Fortinet Document Library

New Features 7.0.0

Dedicated tunnel ID for IPsec tunnels 7.0.1

The IPsec kernel now uses dedicated tunnel IDs as identifiers for each tunnel.

Routes are linked to the tunnels by the tunnel IDs, replacing the need to have a route tree in the IPsec tunnel list for selecting tunnels by next hop when net-device is disabled. Consequently, the tunnel search option in phase1 has been removed, because tunnels are now clearly identified by the tunnel ID and referenced in the routing table.

In general, tunnel IDs are assigned the IP address of the remote gateway. If multiple tunnels use the same gateway IP address, then a random IP address from the subnet 10.0.0.0/8 is assigned.

The IPsec kernel design change has also changed the routing table output, as seen in the following examples:

Example 1: Static site to site VPN with static routing

In this example, two sites are connected by a site-to-site IPsec VPN.

To configure IPsec on the FGT_HQ:
config vpn ipsec phase1-interface
    edit "hq-vpn"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 202.106.2.1
        set psksecret <secret>
    next
end
config vpn ipsec phase2-interface
    edit "hq-vpn"
        set phase1name "hq-vpn"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
config router static
    edit 2
        set dst 192.168.2.0 255.255.255.0
        set device "hq-vpn"
    next
end
To configure IPsec on the FGT_Branch:
config vpn ipsec phase1-interface
    edit "branch-vpn"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 202.106.1.1
        set psksecret <secret>
    next
end
config vpn ipsec phase2-interface
    edit "branch-vpn"
        set phase1name "branch-vpn"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
config router static
    edit 2
        set dst 192.168.1.0 255.255.255.0
        set device "branch-vpn"
    next
end
To compare the debug and routing table output between 7.0.1 and 6.4.7:

7.0.1:

# diagnose vpn ike gateway list

vd: root/0
name: hq-vpn
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 202.106.2.1:500
tun_id: 202.106.2.1
remote_location: 0.0.0.0
created: 740s ago
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 0 d2c4a8cff4cb24ac/5344ca7ec529dbcd
  direction: initiator
  status: established 740-740s ago = 0ms
  proposal: aes128-sha256
  key: c0a6eb7bdae7fd4a-a86ff7a09b8216b0
  lifetime/rekey: 86400/85359
  DPD sent/recv: 0000000c/0000005a

The output lists the tunnel ID that is associated with the remote gateway in the site-to-site IPsec tunnel.

6.4.7:

# diagnose vpn ike gateway list

vd: root/0
name: hq-vpn
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 202.106.2.1:500
created: 1026s ago
IKE SA: created 1/2  established 1/1  time 10/10/10 ms
IPsec SA: created 2/2  established 1/1  time 0/0/0 ms

  id/spi: 3 abf61a9364796569/e4f7a35227b039bd
  direction: responder
  status: established 1001-1001s ago = 10ms
  proposal: aes128-sha256
  key: 85b316cc2242f0ae-95eaf5d3d38ab83c
  lifetime/rekey: 86400/85128
  DPD sent/recv: 00000000/00000031

No tunnel ID is listed.

7.0.1:

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=hq-vpn ver=1 serial=1 202.106.1.1:0->202.106.2.1:0 tun_id=202.106.2.1 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=3 olast=3 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=13
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=hq-vpn proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42185/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42930/43200
  dec: spi=83fc537f esp=aes key=16 be77c39ca8255d551d51a0c2207c40ff
       ah=sha1 key=20 6734e315495cd2399a3eb3b1bf2cbb7fd086b777
  enc: spi=5a32b74b esp=aes key=16 94bd1250fdfdbd32bd4f52f491671f4f
       ah=sha1 key=20 7edc2b28b9b4cb48f2b6e74212bed74a67efb4fb
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
run_tally=0

6.4.7:

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=hq-vpn ver=1 serial=2 202.106.1.1:0->202.106.2.1:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=12 ilast=6 olast=6 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=50
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=hq-vpn proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=41889/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42897/43200
  dec: spi=13721bed esp=aes key=16 2fbf85f8c19ee1699196e2a05fd8dfbf
       ah=sha1 key=20 6910afbf9bea9e72cc0647af9e2f78dfe0312db4
  enc: spi=5a32b74a esp=aes key=16 b52e9ac4ccdf4998d1a7f3c6e4bc7368
       ah=sha1 key=20 6bda8e5e442ddce0214f418e56b2eab5b3517c49
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
run_tally=1

7.0.1:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
C       192.168.1.0/24 is directly connected, port2
S       192.168.2.0/24 [10/0] via hq-vpn tunnel 202.106.2.1
C       202.106.1.0/24 is directly connected, port1

The remote network is routable through the next hop corresponding to the hq-vpn tunnel with tunnel ID 202.106.2.1.

6.4.7:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
C       192.168.1.0/24 is directly connected, port2
S       192.168.2.0/24 [10/0] is directly connected, hq-vpn
C       202.106.1.0/24 is directly connected, port1

The remote network is shown as directly connected.

Note

Although the remote gateway IP address can be used as the tunnel ID, it is not necessarily the actual IP address of the next hop when it appears in the routing table.

Example 2: Static site to site VPN with dynamic routing

In this example, two sites are connected by a site-to-site IPsec VPN and routing is implemented using OSPF.

To configure IPsec on the FGT_HQ:
config vpn ipsec phase1-interface
    edit "hq-vpn"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 202.106.2.1
        set psksecret <secret>
    next
end
config vpn ipsec phase2-interface
    edit "hq-vpn"
        set phase1name "hq-vpn"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
config system interface
    edit "hq-vpn"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 1.1.1.2 255.255.255.0
        set interface "port1"
    next
end
config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "hq-vpn"
            set interface "hq-vpn"
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end
To configure IPsec on the FGT_Branch:
config vpn ipsec phase1-interface
    edit "branch-vpn"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 202.106.1.1
        set psksecret <secret>
    next
end
config vpn ipsec phase2-interface
    edit "branch-vpn"
        set phase1name "branch-vpn"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
config system interface
    edit "branch-vpn"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.0
        set interface "port1"
    next
end
config router ospf
    set router-id 1.1.1.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "branch-vpn"
            set interface "branch-vpn"
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.2.0 255.255.255.0
        next
    end
end
To compare the debug and routing table output between 7.0.1 and 6.4.7:

7.0.1:

# diagnose vpn ike gateway list

vd: root/0
name: hq-vpn
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 202.106.2.1:500
tun_id: 202.106.2.1
remote_location: 0.0.0.0
virtual-interface-addr: 1.1.1.1 -> 1.1.1.2
created: 119s ago
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 0 3ff498dd0a456fc9/9278ce9982a2e19a
  direction: initiator
  status: established 119-119s ago = 0ms
  proposal: aes128-sha256
  key: fafdecf0c15fee4d-0c03b09f437517bd
  lifetime/rekey: 86400/85980
  DPD sent/recv: 00000000/00000000

The output lists the tunnel ID that is associated with the remote gateway in the site-to-site IPsec tunnel.

6.4.7:

# diagnose vpn ike gateway list

vd: root/0
name: hq-vpn
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 202.106.2.1:500
virtual-interface-addr: 1.1.1.1 -> 1.1.1.2
created: 800s ago
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 0 3758c158569e3d79/47b6c55c18b72213
  direction: initiator
  status: established 800-800s ago = 0ms
  proposal: aes128-sha256
  key: 01d2e21717f05a84-434ab868d0ff37db
  lifetime/rekey: 86400/85299
  DPD sent/recv: 00000000/00000000

No tunnel ID is listed.

7.0.1:

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=hq-vpn ver=1 serial=1 202.106.1.1:0->202.106.2.1:0 tun_id=202.106.2.1 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=6 ilast=4 olast=4 ad=/0
stat: rxp=24 txp=28 rxb=3328 txb=1934
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=hq-vpn proto=0 sa=1 ref=6 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42808/0B replaywin=2048
       seqno=1d esn=0 replaywin_lastseq=00000019 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=ffdf028f esp=aes key=16 c7008f0d5592bf0e3471e68d930fe12c
       ah=sha1 key=20 c65b1d158a69c5735ea68e257d4b792aa92c3669
  enc: spi=5a32b750 esp=aes key=16 4c3fb9452d7a7d7c15e139b0327f23ad
       ah=sha1 key=20 c1ad92d290c96393c43e8db9f56b5b35e5835c2b
  dec:pkts/bytes=24/1708, enc:pkts/bytes=28/3808
run_tally=0

6.4.7:

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=hq-vpn ver=1 serial=1 202.106.1.1:0->202.106.2.1:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=17 ilast=5 olast=4 ad=/0
stat: rxp=124 txp=125 rxb=16672 txb=8343
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=hq-vpn proto=0 sa=1 ref=5 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42128/0B replaywin=2048
       seqno=7e esn=0 replaywin_lastseq=0000007d itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=1374fc07 esp=aes key=16 33634bc564af960d809be9e78962dc30
       ah=sha1 key=20 7342c18b7aad274f81c4773bbd8065eb77adf064
  enc: spi=5a32b74f esp=aes key=16 1a6c88078b3efab4e33ba1ae421d1cc4
       ah=sha1 key=20 31621fa9cd466d23ef5a04ec20d896d4b746b2ed
  dec:pkts/bytes=124/8289, enc:pkts/bytes=125/16760
run_tally=1

7.0.1:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
S       1.1.1.0/24 [5/0] via hq-vpn tunnel 202.106.2.1
C       1.1.1.1/32 is directly connected, hq-vpn
C       192.168.1.0/24 is directly connected, port2
O       192.168.2.0/24 [110/101] via hq-vpn tunnel 202.106.2.1, 00:01:23
C       202.106.1.0/24 is directly connected, port1

The remote virtual tunnel interface is one hop away.

The OSPF route has the next hop of the hq-vpn tunnel with tunnel ID 202.106.2.1.

6.4.7:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
C       1.1.1.0/24 is directly connected, hq-vpn
C       1.1.1.1/32 is directly connected, hq-vpn
C       192.168.1.0/24 is directly connected, port2
O       192.168.2.0/24 [110/101] via 1.1.1.2, hq-vpn, 00:09:28
C       202.106.1.0/24 is directly connected, port1

Both the local and remote virtual tunnel interface IP addresses and subnets are directly connected.

The route learned from OSPF has a next hop through the remote virtual tunnel interface IP address, over the hq-vpn tunnel.

In the GUI, go to Dashboard > Network and expand the Routing widget to see the routing table:

7.0.1:

The gateway IP address shows the tunnel ID.

6.4.7:

The next hop is the hq-vpn, and the gateway IP address is the remote IP address 1.1.1.2.

Example 3: Dynamic dial-up VPN with mode-cfg

In this example, the HQ-FGT is the dial-up tunnel server. The remote clients include an endpoint with a public IP address, and two endpoints that are behind NAT.

The clients are connected through FortiClient VPN:

7.0.1:

Client                                          Tunnel name   Assigned IP address
user1 - 10.6.30.221 (NAT’d to 202.106.100.253)  Dia_0         10.212.1.100
user3 - 202.106.200.100                         Dia_1         10.212.1.102
user2 - 10.6.30.222 (NAT’d to 202.106.100.253)  Dia_2         10.212.1.101

6.4.7:

Client                                          Tunnel name   Assigned IP address
user1 - 10.6.30.221 (NAT’d to 202.106.100.253)  Dia_0         10.212.1.100
user2 - 10.6.30.222 (NAT’d to 202.106.100.253)  Dia_1         10.212.1.101
user3 - 202.106.200.100                         Dia_2         10.212.1.102

To configure IPsec on the FGT_HQ:
config vpn ipsec phase1-interface
    edit "Dia"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: Dia (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "Guest-group"
        set ipv4-start-ip 10.212.1.100
        set ipv4-end-ip 10.212.1.200
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "Dia_split"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret <secret>
    next 
end
config vpn ipsec phase2-interface
    edit "Dia"
        set phase1name "Dia"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: Dia (Created by VPN wizard)"
    next
end
To compare the debug and routing table output between 7.0.1 and 6.4.7:

7.0.1:

# diagnose vpn ike gateway list

vd: root/0
name: Dia_0
version: 1
interface: port1 3
addr: 202.106.1.1:4500 -> 202.106.100.253:4500
tun_id: 202.106.100.253
remote_location: 0.0.0.0
created: 373s ago
xauth-user: user1
2FA: no
FortiClient UID: D09AAEEE825945DBA3D41F89D1016AA3
assigned IPv4 address: 10.212.1.100/255.255.255.0
nat: peer
IKE SA: created 1/1  established 1/1  time 110/110/110 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

…
vd: root/0
name: Dia_1
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 202.106.200.100:500
tun_id: 202.106.200.100
remote_location: 0.0.0.0
created: 342s ago
xauth-user: user3
2FA: no
FortiClient UID: 5911723955D74B86879F4F0EBB254082
assigned IPv4 address: 10.212.1.101/255.255.255.0
IKE SA: created 1/1  established 1/1  time 1220/1220/1220 ms
IPsec SA: created 1/1  established 1/1  time 1700/1700/1700 ms
…
vd: root/0
name: Dia_2
version: 1
interface: port1 3
addr: 202.106.1.1:4500 -> 202.106.100.253:1025
tun_id: 10.0.0.2
remote_location: 0.0.0.0
created: 78s ago
xauth-user: user2
2FA: no
FortiClient UID: 288E34633A3C4716A55C32C42EEF1E0D
assigned IPv4 address: 10.212.1.102/255.255.255.0
nat: peer
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
…

The output lists the tunnel ID that is associated with each dial-up tunnel. When there is a conflict, the FortiGate uses an address from the 10.0.0.0/8 subnet as the tun_id: Dia_2 shares the remote gateway 202.106.100.253 with Dia_0, so it is assigned tun_id 10.0.0.2 instead.

6.4.7:

# diagnose vpn ike gateway list

vd: root/0
name: Dia_1
version: 1
interface: port1 3
addr: 202.106.1.1:4500 -> 202.106.100.253:1024
created: 247s ago
xauth-user: user2
FortiClient UID: 288E34633A3C4716A55C32C42EEF1E0D
assigned IPv4 address: 10.212.1.101/255.255.255.0
nat: peer
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

…
vd: root/0
name: Dia_0
version: 1
interface: port1 3
addr: 202.106.1.1:4500 -> 202.106.100.253:4500
created: 237s ago
xauth-user: user1
FortiClient UID: D09AAEEE825945DBA3D41F89D1016AA3
assigned IPv4 address: 10.212.1.100/255.255.255.0
nat: peer
IKE SA: created 1/1  established 1/1  time 120/120/120 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

…
vd: root/0
name: Dia_2
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 202.106.200.100:500
created: 214s ago
xauth-user: user3
FortiClient UID: 5911723955D74B86879F4F0EBB254082
assigned IPv4 address: 10.212.1.102/255.255.255.0
IKE SA: created 1/1  established 1/1  time 1230/1230/1230 ms
IPsec SA: created 1/1  established 1/1  time 1710/1710/1710 ms
…

No tunnel ID is listed. The route tree is used to look up the tunnel for routing.

7.0.1:

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Dia_0 ver=1 serial=2 202.106.1.1:4500->202.106.100.253:4500 tun_id=202.106.100.253 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/896 options[0380]=rgwy-chg rport-chg frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
parent=Dia index=0
…
------------------------------------------------------
name=Dia_1 ver=1 serial=3 202.106.1.1:0->202.106.200.100:0 tun_id=202.106.200.100 dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/640 options[0280]=rgwy-chg frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
parent=Dia index=1
…
------------------------------------------------------
name=Dia_2 ver=1 serial=4 202.106.1.1:4500->202.106.100.253:1025 tun_id=10.0.0.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/896 options[0380]=rgwy-chg rport-chg frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
parent=Dia index=2
…
------------------------------------------------------
name=Dia ver=1 serial=1 202.106.1.1:0->0.0.0.0:0 tun_id=10.0.0.1 dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc  accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=3 refcnt=5 ilast=560 olast=560 ad=/0
stat: rxp=667 txp=88 rxb=804272 txb=740428
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0

6.4.7:

# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Dia ver=1 serial=1 202.106.1.1:0->0.0.0.0:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc  accept_traffic=1 overlay_id=0

proxyid_num=0 child_num=3 refcnt=18 ilast=981 olast=981 ad=/0
stat: rxp=2639 txp=353 rxb=3378568 txb=3147348
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=3
ipv4 route tree:
10.212.1.100->10.212.1.100 0
10.212.1.101->10.212.1.101 1
10.212.1.102->10.212.1.102 2
------------------------------------------------------
name=Dia_0 ver=1 serial=5 202.106.1.1:4500->202.106.100.253:4500 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/896 options[0380]=rgwy-chg rport-chg frag-rfc  run_state=1 accept_traffic=1 overlay_id=0
parent=Dia index=0

…
------------------------------------------------------
name=Dia_1 ver=1 serial=4 202.106.1.1:4500->202.106.100.253:1024 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/896 options[0380]=rgwy-chg rport-chg frag-rfc  run_state=1 accept_traffic=1 overlay_id=0
parent=Dia index=1

…
------------------------------------------------------
name=Dia_2 ver=1 serial=6 202.106.1.1:0->202.106.200.100:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/640 options[0280]=rgwy-chg frag-rfc  run_state=1 accept_traffic=1 overlay_id=0
parent=Dia index=2

7.0.1:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
S       10.212.1.100/32 [15/0] via Dia tunnel 202.106.100.253
S       10.212.1.101/32 [15/0] via Dia tunnel 202.106.200.100
S       10.212.1.102/32 [15/0] via Dia tunnel 10.0.0.2
C       192.168.1.0/24 is directly connected, port2
C       202.106.1.0/24 is directly connected, port1

The parent tunnel and tunnel ID are shown as the next hop, which uniquely identifies the tunnel that is being referenced.

6.4.7:

# get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
S       10.212.1.100/32 [15/0] via 202.106.100.253, Dia
S       10.212.1.101/32 [15/0] via 202.106.100.253, Dia
S       10.212.1.102/32 [15/0] via 202.106.200.100, Dia
C       192.168.1.0/24 is directly connected, port2
C       202.106.1.0/24 is directly connected, port1

The remote IP address and parent tunnel are shown as the next hop, but when two devices are behind NAT, the actual tunnel must be matched by looking up the route tree.

In the GUI, go to Dashboard > Network and expand the Routing widget to see the routing table:

7.0.1:

The gateway IP address shows the tunnel ID.

6.4.7:

The next hop is Dia, and the gateway IP address is the remote IP address.
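The ambiguity that the dedicated tunnel ID removes can be checked by correlating the two outputs of Example 3. The following Python script is an added example, not Fortinet code or FortiOS output: it parses an abridged 7.0.1 gateway list (a sample constructed from the Dia_0, Dia_1 and Dia_2 entries above) and the three /32 client routes in both the 7.0.1 and the 6.4.7 format, flags a tun_id drawn from 10.0.0.0/8 as the fallback for a shared remote gateway, and shows that a 7.0.1 next hop resolves to exactly one tunnel instance while a 6.4.7 remote-gateway next hop resolves to every instance behind that NAT address. The 6.4.7 lookup is run against the same three 7.0.1 entries for illustration only; all function and field names are the example's own.

```python
"""Correlate FortiOS 7.0.1 tunnel IDs with routing-table next hops.
Added example, not Fortinet code; it parses the output formats shown on this
page (gateway list, and routes in the 7.0.1 "via Dia tunnel <tun_id>" and the
6.4.7 "via <remote-gw>, Dia" forms). Samples are constructed from Example 3."""
import ipaddress
import re
from collections import defaultdict

FALLBACK_NET = ipaddress.ip_network("10.0.0.0/8")  # used when the remote gw is taken
# Constructed sample: abridged "diagnose vpn ike gateway list" (7.0.1), Example 3.
GATEWAY_LIST_701 = """\
name: Dia_0
addr: 202.106.1.1:4500 -> 202.106.100.253:4500
tun_id: 202.106.100.253
xauth-user: user1
assigned IPv4 address: 10.212.1.100/255.255.255.0

name: Dia_1
addr: 202.106.1.1:500 -> 202.106.200.100:500
tun_id: 202.106.200.100
xauth-user: user3
assigned IPv4 address: 10.212.1.101/255.255.255.0

name: Dia_2
addr: 202.106.1.1:4500 -> 202.106.100.253:1025
tun_id: 10.0.0.2
xauth-user: user2
assigned IPv4 address: 10.212.1.102/255.255.255.0
"""
# Constructed samples: the three /32 client routes in both output formats.
ROUTES_701 = """\
S       10.212.1.100/32 [15/0] via Dia tunnel 202.106.100.253
S       10.212.1.101/32 [15/0] via Dia tunnel 202.106.200.100
S       10.212.1.102/32 [15/0] via Dia tunnel 10.0.0.2
"""
ROUTES_647 = """\
S       10.212.1.100/32 [15/0] via 202.106.100.253, Dia
S       10.212.1.101/32 [15/0] via 202.106.100.253, Dia
S       10.212.1.102/32 [15/0] via 202.106.200.100, Dia
"""
# The next-hop field stops at a comma so OSPF lines ("... tunnel 202.106.2.1, 00:01:23") parse too.
ROUTE_701 = re.compile(r"^\S+\s+(?P<prefix>\S+)\s+\[[^\]]*\]\s+via\s+"
                       r"(?P<parent>\S+)\s+tunnel\s+(?P<tun_id>[^,\s]+)")
ROUTE_647 = re.compile(r"^\S+\s+(?P<prefix>\S+)\s+\[[^\]]*\]\s+via\s+"
                       r"(?P<gw>[^,\s]+),\s+(?P<parent>\S+)")


def parse_gateways(text):
    """One dict per gateway-list entry (field name -> value), plus 'remote_gw'
    taken from the right-hand side of the 'addr' line."""
    gateways = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        if "name" in entry:
            remote = entry["addr"].split("->")[1].strip()   # "ip:port"
            entry["remote_gw"] = remote.rsplit(":", 1)[0]
            gateways.append(entry)
    return gateways


def tun_id_is_fallback(gw):
    """True when the remote gateway was already used as another tunnel's
    tun_id, so this tunnel received a 10.0.0.0/8 address instead."""
    return (gw["tun_id"] != gw["remote_gw"]
            and ipaddress.ip_address(gw["tun_id"]) in FALLBACK_NET)


def resolve_routes_701(routes_text, gateways):
    """prefix -> (tunnel instance, xauth user). A tun_id names exactly one
    tunnel, so every route resolves to a single instance."""
    by_tun_id = {gw["tun_id"]: gw for gw in gateways}
    resolved = {}
    for line in routes_text.splitlines():
        m = ROUTE_701.match(line)
        if m:
            gw = by_tun_id.get(m["tun_id"])
            resolved[m["prefix"]] = (gw["name"], gw["xauth-user"]) if gw else None
    return resolved


def resolve_routes_647(routes_text, gateways):
    """prefix -> candidate instances whose remote gateway equals the next hop.
    Two clients behind one NAT address give two candidates (the ambiguity the
    6.4.7 route tree had to resolve)."""
    by_remote_gw = defaultdict(list)
    for gw in gateways:
        by_remote_gw[gw["remote_gw"]].append(gw["name"])
    resolved = {}
    for line in routes_text.splitlines():
        m = ROUTE_647.match(line)
        if m:
            resolved[m["prefix"]] = sorted(by_remote_gw.get(m["gw"], []))
    return resolved


if __name__ == "__main__":
    gws = parse_gateways(GATEWAY_LIST_701)
    for gw in gws:
        print(gw["name"], gw["tun_id"], "fallback" if tun_id_is_fallback(gw) else "remote-gw")
    print(resolve_routes_701(ROUTES_701, gws))
    print(resolve_routes_647(ROUTES_647, gws))
```

Run against the real device output, the same join between `tun_id` in the gateway list and the `tunnel <tun_id>` next hop in the routing table is what lets an operator (or a log-correlation rule) attribute a route, and the traffic it carries, to one specific dial-up instance and xauth user; the 6.4.7 form only narrows it to the set of clients behind the same public address.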

Dedicated tunnel ID for IPsec tunnels 7.0.1

The IPsec kernel now uses dedicated tunnel IDs as identifiers for each tunnel.

Routes are linked to the tunnels by the tunnel IDs, replacing the need to have a route tree in the IPsec tunnel list for selecting tunnels by next hop when net-device is disabled. Consequently, the tunnel search option in phase1 removed, because tunnels are now clearly identified by the tunnel ID and referenced in the routing table.

In general, tunnel IDs are assigned the IP address of the remote gateway. If multiple tunnels use the same gateway IP address, then a random IP address from the subnet 10.0.0.0/8 is assigned.

The IPsec kernel design change has also changed the routing table output, as seen in the following examples:

Example 1: Static site to site VPN with static routing

In this example, two sites are connected by a site-to-site IPsec VPN.

To configure IPsec on the FGT_HQ:
config vpn ipsec phase1-interface
    edit "hq-vpn"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 202.106.2.1
        set psksecret <secret>
    next
end
config vpn ipsec phase2-interface
    edit "hq-vpn"
        set phase1name "hq-vpn"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
config router static
    edit 2
        set dst 192.168.2.0 255.255.255.0
        set device "hq-vpn"
    next
end
To configure IPsec on the FGT_Branch:
config vpn ipsec phase1-interface
    edit "branch-vpn"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 202.106.1.1
        set psksecret <secret>
    next
end
config vpn ipsec phase2-interface
    edit "branch-vpn"
        set phase1name "branch-vpn"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
config router static
    edit 2
        set dst 192.168.1.0 255.255.255.0
        set device "branch-vpn"
    next
end
To compare the debug and routing table output between 7.0.1 and 6.4.7:

7.0.1

6.4.7

# diagnose vpn ike gateway list 

vd: root/0
name: hq-vpn
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 202.106.2.1:500
tun_id: 202.106.2.1
remote_location: 0.0.0.0
created: 740s ago
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 0 d2c4a8cff4cb24ac/5344ca7ec529dbcd
  direction: initiator
  status: established 740-740s ago = 0ms
  proposal: aes128-sha256
  key: c0a6eb7bdae7fd4a-a86ff7a09b8216b0
  lifetime/rekey: 86400/85359
  DPD sent/recv: 0000000c/0000005a

The output lists the tunnel ID that is associated with the remote gateway in the site-to-site IPsec tunnel.

# diagnose vpn ike gateway list 

vd: root/0
name: hq-vpn
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 202.106.2.1:500
created: 1026s ago
IKE SA: created 1/2  established 1/1  time 10/10/10 ms
IPsec SA: created 2/2  established 1/1  time 0/0/0 ms

  id/spi: 3 abf61a9364796569/e4f7a35227b039bd
  direction: responder
  status: established 1001-1001s ago = 10ms
  proposal: aes128-sha256
  key: 85b316cc2242f0ae-95eaf5d3d38ab83c
  lifetime/rekey: 86400/85128
  DPD sent/recv: 00000000/00000031

No tunnel ID is listed.

# diagnose vpn tunnel list 
list all ipsec tunnel in vd 0
------------------------------------------------------
name=hq-vpn ver=1 serial=1 202.106.1.1:0->202.106.2.1:0 tun_id=202.106.2.1 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=3 olast=3 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=13
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=hq-vpn proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42185/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42930/43200
  dec: spi=83fc537f esp=aes key=16 be77c39ca8255d551d51a0c2207c40ff
       ah=sha1 key=20 6734e315495cd2399a3eb3b1bf2cbb7fd086b777
  enc: spi=5a32b74b esp=aes key=16 94bd1250fdfdbd32bd4f52f491671f4f
       ah=sha1 key=20 7edc2b28b9b4cb48f2b6e74212bed74a67efb4fb
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
run_tally=0
# diagnose vpn tunnel list 
list all ipsec tunnel in vd 0
------------------------------------------------------
name=hq-vpn ver=1 serial=2 202.106.1.1:0->202.106.2.1:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=12 ilast=6 olast=6 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=50
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=hq-vpn proto=0 sa=1 ref=2 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=41889/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42897/43200
  dec: spi=13721bed esp=aes key=16 2fbf85f8c19ee1699196e2a05fd8dfbf
       ah=sha1 key=20 6910afbf9bea9e72cc0647af9e2f78dfe0312db4
  enc: spi=5a32b74a esp=aes key=16 b52e9ac4ccdf4998d1a7f3c6e4bc7368
       ah=sha1 key=20 6bda8e5e442ddce0214f418e56b2eab5b3517c49
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
run_tally=1
# get router info routing-table  all 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
C       192.168.1.0/24 is directly connected, port2
S       192.168.2.0/24 [10/0] via hq-vpn tunnel 202.106.2.1
C       202.106.1.0/24 is directly connected, port1

The remote network is routable through the next hop corresponding to the hq-vpn tunnel with tunnel ID 202.106.2.1.

# get router info routing-table  all 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
C       192.168.1.0/24 is directly connected, port2
S       192.168.2.0/24 [10/0] is directly connected, hq-vpn
C       202.106.1.0/24 is directly connected, port1

The remote network is shown as directly connected.

Note

Although the remote gateway can be used as the tunnel ID, it does not equate to the actual IP of the next hop when it appears in the routing table.

Example 2: Static site to site VPN with dynamic routing

In this example, two sites are connected by a site-to-site IPsec VPN and routing is implemented using OSPF.

To configure IPsec on the FGT_HQ:
config vpn ipsec phase1-interface
    edit "hq-vpn"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 202.106.2.1
        set psksecret <secret>
    next
end
config vpn ipsec phase2-interface
    edit "hq-vpn"
        set phase1name "hq-vpn"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
config system interface
    edit "hq-vpn"
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 1.1.1.2 255.255.255.0
        set interface "port1"
    next
end
config router ospf
    set router-id 1.1.1.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "hq-vpn"
            set interface "hq-vpn"
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.1.0 255.255.255.0
        next
    end
end
To configure IPsec on the FGT_Branch:
config vpn ipsec phase1-interface
    edit "branch-vpn"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set remote-gw 202.106.1.1
        set psksecret <secret>
    next
end
config vpn ipsec phase2-interface
    edit "branch-vpn"
        set phase1name "branch-vpn"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set auto-negotiate enable
    next
end
config system interface
    edit "branch-vpn"
        set vdom "root"
        set ip 1.1.1.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.0
        set interface "port1"
    next
end
config router ospf
    set router-id 1.1.1.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "branch-vpn"
            set interface "branch-vpn"
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 1
            set prefix 1.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 192.168.2.0 255.255.255.0
        next
    end
end
To compare the debug and routing table output between 7.0.1 and 6.4.7 (for each command, the 7.0.1 output is shown first, followed by the 6.4.7 output):

# diagnose vpn ike gateway  list 

vd: root/0
name: hq-vpn
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 202.106.2.1:500
tun_id: 202.106.2.1
remote_location: 0.0.0.0
virtual-interface-addr: 1.1.1.1 -> 1.1.1.2
created: 119s ago
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 0 3ff498dd0a456fc9/9278ce9982a2e19a
  direction: initiator
  status: established 119-119s ago = 0ms
  proposal: aes128-sha256
  key: fafdecf0c15fee4d-0c03b09f437517bd
  lifetime/rekey: 86400/85980
  DPD sent/recv: 00000000/00000000

The output lists the tunnel ID that is associated with the remote gateway in the site-to-site IPsec tunnel.

# diagnose vpn ike  gateway  list 

vd: root/0
name: hq-vpn
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 202.106.2.1:500
virtual-interface-addr: 1.1.1.1 -> 1.1.1.2
created: 800s ago
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 0 3758c158569e3d79/47b6c55c18b72213
  direction: initiator
  status: established 800-800s ago = 0ms
  proposal: aes128-sha256
  key: 01d2e21717f05a84-434ab868d0ff37db
  lifetime/rekey: 86400/85299
  DPD sent/recv: 00000000/00000000

No tunnel ID is listed.

# diagnose vpn tunnel list 
list all ipsec tunnel in vd 0
------------------------------------------------------
name=hq-vpn ver=1 serial=1 202.106.1.1:0->202.106.2.1:0 tun_id=202.106.2.1 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=6 ilast=4 olast=4 ad=/0
stat: rxp=24 txp=28 rxb=3328 txb=1934
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=hq-vpn proto=0 sa=1 ref=6 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42808/0B replaywin=2048
       seqno=1d esn=0 replaywin_lastseq=00000019 itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=ffdf028f esp=aes key=16 c7008f0d5592bf0e3471e68d930fe12c
       ah=sha1 key=20 c65b1d158a69c5735ea68e257d4b792aa92c3669
  enc: spi=5a32b750 esp=aes key=16 4c3fb9452d7a7d7c15e139b0327f23ad
       ah=sha1 key=20 c1ad92d290c96393c43e8db9f56b5b35e5835c2b
  dec:pkts/bytes=24/1708, enc:pkts/bytes=28/3808
run_tally=0
# diagnose vpn tunnel list 
list all ipsec tunnel in vd 0
------------------------------------------------------
name=hq-vpn ver=1 serial=1 202.106.1.1:0->202.106.2.1:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc  run_state=0 accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=17 ilast=5 olast=4 ad=/0
stat: rxp=124 txp=125 rxb=16672 txb=8343
dpd: mode=on-idle on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=hq-vpn proto=0 sa=1 ref=5 serial=1 auto-negotiate
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=38203 type=00 soft=0 mtu=1438 expire=42128/0B replaywin=2048
       seqno=7e esn=0 replaywin_lastseq=0000007d itn=0 qat=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=1374fc07 esp=aes key=16 33634bc564af960d809be9e78962dc30
       ah=sha1 key=20 7342c18b7aad274f81c4773bbd8065eb77adf064
  enc: spi=5a32b74f esp=aes key=16 1a6c88078b3efab4e33ba1ae421d1cc4
       ah=sha1 key=20 31621fa9cd466d23ef5a04ec20d896d4b746b2ed
  dec:pkts/bytes=124/8289, enc:pkts/bytes=125/16760
run_tally=1
# get router info routing-table  all 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
S       1.1.1.0/24 [5/0] via hq-vpn tunnel 202.106.2.1
C       1.1.1.1/32 is directly connected, hq-vpn
C       192.168.1.0/24 is directly connected, port2
O       192.168.2.0/24 [110/101] via hq-vpn tunnel 202.106.2.1, 00:01:23
C       202.106.1.0/24 is directly connected, port1

The remote virtual tunnel interface is one hop away.

The OSPF route has the next hop of the hq-vpn tunnel with tunnel ID 202.106.2.1.

# get router info routing-table  all 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
C       1.1.1.0/24 is directly connected, hq-vpn
C       1.1.1.1/32 is directly connected, hq-vpn
C       192.168.1.0/24 is directly connected, port2
O       192.168.2.0/24 [110/101] via 1.1.1.2, hq-vpn, 00:09:28
C       202.106.1.0/24 is directly connected, port1

Both the local and remote virtual tunnel interface IP addresses and subnets are directly connected.

The route learned from OSPF has a next hop through the remote virtual tunnel interface IP address, over the hq-vpn tunnel.

In the GUI, go to Dashboard > Network and expand the Routing widget to see the routing table:

7.0.1:

The gateway IP address shows the tunnel ID.

6.4.7:

The next hop is the hq-vpn, and the gateway IP address is the remote IP address 1.1.1.2.

Example 3: Dynamic dial-up VPN with mode-cfg

In this example, the HQ-FGT is the dial-up tunnel server. The remote clients include an endpoint with a public IP address, and two endpoints that are behind NAT.

The clients are connected through FortiClient VPN:

7.0.1

Client                                            Tunnel name    Assigned IP Address
user1 - 10.6.30.221 (NAT’d to 202.106.100.253)    Dia_0          10.212.1.100
user3 - 202.106.200.100                           Dia_1          10.212.1.102
user2 - 10.6.30.222 (NAT’d to 202.106.100.253)    Dia_2          10.212.1.101

6.4.7

Client                                            Tunnel name    Assigned IP Address
user1 - 10.6.30.221 (NAT’d to 202.106.100.253)    Dia_0          10.212.1.100
user2 - 10.6.30.222 (NAT’d to 202.106.100.253)    Dia_1          10.212.1.101
user3 - 202.106.200.100                           Dia_2          10.212.1.102

To configure IPsec on the FGT_HQ:
config vpn ipsec phase1-interface
    edit "Dia"
        set type dynamic
        set interface "port1"
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: Dia (Created by VPN wizard)"
        set wizard-type dialup-forticlient
        set xauthtype auto
        set authusrgrp "Guest-group"
        set ipv4-start-ip 10.212.1.100
        set ipv4-end-ip 10.212.1.200
        set ipv4-netmask 255.255.255.0
        set dns-mode auto
        set ipv4-split-include "Dia_split"
        set save-password enable
        set client-auto-negotiate enable
        set client-keep-alive enable
        set psksecret <secret>
    next 
end
config vpn ipsec phase2-interface
    edit "Dia"
        set phase1name "Dia"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: Dia (Created by VPN wizard)"
    next
end
To compare the debug and routing table output between 7.0.1 and 6.4.7 (for each command, the 7.0.1 output is shown first, followed by the 6.4.7 output):

# diagnose vpn ike gateway  list  

vd: root/0
name: Dia_0
version: 1
interface: port1 3
addr: 202.106.1.1:4500 -> 202.106.100.253:4500
tun_id: 202.106.100.253
remote_location: 0.0.0.0
created: 373s ago
xauth-user: user1
2FA: no
FortiClient UID: D09AAEEE825945DBA3D41F89D1016AA3
assigned IPv4 address: 10.212.1.100/255.255.255.0
nat: peer
IKE SA: created 1/1  established 1/1  time 110/110/110 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

…
vd: root/0
name: Dia_1
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 202.106.200.100:500
tun_id: 202.106.200.100
remote_location: 0.0.0.0
created: 342s ago
xauth-user: user3
2FA: no
FortiClient UID: 5911723955D74B86879F4F0EBB254082
assigned IPv4 address: 10.212.1.101/255.255.255.0
IKE SA: created 1/1  established 1/1  time 1220/1220/1220 ms
IPsec SA: created 1/1  established 1/1  time 1700/1700/1700 ms
…
vd: root/0
name: Dia_2
version: 1
interface: port1 3
addr: 202.106.1.1:4500 -> 202.106.100.253:1025
tun_id: 10.0.0.2
remote_location: 0.0.0.0
created: 78s ago
xauth-user: user2
2FA: no
FortiClient UID: 288E34633A3C4716A55C32C42EEF1E0D
assigned IPv4 address: 10.212.1.102/255.255.255.0
nat: peer
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
…

The output lists the tunnel ID that is associated with each dial-up tunnel. When there is a conflict, the FortiGate uses an address from the 10.0.0.0/8 subnet as the tun_id.

# diagnose vpn ike gateway  list  

vd: root/0
name: Dia_1
version: 1
interface: port1 3
addr: 202.106.1.1:4500 -> 202.106.100.253:1024
created: 247s ago
xauth-user: user2
FortiClient UID: 288E34633A3C4716A55C32C42EEF1E0D
assigned IPv4 address: 10.212.1.101/255.255.255.0
nat: peer
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

…
vd: root/0
name: Dia_0
version: 1
interface: port1 3
addr: 202.106.1.1:4500 -> 202.106.100.253:4500
created: 237s ago
xauth-user: user1
FortiClient UID: D09AAEEE825945DBA3D41F89D1016AA3
assigned IPv4 address: 10.212.1.100/255.255.255.0
nat: peer
IKE SA: created 1/1  established 1/1  time 120/120/120 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

…
vd: root/0
name: Dia_2
version: 1
interface: port1 3
addr: 202.106.1.1:500 -> 202.106.200.100:500
created: 214s ago
xauth-user: user3
FortiClient UID: 5911723955D74B86879F4F0EBB254082
assigned IPv4 address: 10.212.1.102/255.255.255.0
IKE SA: created 1/1  established 1/1  time 1230/1230/1230 ms
IPsec SA: created 1/1  established 1/1  time 1710/1710/1710 ms
…

No tunnel ID is listed. The route tree is used to look up the tunnel for routing.

# diagnose vpn tunnel list 
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Dia_0 ver=1 serial=2 202.106.1.1:4500->202.106.100.253:4500 tun_id=202.106.100.253 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/896 options[0380]=rgwy-chg rport-chg frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
parent=Dia index=0
…
------------------------------------------------------
name=Dia_1 ver=1 serial=3 202.106.1.1:0->202.106.200.100:0 tun_id=202.106.200.100 dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/640 options[0280]=rgwy-chg frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
parent=Dia index=1
…
------------------------------------------------------
name=Dia_2 ver=1 serial=4 202.106.1.1:4500->202.106.100.253:1025 tun_id=10.0.0.2 dst_mtu=1500 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/896 options[0380]=rgwy-chg rport-chg frag-rfc  run_state=0 accept_traffic=1 overlay_id=0
parent=Dia index=2
…
------------------------------------------------------
name=Dia ver=1 serial=1 202.106.1.1:0->0.0.0.0:0 tun_id=10.0.0.1 dst_mtu=0 dpd-link=on remote_location=0.0.0.0 weight=1
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc  accept_traffic=1 overlay_id=0
proxyid_num=0 child_num=3 refcnt=5 ilast=560 olast=560 ad=/0
stat: rxp=667 txp=88 rxb=804272 txb=740428
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=0
# diagnose vpn tunnel  list  
list all ipsec tunnel in vd 0
------------------------------------------------------
name=Dia ver=1 serial=1 202.106.1.1:0->0.0.0.0:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/512 options[0200]=frag-rfc  accept_traffic=1 overlay_id=0

proxyid_num=0 child_num=3 refcnt=18 ilast=981 olast=981 ad=/0
stat: rxp=2639 txp=353 rxb=3378568 txb=3147348
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
run_tally=3
ipv4 route tree:
10.212.1.100->10.212.1.100 0
10.212.1.101->10.212.1.101 1
10.212.1.102->10.212.1.102 2
------------------------------------------------------
name=Dia_0 ver=1 serial=5 202.106.1.1:4500->202.106.100.253:4500 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/896 options[0380]=rgwy-chg rport-chg frag-rfc  run_state=1 accept_traffic=1 overlay_id=0
parent=Dia index=0

…
------------------------------------------------------
name=Dia_1 ver=1 serial=4 202.106.1.1:4500->202.106.100.253:1024 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/896 options[0380]=rgwy-chg rport-chg frag-rfc  run_state=1 accept_traffic=1 overlay_id=0
parent=Dia index=1

…
------------------------------------------------------
name=Dia_2 ver=1 serial=6 202.106.1.1:0->202.106.200.100:0 dst_mtu=0
bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/640 options[0280]=rgwy-chg frag-rfc  run_state=1 accept_traffic=1 overlay_id=0
parent=Dia index=2
# get router info routing-table  all 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
S       10.212.1.100/32 [15/0] via Dia tunnel 202.106.100.253
S       10.212.1.101/32 [15/0] via Dia tunnel 202.106.200.100
S       10.212.1.102/32 [15/0] via Dia tunnel 10.0.0.2
C       192.168.1.0/24 is directly connected, port2
C       202.106.1.0/24 is directly connected, port1

The parent tunnel and tunnel ID are shown as the next hop, which uniquely identifies the tunnel that is being referenced.

# get router info routing-table  all 
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 202.106.1.254, port1
S       10.212.1.100/32 [15/0] via 202.106.100.253, Dia
S       10.212.1.101/32 [15/0] via 202.106.100.253, Dia
S       10.212.1.102/32 [15/0] via 202.106.200.100, Dia
C       192.168.1.0/24 is directly connected, port2
C       202.106.1.0/24 is directly connected, port1

The remote IP address and parent tunnel are shown as the next hop, but when two devices are behind NAT, the actual tunnel must be matched by looking up the route tree.
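As an added example (not Fortinet's code), the following Python script parses the 7.0.1 and 6.4.7 forms of the tunnel list and routing table shown above and resolves each dial-up route to its tunnel instance, showing why the tun_id makes the 7.0.1 routing table unambiguous where the 6.4.7 one needed the route tree. The sample lines are constructed from Example 3, abridged to the header fields the parser uses, and the regular expressions assume the field layout seen on this page.

```python
"""Resolve FortiOS routing-table next hops to IPsec dial-up tunnel instances.
Added example, not Fortinet's code; the sample text is constructed from the
page's Example 3 outputs, abridged to the header lines the parser needs."""
import re

# 7.0.1 'diagnose vpn tunnel list': every instance carries a tun_id= field.
TUNNELS_701 = """\
name=Dia_0 ver=1 serial=2 202.106.1.1:4500->202.106.100.253:4500 tun_id=202.106.100.253 dst_mtu=1500
name=Dia_1 ver=1 serial=3 202.106.1.1:0->202.106.200.100:0 tun_id=202.106.200.100 dst_mtu=0
name=Dia_2 ver=1 serial=4 202.106.1.1:4500->202.106.100.253:1025 tun_id=10.0.0.2 dst_mtu=1500
"""
ROUTES_701 = """\
S       10.212.1.100/32 [15/0] via Dia tunnel 202.106.100.253
S       10.212.1.101/32 [15/0] via Dia tunnel 202.106.200.100
S       10.212.1.102/32 [15/0] via Dia tunnel 10.0.0.2
"""
# 6.4.7: no tun_id, and the routing table names only the remote IP and parent.
TUNNELS_647 = """\
name=Dia_0 ver=1 serial=5 202.106.1.1:4500->202.106.100.253:4500 dst_mtu=0
name=Dia_1 ver=1 serial=4 202.106.1.1:4500->202.106.100.253:1024 dst_mtu=1500
name=Dia_2 ver=1 serial=6 202.106.1.1:0->202.106.200.100:0 dst_mtu=0
"""
ROUTES_647 = """\
S       10.212.1.100/32 [15/0] via 202.106.100.253, Dia
S       10.212.1.101/32 [15/0] via 202.106.100.253, Dia
S       10.212.1.102/32 [15/0] via 202.106.200.100, Dia
"""

# Field layout assumed from the outputs on this page; tun_id= is optional (absent in 6.4.7).
TUNNEL_RE = re.compile(r"^name=(?P<name>\S+) .*?->(?P<rgw>[\d.]+):\d+(?: tun_id=(?P<tun_id>[\d.]+))?")
ROUTE_701_RE = re.compile(r"^\S\s+(?P<dst>\S+) \[\S+\] via \S+ tunnel (?P<tun_id>[\d.]+)")
ROUTE_647_RE = re.compile(r"^\S\s+(?P<dst>\S+) \[\S+\] via (?P<rgw>[\d.]+), \S+$")


def parse_tunnels(text):
    """Map tunnel name -> (remote gateway, tun_id or None) from header lines."""
    found = (TUNNEL_RE.match(line) for line in text.splitlines())
    return {m["name"]: (m["rgw"], m["tun_id"]) for m in found if m}

def synthetic_tun_ids(tunnels):
    """Instances whose tun_id is not the peer address: the 10.0.0.0/8 fallback
    chosen when two peers present the same gateway IP (peers behind one NAT)."""
    return sorted(n for n, (rgw, tid) in tunnels.items() if tid and tid != rgw)

def resolve_routes_701(routes, tunnels):
    """7.0.1: 'via <parent> tunnel <tun_id>' resolves to exactly one instance."""
    by_tun_id = {tid: name for name, (_, tid) in tunnels.items() if tid}
    found = (ROUTE_701_RE.match(line) for line in routes.splitlines())
    return {m["dst"]: by_tun_id.get(m["tun_id"]) for m in found if m}

def resolve_routes_647(routes, tunnels):
    """6.4.7: 'via <remote-ip>, <parent>' lists every instance behind that IP;
    more than one candidate is the case the kernel's route tree had to settle."""
    by_rgw = {}
    for name, (rgw, _) in tunnels.items():
        by_rgw.setdefault(rgw, []).append(name)
    found = (ROUTE_647_RE.match(line) for line in routes.splitlines())
    return {m["dst"]: sorted(by_rgw.get(m["rgw"], [])) for m in found if m}


if __name__ == "__main__":
    t701, t647 = parse_tunnels(TUNNELS_701), parse_tunnels(TUNNELS_647)
    print("fallback tun_ids:", synthetic_tun_ids(t701))   # ['Dia_2']
    print("7.0.1:", resolve_routes_701(ROUTES_701, t701))  # one instance per route
    print("6.4.7:", resolve_routes_647(ROUTES_647, t647))  # two candidates for the NAT'd peers
```

Feeding the script the live output of the two commands instead of the constructed samples is a quick way to spot which dial-up instances received a 10.0.0.0/8 tun_id on an upgraded unit.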

In the GUI, go to Dashboard > Network and expand the Routing widget to see the routing table:

7.0.1:

The gateway IP address shows the tunnel ID.

6.4.7:

The next hop is Dia, and the gateway IP address is the remote IP address.