Fortinet white logo
Fortinet white logo

FortiGate-7000E Administration Guide

Example FortiGate 7000E IPsec VPN VRF configuration

Example FortiGate 7000E IPsec VPN VRF configuration

The following shows the basics of how to set up a VRF configuration that allows traffic between two IPsec VPN interfaces with different VRFs on a FortiGate 7000E. To support this configuration, both IPsec tunnels must terminate on the same FPM, in this example, the FPM in slot 5.

Create two VLAN interfaces:

config system interface

edit "v0031"

set vdom "vrf1"

set vrf 10

set ip <ip-address>

set interface "port1"

set vlanid 31

next

edit "v0032"

set vdom "vrf1"

set vrf 11

set ip <ip-address>

set interface "port2"

set vlanid 32

next

Create two phase1-interface tunnels. Add each tunnel to one of the VLAN interfaces created in step 1. The ipsec-tunnel-slot setting for both is FPM5.

config vpn ipsec phase1-interface

edit "p1-v31"

set interface "v0031"

set local-gw <ip-address>

set peertype any

set proposal 3des-sha256

set remote-gw <ip-address>

set psksecret <psk>

set ipsec-tunnel-slot FPM5

next

edit "p1-v32"

set interface "v0032"

set local-gw <ip-address>

set peertype any

set proposal 3des-sha256

set remote-gw <ip-address>

set psksecret <psk>

set ipsec-tunnel-slot FPM5

end

Edit each IPsec VPN interface and set the VRF ID for each one:

config system interface

edit "p1-v31"

set vdom "vrf1"

set vrf 10

set type tunnel

set interface "v0031"

next

edit "p1-v32"

set vdom "vrf1"

set vrf 11

set type tunnel

set interface "v0032"

end

Example FortiGate 7000E IPsec VPN VRF configuration

Example FortiGate 7000E IPsec VPN VRF configuration

The following shows the basics of how to set up a VRF configuration that allows traffic between two IPsec VPN interfaces with different VRFs on a FortiGate 7000E. To support this configuration, both IPsec tunnels must terminate on the same FPM, in this example, the FPM in slot 5.

Create two VLAN interfaces:

config system interface

edit "v0031"

set vdom "vrf1"

set vrf 10

set ip <ip-address>

set interface "port1"

set vlanid 31

next

edit "v0032"

set vdom "vrf1"

set vrf 11

set ip <ip-address>

set interface "port2"

set vlanid 32

next

Create two phase1-interface tunnels. Add each tunnel to one of the VLAN interfaces created in step 1. The ipsec-tunnel-slot setting for both is FPM5.

config vpn ipsec phase1-interface

edit "p1-v31"

set interface "v0031"

set local-gw <ip-address>

set peertype any

set proposal 3des-sha256

set remote-gw <ip-address>

set psksecret <psk>

set ipsec-tunnel-slot FPM5

next

edit "p1-v32"

set interface "v0032"

set local-gw <ip-address>

set peertype any

set proposal 3des-sha256

set remote-gw <ip-address>

set psksecret <psk>

set ipsec-tunnel-slot FPM5

end

Edit each IPsec VPN interface and set the VRF ID for each one:

config system interface

edit "p1-v31"

set vdom "vrf1"

set vrf 10

set type tunnel

set interface "v0031"

next

edit "p1-v32"

set vdom "vrf1"

set vrf 11

set type tunnel

set interface "v0032"

end