Fortinet white logo
Fortinet white logo

Administration Guide

Policy-based IPsec tunnel

Policy-based IPsec tunnel

This is an example of policy-based IPsec tunnel using site-to-site VPN between branch and HQ. HQ is the IPsec concentrator.

Sample topology

Sample configuration

To configure a policy-based IPsec tunnel using the GUI:

To configure the IPsec VPN at HQ:
  1. Go to VPN > IPsec Wizard to set up branch 1.
    1. Enter a VPN Name. In this example, to_branch1.
    2. For Template Type, click Custom. Click Next.
    3. Uncheck Enable IPsec Interface Mode.
    4. For Remote Gateway, select Static IP Address.
    5. Enter IP address, in this example, 15.1.1.2.
    6. For Interface, select port9.
    7. In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
    8. Click OK.
  2. Go to VPN > IPsec Wizard to set up branch 2.
    1. Enter a VPN Name. In this example, to_branch2.
    2. For Template Type, click Custom. Click Next.
    3. Uncheck Enable IPsec Interface Mode.
    4. For Remote Gateway, select Static IP Address.
    5. Enter IP address, in this example, 13.1.1.2.
    6. For Interface, select port9.
    7. In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
    8. Click OK.
To configure the IPsec concentrator at HQ:
  1. Go to VPN > IPsec Concentrator and click Create New.
  2. Enter a name. In this example, branch.
  3. Add the Members to_branch1 and to_branch2.
  4. Click OK.
To configure the firewall policy at HQ:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. Enter a policy Name.
  3. For Incoming Interface, select port10.
  4. For Outgoing Interface, select port9.
  5. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
  6. Select the VPN Tunnel, in this example, Branch1/Branch2.
  7. In this example, enable Allow traffic to be initiated from the remote site.
  8. Click OK.
To configure IPsec VPN at branch 1:
  1. Go to VPN > IPsec Wizard to set up branch 1.
  2. Enter a VPN name. In this example, to_HQ.
  3. For Template Type, click Custom. Click Next.
  4. Uncheck Enable IPsec Interface Mode.
  5. For Remote Gateway, select Static IP Address.
  6. Enter IP address, in this example, 22.1.1.1.
  7. For Interface, select wan1.
  8. In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
  9. Click OK.
To configure the firewall policy at branch 1:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. Enter a policy Name.
  3. Choose the Incoming Interface, in this example, internal.
  4. Choose the Outgoing Interface, in this example, wan1.
  5. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
  6. Select the VPN Tunnel, in this example, Branch1/Branch2.
  7. In this example, enable Allow traffic to be initiated from the remote site.
  8. Click OK.
To configure IPsec VPN at branch 2:
  1. Go to VPN > IPsec Wizard to set up branch 1.
  2. Enter a VPN name. In this example, to_HQ.
  3. For Template Type, click Custom. Click Next.
  4. Uncheck Enable IPsec Interface Mode.
  5. For Remote Gateway, select Static IP Address.
  6. Enter IP address, in this example, 22.1.1.1.
  7. For Interface, select wan1.
  8. In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
  9. Click OK.
To configure the firewall policy at branch 2:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. Enter a policy Name.
  3. Choose the Incoming Interface, in this example, internal.
  4. Choose the Outgoing Interface, in this example, wan1.
  5. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
  6. Select the VPN Tunnel, in this example, to_HQ.
  7. In this example, enable Allow traffic to be initiated from the remote site.
  8. Click OK.
To configure a policy-based IPsec tunnel using the CLI:
  1. Configure the HQ WAN interface and static route.
    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end   
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next  
    end
  2. Configure the HQ IPsec phase1 and phase2.
    config vpn ipsec phase1
        edit "to_branch1"
            set interface "port9"
            set peertype any
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 15.1.1.2
            set psksecret sample
            next
        edit "to_branch2"
            set interface "port9"
            set peertype any
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 13.1.1.2
            set psksecret sample
            next
    end
    config vpn ipsec phase2
        edit "to_branch1"
            set phase1name "to_branch1"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
        edit "to_branch2"
            set phase1name "to_branch2"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
    end
  3. Configure the firewall policy at HQ.
    config firewall policy
        edit 1
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "10.1.100.0"
            set action ipsec
            set schedule "always"
            set service "ALL"
            set inbound enable
            set vpntunnel "to_branch1"
        next
        edit 2
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "192.168.4.0"
            set action ipsec
            set schedule "always"
            set service "ALL"
            set inbound enable
            set vpntunnel "to_branch2"
        next
    end
  4. Configure the IPsec concentrator at HQ.
    config vpn ipsec concentrator
        edit "branch"
            set member "to_branch1" "to_branch2"
        next
    end
  5. Configure the branch WAN interface and static route.
    1. For branch 1.
      config system interface
          edit "wan1"
              set alias "primary_WAN"
              set ip 15.1.1.2 255.255.255.0
          next
          edit "internal"
              set ip 10.1.100.1 255.255.255.0
          next
      end 
      config router static
          edit 1
              set gateway 15.1.1.1
              set device "wan1"
          next
      end
    2. For branch 2.
      config system interface
          edit "wan1"
              set alias "primary_WAN"
              set ip 13.1.1.2 255.255.255.0
          next
          edit "internal"
              set ip 192.168.4.1 255.255.255.0
          next
      end 
      config router static
          edit 1
              set gateway 13.1.1.1
              set device "wan1"
          next
      end
  6. Configure the branch IPsec phase1 and phase2.
    1. For branch 1.
      config vpn ipsec phase1
          edit "to_HQ"
              set interface "wan1"
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 22.1.1.1
              set psksecret sample
              next
      end
      config vpn ipsec phase2
          edit "to_HQ"
              set phase1name "to_HQ"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
    2. For branch 2.
      config vpn ipsec phase1
          edit "to_HQ"
              set interface "wan1"
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 22.1.1.1
              set psksecret sample
              next
      end
      config vpn ipsec phase2
          edit "to_HQ"
              set phase1name "to_HQ"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
  7. Configure the branch firewall policy.
    1. For branch 1.
      config firewall policy
          edit 1
              set srcintf "internal"
              set dstintf "wan1"
              set srcaddr "10.1.100.0"
              set dstaddr "all"
              set action ipsec
              set schedule "always"
              set service "ALL"
              set inbound enable
              set vpntunnel "to_HQ"
          next
      end
    2. For branch 2.
      config firewall policy
          edit 1
              set srcintf "internal"
              set dstintf "wan1"
              set srcaddr "192.168.4.0"
              set dstaddr "all"
              set action ipsec
              set schedule "always"
              set service "ALL"
              set inbound enable
              set vpntunnel "to_HQ"
          next
      end
To view the IPsec VPN tunnel list at HQ:
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0 
----
name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0 tun_id=15.1.1.2
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu 
proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0
stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42604/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000680 itn=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=ca646442 esp=aes key=16 58c91d4463968dddccc4fd97de90a4b8
       ah=sha1 key=20 c9176fe2fbc82ef7e726be9ad4af83eb1b55580a
  enc: spi=747c10c4 esp=aes key=16 7cf0f75b784f697bc7f6d8b4bb8a83c1
       ah=sha1 key=20 cdddc376a86f5ca0149346604a59af07a33b11c5
  dec:pkts/bytes=1664/16310, enc:pkts/bytes=0/16354
  npu_flag=03 npu_rgwy=15.1.1.2 npu_lgwy=22.1.1.1 npu_selid=3 dec_npuid=2 enc_npuid=2
----
name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0 tun_id=13.1.1.2
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu 
proxyid_num=1 child_num=0 refcnt=7 ilast=2 olast=43228 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1280 expire=40489/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42931/43200
  dec: spi=ca646441 esp=aes key=16 57ab680d29d4aad4e373579fb50e9909
       ah=sha1 key=20 12a2bc703d2615d917ff544eaff75a6d2c17f1fe
  enc: spi=f9cffb61 esp=aes key=16 3d64da9feb893874e007babce0229259
       ah=sha1 key=20 f92a3ad5e56cb8e89c47af4dac10bf4b4bebff16
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=13.1.1.2 npu_lgwy=22.1.1.1 npu_selid=4 dec_npuid=0 enc_npuid=0
To view the IPsec VPN concentrator at HQ:
# diagnose vpn concentrator list
list all ipsec concentrator in vd 0
name=branch              ref=3          tuns=2 flags=0

Policy-based IPsec tunnel

Policy-based IPsec tunnel

This is an example of policy-based IPsec tunnel using site-to-site VPN between branch and HQ. HQ is the IPsec concentrator.

Sample topology

Sample configuration

To configure a policy-based IPsec tunnel using the GUI:

To configure the IPsec VPN at HQ:
  1. Go to VPN > IPsec Wizard to set up branch 1.
    1. Enter a VPN Name. In this example, to_branch1.
    2. For Template Type, click Custom. Click Next.
    3. Uncheck Enable IPsec Interface Mode.
    4. For Remote Gateway, select Static IP Address.
    5. Enter IP address, in this example, 15.1.1.2.
    6. For Interface, select port9.
    7. In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
    8. Click OK.
  2. Go to VPN > IPsec Wizard to set up branch 2.
    1. Enter a VPN Name. In this example, to_branch2.
    2. For Template Type, click Custom. Click Next.
    3. Uncheck Enable IPsec Interface Mode.
    4. For Remote Gateway, select Static IP Address.
    5. Enter IP address, in this example, 13.1.1.2.
    6. For Interface, select port9.
    7. In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
    8. Click OK.
To configure the IPsec concentrator at HQ:
  1. Go to VPN > IPsec Concentrator and click Create New.
  2. Enter a name. In this example, branch.
  3. Add the Members to_branch1 and to_branch2.
  4. Click OK.
To configure the firewall policy at HQ:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. Enter a policy Name.
  3. For Incoming Interface, select port10.
  4. For Outgoing Interface, select port9.
  5. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
  6. Select the VPN Tunnel, in this example, Branch1/Branch2.
  7. In this example, enable Allow traffic to be initiated from the remote site.
  8. Click OK.
To configure IPsec VPN at branch 1:
  1. Go to VPN > IPsec Wizard to set up branch 1.
  2. Enter a VPN name. In this example, to_HQ.
  3. For Template Type, click Custom. Click Next.
  4. Uncheck Enable IPsec Interface Mode.
  5. For Remote Gateway, select Static IP Address.
  6. Enter IP address, in this example, 22.1.1.1.
  7. For Interface, select wan1.
  8. In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
  9. Click OK.
To configure the firewall policy at branch 1:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. Enter a policy Name.
  3. Choose the Incoming Interface, in this example, internal.
  4. Choose the Outgoing Interface, in this example, wan1.
  5. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
  6. Select the VPN Tunnel, in this example, Branch1/Branch2.
  7. In this example, enable Allow traffic to be initiated from the remote site.
  8. Click OK.
To configure IPsec VPN at branch 2:
  1. Go to VPN > IPsec Wizard to set up branch 1.
  2. Enter a VPN name. In this example, to_HQ.
  3. For Template Type, click Custom. Click Next.
  4. Uncheck Enable IPsec Interface Mode.
  5. For Remote Gateway, select Static IP Address.
  6. Enter IP address, in this example, 22.1.1.1.
  7. For Interface, select wan1.
  8. In the Authentication section, for Method, select Pre-shared Key and enter the Pre-shared Key.
  9. Click OK.
To configure the firewall policy at branch 2:
  1. Go to Policy & Objects > Firewall Policy and click Create New.
  2. Enter a policy Name.
  3. Choose the Incoming Interface, in this example, internal.
  4. Choose the Outgoing Interface, in this example, wan1.
  5. Select the Source, Destination, Schedule, Service, and set Action to IPsec.
  6. Select the VPN Tunnel, in this example, to_HQ.
  7. In this example, enable Allow traffic to be initiated from the remote site.
  8. Click OK.
To configure a policy-based IPsec tunnel using the CLI:
  1. Configure the HQ WAN interface and static route.
    config system interface
        edit "port9"
            set alias "WAN"
            set ip 22.1.1.1 255.255.255.0
        next
        edit "port10"
            set alias "Internal"
            set ip 172.16.101.1 255.255.255.0
        next
    end   
    config router static
        edit 1
            set gateway 22.1.1.2
            set device "port9"
        next  
    end
  2. Configure the HQ IPsec phase1 and phase2.
    config vpn ipsec phase1
        edit "to_branch1"
            set interface "port9"
            set peertype any
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 15.1.1.2
            set psksecret sample
            next
        edit "to_branch2"
            set interface "port9"
            set peertype any
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set remote-gw 13.1.1.2
            set psksecret sample
            next
    end
    config vpn ipsec phase2
        edit "to_branch1"
            set phase1name "to_branch1"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
        edit "to_branch2"
            set phase1name "to_branch2"
            set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        next
    end
  3. Configure the firewall policy at HQ.
    config firewall policy
        edit 1
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "10.1.100.0"
            set action ipsec
            set schedule "always"
            set service "ALL"
            set inbound enable
            set vpntunnel "to_branch1"
        next
        edit 2
            set srcintf "port10"
            set dstintf "port9"
            set srcaddr "all"
            set dstaddr "192.168.4.0"
            set action ipsec
            set schedule "always"
            set service "ALL"
            set inbound enable
            set vpntunnel "to_branch2"
        next
    end
  4. Configure the IPsec concentrator at HQ.
    config vpn ipsec concentrator
        edit "branch"
            set member "to_branch1" "to_branch2"
        next
    end
  5. Configure the branch WAN interface and static route.
    1. For branch 1.
      config system interface
          edit "wan1"
              set alias "primary_WAN"
              set ip 15.1.1.2 255.255.255.0
          next
          edit "internal"
              set ip 10.1.100.1 255.255.255.0
          next
      end 
      config router static
          edit 1
              set gateway 15.1.1.1
              set device "wan1"
          next
      end
    2. For branch 2.
      config system interface
          edit "wan1"
              set alias "primary_WAN"
              set ip 13.1.1.2 255.255.255.0
          next
          edit "internal"
              set ip 192.168.4.1 255.255.255.0
          next
      end 
      config router static
          edit 1
              set gateway 13.1.1.1
              set device "wan1"
          next
      end
  6. Configure the branch IPsec phase1 and phase2.
    1. For branch 1.
      config vpn ipsec phase1
          edit "to_HQ"
              set interface "wan1"
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 22.1.1.1
              set psksecret sample
              next
      end
      config vpn ipsec phase2
          edit "to_HQ"
              set phase1name "to_HQ"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
    2. For branch 2.
      config vpn ipsec phase1
          edit "to_HQ"
              set interface "wan1"
              set peertype any
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set remote-gw 22.1.1.1
              set psksecret sample
              next
      end
      config vpn ipsec phase2
          edit "to_HQ"
              set phase1name "to_HQ"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
          next
      end
  7. Configure the branch firewall policy.
    1. For branch 1.
      config firewall policy
          edit 1
              set srcintf "internal"
              set dstintf "wan1"
              set srcaddr "10.1.100.0"
              set dstaddr "all"
              set action ipsec
              set schedule "always"
              set service "ALL"
              set inbound enable
              set vpntunnel "to_HQ"
          next
      end
    2. For branch 2.
      config firewall policy
          edit 1
              set srcintf "internal"
              set dstintf "wan1"
              set srcaddr "192.168.4.0"
              set dstaddr "all"
              set action ipsec
              set schedule "always"
              set service "ALL"
              set inbound enable
              set vpntunnel "to_HQ"
          next
      end
To view the IPsec VPN tunnel list at HQ:
# diagnose vpn tunnel list
list all ipsec tunnel in vd 0 
----
name=to_branch1 ver=1 serial=4 22.1.1.1:0->15.1.1.2:0 tun_id=15.1.1.2
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu 
proxyid_num=1 child_num=0 refcnt=8 ilast=0 olast=0 ad=/0
stat: rxp=305409 txp=41985 rxb=47218630 txb=2130108
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_branch1 proto=0 sa=1 ref=3 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=6 options=10226 type=00 soft=0 mtu=1438 expire=42604/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000680 itn=0
  life: type=01 bytes=0/0 timeout=42932/43200
  dec: spi=ca646442 esp=aes key=16 58c91d4463968dddccc4fd97de90a4b8
       ah=sha1 key=20 c9176fe2fbc82ef7e726be9ad4af83eb1b55580a
  enc: spi=747c10c4 esp=aes key=16 7cf0f75b784f697bc7f6d8b4bb8a83c1
       ah=sha1 key=20 cdddc376a86f5ca0149346604a59af07a33b11c5
  dec:pkts/bytes=1664/16310, enc:pkts/bytes=0/16354
  npu_flag=03 npu_rgwy=15.1.1.2 npu_lgwy=22.1.1.1 npu_selid=3 dec_npuid=2 enc_npuid=2
----
name=to_branch2 ver=1 serial=5 22.1.1.1:0->13.1.1.2:0 tun_id=13.1.1.2
bound_if=42 lgwy=static/1 tun=tunnel/1 mode=auto/1 encap=none/8 options[0008]=npu 
proxyid_num=1 child_num=0 refcnt=7 ilast=2 olast=43228 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_branch2 proto=0 sa=1 ref=2 serial=1
  src: 0:0.0.0.0/0.0.0.0:0
  dst: 0:0.0.0.0/0.0.0.0:0
  SA:  ref=3 options=10226 type=00 soft=0 mtu=1280 expire=40489/0B replaywin=2048
       seqno=1 esn=0 replaywin_lastseq=00000000 itn=0
  life: type=01 bytes=0/0 timeout=42931/43200
  dec: spi=ca646441 esp=aes key=16 57ab680d29d4aad4e373579fb50e9909
       ah=sha1 key=20 12a2bc703d2615d917ff544eaff75a6d2c17f1fe
  enc: spi=f9cffb61 esp=aes key=16 3d64da9feb893874e007babce0229259
       ah=sha1 key=20 f92a3ad5e56cb8e89c47af4dac10bf4b4bebff16
  dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
  npu_flag=00 npu_rgwy=13.1.1.2 npu_lgwy=22.1.1.1 npu_selid=4 dec_npuid=0 enc_npuid=0
To view the IPsec VPN concentrator at HQ:
# diagnose vpn concentrator list
list all ipsec concentrator in vd 0
name=branch              ref=3          tuns=2 flags=0