
FortiGate-6000 Administration Guide

Example FortiGate-6000 IPsec VPN VRF configuration

The following shows the basics of how to set up a VRF configuration that allows traffic between two IPsec VPN interfaces with different VRFs on a FortiGate-6000. To support this configuration, both IPsec tunnels must terminate on the same FPC, in this example, the FPC in slot 5.

1. Create two VLAN interfaces:

config system interface
    edit "v0031"
        set vdom "vrf1"
        set vrf 10
        set ip <ip-address>
        set interface "port1"
        set vlanid 31
    next
    edit "v0032"
        set vdom "vrf1"
        set vrf 11
        set ip <ip-address>
        set interface "port2"
        set vlanid 32
    next
end

2. Create two phase1-interface tunnels. Bind each tunnel to one of the VLAN interfaces created in step 1, and set ipsec-tunnel-slot to FPC5 for both:

config vpn ipsec phase1-interface
    edit "p1-v31"
        set interface "v0031"
        set local-gw <ip-address>
        set peertype any
        set proposal 3des-sha256
        set remote-gw <ip-address>
        set psksecret <psk>
        set ipsec-tunnel-slot FPC5
    next
    edit "p1-v32"
        set interface "v0032"
        set local-gw <ip-address>
        set peertype any
        set proposal 3des-sha256
        set remote-gw <ip-address>
        set psksecret <psk>
        set ipsec-tunnel-slot FPC5
    next
end

3. Edit each IPsec VPN interface and set its VRF ID:

config system interface
    edit "p1-v31"
        set vdom "vrf1"
        set vrf 10
        set type tunnel
        set interface "v0031"
    next
    edit "p1-v32"
        set vdom "vrf1"
        set vrf 11
        set type tunnel
        set interface "v0032"
    next
end
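As an added example (not part of this guide), the following Python script parses a FortiOS-style configuration excerpt and checks the two constraints above: every phase1-interface tunnel has a VRF set on its system interface entry, and all tunnels terminate on the same ipsec-tunnel-slot. It also flags a 3DES proposal, since 3DES is a deprecated cipher. The sample configuration is constructed for this example, and the script assumes every tunnel in it is meant to exchange traffic across VRFs.

```python
# Constructed sample (not from the guide): p1-v32 never got step 3, uses 3DES
# and terminates on a different FPC than p1-v31, so all three checks fire.
SAMPLE_CONFIG = """
config system interface
    edit "p1-v31"
        set vrf 10
        set type tunnel
    next
end
config vpn ipsec phase1-interface
    edit "p1-v31"
        set proposal aes256-sha256
        set ipsec-tunnel-slot FPC5
    next
    edit "p1-v32"
        set proposal 3des-sha256
        set ipsec-tunnel-slot FPC4
    next
end
"""


def parse_fortios(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
        elif tok[0] == "edit":
            entry = tok[1].strip('"')
            tables[table][entry] = {}
        elif tok[0] == "set":
            tables[table][entry][tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[0] == "end":
            table = entry = None
    return tables


def check_vrf_tunnels(cfg):
    """Flag tunnels that break the two VRF rules, plus a weak-cipher note."""
    ifaces = cfg.get("system interface", {})
    findings, slots = [], {}
    for name, p1 in cfg.get("vpn ipsec phase1-interface", {}).items():
        if "vrf" not in ifaces.get(name, {}):
            findings.append(f"{name}: no 'set vrf' on the tunnel interface")
        if "3des" in p1.get("proposal", "").lower():
            findings.append(f"{name}: proposal uses 3DES, a deprecated cipher")
        slots[name] = p1.get("ipsec-tunnel-slot")
    if len(set(slots.values())) > 1:
        findings.append(f"tunnels terminate on different FPCs: {slots}")
    return findings
```

Run `check_vrf_tunnels(parse_fortios(open("backup.conf").read()))` against an exported configuration to list the tunnels that need attention before the VRF traffic is expected to flow.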
