
FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide


IPsec VPN configuration

The FortiGate next generation firewall requires the following IPsec VPN settings:

  • IKEv2
  • Hub configured as an IPsec VPN dialup server. The FortiSASE security points of presence (PoP) act as spokes and connect to your hub via IPsec dialup connections.
  • You must enable the mode config setting. Each FortiSASE security PoP acquires an IP address and automatically configures its tunnel interface IP address with the acquired address. You also use this IP address to set up BGP peering.
  • On spokes, remote gateways configured so that one overlay tunnel is established per underlay, even when multiple WAN underlays exist
  • Mode config used to assign dynamic IP addresses
  • Network overlay IDs for each overlay tunnel, configured with set network-overlay enable and set network-id <n>
  • Preshared key for each overlay tunnel
  • Phase 1 and 2 proposals and settings
    • For IPsec phase 1, the following proposals are supported:
      aes128-sha256
      aes256-sha256
      aes128-sha1
      aes256-sha1
      DH groups 14 and 5
    • For IPsec phase 2, the following proposals are supported:
      aes128-sha1
      aes256-sha1
      aes128-sha256
      aes256-sha256
      aes128gcm
      aes256gcm
      chacha20poly1305
      DH groups 14 and 5

  • Hub configured with set auto-discovery-sender enable to enable ADVPN on the hub

Note: The following settings are only examples. Do not consider them as recommended settings.

To configure an IPsec VPN tunnel using the GUI:
  1. Go to VPN > IPsec Tunnels.
  2. Click Create New > IPsec Tunnel. The VPN creation Wizard displays.
  3. Set the following options, then click Next:
    1. In the Name field, enter VPN1.
    2. For Template type, select Custom.
  4. Set the Network options:
    1. For IP Version, select IPv4.
    2. From the Remote Gateway dropdown list, select Dialup User.
    3. From the Interface dropdown list, select the WAN interface that the hub will listen on for VPN peer connections.
    4. Enable Mode Config.
    5. Enable Assign IP From, then select Range from the dropdown list.
  5. Set the IPv4 mode config options:
    1. Configure the Client Address Range, Subnet Mask, and DNS Server fields to automate remote client addressing.
    2. Deselect Enable IPv4 Split Tunnel.

  6. Set the remaining Network options:
    1. For NAT Traversal, select Enable.
    2. For Dead Peer Detection, select On Idle.
    3. In the DPD retry count field, enter 3.
    4. In the DPD retry interval field, enter 60.
    5. For Forward Error Correction, disable Egress and Ingress.
  7. Expand Advanced, then set the following options:
    1. For Add route, select Disabled.
    2. For Auto discovery sender, select Enabled.
    3. For Auto discovery receiver, select Disabled.
    4. For Exchange interface IP, select Disabled.
    5. For Device creation, select Disabled.

  8. Set the Authentication options:
    1. From the Method dropdown list, select Pre-shared Key.
    2. In the Pre-shared Key field, enter an alphanumeric string.
    3. For IKE > Version, select 2.
    4. From the Accept Types dropdown list, select Any peer ID.

  9. Set the Phase 1 Proposal options:
    1. Add or remove Encryption and Authentication combinations as desired.
    2. Configure your desired Diffie-Hellman Groups, Key Lifetime, and Local ID (optional).

  10. Set the New Phase 2 options:
    1. If desired, enter a new value in the Name field. Otherwise, this defaults to the phase 1 name.
    2. Change the Local Address or Remote Address as needed. Otherwise, this defaults to 0.0.0.0/0.0.0.0 for both addresses, which is the wildcard subnet, allowing all subnets.
  11. Expand Advanced, then set the following options:
    1. Add or remove Encryption and Authentication combinations as desired.
    2. Select Enable Replay Detection.
    3. Select Enable Perfect Forward Secrecy (PFS).
    4. Select your desired Diffie-Hellman Groups.
    5. For Local Port, Remote Port, and Protocol, select All.
    6. Deselect Autokey Keep Alive.
    7. From the Key Lifetime dropdown list, select Seconds.
    8. In the Seconds field, enter the desired key lifetime value in seconds.

  12. In the CLI, enable network overlays and configure the VPN gateway network ID. Replace VPN1 with the IPsec VPN phase 1 name. Replace 1 with the integer value that corresponds to the network ID. These options are unavailable in the GUI, so you must run the following CLI commands to configure them:

    config vpn ipsec phase1-interface
        edit VPN1
            set network-overlay enable
            set network-id 1
        next
    end

To configure an IPsec VPN tunnel using the CLI:
config vpn ipsec phase1-interface
    edit VPN1
        set type dynamic
        set interface port1
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set add-route disable
        set dpd on-idle
        set dhgrp 21 14 5
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set ipv4-start-ip 10.251.1.1
        set ipv4-end-ip 10.251.1.251
        set ipv4-netmask 255.255.255.0
        set psksecret < pre-shared key >
        set dpd-retryinterval 60
    next
end
config vpn ipsec phase2-interface
    edit VPN1
        set phase1name VPN1
        set proposal aes256-sha256
    next
end
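As an added example that is not part of the Fortinet guide, the following Python helper (hypothetical, not a Fortinet tool) parses a phase1-interface block like the one above, whether produced by the GUI or the CLI procedure, and checks it against the hub requirements listed at the top of this page. The sample configuration is constructed; its IKEv1 setting, 3des-sha1 proposal and missing network-id are there only to be flagged.

```python
# Added example (not from the Fortinet guide): lint a FortiOS phase1-interface
# block against the hub requirements listed above. Hypothetical, not a Fortinet tool.
# Phase 1 values the guide lists as supported.
PHASE1_PROPOSALS = {"aes128-sha256", "aes256-sha256", "aes128-sha1", "aes256-sha1"}
PHASE1_DHGRP = {"14", "5"}
# Settings the guide requires on the hub (setting -> required value).
REQUIRED = {"type": "dynamic", "ike-version": "2", "mode-cfg": "enable",
            "network-overlay": "enable", "auto-discovery-sender": "enable"}

def parse_phase1(text):
    """Minimal FortiOS CLI parser: {entry name: {setting: [values]}}."""
    entries, current = {}, None
    for tok in (line.split() for line in text.splitlines()):
        if tok and tok[0] == "edit":
            current = " ".join(tok[1:]).strip('"')
            entries[current] = {}
        elif tok and tok[0] == "set" and current is not None and len(tok) > 1:
            entries[current][tok[1]] = tok[2:]
        elif tok and tok[0] in ("next", "end"):
            current = None
    return entries

def lint_phase1(settings):
    """Return findings for one entry; an empty list means it meets the guide."""
    findings = []
    for key, want in REQUIRED.items():
        if settings.get(key) != [want]:
            findings.append(f"{key} must be {want}, found {settings.get(key)}")
    for key in ("network-id", "psksecret"):
        if key not in settings:
            findings.append(f"{key} missing")
    findings += [f"unsupported proposal {p}" for p in settings.get("proposal", [])
                 if p not in PHASE1_PROPOSALS]
    findings += [f"DH group {g} not in supported list" for g in settings.get("dhgrp", [])
                 if g not in PHASE1_DHGRP]
    return findings

# Constructed sample: IKEv1, a weak proposal and no network-id, so lint flags it.
SAMPLE = """config vpn ipsec phase1-interface
    edit VPN1
        set type dynamic
        set ike-version 1
        set mode-cfg enable
        set proposal aes256-sha256 3des-sha1
        set dhgrp 14 5
        set auto-discovery-sender enable
        set network-overlay enable
        set psksecret REPLACE_ME
    next
end"""
```

Run `lint_phase1(parse_phase1(SAMPLE)["VPN1"])` to list the three deviations; paste in a `show vpn ipsec phase1-interface` output to check a live hub the same way.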
