Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiGate / FortiOS 7.4.1 Administration Guide
    7.4.1
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.16
    7.0.15
    7.0.14
    7.0.13
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.15
    6.4.14
    6.4.13
    6.4.12
    6.4.11
    6.4.10
    6.4.9
    6.4.8
    6.4.7
    6.4.6
    6.4.5
    6.4.4
    6.4.3
    6.4.2
    6.4.1
    6.4.0

    Securely exchange serial numbers between FortiGates connected with IPsec VPN NEW

    Securely exchange serial numbers between FortiGates connected with IPsec VPN NEW

    Serial numbers can be securely exchanged between FortiGates connected with IPsec VPN. This feature is supported in IKEv2, IKEv1 main mode, and IKEv1 aggressive mode. The exchange is only performed with participating FortiGates that have enabled the exchange-fgt-device-id setting under config vpn ipsec phase1-interface.

    Example

    In this example, FortiGates A and B are in an HA cluster, so the serial numbers will not exchange after failover. The cluster is connected to FortiGate D through IPsec VPN.

    To securely exchange serial numbers between the FortiGates:

    1. Configure the IPsec settings on FortiGate A.

      1. Configure the phase 1 interface settings:

        config vpn ipsec phase1-interface
    edit "to_FGTD"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set exchange-fgt-device-id enable
        set remote-gw 172.16.200.4
        set psksecret **********
    next
end

      2. Configure the phase 2 interface settings:

        config vpn ipsec phase2-interface
    edit "to_FGTD"
        set phase1name "to_FGTD"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type name
        set dst-addr-type name
        set src-name "to_FGTD_local"
        set dst-name "to_FGTD_remote"
    next
end

    2. Configure the IPsec settings on FortiGate D.

      1. Configure the phase 1 interface settings:

        config vpn ipsec phase1-interface
    edit "to_FGTA"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set exchange-fgt-device-id enable
        set remote-gw 172.16.200.1
        set psksecret **********
    next
end

      2. Configure the phase 2 interface settings:

        config vpn ipsec phase2-interface
    edit "to_FGTA"
        set phase1name "to_FGTA"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type name
        set dst-addr-type name
        set src-name "to_FGTA_local"
        set dst-name "to_FGTA_remote"
    next
end

    3. Verify the peer serial numbers.

      1. On FortiGate A:

        # diagnose vpn ike gateway list

vd: root/0
name: to_FGTD
version: 1
interface: port1 19
addr: 172.16.200.1:500 -> 172.16.200.4:500
tun_id: 172.16.200.4/::172.16.200.4
remote_location: 0.0.0.0
network-id: 0
created: 783s ago
peer-id: 172.16.200.4
peer-id-auth: no
peer-SN: FG181FTK19900083
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 2 a8b2df203ef134e8/955fafbd10a04fa0
  direction: initiator
  status: established 783-783s ago = 0ms
  proposal: aes128-sha256
  key: 644db099e1178d1f-119fee3141f1e2a6
  lifetime/rekey: 86400/85316
  DPD sent/recv: 00000000/00000000
  peer-id: 172.16.200.4

      2. On FortiGate D:

        # diagnose vpn ike gateway list

vd: root/0
name: to_FGTA
version: 1
interface: port2 10
addr: 172.16.200.4:500 -> 172.16.200.1:500
tun_id: 172.16.200.1/::172.16.200.1
remote_location: 0.0.0.0
network-id: 0
created: 723s ago
peer-id: 172.16.200.1
peer-id-auth: no
peer-SN: FG200E4Q17904575
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 0/0

  id/spi: 7 a8b2df203ef134e8/955fafbd10a04fa0
  direction: responder
  status: established 723-723s ago = 10ms
  proposal: aes128-sha256
  key: 644db099e1178d1f-119fee3141f1e2a6
  lifetime/rekey: 86400/85406
  DPD sent/recv: 00000000/00000000
  peer-id: 172.16.200.1

    4. After an HA failover, verify that the peer serial numbers have not changed.

      1. On FortiGate B:

        # diagnose vpn ike gateway  list

vd: root/0
name: to_FGTD
version: 2
interface: port1 19
addr: 172.16.200.1:500 -> 172.16.200.4:500
tun_id: 172.16.200.4/::172.16.200.4
remote_location: 0.0.0.0
network-id: 0
created: 104s ago
peer-id: 172.16.200.4
peer-id-auth: no
peer-SN: FG181FTK19900083
PPK: no
IKE SA: created 1/2  established 1/2  time 0/0/0 ms
IPsec SA: created 1/2  established 1/2  time 0/0/0 ms

  id/spi: 8 3aab6778ea613bcd/e28dd0a1251a2eb1
  direction: responder
  status: established 101-101s ago = 0ms
  proposal: aes128-sha256
  child: no
  SK_ei: c05f59ac726e4c3c-0d273aa8bf5dde35
  SK_er: 5be947724fbbd85b-d1e090a757823e6a
  SK_ai: 11f85a5c896a897f-2d7a551a91d5c1e2-63394ec02414ddb2-33598a09e77c8207
  SK_ar: 4291445e00062982-f7c5a848c9ada403-6ce7e4394e3a4fd5-bf2dc03492576cfc
  PPK: no
  message-id sent/recv: 12/3
  lifetime/rekey: 86400/86028
  DPD sent/recv: 00000000/00000000
  peer-id: 172.16.200.4

      2. On FortiGate D:

        # diagnose vpn ike gateway list

vd: root/0
name: to_FGTA
version: 2
interface: port2 10
addr: 172.16.200.4:500 -> 172.16.200.1:500
tun_id: 172.16.200.1/::172.16.200.1
remote_location: 0.0.0.0
network-id: 0
created: 132s ago
peer-id: 172.16.200.1
peer-id-auth: no
peer-SN: FG200E4Q17904575
PPK: no
IKE SA: created 1/2  established 1/2  time 0/10500/21000 ms
IPsec SA: created 1/2  established 1/2  time 0/10500/21000 ms

  id/spi: 9 3aab6778ea613bcd/e28dd0a1251a2eb1
  direction: initiator
  status: established 132-111s ago = 21000ms
  proposal: aes128-sha256
  child: no
  SK_ei: c05f59ac726e4c3c-0d273aa8bf5dde35
  SK_er: 5be947724fbbd85b-d1e090a757823e6a
  SK_ai: 11f85a5c896a897f-2d7a551a91d5c1e2-63394ec02414ddb2-33598a09e77c8207
  SK_ar: 4291445e00062982-f7c5a848c9ada403-6ce7e4394e3a4fd5-bf2dc03492576cfc
  PPK: no
  message-id sent/recv: 3/12
  lifetime/rekey: 86400/85988
  DPD sent/recv: 00000000/00000000
  peer-id: 172.16.200.1
    To retrieve the peer serial number in FortiManager:

    1. Add and authorize FortiGate A (see Adding online devices using Discover mode for more details).

    2. Go to Device Manager > Device & Groups and select the FortiGate A.

    3. Add the IPsec VPN widget (see Customizing the dashboard for more details).

    4. Open the developer tools in your browser and select the Network tab.

    5. Refresh the IPsec VPN widget.

    6. In the Network tab, there should be a JSON POST request that FortiManager will proxy request to the FortiGate for the IPsec API. The response should contain the peer serial number.

    Previous
    Next

    Securely exchange serial numbers between FortiGates connected with IPsec VPN NEW

    Securely exchange serial numbers between FortiGates connected with IPsec VPN NEW

    Serial numbers can be securely exchanged between FortiGates connected with IPsec VPN. This feature is supported in IKEv2, IKEv1 main mode, and IKEv1 aggressive mode. The exchange is only performed with participating FortiGates that have enabled the exchange-fgt-device-id setting under config vpn ipsec phase1-interface.

    Example

    In this example, FortiGates A and B are in an HA cluster, so the serial numbers will not exchange after failover. The cluster is connected to FortiGate D through IPsec VPN.

    To securely exchange serial numbers between the FortiGates:

    1. Configure the IPsec settings on FortiGate A.

      1. Configure the phase 1 interface settings:

        config vpn ipsec phase1-interface
    edit "to_FGTD"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set exchange-fgt-device-id enable
        set remote-gw 172.16.200.4
        set psksecret **********
    next
end

      2. Configure the phase 2 interface settings:

        config vpn ipsec phase2-interface
    edit "to_FGTD"
        set phase1name "to_FGTD"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type name
        set dst-addr-type name
        set src-name "to_FGTD_local"
        set dst-name "to_FGTD_remote"
    next
end

    2. Configure the IPsec settings on FortiGate D.

      1. Configure the phase 1 interface settings:

        config vpn ipsec phase1-interface
    edit "to_FGTA"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set exchange-fgt-device-id enable
        set remote-gw 172.16.200.1
        set psksecret **********
    next
end

      2. Configure the phase 2 interface settings:

        config vpn ipsec phase2-interface
    edit "to_FGTA"
        set phase1name "to_FGTA"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-addr-type name
        set dst-addr-type name
        set src-name "to_FGTA_local"
        set dst-name "to_FGTA_remote"
    next
end

    3. Verify the peer serial numbers.

      1. On FortiGate A:

        # diagnose vpn ike gateway list

vd: root/0
name: to_FGTD
version: 1
interface: port1 19
addr: 172.16.200.1:500 -> 172.16.200.4:500
tun_id: 172.16.200.4/::172.16.200.4
remote_location: 0.0.0.0
network-id: 0
created: 783s ago
peer-id: 172.16.200.4
peer-id-auth: no
peer-SN: FG181FTK19900083
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 2 a8b2df203ef134e8/955fafbd10a04fa0
  direction: initiator
  status: established 783-783s ago = 0ms
  proposal: aes128-sha256
  key: 644db099e1178d1f-119fee3141f1e2a6
  lifetime/rekey: 86400/85316
  DPD sent/recv: 00000000/00000000
  peer-id: 172.16.200.4

      2. On FortiGate D:

        # diagnose vpn ike gateway list

vd: root/0
name: to_FGTA
version: 1
interface: port2 10
addr: 172.16.200.4:500 -> 172.16.200.1:500
tun_id: 172.16.200.1/::172.16.200.1
remote_location: 0.0.0.0
network-id: 0
created: 723s ago
peer-id: 172.16.200.1
peer-id-auth: no
peer-SN: FG200E4Q17904575
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 0/0

  id/spi: 7 a8b2df203ef134e8/955fafbd10a04fa0
  direction: responder
  status: established 723-723s ago = 10ms
  proposal: aes128-sha256
  key: 644db099e1178d1f-119fee3141f1e2a6
  lifetime/rekey: 86400/85406
  DPD sent/recv: 00000000/00000000
  peer-id: 172.16.200.1

    4. After an HA failover, verify that the peer serial numbers have not changed.

      1. On FortiGate B:

        # diagnose vpn ike gateway  list

vd: root/0
name: to_FGTD
version: 2
interface: port1 19
addr: 172.16.200.1:500 -> 172.16.200.4:500
tun_id: 172.16.200.4/::172.16.200.4
remote_location: 0.0.0.0
network-id: 0
created: 104s ago
peer-id: 172.16.200.4
peer-id-auth: no
peer-SN: FG181FTK19900083
PPK: no
IKE SA: created 1/2  established 1/2  time 0/0/0 ms
IPsec SA: created 1/2  established 1/2  time 0/0/0 ms

  id/spi: 8 3aab6778ea613bcd/e28dd0a1251a2eb1
  direction: responder
  status: established 101-101s ago = 0ms
  proposal: aes128-sha256
  child: no
  SK_ei: c05f59ac726e4c3c-0d273aa8bf5dde35
  SK_er: 5be947724fbbd85b-d1e090a757823e6a
  SK_ai: 11f85a5c896a897f-2d7a551a91d5c1e2-63394ec02414ddb2-33598a09e77c8207
  SK_ar: 4291445e00062982-f7c5a848c9ada403-6ce7e4394e3a4fd5-bf2dc03492576cfc
  PPK: no
  message-id sent/recv: 12/3
  lifetime/rekey: 86400/86028
  DPD sent/recv: 00000000/00000000
  peer-id: 172.16.200.4

      2. On FortiGate D:

        # diagnose vpn ike gateway list

vd: root/0
name: to_FGTA
version: 2
interface: port2 10
addr: 172.16.200.4:500 -> 172.16.200.1:500
tun_id: 172.16.200.1/::172.16.200.1
remote_location: 0.0.0.0
network-id: 0
created: 132s ago
peer-id: 172.16.200.1
peer-id-auth: no
peer-SN: FG200E4Q17904575
PPK: no
IKE SA: created 1/2  established 1/2  time 0/10500/21000 ms
IPsec SA: created 1/2  established 1/2  time 0/10500/21000 ms

  id/spi: 9 3aab6778ea613bcd/e28dd0a1251a2eb1
  direction: initiator
  status: established 132-111s ago = 21000ms
  proposal: aes128-sha256
  child: no
  SK_ei: c05f59ac726e4c3c-0d273aa8bf5dde35
  SK_er: 5be947724fbbd85b-d1e090a757823e6a
  SK_ai: 11f85a5c896a897f-2d7a551a91d5c1e2-63394ec02414ddb2-33598a09e77c8207
  SK_ar: 4291445e00062982-f7c5a848c9ada403-6ce7e4394e3a4fd5-bf2dc03492576cfc
  PPK: no
  message-id sent/recv: 3/12
  lifetime/rekey: 86400/85988
  DPD sent/recv: 00000000/00000000
  peer-id: 172.16.200.1
    To retrieve the peer serial number in FortiManager:

    1. Add and authorize FortiGate A (see Adding online devices using Discover mode for more details).

    2. Go to Device Manager > Device & Groups and select the FortiGate A.

    3. Add the IPsec VPN widget (see Customizing the dashboard for more details).

    4. Open the developer tools in your browser and select the Network tab.

    5. Refresh the IPsec VPN widget.

    6. In the Network tab, there should be a JSON POST request that FortiManager will proxy request to the FortiGate for the IPsec API. The response should contain the peer serial number.

    Previous
    Next