Matching IPsec tunnel gateway based on address parameters 7.2.8

Note

This information is also available in the FortiOS 7.2 Administration Guide.

FortiOS can select which dialup (type dynamic) IPsec phase1 interface an incoming IKE connection lands on based on the remote gateway's IPv4 or IPv6 address: any address, a subnet, an address range, or the GeoIP country the address is assigned to. This is tunnel selection, not authentication: the peer is still authenticated by the phase1's configured method (certificate or pre-shared key) after the match.

config vpn ipsec phase1-interface
    edit <name>
        set type dynamic
        set ike-version 2
        set remote-gw-match {any | ipmask | iprange | geography}
    next
end
any        Match any gateway address.
ipmask     Match a gateway IP subnet. Define the subnet with remote-gw-subnet.
iprange    Match a gateway IP address range. Define the range with remote-gw-start-ip and remote-gw-end-ip.
geography  Match a gateway IP address that is geolocated to a specified country. Define the country with remote-gw-country.
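The four match modes, evaluated offline as an added example in Python (not Fortinet code): the script parses a phase1-interface block like the one above, lints each entry for the parameter its remote-gw-match mode requires, and lists every entry that would accept a given remote gateway address. GEOIP is a constructed stand-in for the FortiGuard GeoIP database; the BranchSubnet, PartnerRange and CatchAll entries, the sample addresses and the "address mask" form of remote-gw-subnet are assumptions, not taken from this page.

```python
"""Offline check of FortiOS remote-gw-match (added example, not Fortinet code).
GEOIP is a constructed stand-in for FortiGuard's database; the BranchSubnet, PartnerRange
and CatchAll entries and the "address mask" form of remote-gw-subnet are assumptions."""
import ipaddress
import shlex

SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "TestMatchA"
        set type dynamic
        set remote-gw-match geography
        set remote-gw-country "US"
    next
    edit "TestMatchB"
        set type dynamic
        set remote-gw-match geography
        set remote-gw-country "CA"
    next
    edit "BranchSubnet"
        set type dynamic
        set remote-gw-match ipmask
        set remote-gw-subnet 198.51.100.0 255.255.255.0
    next
    edit "PartnerRange"
        set type dynamic
        set remote-gw-match iprange
        set remote-gw-start-ip 203.0.113.10
        set remote-gw-end-ip 203.0.113.20
    next
    edit "CatchAll"
        set type dynamic
        set remote-gw-match any
    next
end
"""

GEOIP = {ipaddress.ip_network("160.106.0.0/16"): "CA",   # constructed, not real GeoIP data
         ipaddress.ip_network("198.51.100.0/24"): "US"}

# Parameter(s) each remote-gw-match mode needs, per the CLI syntax above.
REQUIRED = {"any": (), "ipmask": ("remote-gw-subnet",),
            "iprange": ("remote-gw-start-ip", "remote-gw-end-ip"),
            "geography": ("remote-gw-country",)}


def parse_phase1(text):
    """Return {tunnel name: {setting: value}} from a phase1-interface block."""
    entries, current = {}, None
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if tokens and tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            entries[current] = {}
        elif tokens and tokens[0] == "set" and current is not None and len(tokens) > 2:
            entries[current][tokens[1]] = " ".join(tokens[2:])   # value may be "ip mask"
        elif tokens and tokens[0] == "next":
            current = None
    return entries


def lint(entries):
    """Flag entries whose mode lacks its parameter or that are not dialup tunnels."""
    problems = []
    for name, e in entries.items():
        mode = e.get("remote-gw-match", "any")
        if mode not in REQUIRED:
            problems.append(f"{name}: unknown remote-gw-match {mode!r}")
            continue
        if e.get("type") != "dynamic":
            problems.append(f"{name}: remote-gw-match is for dialup tunnels (set type dynamic)")
        problems += [f"{name}: remote-gw-match {mode} needs {k}" for k in REQUIRED[mode] if k not in e]
    return problems


def geoip_country(ip):
    return next((cc for net, cc in GEOIP.items() if ip in net), None)


def entry_accepts(e, ip):
    """True if this entry's remote-gw-match would accept the remote gateway address."""
    mode = e.get("remote-gw-match", "any")
    if mode == "any":
        return True
    if mode == "ipmask":   # accepts "a.b.c.d m.m.m.m" or "a.b.c.d/n"
        return ip in ipaddress.ip_network("/".join(e["remote-gw-subnet"].split()), strict=False)
    if mode == "iprange":
        lo, hi = (ipaddress.ip_address(e[k]) for k in REQUIRED["iprange"])
        return lo.version == ip.version and lo <= ip <= hi
    if mode == "geography":   # keyed on the source address's GeoIP country, not the peer ID
        return geoip_country(ip) == e["remote-gw-country"].upper()
    return False


def candidate_tunnels(entries, remote_ip):
    """Every entry that accepts remote_ip, in config order; more than one name means the
    config is ambiguous, since no precedence between overlapping matches is documented."""
    ip = ipaddress.ip_address(remote_ip)
    return [name for name, e in entries.items() if entry_accepts(e, ip)]
```

A result with more than one name is worth flagging: the page documents no precedence between overlapping definitions, so overlapping ipmask, iprange and geography entries (or an any entry alongside them) make the selected tunnel depend on ordering that is not documented here. Run lint() on a real config export before relying on the match.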

Example

The following example matches the IPsec tunnel gateway based on the country parameter. The client (dialup peer) address, 160.106.x.x, is geolocated to Canada. Two phase1 interfaces, TestMatchA and TestMatchB, are configured on FGT_B to test remote gateway country matching: the one whose remote-gw-country is CA matches the client, and the other does not.

Note

This example only includes configurations related to the remote-gw-match feature. Other configurations, such as those for the phase2 interface, are omitted for brevity.

To match a dialup IPsec tunnel gateway based on country:
  1. On the phase1 interface, configure two IPsec tunnels on FGT_B, with TestMatchA set to the United States (US) and TestMatchB set to Canada (CA):

    config vpn ipsec phase1-interface
        edit "TestMatchA"
            set type dynamic
            set ike-version 2
            set remote-gw-match geography
            set remote-gw-country "US"
        next
        edit "TestMatchB"
            set type dynamic
            set ike-version 2
            set remote-gw-match geography
            set remote-gw-country "CA"
        next
    end
  2. Review the gateway list.

    # diagnose vpn ike gateway list
    
    vd: root/0
    name: TestMatchB_0
    version: 2
    interface: port5 13
    addr: 173.1.1.1:500 -> 160.106.x.x:500
    tun_id: 160.106.x.x/::10.0.0.35
    remote_location: 0.0.0.0
    network-id: 0
    created: 162s ago
    peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com
    peer-id-auth: yes
    PPK: no
    IKE SA: created 1/1  established 1/1  time 10/10/10 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
    
      id/spi: 10884 54ab158a7d192cbc/ef82ff5e91d72f59
      direction: responder
      status: established 162-162s ago = 10ms
      proposal: aes128-sha256
      child: no
      SK_ei: f1d74e0f026674b1-7687368f42305b31
      SK_er: b693bc06ea670ad3-643a6562cca05617
      SK_ai: 7edea8cfc3f82ce0-9a8ac426e05205b5-b71efc76d940589c-e9725108e7309cf5
      SK_ar: da3eaa37cc171369-1261fc51d4404bc7-c38bbaa9efa1bcfe-de3c285f3eb18617
      PPK: no
      message-id sent/recv: 0/8
      lifetime/rekey: 86400/85967
      DPD sent/recv: 00000000/00000000
      peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com

    Because the client address is geolocated to Canada, the connection landed on TestMatchB (gateway TestMatchB_0). Note that the match is made on the source address, not on the peer identity: the peer-id shown is a certificate with C = US, yet the tunnel set to CA was selected.

  3. Change the country assignments of the two IPsec tunnels so that TestMatchA is set to Canada (CA) and TestMatchB is set to China (CN):

    config vpn ipsec phase1-interface
        edit "TestMatchA"
            set type dynamic
            set ike-version 2
            set remote-gw-match geography
            set remote-gw-country "CA"
        next
        edit "TestMatchB"
            set type dynamic
            set ike-version 2
            set remote-gw-match geography
            set remote-gw-country "CN"
        next
    end
  4. Review the gateway list again.

    # diagnose vpn ike gateway list
    
    vd: root/0
    name: TestMatchA_0
    version: 2
    interface: port5 13
    addr: 173.1.1.1:500 -> 160.106.x.x:500
    tun_id: 160.106.x.x/::10.0.0.37
    remote_location: 0.0.0.0
    network-id: 0
    created: 1856s ago
    peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com
    peer-id-auth: yes
    PPK: no
    IKE SA: created 1/1  established 1/1  time 0/0/0 ms
    IPsec SA: created 1/1  established 1/1  time 0/0/0 ms
    
      id/spi: 10886 fec7cd972847a2ac/0c1ee0b54ddc155e
      direction: responder
      status: established 1856-1856s ago = 0ms
      proposal: aes128-sha256
      child: no
      SK_ei: 7e8c8d05a6a9adab-bfcf9ff2705e8965
      SK_er: bdd6ee61fc38cd81-202b5f142cefa5ce
      SK_ai: 30f905722136bbce-0c96d365dd52957c-3d05b83efd026140-831fbc76fc677456
      SK_ar: 4363f29c44d49f30-7d798777766efb09-aca39e8a8ca0e6d7-5b83c113e46b339d
      PPK: no
      message-id sent/recv: 0/89
      lifetime/rekey: 86400/84273
      DPD sent/recv: 00000000/00000000
      peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com

    Because the client address is still geolocated to Canada, the connection now landed on TestMatchA (gateway TestMatchA_0); TestMatchB, now set to CN, did not match.
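To confirm after a change which phase1 a dialup peer actually landed on, the diagnose output can be parsed and cross-checked against the configured countries. The following is an added example in Python, not Fortinet code: DIAG_SAMPLE is constructed in the shape of the step 2 output, with the documentation address 192.0.2.7 in place of the page's masked peer address and a second, invented gateway that lands on the wrong tunnel so the check has something to flag; GEOIP is a constructed stand-in for the FortiGuard database, and TUNNEL_COUNTRY mirrors the step 1 configuration.

```python
"""Cross-check `diagnose vpn ike gateway list` against remote-gw-country (added example,
not Fortinet code). DIAG_SAMPLE is constructed in the shape of the page's output with
documentation addresses; GEOIP is a constructed stand-in for the FortiGuard database."""
import ipaddress
import re

DIAG_SAMPLE = """\
vd: root/0
name: TestMatchB_0
version: 2
interface: port5 13
addr: 173.1.1.1:500 -> 192.0.2.7:500
tun_id: 192.0.2.7/::10.0.0.35
remote_location: 0.0.0.0
network-id: 0
created: 162s ago
peer-id: C = US, ST = California, L = Sunnyvale, O = Fortinet, OU = FortiGate, CN = FG201EXXXXXXXXXX, emailAddress = support@fortinet.com
peer-id-auth: yes
PPK: no
IKE SA: created 1/1  established 1/1  time 10/10/10 ms
IPsec SA: created 1/1  established 1/1  time 0/0/0 ms

  id/spi: 10884 54ab158a7d192cbc/ef82ff5e91d72f59
  direction: responder
  status: established 162-162s ago = 10ms

vd: root/0
name: TestMatchA_1
version: 2
interface: port5 13
addr: 173.1.1.1:500 -> 192.0.2.50:500
peer-id: C = DE, O = Example, CN = branch-fw
peer-id-auth: yes

  id/spi: 10885 0000000000000000/0000000000000000
  direction: responder
"""

GEOIP = {ipaddress.ip_network("192.0.2.0/24"): "CA",      # constructed, not real GeoIP data
         ipaddress.ip_network("203.0.113.0/24"): "US"}

# remote-gw-country per phase1 name, as configured in step 1 above.
TUNNEL_COUNTRY = {"TestMatchA": "US", "TestMatchB": "CA"}


def parse_gateways(text):
    """Split the diagnose output into one dict per gateway from its top-level 'key: value' lines."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("vd:"):
            current = {}
            records.append(current)
        if current is not None and line and not line[0].isspace() and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value.strip()
    return records


def remote_ip(record):
    """Peer address from 'addr: local:port -> remote:port' (port stripped after the last colon)."""
    host = record["addr"].split("->", 1)[1].strip().rsplit(":", 1)[0]
    return ipaddress.ip_address(host)


def peer_cert_country(record):
    """C= attribute of the peer-id DN, present when the peer authenticated with a certificate."""
    m = re.search(r"\bC = ([A-Z]{2})", record.get("peer-id", ""))
    return m.group(1) if m else None


def geoip_country(ip):
    return next((cc for net, cc in GEOIP.items() if ip in net), None)


def check_gateways(records):
    """Per gateway: the phase1 it landed on, the GeoIP country of the peer address, and
    whether that agrees with the phase1's remote-gw-country."""
    results = []
    for r in records:
        phase1 = r["name"].rsplit("_", 1)[0]      # dialup gateways are named <phase1>_<index>
        ip = remote_ip(r)
        geo = geoip_country(ip)
        results.append({
            "gateway": r["name"],
            "phase1": phase1,
            "remote_ip": str(ip),
            "geoip_country": geo,
            "expected_country": TUNNEL_COUNTRY.get(phase1),
            "match_ok": geo is not None and geo == TUNNEL_COUNTRY.get(phase1),
            # Geography matching keys on the source address, not the peer identity, so a
            # certificate issued under another country is reported but is not a mismatch.
            "cert_country": peer_cert_country(r),
        })
    return results
```

The check compares the GeoIP country of the peer's source address with the remote-gw-country of the phase1 it landed on; the certificate C= attribute is reported separately because, as the step 2 output shows, geography matching selects on the address and a US-issued certificate can legitimately arrive on the CA tunnel. Disagreement between geoip_country and expected_country points at a GeoIP database that differs from the one on the FortiGate, or at a configuration that no longer matches the intent.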
