
FortiGate NGFW to FortiSASE SPA Hub Conversion Deployment Guide

IPsec VPN configuration using IPsec wizard and CLI

The FortiGate next generation firewall requires the following IPsec VPN settings:

  • IKEv2
  • Hub configured as an IPsec VPN dialup server. The FortiSASE security points of presence (PoPs) act as spokes and connect to your hub via IPsec dialup connections.
  • Mode config enabled. Each FortiSASE security PoP acquires an IP address and automatically configures its tunnel interface IP address with the acquired address. You also use this IP address to set up BGP peering.
  • On spokes, remote gateways configured so that one overlay tunnel is established per underlay, even when multiple WAN underlays exist
  • Mode config used for dynamic IP address assignment
  • A network overlay ID for each overlay tunnel, configured with set network-overlay enable and set network-id <n>
  • A preshared key for each overlay tunnel
  • Phase 1 and 2 proposals and settings:
    • For IPsec phase 1, the following proposals are supported: aes128-sha256, aes256-sha256, aes128-sha1, aes256-sha1, with DH groups 14 and 5
    • For IPsec phase 2, the following proposals are supported: aes128-sha1, aes256-sha1, aes128-sha256, aes256-sha256, aes128gcm, aes256gcm, chacha20poly1305, with DH groups 14 and 5
  • Hub configured with set auto-discovery-sender enable to enable ADVPN on the hub
Note

To allow customer environments to scale dynamically as needed, use the following mode configuration settings, which provide a /24 subnet for the mode configuration IP address space:

    set ipv4-start-ip 192.168.1.1
    set ipv4-end-ip 192.168.1.252
    set ipv4-netmask 255.255.255.0

Depending on the size of the customer, the mode configuration IP address space may need to be larger than a /24 subnet.

To configure an IPsec VPN using the GUI and IPsec wizard:
  1. Go to VPN > IPsec Wizard. The VPN Creation Wizard displays.
  2. Configure the following VPN Setup options:
    1. In the Name field, enter VPN1.
    2. For Template type, select Hub and Spoke.
    3. For Role, select Hub. Click Next.
  3. Configure the following Authentication options:
    1. From the Incoming Interface dropdown list, select the WAN interface that the hub will listen on for VPN peer connections. For example, you could select port1.
    2. For Authentication method, select Pre-shared Key.
    3. In the Pre-shared key field, enter the desired key in alphanumeric characters. Click Next.
  4. Configure the following Tunnel Interface options:
    1. In the Tunnel IP field, enter 10.251.1.254.
    2. In the Remote IP/netmask field, enter 10.251.1.253/24. Click Next.
  5. Configure the following Policy & Routing options:
    1. In the Local AS field, enter 65001.
    2. For Local interface, select one or more local interfaces on the FortiGate. For example, you can select port4.
    3. For Local subnets, the IPsec wizard selects local subnets that correspond to the selected local interfaces. You can also specify local subnets manually. These local subnets are advertised to BGP peers. For example, you could enter 192.168.111.0/24.
    4. For Spoke type, select Range.
    5. In the Spoke range prefix field, enter 10.251.1.0/24.
    6. For Spoke neighbor group, click Create to create a neighbor group called VPN1:
      1. In the Name field, enter VPN1.
      2. In the Remote AS field, enter 65001.
      3. Leave the Interface field blank.
      4. Enable Activate IPv4.
      5. Disable Attribute unchanged.
      6. Select the following options:
        • Route reflector client.
        • Next hop self.
        • Capability: graceful restart.
        • Capability: route refresh.
      7. Click OK.
    7. From the Spoke neighbor group dropdown list, select the newly created VPN1 neighbor group. Click Next.
  6. Review the settings, then click Create. FortiOS displays a "The VPN has been set-up" message when the wizard successfully creates the IPsec VPN configuration.
  7. Configure the following settings using the CLI. The IPsec wizard does not configure these settings. Replace VPN1 with your actual IPsec VPN phase 1 name:
    1. Enable IKEv2.
    2. Enable network overlays.
    3. Configure the VPN gateway network ID. Replace the 1 with the integer value corresponding to the network overlay ID.
    4. Enable mode config.
    5. Configure the start and end IP addresses and the netmask used to automatically assign IP addresses to VPN peers using mode config. Replace 10.251.1.1, 10.251.1.252, and 255.255.255.0 accordingly.
    config vpn ipsec phase1-interface
        edit VPN1
            set ike-version 2
            set network-overlay enable
            set network-id 1
            set mode-cfg enable
            set ipv4-start-ip 10.251.1.1
            set ipv4-end-ip 10.251.1.252
            set ipv4-netmask 255.255.255.0
        next
    end
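The CLI equivalent of the wizard steps above together with the CLI-only settings, as an added example that is not taken from this guide or generated by the wizard. It assumes port1 as the incoming interface, a dialup (type dynamic) phase 1 on the hub, and the addresses, AS number, neighbor group and spoke range from the steps; the preshared key is a placeholder, and advertising the local subnets to BGP (step 5.3) is left out.

```fortios
config vpn ipsec phase1-interface
    edit "VPN1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14 5
        set auto-discovery-sender enable
        set network-overlay enable
        set network-id 1
        set mode-cfg enable
        set ipv4-start-ip 10.251.1.1
        set ipv4-end-ip 10.251.1.252
        set ipv4-netmask 255.255.255.0
        # placeholder: replace with the key shared with the FortiSASE PoPs
        set psksecret <PRE-SHARED-KEY>
    next
end
config vpn ipsec phase2-interface
    edit "VPN1"
        set phase1name "VPN1"
        set proposal aes256-sha256 aes128-sha256 aes256gcm chacha20poly1305
        set dhgrp 14 5
    next
end
config system interface
    edit "VPN1"
        set ip 10.251.1.254 255.255.255.255
        set remote-ip 10.251.1.253 255.255.255.0
    next
end
config router bgp
    set as 65001
    config neighbor-group
        edit "VPN1"
            set remote-as 65001
            set route-reflector-client enable
            set next-hop-self enable
            set capability-graceful-restart enable
            set capability-route-refresh enable
        next
    end
    config neighbor-range
        edit 1
            set prefix 10.251.1.0 255.255.255.0
            set neighbor-group "VPN1"
        next
    end
end
```

After running the wizard, compare this against the output of show vpn ipsec phase1-interface VPN1 and show router bgp on the hub; any line the wizard set differently should be reviewed before changing it.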
    
