Fortinet black logo

AliCloud Administration Guide

Connecting a local FortiGate to an AliCloud FortiGate via site-to-site VPN

Copy Link
Copy Doc ID 03f7daea-90b5-11eb-b70b-00505692583a:456805
Download PDF

Connecting a local FortiGate to an AliCloud FortiGate via site-to-site VPN

This guide provides sample configuration of a site-to-site VPN connection from a local FortiGate to an AliCloud FortiGate via site-to-site IPsec VPN with static routing. The following depicts the network topology for this sample deployment:

The following prerequisites must be met for this configuration:

  • A FortiGate located on AliCloud with port1 connected to local LAN and a public IP address mapped to port1.
  • A local FortiGate in a local environment. Determine if your FortiGate has a publicly accessible IP address or if it is behind NAT. In this example, the on-premise FortiGate is behind NAT.

This guide consists of the following steps:

  1. Configure the local FortiGate.
  2. Configure the AliCloud FortiGate.
  3. Establish a VPN connection between the local and AliCloud FortiGates.
  4. Run diagnose commands.

Configuring the local FortiGate

To configure the local FortiGate using the GUI:
  1. Configure the interfaces:
    1. In FortiOS, go to Network > Interfaces.
    2. Edit port1. From the Role dropdown list, select WAN. In the IP/Network Mask field, enter 10.6.30.194/255.255.255.0 for the interface that is connected to the Internet.
    3. Edit port4. From the Role dropdown list, select LAN. In the IP/Network Mask field, enter 192.168.4.194/255.255.255.0 for the interface that is connected to the local subnet.
  2. Configure a static route to connect to the Internet:
    1. Go to Network > Static Routes.
    2. Click Create New.
    3. In the Destination field, enter 0.0.0.0/0.0.0.0.
    4. From the Interface dropdown list, select port1.
    5. In the Gateway Address field, enter 10.6.30.254.
  3. Configure IPsec VPN:
    1. Go to VPN > IPsec Wizard.
    2. Configure VPN Setup:
      1. In the Name field, enter the desired name.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select This site is behind NAT. Click Next. For non-dialup situations where the local FortiGate has an external IP address, select No NAT between sites.
    3. Configure Authentication:
      1. For Remote Device, select IP Address.
      2. In the IP Address field, enter 47.254.43.106. This is the AliCloud FortiGate port1 public IP address.
      3. From the Outgoing Interface dropdown list, select port1.
      4. For Authentication Method, select Pre-shared Key.
      5. In the Pre-shared Key field, enter 123456. Click Next.
    4. Configure Policy & Routing:
      1. From the Local Interface dropdown list, select port4. This autofills the Local Subnets field with 192.168.4.0/24.
      2. In the Remote Subnets field, enter 192.168.4.0/24. This is the AliCloud FortiGate port1 subnet.
      3. For Internet Access, select None. Click Create.
To configure the local FortiGate using the CLI:
  1. Configure the interfaces:

    config system interface edit "port1" set vdom "root" set ip 10.6.30.194 255.255.255.0 set allowaccess ping https ssh http fgfm set type physical set role wan set snmp-index 1 next edit "port4 set vdom "root" set ip 192.168.4.194 255.255.255.0 set allowaccess ping https ssh snmp fgfm ftm set type physical set device-identification enable set lldp-transmission enable set role lan set snmp-index 4 next end

  2. Configure a static route to connect to the Internet:

    config router static edit 1 set gateway 10.6.30.254 set device "port1" next end

  3. Configure IPsec VPN:

    config vpn ipsec phase1-interface edit "to_ali" set interface "port1" set peertype any set net-device enable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set comments "VPN: to_ali (Created by VPN wizard)" set wizard-type static-fortigate set remote-gw 47.254.43.106 set psksecret xxxxxx next end config vpn ipsec phase2-interface edit "to_ali" set phase1name "to_ali" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 set comments "VPN: to_ali (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set src-name "to_ali_local" set dst-name "to_ali_remote" next end config router static edit 2 set device "to_ali" set comment "VPN: to_ali (Created by VPN wizard)" set dstaddr "to_ali_remote" next edit 3 set distance 254 set comment "VPN: to_ali (Created by VPN wizard)" set blackhole enable set dstaddr "to_ali_remote" next end config firewall policy edit 1 set name "vpn_to_ali_local" set uuid c6b2d36e-6c65-51e9-5a78-9a0881a0b07c set srcintf "port4" set dstintf "to_ali" set srcaddr "to_ali_local" set dstaddr "to_ali_remote" set action accept set schedule "always" set service "ALL" set comments "VPN: to_ali (Created by VPN wizard)" next edit 2 set name "vpn_to_ali_remote" set uuid c6bf126e-6c65-51e9-8652-cb88546929b4 set srcintf "to_ali" set dstintf "port4" set srcaddr "to_ali_remote" set dstaddr "to_ali_local" set action accept set schedule "always" set service "ALL" set comments "VPN: to_ali (Created by VPN wizard)" next end

Configuring the AliCloud FortiGate

To configure the AliCloud FortiGate using the GUI:
  1. Configure the interface:
    1. In FortiOS, go to Network > Interfaces.
    2. Edit port1.
    3. From the Role dropdown list, select LAN.
    4. Ensure that Addressing mode is set to DHCP and that the FortiGate can list the assigned IP address.
  2. Configure IPsec VPN:
    1. Go to VPN > IPsec Wizard.
    2. Configure VPN Setup:
      1. In the Name field, enter the desired name.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select The remote site is behind NAT. Click Next.
    3. Configure Authentication:
      1. From the Incoming Interface dropdown list, select port1.
      2. For Authentication Method, select Pre-shared Key.
      3. In the Pre-shared Key field, enter 123456. Click Next.
    4. Configure Policy & Routing:
      1. From the Local Interface dropdown list, select port1. This autofills the Local Subnets field with 192.168.4.0/24.
      2. In the Remote Subnets field, enter 192.168.4.0/24. This is the local FortiGate port4 subnet.
      3. For Internet Access, select None. Click Create.
To configure the AliCloud FortiGate using the CLI:
  1. Configure the interface and ensure that the FortiGate can list the assigned IP address:

    config system interface edit "port1" set vdom "root" set mode dhcp set allowaccess ping https ssh fgfm set type physical set device-identification enable set lldp-transmission enable set role lan set snmp-index 1 next end

    diagnose ip address list IP=192.168.0.177->192.168.0.177/255.255.255.0 index=3 devname=port1

  2. Configure IPsec VPN:

    config vpn ipsec phase1-interface edit "to_local" set type dynamic set interface "port1" set peertype any set net-device enable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set comments "VPN: to_local (Created by VPN wizard)" set wizard-type dialup-fortigate set psksecret xxxxxx set dpd-retryinterval 60 next end config vpn ipsec phase2-interface edit "to_local" set phase1name "to_local" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 set comments "VPN: to_local (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set src-name "to_local_local" set dst-name "to_local_remote" next end config firewall policy edit 1 set name "vpn_to_local_local" set uuid e07aaa72-833c-51e9-ad33-4c1e96b656da set srcintf "port1" set dstintf "to_local" set srcaddr "to_local_local" set dstaddr "to_local_remote" set action accept set schedule "always" set service "ALL" set comments "VPN: to_local (Created by VPN wizard)" next edit 2 set name "vpn_to_local_remote" set uuid e086b2b8-833c-51e9-3aaf-49e3cd4c5c70 set srcintf "to_local" set dstintf "port1" set srcaddr "to_local_remote" set dstaddr "to_local_local" set action accept set schedule "always" set service "ALL" set comments "VPN: to_local (Created by VPN wizard)" next end

To establish the VPN connection between the FortiGates:

The tunnel is down until you initiate connection from the local FortiGate.

  1. In FortiOS on the local FortiGate, go to Monitor > IPsec Monitor.
  2. Click the created tunnel.
  3. Click Bring Up. The tunnel is up.

  4. In FortiOS on the AliCloud FortiGate, go to Monitor > IPsec Monitor to verify that the tunnel is up.

To run diagnose commands:
  1. Show the local FortiGate VPN status:

    FGT-194-Level1 # diagnose vpn ike gateway list vd: root/0 name: to_ali version: 1 interface: port1 3 addr: 10.6.30.194:4500 -> 47.254.43.106:4500 created: 4057s ago nat: me peer IKE SA: created 1/1 established 1/1 time 21180/21180/21180 ms IPsec SA: created 1/3 established 1/3 time 20/26/30 ms id/spi: 2 fd018d163ea303aa/9d7a245f889ee6c4 direction: initiator status: established 4057-4036s ago = 21180ms proposal: aes128-sha256 key: c7bab4dd8883b727-3b249220088216f8 lifetime/rekey: 86400/82063 DPD sent/recv: 00000000/00000009 FGT-194-Level1 # diagnose vpn tunnel list list all ipsec tunnel in vd 0 ------------------------------------------------------ name=to_ali ver=1 serial=1 10.6.30.194:4500->47.254.43.106:4500 dst_mtu=1500 bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0 stat: rxp=3382 txp=3404 rxb=432896 txb=204240 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=keepalive draft=32 interval=10 remote_port=4500 proxyid=to_ali proto=0 sa=1 ref=2 serial=3 src: 0:192.168.4.0/255.255.255.0:0 dst: 0:192.168.0.0/255.255.255.0:0 SA: ref=3 options=10226 type=00 soft=0 mtu=1422 expire=39471/0B replaywin=2048 seqno=d14 esn=0 replaywin_lastseq=00000d0d itn=0 qat=0 life: type=01 bytes=0/0 timeout=42903/43200 dec: spi=8427ce41 esp=aes key=16 961323608ef02c111ce4cc393cd79293 ah=sha1 key=20 9cffabaa0163df6a92e1917efa333148b58ff9da enc: spi=e2723047 esp=aes key=16 f93b233906039c179924923a4f09ebae ah=sha1 key=20 c2c6225e26927de6381bf44c6ccd6d0a325e2e27 dec:pkts/bytes=3325/199500, enc:pkts/bytes=3347/428416

  2. Show the AliCloud FortiGate VPN status:

    FGT-ALIONDEMAND # diagnose vpn ike gateway list vd: root/0 name: to_local_0 version: 1 interface: port1 3 addr: 192.168.0.177:4500 -> 208.91.114.1:64916 created: 4103s ago nat: me peer IKE SA: created 1/1 established 1/1 time 120/120/120 ms IPsec SA: created 1/3 established 1/3 time 20/26/30 ms id/spi: 0 fd018d163ea303aa/9d7a245f889ee6c4 direction: responder status: established 4103-4103s ago = 120ms proposal: aes128-sha256 key: c7bab4dd8883b727-3b249220088216f8 lifetime/rekey: 86400/82026 DPD sent/recv: 00000009/00000000 FGT-ALIONDEMAND # diagnose vpn tunnel list list all ipsec tunnel in vd 0 ------------------------------------------------------ name=to_local ver=1 serial=1 192.168.0.177:0->0.0.0.0:0 dst_mtu=0 bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 proxyid_num=0 child_num=1 refcnt=11 ilast=4118 olast=4118 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 ------------------------------------------------------ name=to_local_0 ver=1 serial=2 192.168.0.177:4500->208.91.114.1:64916 dst_mtu=1500 bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/976 options[03d0]=create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1 parent=to_local index=0 proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0 stat: rxp=3459 txp=3459 rxb=442752 txb=207540 dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=9 natt: mode=keepalive draft=32 interval=10 remote_port=64916 proxyid=to_local proto=0 sa=1 ref=2 serial=3 add-route src: 0:192.168.0.0/255.255.255.0:0 dst: 0:192.168.4.0/255.255.255.0:0 SA: ref=3 options=282 type=00 soft=0 mtu=1422 expire=39694/0B replaywin=2048 seqno=d4b esn=0 replaywin_lastseq=00000d52 itn=0 qat=0 life: type=01 bytes=0/0 timeout=43187/43200 dec: spi=e2723047 esp=aes key=16 f93b233906039c179924923a4f09ebae ah=sha1 key=20 c2c6225e26927de6381bf44c6ccd6d0a325e2e27 enc: spi=8427ce41 esp=aes key=16 961323608ef02c111ce4cc393cd79293 ah=sha1 key=20 9cffabaa0163df6a92e1917efa333148b58ff9da dec:pkts/bytes=3402/204120, enc:pkts/bytes=3402/435456

Connecting a local FortiGate to an AliCloud FortiGate via site-to-site VPN

This guide provides sample configuration of a site-to-site VPN connection from a local FortiGate to an AliCloud FortiGate via site-to-site IPsec VPN with static routing. The following depicts the network topology for this sample deployment:

The following prerequisites must be met for this configuration:

  • A FortiGate located on AliCloud with port1 connected to local LAN and a public IP address mapped to port1.
  • A local FortiGate in a local environment. Determine if your FortiGate has a publicly accessible IP address or if it is behind NAT. In this example, the on-premise FortiGate is behind NAT.

This guide consists of the following steps:

  1. Configure the local FortiGate.
  2. Configure the AliCloud FortiGate.
  3. Establish a VPN connection between the local and AliCloud FortiGates.
  4. Run diagnose commands.

Configuring the local FortiGate

To configure the local FortiGate using the GUI:
  1. Configure the interfaces:
    1. In FortiOS, go to Network > Interfaces.
    2. Edit port1. From the Role dropdown list, select WAN. In the IP/Network Mask field, enter 10.6.30.194/255.255.255.0 for the interface that is connected to the Internet.
    3. Edit port4. From the Role dropdown list, select LAN. In the IP/Network Mask field, enter 192.168.4.194/255.255.255.0 for the interface that is connected to the local subnet.
  2. Configure a static route to connect to the Internet:
    1. Go to Network > Static Routes.
    2. Click Create New.
    3. In the Destination field, enter 0.0.0.0/0.0.0.0.
    4. From the Interface dropdown list, select port1.
    5. In the Gateway Address field, enter 10.6.30.254.
  3. Configure IPsec VPN:
    1. Go to VPN > IPsec Wizard.
    2. Configure VPN Setup:
      1. In the Name field, enter the desired name.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select This site is behind NAT. Click Next. For non-dialup situations where the local FortiGate has an external IP address, select No NAT between sites.
    3. Configure Authentication:
      1. For Remote Device, select IP Address.
      2. In the IP Address field, enter 47.254.43.106. This is the AliCloud FortiGate port1 public IP address.
      3. From the Outgoing Interface dropdown list, select port1.
      4. For Authentication Method, select Pre-shared Key.
      5. In the Pre-shared Key field, enter 123456. Click Next.
    4. Configure Policy & Routing:
      1. From the Local Interface dropdown list, select port4. This autofills the Local Subnets field with 192.168.4.0/24.
      2. In the Remote Subnets field, enter 192.168.4.0/24. This is the AliCloud FortiGate port1 subnet.
      3. For Internet Access, select None. Click Create.
To configure the local FortiGate using the CLI:
  1. Configure the interfaces:

    config system interface edit "port1" set vdom "root" set ip 10.6.30.194 255.255.255.0 set allowaccess ping https ssh http fgfm set type physical set role wan set snmp-index 1 next edit "port4 set vdom "root" set ip 192.168.4.194 255.255.255.0 set allowaccess ping https ssh snmp fgfm ftm set type physical set device-identification enable set lldp-transmission enable set role lan set snmp-index 4 next end

  2. Configure a static route to connect to the Internet:

    config router static edit 1 set gateway 10.6.30.254 set device "port1" next end

  3. Configure IPsec VPN:

    config vpn ipsec phase1-interface edit "to_ali" set interface "port1" set peertype any set net-device enable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set comments "VPN: to_ali (Created by VPN wizard)" set wizard-type static-fortigate set remote-gw 47.254.43.106 set psksecret xxxxxx next end config vpn ipsec phase2-interface edit "to_ali" set phase1name "to_ali" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 set comments "VPN: to_ali (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set src-name "to_ali_local" set dst-name "to_ali_remote" next end config router static edit 2 set device "to_ali" set comment "VPN: to_ali (Created by VPN wizard)" set dstaddr "to_ali_remote" next edit 3 set distance 254 set comment "VPN: to_ali (Created by VPN wizard)" set blackhole enable set dstaddr "to_ali_remote" next end config firewall policy edit 1 set name "vpn_to_ali_local" set uuid c6b2d36e-6c65-51e9-5a78-9a0881a0b07c set srcintf "port4" set dstintf "to_ali" set srcaddr "to_ali_local" set dstaddr "to_ali_remote" set action accept set schedule "always" set service "ALL" set comments "VPN: to_ali (Created by VPN wizard)" next edit 2 set name "vpn_to_ali_remote" set uuid c6bf126e-6c65-51e9-8652-cb88546929b4 set srcintf "to_ali" set dstintf "port4" set srcaddr "to_ali_remote" set dstaddr "to_ali_local" set action accept set schedule "always" set service "ALL" set comments "VPN: to_ali (Created by VPN wizard)" next end

Configuring the AliCloud FortiGate

To configure the AliCloud FortiGate using the GUI:
  1. Configure the interface:
    1. In FortiOS, go to Network > Interfaces.
    2. Edit port1.
    3. From the Role dropdown list, select LAN.
    4. Ensure that Addressing mode is set to DHCP and that the FortiGate can list the assigned IP address.
  2. Configure IPsec VPN:
    1. Go to VPN > IPsec Wizard.
    2. Configure VPN Setup:
      1. In the Name field, enter the desired name.
      2. For Template Type, select Site to Site.
      3. For Remote Device Type, select FortiGate.
      4. For NAT Configuration, select The remote site is behind NAT. Click Next.
    3. Configure Authentication:
      1. From the Incoming Interface dropdown list, select port1.
      2. For Authentication Method, select Pre-shared Key.
      3. In the Pre-shared Key field, enter 123456. Click Next.
    4. Configure Policy & Routing:
      1. From the Local Interface dropdown list, select port1. This autofills the Local Subnets field with 192.168.4.0/24.
      2. In the Remote Subnets field, enter 192.168.4.0/24. This is the local FortiGate port4 subnet.
      3. For Internet Access, select None. Click Create.
To configure the AliCloud FortiGate using the CLI:
  1. Configure the interface and ensure that the FortiGate can list the assigned IP address:

    config system interface edit "port1" set vdom "root" set mode dhcp set allowaccess ping https ssh fgfm set type physical set device-identification enable set lldp-transmission enable set role lan set snmp-index 1 next end

    diagnose ip address list IP=192.168.0.177->192.168.0.177/255.255.255.0 index=3 devname=port1

  2. Configure IPsec VPN:

    config vpn ipsec phase1-interface edit "to_local" set type dynamic set interface "port1" set peertype any set net-device enable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set dpd on-idle set comments "VPN: to_local (Created by VPN wizard)" set wizard-type dialup-fortigate set psksecret xxxxxx set dpd-retryinterval 60 next end config vpn ipsec phase2-interface edit "to_local" set phase1name "to_local" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 set comments "VPN: to_local (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set src-name "to_local_local" set dst-name "to_local_remote" next end config firewall policy edit 1 set name "vpn_to_local_local" set uuid e07aaa72-833c-51e9-ad33-4c1e96b656da set srcintf "port1" set dstintf "to_local" set srcaddr "to_local_local" set dstaddr "to_local_remote" set action accept set schedule "always" set service "ALL" set comments "VPN: to_local (Created by VPN wizard)" next edit 2 set name "vpn_to_local_remote" set uuid e086b2b8-833c-51e9-3aaf-49e3cd4c5c70 set srcintf "to_local" set dstintf "port1" set srcaddr "to_local_remote" set dstaddr "to_local_local" set action accept set schedule "always" set service "ALL" set comments "VPN: to_local (Created by VPN wizard)" next end

To establish the VPN connection between the FortiGates:

The tunnel is down until you initiate connection from the local FortiGate.

  1. In FortiOS on the local FortiGate, go to Monitor > IPsec Monitor.
  2. Click the created tunnel.
  3. Click Bring Up. The tunnel is up.

  4. In FortiOS on the AliCloud FortiGate, go to Monitor > IPsec Monitor to verify that the tunnel is up.

To run diagnose commands:
  1. Show the local FortiGate VPN status:

    FGT-194-Level1 # diagnose vpn ike gateway list vd: root/0 name: to_ali version: 1 interface: port1 3 addr: 10.6.30.194:4500 -> 47.254.43.106:4500 created: 4057s ago nat: me peer IKE SA: created 1/1 established 1/1 time 21180/21180/21180 ms IPsec SA: created 1/3 established 1/3 time 20/26/30 ms id/spi: 2 fd018d163ea303aa/9d7a245f889ee6c4 direction: initiator status: established 4057-4036s ago = 21180ms proposal: aes128-sha256 key: c7bab4dd8883b727-3b249220088216f8 lifetime/rekey: 86400/82063 DPD sent/recv: 00000000/00000009 FGT-194-Level1 # diagnose vpn tunnel list list all ipsec tunnel in vd 0 ------------------------------------------------------ name=to_ali ver=1 serial=1 10.6.30.194:4500->47.254.43.106:4500 dst_mtu=1500 bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0 stat: rxp=3382 txp=3404 rxb=432896 txb=204240 dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0 natt: mode=keepalive draft=32 interval=10 remote_port=4500 proxyid=to_ali proto=0 sa=1 ref=2 serial=3 src: 0:192.168.4.0/255.255.255.0:0 dst: 0:192.168.0.0/255.255.255.0:0 SA: ref=3 options=10226 type=00 soft=0 mtu=1422 expire=39471/0B replaywin=2048 seqno=d14 esn=0 replaywin_lastseq=00000d0d itn=0 qat=0 life: type=01 bytes=0/0 timeout=42903/43200 dec: spi=8427ce41 esp=aes key=16 961323608ef02c111ce4cc393cd79293 ah=sha1 key=20 9cffabaa0163df6a92e1917efa333148b58ff9da enc: spi=e2723047 esp=aes key=16 f93b233906039c179924923a4f09ebae ah=sha1 key=20 c2c6225e26927de6381bf44c6ccd6d0a325e2e27 dec:pkts/bytes=3325/199500, enc:pkts/bytes=3347/428416

  2. Show the AliCloud FortiGate VPN status:

    FGT-ALIONDEMAND # diagnose vpn ike gateway list vd: root/0 name: to_local_0 version: 1 interface: port1 3 addr: 192.168.0.177:4500 -> 208.91.114.1:64916 created: 4103s ago nat: me peer IKE SA: created 1/1 established 1/1 time 120/120/120 ms IPsec SA: created 1/3 established 1/3 time 20/26/30 ms id/spi: 0 fd018d163ea303aa/9d7a245f889ee6c4 direction: responder status: established 4103-4103s ago = 120ms proposal: aes128-sha256 key: c7bab4dd8883b727-3b249220088216f8 lifetime/rekey: 86400/82026 DPD sent/recv: 00000009/00000000 FGT-ALIONDEMAND # diagnose vpn tunnel list list all ipsec tunnel in vd 0 ------------------------------------------------------ name=to_local ver=1 serial=1 192.168.0.177:0->0.0.0.0:0 dst_mtu=0 bound_if=3 lgwy=static/1 tun=intf/0 mode=dialup/2 encap=none/528 options[0210]=create_dev frag-rfc accept_traffic=1 proxyid_num=0 child_num=1 refcnt=11 ilast=4118 olast=4118 ad=/0 stat: rxp=0 txp=0 rxb=0 txb=0 dpd: mode=on-idle on=0 idle=60000ms retry=3 count=0 seqno=0 natt: mode=none draft=0 interval=0 remote_port=0 ------------------------------------------------------ name=to_local_0 ver=1 serial=2 192.168.0.177:4500->208.91.114.1:64916 dst_mtu=1500 bound_if=3 lgwy=static/1 tun=intf/0 mode=dial_inst/3 encap=none/976 options[03d0]=create_dev no-sysctl rgwy-chg rport-chg frag-rfc accept_traffic=1 parent=to_local index=0 proxyid_num=1 child_num=0 refcnt=14 ilast=0 olast=0 ad=/0 stat: rxp=3459 txp=3459 rxb=442752 txb=207540 dpd: mode=on-idle on=1 idle=60000ms retry=3 count=0 seqno=9 natt: mode=keepalive draft=32 interval=10 remote_port=64916 proxyid=to_local proto=0 sa=1 ref=2 serial=3 add-route src: 0:192.168.0.0/255.255.255.0:0 dst: 0:192.168.4.0/255.255.255.0:0 SA: ref=3 options=282 type=00 soft=0 mtu=1422 expire=39694/0B replaywin=2048 seqno=d4b esn=0 replaywin_lastseq=00000d52 itn=0 qat=0 life: type=01 bytes=0/0 timeout=43187/43200 dec: spi=e2723047 esp=aes key=16 f93b233906039c179924923a4f09ebae ah=sha1 key=20 c2c6225e26927de6381bf44c6ccd6d0a325e2e27 enc: spi=8427ce41 esp=aes key=16 961323608ef02c111ce4cc393cd79293 ah=sha1 key=20 9cffabaa0163df6a92e1917efa333148b58ff9da dec:pkts/bytes=3402/204120, enc:pkts/bytes=3402/435456