
New Features

Matching IPsec tunnel gateway based on address parameters 7.2.8

Note

This information is also available in the FortiOS 7.2 Administration Guide.

FortiOS supports source IP anchoring for dial-up IPsec tunnel connections. When a dial-up client first makes an IPsec connection to the FortiGate VPN gateway, the FortiGate uses the client's source IP address to select the IPsec tunnel whose configured IP subnet, address range, or country that address matches. IPv4 and IPv6 are supported. This feature requires the dynamic (dial-up) tunnel to be configured for IKEv2.

config vpn ipsec phase1-interface
    edit <name>
        set type dynamic
        set ike-version 2
        set remote-gw-match {any | ipmask | iprange | geography}
    next
end
any        Match any connecting client.
ipmask     Use the source IP of the connecting client to match the IP subnet of the remote VPN gateway. Define the subnet with remote-gw-subnet.
iprange    Use the source IP of the connecting client to match the IP address range of the remote VPN gateway. Define the range with remote-gw-start-ip and remote-gw-end-ip.
geography  Use the source IP of the connecting client to match the country of the remote VPN gateway. Define the country with remote-gw-country.
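To make the four remote-gw-match modes concrete, the following Python model evaluates a connecting client's source address against a list of dial-up phase1 entries the same way the table above describes, for IPv4 and IPv6. This is an added example, not FortiOS code: the Phase1 dataclass, the GEO_TABLE stand-in for the FortiGate geography database, and the rule that specific matchers are tried before an "any" catch-all are all assumptions of this example (the page does not state how overlapping tunnels are ordered). It also enforces the stated precondition that address matching is only available on dynamic IKEv2 tunnels.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the FortiGate geography database: a few prefixes
# mapped to ISO country codes. A real device consults its own GeoIP data;
# these prefixes are sample values, not real allocations.
GEO_TABLE = [
    (ipaddress.ip_network("160.106.0.0/16"), "CA"),    # constructed, echoes the page's 160.106.x.x client
    (ipaddress.ip_network("173.1.0.0/16"), "US"),      # constructed
    (ipaddress.ip_network("2001:db8:ca::/48"), "CA"),  # constructed IPv6 sample
]


def geolocate(ip) -> Optional[str]:
    """Return the country code for an address, or None if it is unknown."""
    for net, country in GEO_TABLE:
        if ip.version == net.version and ip in net:
            return country
    return None


@dataclass
class Phase1:
    """Hypothetical model of the relevant 'config vpn ipsec phase1-interface' settings."""
    name: str
    type: str = "dynamic"
    ike_version: int = 2
    remote_gw_match: str = "any"
    remote_gw_subnet: Optional[str] = None      # "address netmask" or "address/prefix"
    remote_gw_start_ip: Optional[str] = None
    remote_gw_end_ip: Optional[str] = None
    remote_gw_country: Optional[str] = None


def validate(tunnels: List[Phase1]) -> None:
    """Enforce the page's precondition: address matching needs a dynamic IKEv2 tunnel."""
    for t in tunnels:
        if t.remote_gw_match != "any" and (t.type != "dynamic" or t.ike_version != 2):
            raise ValueError(f"{t.name}: remote-gw-match {t.remote_gw_match} requires "
                             "type dynamic and ike-version 2")


def tunnel_matches(t: Phase1, src) -> bool:
    """Evaluate one tunnel's remote-gw-match criterion against a source address."""
    if t.remote_gw_match == "any":
        return True
    if t.remote_gw_match == "ipmask":
        # FortiOS writes subnets as "address netmask"; ipaddress accepts "address/netmask".
        net = ipaddress.ip_network(t.remote_gw_subnet.replace(" ", "/"), strict=False)
        return src.version == net.version and src in net
    if t.remote_gw_match == "iprange":
        lo = ipaddress.ip_address(t.remote_gw_start_ip)
        hi = ipaddress.ip_address(t.remote_gw_end_ip)
        return src.version == lo.version == hi.version and lo <= src <= hi
    if t.remote_gw_match == "geography":
        return geolocate(src) == t.remote_gw_country
    raise ValueError(f"{t.name}: unknown remote-gw-match {t.remote_gw_match!r}")


def select_tunnel(tunnels: List[Phase1], src_ip: str) -> Optional[str]:
    """Return the name of the tunnel the connecting client is anchored to.

    Assumption (the page states no ordering): tunnels with a specific criterion
    are tried in configuration order before any 'any' catch-all, so a catch-all
    never shadows a subnet, range, or country match.
    """
    validate(tunnels)
    src = ipaddress.ip_address(src_ip)
    ordered = ([t for t in tunnels if t.remote_gw_match != "any"]
               + [t for t in tunnels if t.remote_gw_match == "any"])
    for t in ordered:
        if tunnel_matches(t, src):
            return t.name
    return None


# The two configurations from the page's example (step 1 and step 4).
STEP1_TUNNELS = [
    Phase1("TestMatchA", remote_gw_match="geography", remote_gw_country="US"),
    Phase1("TestMatchB", remote_gw_match="geography", remote_gw_country="CA"),
]
STEP4_TUNNELS = [
    Phase1("TestMatchA", remote_gw_match="geography", remote_gw_country="CA"),
    Phase1("TestMatchB", remote_gw_match="geography", remote_gw_country="CN"),
]

# Constructed mixed configuration exercising every matcher, IPv4 and IPv6.
MIXED_TUNNELS = [
    Phase1("CatchAll", remote_gw_match="any"),
    Phase1("BranchSubnet", remote_gw_match="ipmask", remote_gw_subnet="203.0.113.0 255.255.255.0"),
    Phase1("PartnerRange", remote_gw_match="iprange",
           remote_gw_start_ip="198.51.100.10", remote_gw_end_ip="198.51.100.20"),
    Phase1("CanadaClients", remote_gw_match="geography", remote_gw_country="CA"),
]

# Misconfiguration the page rules out: address matching on an IKEv1 tunnel.
INVALID_TUNNELS = [
    Phase1("LegacyIKEv1", ike_version=1, remote_gw_match="geography", remote_gw_country="CA"),
]

if __name__ == "__main__":
    client = "160.106.10.20"  # constructed address inside the page's 160.106.x.x block
    print("step 1:", select_tunnel(STEP1_TUNNELS, client))
    print("step 4:", select_tunnel(STEP4_TUNNELS, client))
    for ip in ("203.0.113.7", "198.51.100.15", "2001:db8:ca::1", "192.0.2.1"):
        print(ip, "->", select_tunnel(MIXED_TUNNELS, ip))
```

With the constructed GeoIP table, the step 1 configuration anchors the Canadian client to TestMatchB and the step 4 configuration anchors it to TestMatchA, mirroring the page's example; a client that matches no specific tunnel only connects when an "any" tunnel exists, and an IKEv1 tunnel with a specific matcher is rejected at validation time rather than silently ignored.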

Example

The following example uses the source IP address of the client to match the IPsec tunnel gateway based on the country parameter. The client, PC1, is behind a NAT device whose public address, 160.106.x.x, geolocates to Canada. Two IPsec tunnels, TestMatchA and TestMatchB, are configured on the phase1 interface to test remote gateway country matching. The tunnel assigned to Canada matches; the other does not.

Note

This example only includes configurations related to the remote-gw-match feature. Other configurations, such as those for the phase2 interface, are omitted for brevity.

To match a dial-up IPsec tunnel gateway based on country:
  1. On the phase1 interface, configure two IPsec tunnels on the FortiGate VPN gateway, with TestMatchA set to the United States (US) and TestMatchB set to Canada (CA):

    config vpn ipsec phase1-interface
        edit "TestMatchA"
            set type dynamic
            set ike-version 2
            set remote-gw-match geography
            set remote-gw-country "US"
        next
        edit "TestMatchB"
            set type dynamic
            set ike-version 2
            set remote-gw-match geography
            set remote-gw-country "CA"
        next
    end
  2. From PC2, initiate a dial-up VPN connection.

  3. On the FortiGate, review the gateway list.

    # diagnose vpn ike gateway list
    
    vd: root/0
    name: TestMatchB_0
    version: 2
    interface: port5 13
    addr: 173.1.1.1:500 -> 160.106.x.x:500
    tun_id: 160.106.x.x/::10.0.0.35
    remote_location: 0.0.0.0
    network-id: 0
    created: 162s ago
    peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com
    peer-id-auth: yes
    PPK: no
    IKE SA: created 1/1  established 1/1  time 10/10/10 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
    
      id/spi: 10884 54ab158a7d192cbc/ef82ff5e91d72f59
      direction: responder
      status: established 162-162s ago = 10ms
      proposal: aes128-sha256
      child: no
      SK_ei: f1d74e0f026674b1-7687368f42305b31
      SK_er: b693bc06ea670ad3-643a6562cca05617
      SK_ai: 7edea8cfc3f82ce0-9a8ac426e05205b5-b71efc76d940589c-e9725108e7309cf5
      SK_ar: da3eaa37cc171369-1261fc51d4404bc7-c38bbaa9efa1bcfe-de3c285f3eb18617
      PPK: no
      message-id sent/recv: 0/8
      lifetime/rekey: 86400/85967
      DPD sent/recv: 00000000/00000000
      peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com

    Since the client's source IP address geolocates to Canada, TestMatchB matched. Note that the match is made on the source address, not on the peer identity: the peer-id certificate subject shows C = US, yet the Canada tunnel was selected.

  4. Change the country assignments of the two IPsec tunnels so that TestMatchA is set to Canada (CA) and TestMatchB is set to China (CN):

    config vpn ipsec phase1-interface
        edit "TestMatchA"
            set type dynamic
            set ike-version 2
            set remote-gw-match geography
            set remote-gw-country "CA"
        next
        edit "TestMatchB"
            set type dynamic
            set ike-version 2
            set remote-gw-match geography
            set remote-gw-country "CN"
        next
    end
  5. From PC2, initiate a dial-up VPN connection.

  6. On the FortiGate, review the gateway list again.

    # diagnose vpn ike gateway list
    
    vd: root/0
    name: TestMatchA_0
    version: 2
    interface: port5 13
    addr: 173.1.1.1:500 -> 160.106.x.x:500
    tun_id: 160.106.x.x/::10.0.0.37
    remote_location: 0.0.0.0
    network-id: 0
    created: 1856s ago
    peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com
    peer-id-auth: yes
    PPK: no
    IKE SA: created 1/1  established 1/1  time 0/0/0 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
    
      id/spi: 10886 fec7cd972847a2ac/0c1ee0b54ddc155e
      direction: responder
      status: established 1856-1856s ago = 0ms
      proposal: aes128-sha256
      child: no
      SK_ei: 7e8c8d05a6a9adab-bfcf9ff2705e8965
      SK_er: bdd6ee61fc38cd81-202b5f142cefa5ce
      SK_ai: 30f905722136bbce-0c96d365dd52957c-3d05b83efd026140-831fbc76fc677456
      SK_ar: 4363f29c44d49f30-7d798777766efb09-aca39e8a8ca0e6d7-5b83c113e46b339d
      PPK: no
      message-id sent/recv: 0/89
      lifetime/rekey: 86400/84273
      DPD sent/recv: 00000000/00000000
      peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com

    Since the client's source IP address still geolocates to Canada, TestMatchA, now assigned to CA, matched.
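Steps 3 and 6 verify the match by reading the gateway list by eye. The following added Python parser (not Fortinet code) turns that `diagnose vpn ike gateway list` output into records so the check can be scripted: it reads the top-level `key: value` lines of each gateway, groups the more indented lines into IKE SA records starting at `id/spi`, extracts the peer address from the `addr` line, and strips the `_<n>` instance suffix (the page's output shows TestMatchB_0 and TestMatchA_0) to recover the phase1 name. The SAMPLE_OUTPUT is constructed to mirror the page's layout: the peer addresses, the second record's SPI values, and the certificate serial are placeholders, and the SK_* session-key lines are left out.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the page's output; two dial-up instances,
# placeholder addresses and serial, SK_* lines omitted on purpose.
SAMPLE_OUTPUT = """\
vd: root/0
name: TestMatchB_0
version: 2
interface: port5 13
addr: 173.1.1.1:500 -> 160.106.0.20:500
tun_id: 160.106.0.20/::10.0.0.35
remote_location: 0.0.0.0
network-id: 0
created: 162s ago
peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FGT-SERIAL-PLACEHOLDER, emailAddress = support@fortinet.com
peer-id-auth: yes
PPK: no
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 10884 54ab158a7d192cbc/ef82ff5e91d72f59
  direction: responder
  status: established 162-162s ago = 10ms
  proposal: aes128-sha256
  child: no
  PPK: no
  message-id sent/recv: 0/8
  lifetime/rekey: 86400/85967
  DPD sent/recv: 00000000/00000000

vd: root/0
name: TestMatchA_0
version: 2
interface: port5 13
addr: 173.1.1.1:500 -> 203.0.113.45:4500
tun_id: 203.0.113.45/::10.0.0.36
created: 40s ago
peer-id-auth: yes
IKE SA: created 1/1  established 1/1  time 0/0/0 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 10885 0123456789abcdef/fedcba9876543210
  direction: responder
  status: established 40-40s ago = 0ms
  proposal: aes128-sha256
"""


def parse_gateway_list(text: str) -> List[Dict]:
    """Split the output into gateway records.

    A record begins at a 'vd:' line; lines at the same indentation are gateway
    fields, deeper-indented lines belong to the IKE SA that started at 'id/spi'.
    """
    gateways: List[Dict] = []
    current: Optional[Dict] = None
    gw_indent = 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        key, sep, value = raw.strip().partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "vd":
            current = {"vd": value, "ike_sas": []}
            gateways.append(current)
            gw_indent = indent
        elif current is None:
            continue
        elif indent <= gw_indent:
            current[key] = value
        else:
            if key == "id/spi":
                current["ike_sas"].append({})
            if current["ike_sas"]:
                current["ike_sas"][-1][key] = value
    return gateways


def peer_address(gw: Dict) -> Optional[str]:
    """Extract the remote peer IP from 'addr: local:port -> remote:port'."""
    m = re.match(r"(\S+):(\d+)\s*->\s*(\S+):(\d+)$", gw.get("addr", ""))
    return m.group(3) if m else None


def phase1_name(gw: Dict) -> str:
    """Dial-up instances are listed as <phase1>_<n>; return the phase1 name."""
    return re.sub(r"_\d+$", "", gw.get("name", ""))


def tunnel_for_peer(gateways: List[Dict], peer_ip: str) -> Optional[str]:
    """Name of the phase1 tunnel a given peer address is anchored to, if any."""
    for gw in gateways:
        if peer_address(gw) == peer_ip:
            return phase1_name(gw)
    return None


def verify_match(text: str, peer_ip: str, expected: str) -> bool:
    """The check behind steps 3 and 6: did the peer land on the expected tunnel?"""
    return tunnel_for_peer(parse_gateway_list(text), peer_ip) == expected


if __name__ == "__main__":
    for gw in parse_gateway_list(SAMPLE_OUTPUT):
        print(phase1_name(gw), peer_address(gw), gw.get("created"), len(gw["ike_sas"]), "IKE SA(s)")
    print("step 3 check:", verify_match(SAMPLE_OUTPUT, "160.106.0.20", "TestMatchB"))
```

Because the parser keys off indentation relative to the `vd:` line, it works both on output pasted with the four-space indent shown on this page and on raw CLI output; a peer that is absent from the list yields None rather than a false pass, which is the case to watch for after changing remote-gw-country, since an existing SA is not re-evaluated until the client reconnects.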
