        next
        edit "vpn_dc1-2_p2"
            set phase1name "vpn_dc1-2"
            set proposal aes256-sha256
            set pfs disable
            set replay disable
            set auto-negotiate enable
        next
    end
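Before pushing the two steps above to a branch FortiGate, it is worth checking the phase 1 and phase 2 blocks against each other: every phase 2 must name an existing phase 1, the placeholder PSK must have been replaced, and the weakened settings (dhgrp 5, pfs disable, replay disable) should be visible in a review. The following script is an added example, not Fortinet's code or part of this cookbook. It parses a FortiOS `config ... edit ... set ... next ... end` dump and reports those points; the sample configuration embedded in it is constructed from the steps above, and the WEAK_DH_GROUPS set and the finding messages are the author's own choices.

```python
"""Lint a FortiOS 'config vpn ipsec phase1-interface / phase2-interface' dump.

Added example (not Fortinet's code): parses the CLI blocks shown in the cookbook
and reports the settings a reviewer would check before pushing the branch config.
"""
import shlex

# Constructed sample: the two cookbook steps, with the PSK still a placeholder.
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "vpn_dc1-1"
        set interface "vlan-3000"
        set peertype any
        set proposal aes256-sha256
        set dhgrp 5
        set remote-gw 172.20.10.10
        set psksecret <password>
    next
    edit "vpn_dc1-2"
        set interface "vlan-3001"
        set peertype any
        set proposal aes256-sha256
        set dhgrp 5
        set remote-gw 172.20.11.10
        set psksecret <password>
    next
end
config vpn ipsec phase2-interface
    edit "vpn_dc1-1_p2"
        set phase1name "vpn_dc1-1"
        set proposal aes256-sha256
        set pfs disable
        set replay disable
        set auto-negotiate enable
    next
    edit "vpn_dc1-2_p2"
        set phase1name "vpn_dc1-2"
        set proposal aes256-sha256
        set pfs disable
        set replay disable
        set auto-negotiate enable
    next
end
"""

# Assumption of this example: MODP groups below 2048 bits (group 14) are flagged.
WEAK_DH_GROUPS = {"1", "2", "5"}


def parse_fortios(text):
    """Return {table: {entry: {key: value}}} for each 'config ... end' table."""
    tables = {}
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # strips the quotes around names and values
        keyword = tokens[0]
        if keyword == "config":
            table = " ".join(tokens[1:])
            tables.setdefault(table, {})
        elif keyword == "edit" and table is not None:
            entry = tokens[1]
            tables[table].setdefault(entry, {})
        elif keyword == "set" and entry is not None:
            tables[table][entry][tokens[1]] = " ".join(tokens[2:])
        elif keyword == "next":
            entry = None
        elif keyword == "end":
            table = entry = None
    return tables


def lint_ipsec(tables):
    """Return a sorted list of (entry, finding) pairs for the reviewer."""
    phase1 = tables.get("vpn ipsec phase1-interface", {})
    phase2 = tables.get("vpn ipsec phase2-interface", {})
    findings, referenced = [], set()
    for name, s in phase2.items():
        parent = s.get("phase1name")
        referenced.add(parent)
        if parent not in phase1:
            findings.append((name, f"phase1name {parent!r} matches no phase1-interface"))
        if "src-subnet" in s or "dst-subnet" in s:
            findings.append((name, "explicit selectors set; the design relies on wildcard 0.0.0.0/0"))
        if s.get("replay") == "disable":
            findings.append((name, "replay disable: ESP anti-replay checking is off"))
        if s.get("pfs") == "disable":
            findings.append((name, "pfs disable: phase 2 keys not refreshed with a new DH exchange"))
    for name, s in phase1.items():
        if "remote-gw" not in s:
            findings.append((name, "remote-gw missing: the data center IP must be set"))
        psk = s.get("psksecret", "")
        if not psk or psk.startswith("<"):
            findings.append((name, "psksecret is missing or still a placeholder"))
        weak = sorted(set(s.get("dhgrp", "").split()) & WEAK_DH_GROUPS)
        if weak:
            findings.append((name, f"dhgrp {' '.join(weak)}: below 2048-bit MODP (group 14)"))
        if name not in referenced:
            findings.append((name, "no phase2-interface references this phase 1"))
    return sorted(findings)


def lint_text(text):
    """Parse and lint a FortiOS dump in one call."""
    return lint_ipsec(parse_fortios(text))


if __name__ == "__main__":
    for entry, finding in lint_text(SAMPLE_CONFIG):
        print(f"{entry}: {finding}")
```

Run against the sample it reports the placeholder PSK and dhgrp 5 on both phase 1 entries and the disabled PFS and anti-replay on both phase 2 entries; pointing `lint_text` at the output of `show vpn ipsec phase1-interface` and `show vpn ipsec phase2-interface` from a real unit checks the same things on the deployed config.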
