
SPA with a FortiGate SD-WAN Deployment Guide

IPsec VPN configuration

The FortiGate SD-WAN hub requires the following IPsec VPN settings:

  • IKEv2
  • Hub configured as an IPsec VPN dialup server
  • On spokes, one remote gateway per underlay, so that one overlay tunnel is established per underlay even when multiple WAN underlays exist
  • Mode config used to assign dynamic IP addresses
  • A network overlay ID for each overlay tunnel, configured with set network-overlay enable and set network-id <n>
  • A preshared key for each overlay tunnel
  • Phase 1 and phase 2 proposals and settings:
    • IPsec VPN phase 1 supports the following proposals: aes128-sha256, aes256-sha256, aes128-sha1, aes256-sha1; DH groups 14 and 5
    • IPsec VPN phase 2 supports the following proposals: aes128-sha1, aes256-sha1, aes128-sha256, aes256-sha256, aes128gcm, aes256gcm, chacha20poly1305; DH groups 14 and 5
  • Hub configured with set auto-discovery-sender enable to enable ADVPN on the hub

The following is a sample of the IPsec VPN CLI configuration:

  • The IPsec VPN type must be dynamic. The FortiSASE security points of presence (PoPs) act as spokes and connect to your hub to establish IPsec VPN overlays.
  • You must enable the mode-cfg setting. Each FortiSASE security PoP acquires an IP address and automatically configures its tunnel interface IP address with the acquired IP. This IP address is also used to set up BGP peering.
Note

To allow customer environments to scale dynamically as needed, use the following mode configuration settings, which reserve a /24 subnet for the mode configuration IP address space:

set ipv4-start-ip 192.168.10.1

set ipv4-end-ip 192.168.10.252

set ipv4-netmask 255.255.255.0

Depending on the size of the customer, the mode configuration IP address space may need to be even larger than a /24 subnet.

config vpn ipsec phase1-interface
    edit VPN1
        set type dynamic
        set interface port1
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 0
        set ipv4-start-ip 192.168.10.1
        set ipv4-end-ip 192.168.10.252
        set ipv4-netmask 255.255.255.0
        set psksecret < pre-shared key >
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit VPN1
        set phase1name VPN1
        set proposal aes256-sha256
    next
end
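The requirement list and the configuration sample above define what a compliant hub looks like, but nothing on the page checks a snippet against them before it is pushed. The following is an added example, not Fortinet code and not a FortiOS API: it parses CLI text of the config/edit/set/end shape shown above (an assumption about the text format, not about the device) and reports every deviation from the guide's requirements, including the supported proposal and DH group lists, the mode-cfg pool size (at least a /24, with the end address inside the pool), and a pre-shared key that is still the placeholder. Both sample snippets are constructed: one is the page's hub configuration trimmed to the keys the checker reads, the other the same hub with several deliberate deviations.

```python
"""Check a FortiGate IPsec phase1/phase2 CLI snippet against this guide's hub requirements.
Added example, not Fortinet code: the config/edit/set/end parsing is an assumption about the
CLI text shape shown on this page, not a FortiOS API."""
import ipaddress

# Proposal lists and DH groups exactly as the guide states them.
P1_PROPOSALS = {"aes128-sha256", "aes256-sha256", "aes128-sha1", "aes256-sha1"}
P2_PROPOSALS = P1_PROPOSALS | {"aes128gcm", "aes256gcm", "chacha20poly1305"}
DH_GROUPS = {"14", "5"}
P1_REQUIRED = {"type": "dynamic", "ike-version": "2", "mode-cfg": "enable",
               "network-overlay": "enable", "auto-discovery-sender": "enable"}

# Constructed sample: the page's hub config trimmed to the keys the checker reads,
# with a constructed PSK value in place of the placeholder.
SAMPLE_HUB = """\
config vpn ipsec phase1-interface
    edit VPN1
        set type dynamic
        set ike-version 2
        set mode-cfg enable
        set proposal aes256-sha256
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 0
        set ipv4-start-ip 192.168.10.1
        set ipv4-end-ip 192.168.10.252
        set ipv4-netmask 255.255.255.0
        set psksecret constructed-example-psk
    next
end
config vpn ipsec phase2-interface
    edit VPN1
        set phase1name VPN1
        set proposal aes256-sha256
    next
end
"""

# Constructed sample: the same hub with IKEv1, an unlisted phase 1 proposal, no ADVPN
# sender, a /25 pool whose end address falls outside it, and the placeholder PSK left in.
SAMPLE_BAD = (SAMPLE_HUB.replace("ike-version 2", "ike-version 1")
              .replace("aes256-sha256\n        set auto", "aes256-sha256 aes256-md5\n        set auto")
              .replace("        set auto-discovery-sender enable\n", "")
              .replace("255.255.255.0", "255.255.255.128")
              .replace("constructed-example-psk", "< pre-shared key >"))

def parse_fortios(text):
    """Turn FortiOS CLI text into {section: {entry: {key: [values]}}}."""
    tree, section, entry = {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        verb, _, rest = line.partition(" ")
        if verb == "config":
            section = tree.setdefault(rest, {})
        elif verb == "edit":
            entry = section.setdefault(rest.strip('"'), {})
        elif verb == "set":
            key, _, value = rest.partition(" ")
            entry[key] = value.split()
        elif verb == "end":
            section = None
    return tree

def val(entry, key):
    """Join a multi-token setting back into one string ('' when unset)."""
    return " ".join(entry.get(key, []))

def check_hub(tree):
    """Return a list of findings; an empty list means the snippet meets the guide's requirements."""
    findings = []
    p1s = tree.get("vpn ipsec phase1-interface", {})
    for name, p1 in p1s.items():
        for key, want in P1_REQUIRED.items():
            if val(p1, key) != want:
                findings.append(f"{name}: {key} is '{val(p1, key) or 'unset'}', expected '{want}'")
        if "network-id" not in p1:
            findings.append(f"{name}: network-id is not set")
        if bad := set(p1.get("proposal", ["<none>"])) - P1_PROPOSALS:
            findings.append(f"{name}: phase 1 proposal(s) not in the supported list: {sorted(bad)}")
        if bad := set(p1.get("dhgrp", [])) - DH_GROUPS:
            findings.append(f"{name}: DH group(s) not in the supported list: {sorted(bad)}")
        if not val(p1, "psksecret") or "<" in val(p1, "psksecret"):
            findings.append(f"{name}: psksecret is missing or still a placeholder")
        try:  # mode-cfg pool: the guide calls for a /24 or larger, with start and end inside it
            start = ipaddress.ip_address(val(p1, "ipv4-start-ip"))
            end = ipaddress.ip_address(val(p1, "ipv4-end-ip"))
            pool = ipaddress.ip_network(f"{start}/{val(p1, 'ipv4-netmask')}", strict=False)
            if pool.prefixlen > 24:
                findings.append(f"{name}: mode-cfg pool is a /{pool.prefixlen}; the guide requires at least a /24")
            if end not in pool or end <= start:
                findings.append(f"{name}: ipv4-end-ip {end} is outside the /{pool.prefixlen} pool or not after the start")
        except ValueError:
            findings.append(f"{name}: ipv4-start-ip, ipv4-end-ip or ipv4-netmask is missing or invalid")
    for name, p2 in tree.get("vpn ipsec phase2-interface", {}).items():
        if val(p2, "phase1name") not in p1s:
            findings.append(f"{name}: phase1name '{val(p2, 'phase1name')}' matches no phase1-interface entry")
        if bad := set(p2.get("proposal", ["<none>"])) - P2_PROPOSALS:
            findings.append(f"{name}: phase 2 proposal(s) not in the supported list: {sorted(bad)}")
    return findings
```

Calling check_hub(parse_fortios(SAMPLE_HUB)) returns an empty list, while the deviating sample yields six findings (IKEv1, the missing ADVPN sender, the unlisted proposal, the placeholder key, the /25 pool, and the end address outside it). Run it over a hub's actual phase1-interface and phase2-interface output before and after changes so that a narrowed pool or a weakened proposal is caught in review rather than discovered when a FortiSASE PoP fails to bring up its overlay.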
