Administration Guide

Securely exchange serial numbers between FortiGates connected with IPsec VPN

Serial numbers can be securely exchanged between FortiGates connected with IPsec VPN. This feature is supported in IKEv2, IKEv1 main mode, and IKEv1 aggressive mode. The exchange is only performed with participating FortiGates that have enabled the exchange-fgt-device-id setting under config vpn ipsec phase1-interface.

Example

In this example, FortiGates A and B are in an HA cluster, so the exchanged serial numbers do not change after a failover. The cluster is connected to FortiGate D through IPsec VPN.

To securely exchange serial numbers between the FortiGates:
  1. Configure the IPsec settings on FortiGate A.

    1. Configure the phase 1 interface settings:

      config vpn ipsec phase1-interface
          edit "to_FGTD"
              set interface "port1"
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set exchange-fgt-device-id enable
              set remote-gw 172.16.200.4
              set psksecret **********
          next
      end
    2. Configure the phase 2 interface settings:

      config vpn ipsec phase2-interface
          edit "to_FGTD"
              set phase1name "to_FGTD"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set src-addr-type name
              set dst-addr-type name
              set src-name "to_FGTD_local"
              set dst-name "to_FGTD_remote"
          next
      end
  2. Configure the IPsec settings on FortiGate D.

    1. Configure the phase 1 interface settings:

      config vpn ipsec phase1-interface
          edit "to_FGTA"
              set interface "port2"
              set peertype any
              set net-device disable
              set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
              set exchange-fgt-device-id enable
              set remote-gw 172.16.200.1
              set psksecret **********
          next
      end
    2. Configure the phase 2 interface settings:

      config vpn ipsec phase2-interface
          edit "to_FGTA"
              set phase1name "to_FGTA"
              set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
              set src-addr-type name
              set dst-addr-type name
              set src-name "to_FGTA_local"
              set dst-name "to_FGTA_remote"
          next
      end
  3. Verify the peer serial numbers.

    1. On FortiGate A:

      # diagnose vpn ike gateway list
      
      vd: root/0
      name: to_FGTD
      version: 1
      interface: port1 19
      addr: 172.16.200.1:500 -> 172.16.200.4:500
      tun_id: 172.16.200.4/::172.16.200.4
      remote_location: 0.0.0.0
      network-id: 0
      created: 783s ago
      peer-id: 172.16.200.4
      peer-id-auth: no
      peer-SN: FG181FTK19900083
      IKE SA: created 1/1  established 1/1  time 0/0/0 ms
      IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
      
        id/spi: 2 a8b2df203ef134e8/955fafbd10a04fa0
        direction: initiator
        status: established 783-783s ago = 0ms
        proposal: aes128-sha256
        key: 644db099e1178d1f-119fee3141f1e2a6
        lifetime/rekey: 86400/85316
        DPD sent/recv: 00000000/00000000
        peer-id: 172.16.200.4
    2. On FortiGate D:

      # diagnose vpn ike gateway list
      
      vd: root/0
      name: to_FGTA
      version: 1
      interface: port2 10
      addr: 172.16.200.4:500 -> 172.16.200.1:500
      tun_id: 172.16.200.1/::172.16.200.1
      remote_location: 0.0.0.0
      network-id: 0
      created: 723s ago
      peer-id: 172.16.200.1
      peer-id-auth: no
      peer-SN: FG200E4Q17904575
      IKE SA: created 1/1  established 1/1  time 10/10/10 ms
      IPsec SA: created 0/0
      
        id/spi: 7 a8b2df203ef134e8/955fafbd10a04fa0
        direction: responder
        status: established 723-723s ago = 10ms
        proposal: aes128-sha256
        key: 644db099e1178d1f-119fee3141f1e2a6
        lifetime/rekey: 86400/85406
        DPD sent/recv: 00000000/00000000
        peer-id: 172.16.200.1
  4. After an HA failover, verify that the peer serial numbers have not changed.

    1. On FortiGate B:

      # diagnose vpn ike gateway list
      
      vd: root/0
      name: to_FGTD
      version: 2
      interface: port1 19
      addr: 172.16.200.1:500 -> 172.16.200.4:500
      tun_id: 172.16.200.4/::172.16.200.4
      remote_location: 0.0.0.0
      network-id: 0
      created: 104s ago
      peer-id: 172.16.200.4
      peer-id-auth: no
      peer-SN: FG181FTK19900083
      PPK: no
      IKE SA: created 1/2  established 1/2  time 0/0/0 ms
      IPsec SA: created 1/2  established 1/2  time 0/0/0 ms
      
        id/spi: 8 3aab6778ea613bcd/e28dd0a1251a2eb1
        direction: responder
        status: established 101-101s ago = 0ms
        proposal: aes128-sha256
        child: no
        SK_ei: c05f59ac726e4c3c-0d273aa8bf5dde35
        SK_er: 5be947724fbbd85b-d1e090a757823e6a
        SK_ai: 11f85a5c896a897f-2d7a551a91d5c1e2-63394ec02414ddb2-33598a09e77c8207
        SK_ar: 4291445e00062982-f7c5a848c9ada403-6ce7e4394e3a4fd5-bf2dc03492576cfc
        PPK: no
        message-id sent/recv: 12/3
        lifetime/rekey: 86400/86028
        DPD sent/recv: 00000000/00000000
        peer-id: 172.16.200.4
    2. On FortiGate D:

      # diagnose vpn ike gateway list
      
      vd: root/0
      name: to_FGTA
      version: 2
      interface: port2 10
      addr: 172.16.200.4:500 -> 172.16.200.1:500
      tun_id: 172.16.200.1/::172.16.200.1
      remote_location: 0.0.0.0
      network-id: 0
      created: 132s ago
      peer-id: 172.16.200.1
      peer-id-auth: no
      peer-SN: FG200E4Q17904575
      PPK: no
      IKE SA: created 1/2  established 1/2  time 0/10500/21000 ms
      IPsec SA: created 1/2  established 1/2  time 0/10500/21000 ms
      
        id/spi: 9 3aab6778ea613bcd/e28dd0a1251a2eb1
        direction: initiator
        status: established 132-111s ago = 21000ms
        proposal: aes128-sha256
        child: no
        SK_ei: c05f59ac726e4c3c-0d273aa8bf5dde35
        SK_er: 5be947724fbbd85b-d1e090a757823e6a
        SK_ai: 11f85a5c896a897f-2d7a551a91d5c1e2-63394ec02414ddb2-33598a09e77c8207
        SK_ar: 4291445e00062982-f7c5a848c9ada403-6ce7e4394e3a4fd5-bf2dc03492576cfc
        PPK: no
        message-id sent/recv: 3/12
        lifetime/rekey: 86400/85988
        DPD sent/recv: 00000000/00000000
        peer-id: 172.16.200.1
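
The checks in steps 3 and 4 can be scripted. The following Python is an added example, not Fortinet code: it parses the `diagnose vpn ike gateway list` output shown above, extracts the `peer-SN` reported for each tunnel, confirms the value is unchanged across the HA failover, compares it against the serial expected for that peer, and audits a `phase1-interface` configuration for tunnels that never set `exchange-fgt-device-id enable` (the exchange only works when both peers enable it). The sample outputs are trimmed copies of the FortiGate D outputs above; the second tunnel `to_branch`, its gateway address and the function names are constructed for the example.

```python
"""Added example (not Fortinet's code): audit peer serial numbers reported by
FortiOS `diagnose vpn ike gateway list` and check phase1 config for the
exchange-fgt-device-id setting."""
from typing import Dict, List

# Constructed sample: trimmed copies of the FortiGate D outputs in the procedure,
# before the HA failover (peer was FortiGate A) and after it (peer is FortiGate B).
FGT_D_BEFORE = """\
# diagnose vpn ike gateway list

vd: root/0
name: to_FGTA
version: 1
interface: port2 10
addr: 172.16.200.4:500 -> 172.16.200.1:500
peer-id: 172.16.200.1
peer-id-auth: no
peer-SN: FG200E4Q17904575
IKE SA: created 1/1  established 1/1  time 10/10/10 ms

  id/spi: 7 a8b2df203ef134e8/955fafbd10a04fa0
  direction: responder
  peer-id: 172.16.200.1
"""

FGT_D_AFTER = """\
vd: root/0
name: to_FGTA
version: 2
interface: port2 10
addr: 172.16.200.4:500 -> 172.16.200.1:500
peer-id: 172.16.200.1
peer-id-auth: no
peer-SN: FG200E4Q17904575
PPK: no
IKE SA: created 1/2  established 1/2  time 0/10500/21000 ms

  id/spi: 9 3aab6778ea613bcd/e28dd0a1251a2eb1
  direction: initiator
  peer-id: 172.16.200.1
"""

# Constructed phase1 config: the FortiGate A tunnel from the procedure plus a
# hypothetical "to_branch" tunnel that does not enable the exchange.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to_FGTD"
        set interface "port1"
        set exchange-fgt-device-id enable
        set remote-gw 172.16.200.4
    next
    edit "to_branch"
        set interface "port1"
        set remote-gw 192.0.2.10
    next
end
"""


def parse_gateway_list(text: str) -> Dict[str, Dict[str, str]]:
    """Return {tunnel name: top-level fields} for each gateway in the output.
    Only unindented 'key: value' lines are taken; the indented IKE SA detail
    lines (id/spi, SK_*, nested peer-id) describe the SA, not the gateway."""
    gateways: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line.startswith("vd:"):          # each gateway record starts with vd:
            current = {}
        if line[0].isspace() or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        current[key] = value.strip()
        if key == "name":
            gateways[current["name"]] = current
    return gateways


def peer_serials(gateways: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Tunnel name -> peer-SN, for tunnels that reported one."""
    return {n: g["peer-SN"] for n, g in gateways.items() if "peer-SN" in g}


def check_expected(output: str, expected: Dict[str, str]) -> List[str]:
    """Flag tunnels whose peer-SN is absent or differs from the serial expected
    for that peer. An empty list means every expected tunnel checks out."""
    gateways = parse_gateway_list(output)
    findings: List[str] = []
    for name, want in expected.items():
        got = gateways.get(name, {}).get("peer-SN")
        if got is None:
            findings.append(f"{name}: no peer-SN reported (tunnel down, or "
                            "exchange-fgt-device-id not enabled on both ends)")
        elif got != want:
            findings.append(f"{name}: peer-SN {got} does not match expected {want}")
    return findings


def audit_failover(before: str, after: str) -> List[str]:
    """Step 4: after an HA failover every tunnel should still report the peer-SN
    it had before; the pre-failover serials become the expected values."""
    return check_expected(after, peer_serials(parse_gateway_list(before)))


def phase1_without_exchange(config_text: str) -> List[str]:
    """Names of phase1-interface entries that never set exchange-fgt-device-id enable."""
    missing: List[str] = []
    in_phase1, name, enabled = False, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase1-interface":
            in_phase1 = True
        elif not in_phase1:
            continue
        elif line.startswith("edit "):
            name, enabled = line[5:].strip().strip('"'), False
        elif line == "set exchange-fgt-device-id enable":
            enabled = True
        elif line == "next":
            if name is not None and not enabled:
                missing.append(name)
            name = None
        elif line == "end":
            in_phase1 = False
    return missing


if __name__ == "__main__":
    print("failover findings:", audit_failover(FGT_D_BEFORE, FGT_D_AFTER))
    print("tunnels missing exchange:", phase1_without_exchange(SAMPLE_CONFIG))
```

The parser keys on the unindented `name:` line, so the nested `peer-id:` inside the IKE SA block is never mistaken for the gateway's identity, and a tunnel with no `peer-SN` line is reported rather than silently skipped, since that is exactly what a peer without `exchange-fgt-device-id enable` looks like.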
To retrieve the peer serial number in FortiManager:
  1. Add and authorize FortiGate A (see Adding online devices using Discover mode for more details).

  2. Go to Device Manager > Device & Groups and select FortiGate A.

  3. Add the IPsec VPN widget (see Customizing the dashboard for more details).

  4. Open the developer tools in your browser and select the Network tab.

  5. Refresh the IPsec VPN widget.

  6. In the Network tab, there should be a JSON POST request that FortiManager proxies to the FortiGate's IPsec API. The response should contain the peer serial number.
