Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSASE Administration Guide

    IPsec VPN configuration using IPsec wizard and CLI

    IPsec VPN configuration using IPsec wizard and CLI

    The FortiGate as an IPsec device for SD-WAN On-Ramp requires the following IPsec VPN settings:

    • IKEv2
    • Branch device configured as an IPsec VPN dialup client. Your branch device connects to the FortiSASE SD-WAN On-Ramp location, which acts as a remote site.
    • You must enable the mode config setting. Each FortiSASE SD-WAN On-Ramp location assigns IP addresses, and the branch device automatically configures its tunnel interfaces IP address with the acquired IP address. You also use this IP address to set up BGP peering.
    • On branches, remote gateway(s) where one overlay tunnel should be established per underlay even though multiple WAN underlays exist

      Use network overlay IDs for each overlay tunnel configuring set network-overlay enable and set network-id <n>

      Branch devices must be configured with a network ID of 1.

    • Pre-shared key for each overlay tunnel
    • Phase 1 and 2 proposals and settings
      • For IPsec phase 1, only aes256-sha256 is supported.
      • For IPsec phase 2, only aes256-sha256 is supported.
    Note

    The following settings are only examples. Do not consider them as recommended settings.
    To configure an IPsec VPN using the GUI and IPsec wizard:
    1. On the FortiGate, go to VPN > IPsec Wizard. The VPN Creation Wizard displays.
    2. Configure the following VPN Setup options:
      1. In the Name field, enter VPN1.
      2. For Template type, select Site to Site.
      3. For NAT configuration, select the option that corresponds to your network topology.
      4. For Remote device type, select FortiGate.
      5. Click Next.

    3. Configure the following Authentication options:
      1. For Remote device, select Dynamic DNS.
      2. For FQDN, paste the FQDN from the Edge Devices > SD-WAN On-Ramp > On-Ramp locations page. Notice that the FortiGate displays Resolved to < IP address >. Make note of this IP address since it will be used later.
      3. From the Outgoing Interface dropdown list, select the WAN interface that the hub will listen on for VPN peer connections. For example, you could select wan1.
      4. For Authentication method, select Pre-shared Key.
      5. In the Pre-shared key field, enter the desired key in alphanumeric characters. Click Next.
    4. Configure the following Tunnel Interface options:
      1. In the Tunnel IP field, enter 10.251.1.1.
      2. In the Remote IP/netmask field, enter 10.251.1.30/32. Click Next.

        The tunnel interface IP address is assigned by mode configuration. However, this step simply configures placeholder values to allow the IPsec wizard to proceed.

    5. Configure the following Policy & Routing options:
      1. Set Local interface to the desired LAN interface(s).
      2. Observe that the Local subnets are automatically detected based on the LAN interface(s) selected.
      3. For Remote Subnets since there are no specific destinations, enter 0.0.0.0/0
      4. For Internet access, select None. Click Next.
    6. Configure the following settings using the CLI. The IPsec wizard does not configure these settings. Replace VPN1 with your actual IPsec VPN phase 1 name:
      1. Enable IKEv2
      2. Enable network overlays
      3. Set the VPN gateway network ID to 1.
      4. Enable mode config.
        5. config vpn ipsec phase2-interface
   delete VPN1
end
config vpn ipsec phase1-interface
   edit VPN1
      set ike-version 2
      set network-overlay enable
      set network-id 1
      set mode-cfg enable
      set auto-discovery-receiver enable
   next
end
config vpn ipsec phase2-interface
   edit "VPN1"
      set phase1name "VPN1"
      set proposal aes256-sha256
   next
end
    Previous
    Next

    IPsec VPN configuration using IPsec wizard and CLI

    IPsec VPN configuration using IPsec wizard and CLI

    The FortiGate as an IPsec device for SD-WAN On-Ramp requires the following IPsec VPN settings:

    • IKEv2
    • Branch device configured as an IPsec VPN dialup client. Your branch device connects to the FortiSASE SD-WAN On-Ramp location, which acts as a remote site.
    • You must enable the mode config setting. Each FortiSASE SD-WAN On-Ramp location assigns IP addresses, and the branch device automatically configures its tunnel interfaces IP address with the acquired IP address. You also use this IP address to set up BGP peering.
    • On branches, remote gateway(s) where one overlay tunnel should be established per underlay even though multiple WAN underlays exist

      Use network overlay IDs for each overlay tunnel configuring set network-overlay enable and set network-id <n>

      Branch devices must be configured with a network ID of 1.

    • Pre-shared key for each overlay tunnel
    • Phase 1 and 2 proposals and settings
      • For IPsec phase 1, only aes256-sha256 is supported.
      • For IPsec phase 2, only aes256-sha256 is supported.
    Note

    The following settings are only examples. Do not consider them as recommended settings.
    To configure an IPsec VPN using the GUI and IPsec wizard:
    1. On the FortiGate, go to VPN > IPsec Wizard. The VPN Creation Wizard displays.
    2. Configure the following VPN Setup options:
      1. In the Name field, enter VPN1.
      2. For Template type, select Site to Site.
      3. For NAT configuration, select the option that corresponds to your network topology.
      4. For Remote device type, select FortiGate.
      5. Click Next.

    3. Configure the following Authentication options:
      1. For Remote device, select Dynamic DNS.
      2. For FQDN, paste the FQDN from the Edge Devices > SD-WAN On-Ramp > On-Ramp locations page. Notice that the FortiGate displays Resolved to < IP address >. Make note of this IP address since it will be used later.
      3. From the Outgoing Interface dropdown list, select the WAN interface that the hub will listen on for VPN peer connections. For example, you could select wan1.
      4. For Authentication method, select Pre-shared Key.
      5. In the Pre-shared key field, enter the desired key in alphanumeric characters. Click Next.
    4. Configure the following Tunnel Interface options:
      1. In the Tunnel IP field, enter 10.251.1.1.
      2. In the Remote IP/netmask field, enter 10.251.1.30/32. Click Next.

        The tunnel interface IP address is assigned by mode configuration. However, this step simply configures placeholder values to allow the IPsec wizard to proceed.

    5. Configure the following Policy & Routing options:
      1. Set Local interface to the desired LAN interface(s).
      2. Observe that the Local subnets are automatically detected based on the LAN interface(s) selected.
      3. For Remote Subnets since there are no specific destinations, enter 0.0.0.0/0
      4. For Internet access, select None. Click Next.
    6. Configure the following settings using the CLI. The IPsec wizard does not configure these settings. Replace VPN1 with your actual IPsec VPN phase 1 name:
      1. Enable IKEv2
      2. Enable network overlays
      3. Set the VPN gateway network ID to 1.
      4. Enable mode config.
        5. config vpn ipsec phase2-interface
   delete VPN1
end
config vpn ipsec phase1-interface
   edit VPN1
      set ike-version 2
      set network-overlay enable
      set network-id 1
      set mode-cfg enable
      set auto-discovery-receiver enable
   next
end
config vpn ipsec phase2-interface
   edit "VPN1"
      set phase1name "VPN1"
      set proposal aes256-sha256
   next
end
    Previous
    Next