Example FortiGate-7000E IPsec VPN VRF configuration
The following shows the basics of how to set up a VRF configuration that allows traffic between two IPsec VPN interfaces with different VRFs on a FortiGate-7000E. To support this configuration, both IPsec tunnels must terminate on the same FPM, in this example, the FPM in slot 5.
Create two VLAN interfaces:
config system interface
edit "v0031"
set vdom "vrf1"
set vrf 10
set ip <ip-address>
set interface "port1"
set vlanid 31
next
edit "v0032"
set vdom "vrf1"
set vrf 11
set ip <ip-address>
set interface "port2"
set vlanid 32
next
end
Create two phase1-interface tunnels. Bind each tunnel to one of the VLAN interfaces created above. The ipsec-tunnel-slot setting for both is FPM5, so that both tunnels terminate on the same FPM.
config vpn ipsec phase1-interface
edit "p1-v31"
set interface "v0031"
set local-gw <ip-address>
set peertype any
set proposal 3des-sha256
set remote-gw <ip-address>
set psksecret <psk>
set ipsec-tunnel-slot FPM5
next
edit "p1-v32"
set interface "v0032"
set local-gw <ip-address>
set peertype any
set proposal 3des-sha256
set remote-gw <ip-address>
set psksecret <psk>
set ipsec-tunnel-slot FPM5
end
Edit each IPsec VPN interface and set the VRF ID for each one:
config system interface
edit "p1-v31"
set vdom "vrf1"
set vrf 10
set type tunnel
set interface "v0031"
next
edit "p1-v32"
set vdom "vrf1"
set vrf 11
set type tunnel
set interface "v0032"
end
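As an added check, not part of the FortiGate documentation above: a small Python audit that parses FortiOS CLI text (config/edit/set/next/end) and verifies the two conditions this configuration depends on, namely that every phase1-interface uses the same ipsec-tunnel-slot and that each tunnel interface under "config system interface" has a VRF ID. The parser and the SAMPLE text are constructed for this example and are not Fortinet tooling.

```python
import shlex

# Constructed sample, trimmed to the keys the checks below read; it mirrors the
# configuration above (two VLAN interfaces, two tunnels, both on FPM5).
SAMPLE = (
    'config system interface\n'
    'edit "v0031"\nset vrf 10\nnext\n'
    'edit "v0032"\nset vrf 11\nnext\n'
    'edit "p1-v31"\nset vrf 10\nset type tunnel\nset interface "v0031"\nnext\n'
    'edit "p1-v32"\nset vrf 11\nset type tunnel\nset interface "v0032"\nend\n'
    'config vpn ipsec phase1-interface\n'
    'edit "p1-v31"\nset interface "v0031"\nset ipsec-tunnel-slot FPM5\nnext\n'
    'edit "p1-v32"\nset interface "v0032"\nset ipsec-tunnel-slot FPM5\nend\n'
)

def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for line in text.splitlines():
        tok = shlex.split(line) or [""]  # shlex strips the CLI's double quotes
        if tok[0] == "config":  # repeated 'config system interface' blocks merge
            table = tables.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit" and table is not None:
            entry = table.setdefault(tok[1], {})
        elif tok[0] == "set" and entry is not None:
            entry[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table, entry = None, None
    return tables

def audit_ipsec_vrf(text):
    """Return findings for the constraints the page states; [] means clean."""
    cfg = parse_fortios(text)
    ifaces = cfg.get("system interface", {})
    tunnels = cfg.get("vpn ipsec phase1-interface", {})
    findings = []
    slots = {p1.get("ipsec-tunnel-slot") for p1 in tunnels.values()}
    if len(slots) > 1:  # all tunnels must terminate on one FPM
        findings.append("tunnels terminate on different FPMs: " + ", ".join(sorted(map(str, slots))))
    for name, p1 in tunnels.items():
        ti = ifaces.get(name, {})
        if ti.get("type") != "tunnel" or "vrf" not in ti:
            findings.append(name + ": tunnel interface missing or has no VRF ID")
        if p1.get("interface") not in ifaces:  # bound VLAN interface must exist
            findings.append(name + ": bound to unknown interface " + repr(p1.get("interface")))
    return findings
```

Running audit_ipsec_vrf on the output of "show full-configuration" (or the relevant "show" sections) flags a tunnel moved to another FPM or a tunnel interface left without a VRF before the change is committed to production.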