Matching IPsec tunnel gateway based on address parameters 7.2.8
This information is also available in the FortiOS 7.2 Administration Guide.
FortiOS supports source IP anchoring for dial-up IPsec tunnel connections. When a dial-up client first makes an IPsec connection to the FortiGate VPN gateway, the FortiGate uses the client's source IP address to select the IPsec tunnel whose configured IP subnet, address range, or country matches that address. IPv4 and IPv6 are supported. This feature requires the dynamic (dial-up) tunnel to use IKEv2.
    config vpn ipsec phase1-interface
        edit <name>
            set type dynamic
            set ike-version 2
            set remote-gw-match {any | ipmask | iprange | geography}
        next
    end
| remote-gw-match | Description |
| --- | --- |
| any | Match any connecting client. |
| ipmask | Use the src-ip of the connecting client to match the IP subnet of the remote VPN gateway. Define the IP subnet by setting remote-gw-subnet. |
| iprange | Use the src-ip of the connecting client to match the IP range of the remote VPN gateway. Define the IP address range by setting remote-gw-start-ip and remote-gw-end-ip. |
| geography | Use the src-ip of the connecting client to match the specified country of the remote VPN gateway. Define the country by setting remote-gw-country. |
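The table above describes what each remote-gw-match mode compares. The following Python model is an added example, not FortiOS code, that reproduces the selection rules for all four modes (with the IPv4/IPv6 address-family checks) so the behaviour can be exercised offline. The geolocation table GEOIP_DB and the first-match-in-configured-order rule are assumptions of this model: a real FortiGate consults its own geo-IP data, and this page does not state how overlapping tunnel definitions are prioritised.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the geo-IP database (assumption: a real gateway
# consults its own geolocation data). 160.106.0.0/16 -> CA mirrors the page,
# where the NAT'd client 160.106.x.x resolves to Canada.
GEOIP_DB = {
    ipaddress.ip_network("160.106.0.0/16"): "CA",
    ipaddress.ip_network("173.1.1.0/24"): "US",
    ipaddress.ip_network("2001:db8:ca::/48"): "CA",
}


def lookup_country(src_ip):
    """Return the ISO country code for src_ip, or None if unknown."""
    for net, country in GEOIP_DB.items():
        if src_ip.version == net.version and src_ip in net:
            return country
    return None


@dataclass
class Phase1:
    """Subset of 'config vpn ipsec phase1-interface' relevant to gateway matching."""
    name: str
    remote_gw_match: str = "any"              # any | ipmask | iprange | geography
    remote_gw_subnet: Optional[str] = None    # ipmask: "10.1.0.0 255.255.0.0" or CIDR
    remote_gw_start_ip: Optional[str] = None  # iprange
    remote_gw_end_ip: Optional[str] = None    # iprange
    remote_gw_country: Optional[str] = None   # geography: e.g. "CA"
    tunnel_type: str = "dynamic"
    ike_version: int = 2

    def matches(self, src_ip) -> bool:
        # The feature applies only to dynamic (dial-up) IKEv2 tunnels.
        if self.tunnel_type != "dynamic" or self.ike_version != 2:
            return False
        mode = self.remote_gw_match
        if mode == "any":
            return True
        if mode == "ipmask":
            # Accept the FortiOS "address mask" form as well as CIDR notation.
            net = ipaddress.ip_network(self.remote_gw_subnet.replace(" ", "/"), strict=False)
            return src_ip.version == net.version and src_ip in net
        if mode == "iprange":
            lo = ipaddress.ip_address(self.remote_gw_start_ip)
            hi = ipaddress.ip_address(self.remote_gw_end_ip)
            # Family check first: ordering an IPv4 against an IPv6 address raises TypeError.
            return src_ip.version == lo.version == hi.version and lo <= src_ip <= hi
        if mode == "geography":
            return lookup_country(src_ip) == self.remote_gw_country
        raise ValueError(f"unknown remote-gw-match value {mode!r}")


def select_tunnel(tunnels, src_ip_str):
    """Return the name of the first tunnel matching the client's source IP, or None.

    First-match-in-configured-order is an assumption of this model; the page does
    not document how a FortiGate prioritises overlapping tunnel definitions.
    """
    src_ip = ipaddress.ip_address(src_ip_str)
    for tunnel in tunnels:
        if tunnel.matches(src_ip):
            return tunnel.name
    return None


if __name__ == "__main__":
    # The page's two configurations, driven with the Canadian client address.
    step1 = [Phase1("TestMatchA", "geography", remote_gw_country="US"),
             Phase1("TestMatchB", "geography", remote_gw_country="CA")]
    step4 = [Phase1("TestMatchA", "geography", remote_gw_country="CA"),
             Phase1("TestMatchB", "geography", remote_gw_country="CN")]
    print(select_tunnel(step1, "160.106.1.1"))  # TestMatchB
    print(select_tunnel(step4, "160.106.1.1"))  # TestMatchA
```

Because the model returns the first matching tunnel, a catch-all tunnel with remote-gw-match any placed ahead of the specific ones would shadow them in this model; whether FortiOS orders candidates the same way is not stated on this page and should be verified with diagnose vpn ike gateway list, as the example below does.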
Example
The following example uses the source IP address of the client to match the IPsec tunnel gateway based on the country parameter. The client, PC2, is behind a NAT'd device with address 160.106.x.x, which resolves to Canada. Two IPsec tunnels, TestMatchA and TestMatchB, are configured on the phase1 interface to test remote gateway country matching. The tunnel that is assigned to Canada will match while the other will not.
This example only includes configurations related to the
To match the dial-up IPsec tunnel gateway based on country:
- On the phase1 interface, configure two IPsec tunnels on the FGT VPN gateway, with TestMatchA set to the United States (US) and TestMatchB set to Canada (CA):

    config vpn ipsec phase1-interface
        edit "TestMatchA"
            set type dynamic
            set ike-version 2
            set remote-gw-match geography
            set remote-gw-country "US"
        next
        edit "TestMatchB"
            set type dynamic
            set ike-version 2
            set remote-gw-match geography
            set remote-gw-country "CA"
        next
    end
- From PC2, initiate a dial-up VPN connection.
- On the FortiGate, review the gateway list:

    # diagnose vpn ike gateway list
    vd: root/0
    name: TestMatchB_0
    version: 2
    interface: port5 13
    addr: 173.1.1.1:500 -> 160.106.x.x:500
    tun_id: 160.106.x.x/::10.0.0.35
    remote_location: 0.0.0.0
    network-id: 0
    created: 162s ago
    peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com
    peer-id-auth: yes
    PPK: no
    IKE SA: created 1/1  established 1/1  time 10/10/10 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

      id/spi: 10884 54ab158a7d192cbc/ef82ff5e91d72f59
      direction: responder
      status: established 162-162s ago = 10ms
      proposal: aes128-sha256
      child: no
      SK_ei: f1d74e0f026674b1-7687368f42305b31
      SK_er: b693bc06ea670ad3-643a6562cca05617
      SK_ai: 7edea8cfc3f82ce0-9a8ac426e05205b5-b71efc76d940589c-e9725108e7309cf5
      SK_ar: da3eaa37cc171369-1261fc51d4404bc7-c38bbaa9efa1bcfe-de3c285f3eb18617
      PPK: no
      message-id sent/recv: 0/8
      lifetime/rekey: 86400/85967
      DPD sent/recv: 00000000/00000000
      peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com
    Since the client IP address is anchored in Canada, TestMatchB matched. Note that the selection is made on the client's source IP, not on its IKE identity: the peer-id shown above is the subject DN of the client's certificate (C = US), yet the tunnel assigned to Canada is the one that was selected.
- Change the country assignments of the two IPsec tunnels so that TestMatchA is set to Canada (CA) and TestMatchB is set to China (CN):

    config vpn ipsec phase1-interface
        edit "TestMatchA"
            set type dynamic
            set ike-version 2
            set remote-gw-match geography
            set remote-gw-country "CA"
        next
        edit "TestMatchB"
            set type dynamic
            set ike-version 2
            set remote-gw-match geography
            set remote-gw-country "CN"
        next
    end
- From PC2, initiate a dial-up VPN connection.
- On the FortiGate, review the gateway list again:

    # diagnose vpn ike gateway list
    vd: root/0
    name: TestMatchA_0
    version: 2
    interface: port5 13
    addr: 173.1.1.1:500 -> 160.106.x.x:500
    tun_id: 160.106.x.x/::10.0.0.37
    remote_location: 0.0.0.0
    network-id: 0
    created: 1856s ago
    peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com
    peer-id-auth: yes
    PPK: no
    IKE SA: created 1/1  established 1/1  time 0/0/0 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

      id/spi: 10886 fec7cd972847a2ac/0c1ee0b54ddc155e
      direction: responder
      status: established 1856-1856s ago = 0ms
      proposal: aes128-sha256
      child: no
      SK_ei: 7e8c8d05a6a9adab-bfcf9ff2705e8965
      SK_er: bdd6ee61fc38cd81-202b5f142cefa5ce
      SK_ai: 30f905722136bbce-0c96d365dd52957c-3d05b83efd026140-831fbc76fc677456
      SK_ar: 4363f29c44d49f30-7d798777766efb09-aca39e8a8ca0e6d7-5b83c113e46b339d
      PPK: no
      message-id sent/recv: 0/89
      lifetime/rekey: 86400/84273
      DPD sent/recv: 00000000/00000000
      peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com
    Since the client IP address is anchored in Canada, TestMatchA matched.