
IPsec

FortiOS Handbook - IPsec VPN
VERSION 5.4

FORTINET DOCUMENT LIBRARY
http://docs.fortinet.com

FORTINET VIDEO GUIDE
http://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

FORTIGATE COOKBOOK
http://cookbook.fortinet.com

FORTINET TRAINING SERVICES
http://www.fortinet.com/training

FORTIGUARD CENTER
http://www.fortiguard.com

END USER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: techdocs@fortinet.com

Wednesday, September 14, 2016

FortiOS Handbook - IPsec VPN
01-541-112802-20160804
TABLE OF CONTENTS

Change Log  8
Introduction  9
What's new in FortiOS 5.4  11
FortiOS 5.4.1  11
Added warning message in IPsec VPN wizard if users select ANY for peer ID (357043)  11
IKEv1 Quick Crash Detection (304612)  11
IKE mode-cfg IPv4/IPv6 dual stack support (303550)  11
Security improvements to the default IPsec VPN signature and peer type configuration (304894 307500 307490 355149)  12
Remote IP address change detection (209553)  12
FortiOS 5.4.0  12
IKE/IPsec Extended Sequence Number (ESN) support (255144)  12
Updates and enhancements to the IPsec VPN wizard (222339 290377 287021 289251)  12
Cisco compatible keep-alive support for GRE (261595)  13
Repeated Authentication in Internet Key Exchange (IKEv2) Protocol (282025)  13
Improvements to IPsec VPN in ADVPN hub-and-spoke (275322)  13
ADVPN support for NAT device (299798)  14
AES-GCM support (281822)  14
IPsec tunnel idle timer (244180)  14
SAs negotiation improvement (245872)  15
Add VXLAN over IPsec (265556)  15
Ability to enable/disable IPsec ASIC-offloading (269555)  15
Added an option to force IPsec to use NAT Traversal (275010)  15
Add a feature to support IKEv2 Session Resumption described in RFC 5723 (289914)  15
Added support for IKEv2 Quick Crash Detection (298970)  16
Removed support for auto-IPsec (300893)  16
Improved scalability for IPsec DPD (292500)  16
IPsec VPN concepts  18
VPN tunnels  18
Tunnel templates  19
VPN tunnel list  20
VPN gateways  20
Clients, servers, and peers  22
Encryption  23
IPsec overheads  23
Authentication  24
Preshared keys  24
Additional authentication  24
Phase 1 and Phase 2 settings  24
Phase 1  25
Phase 2  25
Security Association  25
IKE and IPsec packet processing  26
IKEv1  26
IKEv2  27
IPsec VPN overview  29
Types of VPNs  29
Route-based VPNs  29
Policy-based VPNs  30
Comparing policy-based or route-based VPNs  30
Planning your VPN  31
Network topologies  31
General preparation steps  32
How to use this guide to configure an IPsec VPN  32
IPsec VPN in the web-based manager  34
Phase 1 configuration  34
Phase 1 advanced configuration settings  37
Phase 2 configuration  41
Phase 2 advanced configuration settings  41
FortiClient VPN  44
Concentrator  45
IPsec Monitor  46
Phase 1 parameters  47
Overview  47
Defining the tunnel ends  48
Choosing Main mode or Aggressive mode  48
Choosing the IKE version  49
IKEv2 cookie notification for IKE_SA_INIT  49
IKEv2 Quick Crash Detection  49
Authenticating the FortiGate unit  50
Authenticating the FortiGate unit with digital certificates  50
Authenticating the FortiGate unit with a pre-shared key  51
Authenticating remote peers and clients  52
Repeated Authentication in Internet Key Exchange (IKEv2) Protocol  53
Enabling VPN access for specific certificate holders  53
Enabling VPN access by peer identifier  55
Enabling VPN access with user accounts and pre-shared keys  56
Defining IKE negotiation parameters  58
Generating keys to authenticate an exchange  58
Defining IKE negotiation parameters  59
Using XAuth authentication  62
Using the FortiGate unit as an XAuth server  62
Using the FortiGate unit as an XAuth client  63
Dynamic IPsec route control  64
Blocking IPsec SA Negotiation  64
Phase 2 parameters  65
Phase 2 settings  65
Phase 2 Proposals  65
Replay Detection  65
Perfect Forward Secrecy (PFS)  65
Keylife  66
Quick mode selectors  66
Using the add-route option  67
Configuring the Phase 2 parameters  67
Specifying the Phase 2 parameters  67
Autokey Keep Alive  69
Auto-negotiate  69
DHCP-IPsec  70
Defining VPN security policies  71
Defining policy addresses  71
Defining security policies for policy-based and route-based VPNs  73
Gateway-to-gateway  77
Configuration overview  77
Gateway-to-gateway configuration  80
How to work with overlapping subnets  85
Testing  90
Hub-and-spoke configurations  93
Configuration overview  93
Hub-and-spoke infrastructure requirements  94
Spoke gateway addressing  94
Protected networks addressing  94
Authentication  95
Configure the hub  95
Define the hub-spoke VPNs  96
Define the hub-spoke security policies  97
Configuring communication between spokes (policy-based VPN)  98
Configuring communication between spokes (route-based VPN)  99
Configure the spokes  100
Configuring security policies for hub-to-spoke communication  101
Configuring security policies for spoke-to-spoke communication  102
Dynamic spokes configuration example  103
Configure the hub (FortiGate_1)  104
Configure the spokes  107
Dynamic DNS configuration  110
Dynamic DNS over VPN concepts  110
Dynamic DNS (DDNS)  110
DDNS over VPN  111
DDNS topology  112
Assumptions  113
Configuration overview  113
FortiClient dialup-client configuration  123
Configuration overview  123
Peer identification  124
Automatic configuration of FortiClient dialup clients  124
FortiGate dialup-client configurations  132
Configuration overview  132
Supporting IKE Mode Config clients  140
IKE Mode Config overview  140
Automatic configuration overview  140
IKE Mode Config method  140
Internet-browsing configuration  145
Configuration overview  145
Routing all remote traffic through the VPN tunnel  147
Redundant VPN configurations  149
Configuration overview  149
Creating a backup IPsec interface  153
Transparent mode VPNs  154
Configuration overview  154
IPv6 IPsec VPNs  159
Certificates  159
Configuration examples  160
L2TP and IPsec (Microsoft VPN)  171
Overview  171
Assumptions  172
Configuration overview  172
GRE over IPsec (Cisco VPN)  180
Configuration overview  181
Configuring the Cisco router  186
Protecting OSPF with IPsec  187
Configuration overview  188
OSPF over IPsec configuration  188
Creating a redundant configuration  194
Redundant OSPF routing over IPsec  195
OSPF over dynamic IPsec  199
BGP over dynamic IPsec  202
IPsec Auto-Discovery VPN (ADVPN)  206
Example ADVPN configuration  207
Logging and monitoring  212
Monitoring VPN connections  212
VPN event logs  213
Troubleshooting  214
LAN interface connection  216
Dialup connection  217
Troubleshooting VPN connections  217
VPN troubleshooting tips  218
Attempting hardware offloading beyond SHA1  218
Check Phase 1 proposal settings  219
Check your routing  219
Try enabling XAuth  219
General troubleshooting tips  219
A word about NAT devices  220
Troubleshooting L2TP and IPsec  220
Troubleshooting GRE over IPsec  223
Change Log

Date        Change Description

2016-09-13  Update for 5.4.1 - Inherit from policy feature under XAuth option is no longer available for Auto Server XAuth type.

2016-07-12  Removed VPN Tunnel GUI option from table in Defining VPN security policies.

2016-07-07  Updated Comparison of policy-based and route-based VPNs table regarding L2TP-over-IPsec VPN support.

2016-06-08  Initial release.

IPsec VPN for FortiOS 5.4.1 8


Fortinet Technologies Inc.
Introduction

This FortiOS Handbook chapter contains the following sections:

IPsec VPN concepts explains the basic concepts that you need to understand about virtual private networks (VPNs).

IPsec VPN overview provides a brief overview of IPsec technology and includes general information about how to configure IPsec VPNs using this guide.

IPsec VPN in the web-based manager describes the IPsec VPN menu of the web-based manager interface.

Gateway-to-gateway configurations explains how to set up a basic gateway-to-gateway (site-to-site) IPsec VPN. In a gateway-to-gateway configuration, two FortiGate units create a VPN tunnel between two separate private networks.

Hub-and-spoke configurations describes how to set up hub-and-spoke IPsec VPNs. In a hub-and-spoke configuration, connections to a number of remote peers and/or clients radiate from a single, central FortiGate hub.

Dynamic DNS configuration describes how to configure a site-to-site VPN, in which one FortiGate unit has a static IP address and the other FortiGate unit has a dynamic IP address and a domain name.

FortiClient dialup-client configurations guides you through configuring a FortiClient dialup-client IPsec VPN. In a FortiClient dialup-client configuration, the FortiGate unit acts as a dialup server and VPN client functionality is provided by the FortiClient Endpoint Security application installed on a remote host.

FortiGate dialup-client configurations explains how to set up a FortiGate dialup-client IPsec VPN. In a FortiGate dialup-client configuration, a FortiGate unit with a static IP address acts as a dialup server and a FortiGate unit with a dynamic IP address initiates a VPN tunnel with the FortiGate dialup server.

Supporting IKE Mode Config clients explains how to set up a FortiGate unit as either an IKE Mode Config server or client. IKE Mode Config is an alternative to DHCP over IPsec.

Internet-browsing configuration explains how to support secure web browsing performed by dialup VPN clients, and hosts behind a remote VPN peer. Remote users can access the private network behind the local FortiGate unit and browse the Internet securely. All traffic generated remotely is subject to the security policy that controls traffic on the private network behind the local FortiGate unit.

Redundant VPN configurations discusses the options for supporting redundant and partially redundant tunnels in an IPsec VPN configuration. A FortiGate unit can be configured to support redundant tunnels to the same remote peer if the FortiGate unit has more than one interface to the Internet.

Transparent mode VPNs describes two FortiGate units that create a VPN tunnel between two separate private networks transparently. In transparent mode, all FortiGate unit interfaces except the management interface are invisible at the network layer.

IPv6 IPsec VPNs describes FortiGate unit VPN capabilities for networks based on IPv6 addressing. This includes IPv4-over-IPv6 and IPv6-over-IPv4 tunnelling configurations. IPv6 IPsec VPNs are available in FortiOS 3.0 MR5 and later.

L2TP and IPsec (Microsoft VPN) explains how to support Microsoft Windows native VPN clients.

GRE over IPsec (Cisco VPN) explains how to interoperate with Cisco VPNs that use Generic Routing Encapsulation (GRE) protocol with IPsec.

Protecting OSPF with IPsec provides an example of protecting OSPF links with IPsec.

Redundant OSPF routing over IPsec provides an example of redundant secure communication between two remote networks using an OSPF VPN connection.

OSPF over dynamic IPsec provides an example of how to create a dynamic IPsec VPN tunnel that allows OSPF.

BGP over dynamic IPsec provides an example of how to create a dynamic IPsec VPN tunnel that allows BGP.

Phase 1 parameters provides detailed step-by-step procedures for configuring a FortiGate unit to accept a connection from a remote peer or dialup client. The basic Phase 1 parameters identify the remote peer or clients and support authentication through preshared keys or digital certificates. You can increase VPN connection security further using methods such as extended authentication (XAuth).

Phase 2 parameters provides detailed step-by-step procedures for configuring an IPsec VPN tunnel. During Phase 2, the specific IPsec security associations needed to implement security services are selected and a tunnel is established.

Defining VPN security policies explains how to specify the source and destination IP addresses of traffic transmitted through an IPsec VPN tunnel, and how to define a security encryption policy. Security policies control all IP traffic passing between a source address and a destination address.

Logging and monitoring and Troubleshooting provide VPN monitoring and troubleshooting procedures.

What's new in FortiOS 5.4

This chapter describes new IPsec VPN features added to FortiOS 5.4.0 and FortiOS 5.4.1.

FortiOS 5.4.1

These features first appeared in FortiOS 5.4.1.

Added warning message in IPsec VPN wizard if users select ANY for peer ID (357043)
If users change the peer type setting back to any, either via CLI or GUI, they receive a warning that clearly informs them that using a setting of any will allow remote connections generated by any CA trusted by this FortiGate to be established.

- Warning icon shows up in IPsec tunnel page when setting peer type to any in VPN tunnel.
- Warning message shows up in IPsec tunnel editing page when setting peer type to any in VPN tunnel.
- In the VPN wizard configuration page, option peer certificate CA is added which is used to create the related peer user through VPN wizard.
- Peer type is set to peer certificate by default in GUI when setting auth method to signature for custom IPsec tunnel.

IKEv1 Quick Crash Detection (304612)
Based on the IKEv2 quick crash detection (QCD) feature in Mantis 298970, which is already in the new features list for FortiOS 5.4.0 below.

There is no RFC for this feature. It is implemented using a new IKE vendor ID, "Fortinet Quick Crash Detection", and so both endpoints must be FortiGate devices. The QCD token is sent in the Phase 1 exchange and must be encrypted, so this is only implemented for IKEv1 in Main mode (Aggressive mode is not supported as there is no available AUTH message in which to include the token).

Otherwise, the feature works the same as in IKEv2 (RFC 6290).

IKE mode-cfg IPv4/IPv6 dual stack support (303550)
The previous IKE CLI uses the mode-cfg-ip-version option to specify whether mode-cfg should assign an IPv4 or IPv6 address, but this is not ideal for customers that require dual stack support.

As a solution in FortiOS 5.4.1, the phase1 mode-cfg-ip-version option was removed. The option was not necessary because the IP version can be determined by the selector type (dst-addr-type) of the configured Phase 2 tunnel(s). If the FortiGate client config contains Phase 2 tunnels for both IPv4 and IPv6, then the FortiGate client will request IPv4 and IPv6 addresses during mode-cfg.

Additionally, the FGT server can now be configured to reply with either or both IPv4 and IPv6, as per the client's mode-cfg request.

Security improvements to the default IPsec VPN signature and peer type configuration (304894 307500 307490 355149)
New features have been introduced to make certification and implementation in IPsec VPN more secure by default. Users can now create PKI certificates in-line in the VPN editor.

In short:

- Reimplemented PKI dialogs such that changes to enforce attributes are done in new frameworks
- Changed default templates for VPN wizard to enforce peer type = any so that wizard tunnels can be created
- Will now default to PKI string when creating signature VPN via VPN edit

Remote IP address change detection (209553)
This feature changes the way IPsec SAs are tracked in the kernel in order to detect external IP address changes in the tunnel.

Previously, SAs were stored when keyed off of the remote IP address. Now, SAs are stored in a hash table when keyed off the IPsec SA SPI value (which is actually more RFC compliant). This enables the FortiGate, for each inbound ESP packet received, to immediately look up the SA and compare the stored IP address against the one in the incoming packet. If the incoming and stored IP addresses differ, an IP address change can be made in the kernel SA, and an update event can be triggered for IKE.
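The lookup-and-compare step just described, as an added Python illustration that is not FortiOS code: an inbound SA table keyed by SPI, ESP packets parsed for their SPI, and the stored peer address compared against the packet source. Tunnel names, SPIs and addresses are constructed for the example. The icv_ok flag is an assumption that stands in for the integrity check a real kernel performs on the packet; the endpoint address is only moved for a packet that passed it.

```python
import ipaddress
import struct
from dataclasses import dataclass, field


@dataclass
class InboundSA:
    """One inbound IPsec SA as the kernel would track it (constructed for this example)."""
    spi: int
    peer_ip: str                                   # remote endpoint last seen for this SA
    tunnel_name: str
    updates: list = field(default_factory=list)    # IKE update events raised so far


class SADatabase:
    """Inbound SA table keyed by SPI; a dict plays the role of the kernel hash table."""

    def __init__(self):
        self._by_spi = {}

    def install(self, sa):
        self._by_spi[sa.spi] = sa

    def lookup(self, spi):
        return self._by_spi.get(spi)


def parse_esp_header(packet):
    """Return (spi, seq) from the first 8 bytes of an ESP packet (RFC 4303 layout)."""
    if len(packet) < 8:
        raise ValueError("ESP packet too short")
    return struct.unpack("!II", packet[:8])


def process_inbound_esp(sadb, src_ip, packet, icv_ok=True):
    """Look up the SA by SPI and compare its stored peer address with the packet source.

    Returns one of:
      'unknown-spi' - no SA for this SPI, packet dropped
      'dropped'     - integrity check failed, so the source address is not trusted
      'updated'     - address differed; SA patched in place and an IKE update event queued
      'ok'          - address matched
    """
    spi, _seq = parse_esp_header(packet)
    sa = sadb.lookup(spi)
    if sa is None:
        return "unknown-spi"
    if not icv_ok:
        # Only an authenticated packet may move the tunnel endpoint; a packet that merely
        # carries a known SPI must not be able to redirect the SA.
        return "dropped"
    src = str(ipaddress.ip_address(src_ip))
    if src != sa.peer_ip:
        sa.updates.append((sa.peer_ip, src))   # event for IKE to act on
        sa.peer_ip = src                        # kernel SA now points at the new address
        return "updated"
    return "ok"


def build_esp(spi, seq, payload=b"\x00" * 16):
    """Constructed ESP packet: SPI, sequence number, opaque payload."""
    return struct.pack("!II", spi, seq) + payload


def demo():
    """Constructed run: same address, unauthenticated packet from a new address,
    authenticated packet from the new address, steady state, unknown SPI."""
    sadb = SADatabase()
    sadb.install(InboundSA(spi=0xC0FFEE01, peer_ip="203.0.113.10", tunnel_name="to-branch"))
    results = [
        process_inbound_esp(sadb, "203.0.113.10", build_esp(0xC0FFEE01, 1)),
        process_inbound_esp(sadb, "203.0.113.77", build_esp(0xC0FFEE01, 2), icv_ok=False),
        process_inbound_esp(sadb, "203.0.113.77", build_esp(0xC0FFEE01, 3)),
        process_inbound_esp(sadb, "203.0.113.77", build_esp(0xC0FFEE01, 4)),
        process_inbound_esp(sadb, "203.0.113.77", build_esp(0xDEADBEEF, 1)),
    ]
    return results, sadb.lookup(0xC0FFEE01)


if __name__ == "__main__":
    for result in demo()[0]:
        print(result)
```

The ordering matters: if the address were updated before the integrity check, anyone who learned an SA's SPI could redirect the tunnel endpoint with a spoofed ESP packet, so the update belongs after ICV verification, with the IKE daemon notified only then.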

FortiOS 5.4.0

These features first appeared in FortiOS 5.4.0.

IKE/IPsec Extended Sequence Number (ESN) support (255144)
This feature implements negotiation of 64-bit Extended Sequence numbers as described in RFC 4303, RFC 4304 as an addition to IKEv1, and RFC 5996 for IKEv2.

Updates and enhancements to the IPsec VPN wizard (222339 290377 287021 289251)
The IPsec VPN wizard has been simplified to more clearly identify tunnel template types, remote device types, and NAT configuration requirements. Example topological diagrams are now also included.

New Dialup - FortiGate and Dialup - Windows (Native L2TP/IPsec) tunnel template options.

Cisco compatible keep-alive support for GRE (261595)
The FortiGate can now send a GRE keep-alive response to a Cisco device to detect a GRE tunnel. If it fails, it will remove any routes over the GRE interface.

Syntax
  config system gre-tunnel
    edit <id>
      set keepalive-interval <value: 0-32767>
      set keepalive-failtimes <value: 1-255>
    next
  end

Repeated Authentication in Internet Key Exchange (IKEv2) Protocol (282025)
This feature provides the option to control whether a device requires its peer to re-authenticate or whether re-key is sufficient. It does not influence the re-authentication or re-key behavior of the device itself, which is controlled by the peer (with the default being to re-key).

This solution is in response to RFC 4478. As described by the IETF, "the purpose of this is to limit the time that security associations (SAs) can be used by a third party who has gained control of the IPsec peer".

Syntax
  config vpn ipsec phase1-interface
    edit p1
      set reauth [enable | disable]
    next
  end

Improvements to IPsec VPN in ADVPN hub-and-spoke (275322)
IPsec VPN traffic is now allowed through a tunnel between an ADVPN hub-and-spoke.

  config vpn ipsec phase1-interface
    edit "int-fgtb"
      ...
      set auto-discovery-sender [enable | disable]
      set auto-discovery-receiver [enable | disable]
      set auto-discovery-forwarder [enable | disable]
      ...
    next
  end
  config vpn ipsec phase2-interface
    edit "int-fgtb"
      ...
      set auto-discovery-sender phase1 [enable | disable]
      ...
    next
  end

ADVPN support for NAT device (299798)
The ADVPN feature has been extended so that it allows ADVPN shortcuts to be negotiated as long as one of the devices is not behind NAT.

The on-the-wire format of the ADVPN messages was changed so that they use TLV encoding. Since the on-the-wire format has changed, this is not compatible with any previous ADVPN builds.

AES-GCM support (281822)
AES-GCM (128|256) AEAD has been added, as specified in RFC 4106:
  config vpn ipsec phase1-interface
    edit "tofgta"
      ...
      set suite-b disable | suite-b-gcm-128 | suite-b-gcm-256
      ...
    next
  end
  config vpn ipsec phase2-interface
    edit "tofgta"
      set phase1name "tofgta"
      set proposal aes128gcm aes256gcm
      ...
    next
  end

IPsec tunnel idle timer (244180)
Add a command to define an idle timer for IPsec tunnels. When no traffic has passed through the tunnel for the configured idle-timeout value, the IPsec tunnel will be flushed.
  config vpn ipsec phase1-interface
    edit p1
      set idle-timeout enable/disable
      set idle-timeoutinterval <integer>   // IPsec tunnel idle timeout in minutes (10-43200).
    next
  end

SAs negotiation improvement (245872)
The IPsec SA connect message generated is used to install dynamic selectors. These selectors can now be installed via the auto-negotiate mechanism. When phase 2 has auto-negotiate enabled, and phase 1 has mesh-selector-type set to subnet, a new dynamic selector will be installed for each combination of source and destination subnets. Each dynamic selector will inherit the auto-negotiate option from the template selector and begin SA negotiation. Phase 2 selector sources from dial-up clients will all establish SAs without traffic being initiated from the client subnets to the hub.

Add VXLAN over IPsec (265556)
Packets with VXLAN header are encapsulated within IPsec tunnel mode. New attributes in IPsec phase 1 settings have been added.
  config vpn ipsec phase1-interface/phase1
    edit ipsec
      set interface <name>
      set encapsulation vxlan/gre (new)
      set encapsulation-address ike/ipv4/ipv6 (new)
      set encap-local-gw4 xxx.xxx.xxx.xxx (new)
      set encap-remote-gw xxx.xxx.xxx.xxx (new)
    next
  end

Ability to enable/disable IPsec ASIC-offloading (269555)
Much like NPU-offload in IKE phase 1 configuration, this feature enables/disables the usage of ASIC hardware for IPsec Diffie-Hellman key exchange and IPsec ESP traffic. Currently by default hardware offloading is used. For debugging purposes, sometimes we want all the traffic to be processed by software.
  config sys global
    set ipsec-asic-offload [enable | disable]
  end

Added an option to force IPsec to use NAT Traversal (275010)
Added a new option for NAT. If NAT is set to Forced, then the FGT will use a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.
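How the port value of zero changes the peer's decision, as an added example in Python that is not Fortinet code. It builds the IKEv1 NAT-D payload of RFC 3947, HASH(CKY-I | CKY-R | IP | Port), and runs three cases: no NAT on the path, a real NAT on the path, and the Forced setting with no NAT present. The cookies, addresses and the choice of SHA-1 as the negotiated hash are assumptions of the example.

```python
import hashlib
import socket
import struct

# Constructed IKEv1 cookies (8 bytes each); real ones come from the Phase 1 exchange.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("a1a2a3a4a5a6a7a8")


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload of RFC 3947: HASH(CKY-I | CKY-R | IP | Port), address and port in
    network byte order. SHA-1 stands in for whatever hash Phase 1 negotiated."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def peer_sees_nat(cky_i, cky_r, received_hash, observed_ip, observed_port):
    """Responder side: hash the source address and port it actually observed and compare
    with the NAT-D payload the initiator sent. A mismatch means 'initiator is behind NAT'."""
    expected = nat_d_hash(cky_i, cky_r, observed_ip, observed_port)
    return expected != received_hash


def nat_t_outcome(local_ip, local_port, force_nat_t, translated=None):
    """True when the peer concludes that UDP encapsulation is needed.

    translated:  (ip, port) the peer observes when a NAT device rewrites our packets,
                 None when the path has no NAT.
    force_nat_t: models the Forced setting, hashing port 0 instead of the real port.
    """
    port_in_hash = 0 if force_nat_t else local_port
    advertised = nat_d_hash(CKY_I, CKY_R, local_ip, port_in_hash)
    observed_ip, observed_port = translated or (local_ip, local_port)
    return peer_sees_nat(CKY_I, CKY_R, advertised, observed_ip, observed_port)


def demo():
    """Constructed cases: no NAT, NAT on the path, Forced with no NAT."""
    return {
        "no-nat": nat_t_outcome("198.51.100.5", 500, force_nat_t=False),
        "nat-on-path": nat_t_outcome("192.168.1.20", 500, force_nat_t=False,
                                     translated=("198.51.100.9", 51234)),
        "forced-no-nat": nat_t_outcome("198.51.100.5", 500, force_nat_t=True),
    }


if __name__ == "__main__":
    print(demo())
```

The peer never recovers the port from the hash; it only sees that its own computation over the address and port it observed does not match, and treats the mismatch as NAT, which is why hashing port zero is interoperable with any RFC 3947 implementation. IKEv2 (RFC 7296) applies the same comparison to its NAT_DETECTION_SOURCE_IP payload, computed over the IKE SPIs instead of cookies.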

Add a feature to support IKEv2 Session Resumption described in RFC 5723 (289914)
If a gateway loses connectivity to the network, clients can attempt to re-establish the lost session by presenting the ticket to the gateway. As a result, sessions can be resumed much faster, as the DH exchange that is necessary to establish a brand new connection is skipped. This feature implements "ticket-by-value", whereby all information necessary to restore the state of a particular IKE SA is stored in the ticket and sent to the client.

Added support for IKEv2 Quick Crash Detection (298970)
A new feature has been added to support IKEv2 Quick Crash Detection as described in RFC 6290.

RFC 6290 describes a method in which an IKE peer can quickly detect that the gateway peer that it has an established IKE session with has rebooted, crashed, or otherwise lost IKE state. When the gateway receives IKE messages or ESP packets with unknown IKE or IPsec SPIs, the IKEv2 protocol allows the gateway to send the peer an unprotected IKE message containing INVALID_IKE_SPI or INVALID_SPI notification payloads.

RFC 6290 introduces the concept of a QCD token, which is generated from the IKE SPIs and a private QCD secret, and exchanged between peers during the protected IKE_AUTH exchange.

CLI Syntax
  config system settings
    set ike-quick-crash-detect [enable | disable]
  end

- If updating to FortiOS 5.4.1, see above (304612).
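The token maker and token taker exchange that this IKEv2 section and the IKEv1 variant (304612) above both rely on, as an added Python example that is not Fortinet's implementation. RFC 6290 leaves the token derivation to the implementer; this example assumes HMAC-SHA256 over the two IKE SPIs keyed with the gateway's private QCD secret, and every SPI and secret in it is constructed.

```python
import hashlib
import hmac
import os
import struct


def make_qcd_token(secret, spi_i, spi_r):
    """Derive a token from the two IKE SPIs and the gateway's private QCD secret.

    HMAC-SHA256 is this example's assumption; the property that matters is that the
    token cannot be computed from the SPIs by anyone who does not hold the secret.
    """
    return hmac.new(secret, struct.pack("!QQ", spi_i, spi_r), hashlib.sha256).digest()


class TokenMaker:
    """Gateway side: hands out tokens during IKE_AUTH and regenerates them after a crash."""

    def __init__(self, secret):
        self.secret = secret          # must survive a reboot (persistent storage in practice)
        self.known_spis = set()       # IKE SAs this gateway currently holds state for

    def establish(self, spi_i, spi_r):
        self.known_spis.add((spi_i, spi_r))
        return make_qcd_token(self.secret, spi_i, spi_r)   # carried inside protected IKE_AUTH

    def crash(self):
        self.known_spis.clear()       # all IKE state is lost; the secret is not

    def handle_packet(self, spi_i, spi_r):
        """None for a known SA; otherwise the token to put in the unprotected INVALID_IKE_SPI
        notification, recomputed from the packet's SPIs and the secret alone."""
        if (spi_i, spi_r) in self.known_spis:
            return None
        return make_qcd_token(self.secret, spi_i, spi_r)


class TokenTaker:
    """Peer side: keeps the token it received and only acts on a notification that carries it."""

    def __init__(self):
        self.sessions = {}            # (spi_i, spi_r) -> token

    def store(self, spi_i, spi_r, token):
        self.sessions[(spi_i, spi_r)] = token

    def on_unprotected_notification(self, spi_i, spi_r, token):
        """True if the stale IKE SA was torn down. A missing or wrong token is ignored, which
        is what stops an unauthenticated INVALID_IKE_SPI from being enough to drop a tunnel."""
        stored = self.sessions.get((spi_i, spi_r))
        if stored is None or not hmac.compare_digest(stored, token):
            return False
        del self.sessions[(spi_i, spi_r)]
        return True


def demo():
    """Constructed run: establish, crash, a notification without the token, then the real one."""
    maker = TokenMaker(os.urandom(32))
    taker = TokenTaker()
    spi_i, spi_r = 0x1122334455667788, 0x8877665544332211
    taker.store(spi_i, spi_r, maker.establish(spi_i, spi_r))
    assert maker.handle_packet(spi_i, spi_r) is None       # SA known before the crash
    maker.crash()
    bogus = bytes(32)
    real = maker.handle_packet(spi_i, spi_r)
    return (
        taker.on_unprotected_notification(spi_i, spi_r, bogus),   # ignored
        taker.on_unprotected_notification(spi_i, spi_r, real),    # SA torn down
        (spi_i, spi_r) in taker.sessions,                         # nothing left
    )


if __name__ == "__main__":
    print(demo())
```

The last two results are the point of the token: the notification itself is unprotected, so the taker must ignore one that does not carry the stored value, and only a maker that still holds its QCD secret can produce that value from the SPIs after every other piece of IKE state is gone.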

Removed support for auto-IPsec (300893)
IPsec auto-VPN support (auto-IPsec) has been removed. This feature was added in FortiOS 5.0 prior to any usable VPN creation support on the GUI. As of 5.2, and now in 5.4, the wizard solves many of the problems introduced by the auto-IPsec feature, and so auto-IPsec has been deprecated.

Improved scalability for IPsec DPD (292500)
On a dial-up server, if a multitude of VPN connections are idle, the increased DPD exchange could negatively impact the performance/load of the daemon. For this reason, an option has been added to send DPD passively in a mode called "on-demand".
  config vpn ipsec phase1-interface
    edit <value>
      set dpd [disable | on-idle | on-demand]
    next
  end

Notes

- When there is no traffic and the last DPD-ACK had been received, IKE will not send DPDs periodically.
- IKE will only send out DPDs if there are outgoing packets to send but no inbound packets had since been received.

Syntax

The set dpd enable command has changed to set dpd on-idle (to trigger DPD when IPsec is idle). Set DPD to on-demand to trigger DPD when IPsec traffic is sent but no reply is received from the peer.
  config vpn ipsec phase1-interface
    edit <value>
      set dpd [on-idle|on-demand]
    next
  end

IPsec VPN concepts

Virtual Private Network (VPN) technology enables remote users to connect to private computer networks to gain access to their resources in a secure way. For example, an employee traveling or working from home can use a VPN to securely access the office network through the Internet.

Instead of remotely logging on to a private network using an unencrypted and unsecure Internet connection, the use of a VPN ensures that unauthorized parties cannot access the office network and cannot intercept any of the information that is exchanged between the employee and the office. It is also common to use a VPN to connect the private networks of two or more offices.

Fortinet offers VPN capabilities in the FortiGate Unified Threat Management (UTM) appliance and in the FortiClient Endpoint Security suite of applications. A FortiGate unit can be installed on a private network, and FortiClient software can be installed on the user's computer. It is also possible to use a FortiGate unit to connect to the private network instead of using FortiClient software.

This chapter discusses VPN terms and concepts including:

VPN tunnels
VPN gateways
Clients, servers, and peers
Encryption
Authentication
Phase 1 and Phase 2 settings
IKE and IPsec packet processing

VPN tunnels

The data path between a user's computer and a private network through a VPN is referred to as a tunnel. Like a physical tunnel, the data path is accessible only at both ends. In the telecommuting scenario, the tunnel runs between the FortiClient application on the user's PC, or a FortiGate unit or other network device, and the FortiGate unit on the office private network.

Encapsulation makes this possible. IPsec packets pass from one end of the tunnel to the other and contain data packets that are exchanged between the local user and the remote private network. Encryption of the data packets ensures that any third party who intercepts the IPsec packets cannot access the data.

[Figure: Encoded data going through a VPN tunnel]

You can create a VPN tunnel between:

- A PC equipped with the FortiClient application and a FortiGate unit
- Two FortiGate units
- Third-party VPN software and a FortiGate unit

For more information on third-party VPN software, refer to the Fortinet Knowledge Base.

Tunnel templates
Several tunnel templates are available in the IPsec VPN Wizard that cover a variety of different types of IPsec VPN. A list of these templates appears on the first page of the Wizard, located at VPN > IPsec Wizard. The tunnel template list follows.

IPsec VPN Wizard options

VPN Type: Site to Site
  Remote Device Type: FortiGate
  NAT Options: No NAT between sites / This site is behind NAT / The remote site is behind NAT
  Description: Static tunnel between this FortiGate and a remote FortiGate.

VPN Type: Site to Site
  Remote Device Type: Cisco
  NAT Options: No NAT between sites / This site is behind NAT / The remote site is behind NAT
  Description: Static tunnel between this FortiGate and a remote Cisco firewall.

VPN Type: Remote Access
  Remote Device Type: FortiClient VPN for OS X, Windows, and Android
  NAT Options: N/A
  Description: On-demand tunnel for users using the FortiClient software.

VPN Type: Remote Access
  Remote Device Type: iOS Native
  NAT Options: N/A
  Description: On-demand tunnel for iPhone/iPad users using the native iOS IPsec client.

VPN Type: Remote Access
  Remote Device Type: Android Native
  NAT Options: N/A
  Description: On-demand tunnel for Android users using the native L2TP/IPsec client.

VPN Type: Remote Access
  Remote Device Type: Windows Native
  NAT Options: N/A
  Description: On-demand tunnel for Android users using the native L2TP/IPsec client.

VPN Type: Remote Access
  Remote Device Type: Cisco Client
  NAT Options: N/A
  Description: On-demand tunnel for users using the Cisco IPsec client.

VPN Type: Custom
  Remote Device Type: N/A
  NAT Options: N/A
  Description: No Template.

VPN tunnel list
Once you create an IPsec VPN tunnel, it appears in the VPN tunnel list at VPN > IPsec Tunnels. By default, the tunnel list indicates the name of the tunnel, its interface binding, the tunnel template used, and the tunnel status. If you right-click on the table header row, you can include columns for comments, IKE version, mode (aggressive vs main), phase 2 proposals, and reference number. The tunnel list page also includes the option to create a new tunnel, as well as the options to edit or delete a highlighted tunnel.

VPN gateways

A gateway is a router that connects the local network to other networks. The default gateway setting in your computer's TCP/IP properties specifies the gateway for your local network.

A VPN gateway functions as one end of a VPN tunnel. It receives incoming IPsec packets, decrypts the encapsulated data packets and passes the data packets to the local network. Also, it encrypts data packets destined for the other end of the VPN tunnel, encapsulates them, and sends the IPsec packets to the other VPN gateway. The VPN gateway is a FortiGate unit because the private network behind it is protected, ensuring the security of the unencrypted VPN data. The gateway can also be FortiClient software running on a PC since the unencrypted data is secure on the PC.

The IP address of a VPN gateway is usually the IP address of the network interface that connects to the Internet. Optionally, you can define a secondary IP address for the interface and use that address as the local VPN gateway address. The benefit of doing this is that your existing setup is not affected by the VPN settings.

The following diagram shows a VPN connection between two private networks with FortiGate units acting as the VPN gateways. This configuration is commonly referred to as Gateway-to-Gateway IPsec VPN.

[Figure: VPN tunnel between two private networks]

Although the IPsec traffic may actually pass through many Internet routers, you can visualize the VPN tunnel as a simple secure connection between the two FortiGate units.

Users on the two private networks do not need to be aware of the VPN tunnel. The applications on their computers generate packets with the appropriate source and destination addresses, as they normally do. The FortiGate units manage all the details of encrypting, encapsulating, and sending the packets to the remote VPN gateway.

The data is encapsulated in IPsec packets only in the VPN tunnel between the two VPN gateways. Between the user's computer and the gateway, the data is on the secure private network and it is in regular IP packets.

For example, User1 on the Site A network, at IP address 10.10.1.7, sends packets with destination IP address 192.168.10.8, the address of User2 on the Site B network. The Site A FortiGate unit is configured to send packets with destinations on the 192.168.10.0 network through the VPN, encrypted and encapsulated. Similarly, the Site B FortiGate unit is configured to send packets with destinations on the 10.10.1.0 network through the VPN tunnel to the Site A VPN gateway.

In the site-to-site, or gateway-to-gateway VPN shown below, the FortiGate units have static (fixed) IP addresses and either unit can initiate communication.

You can also create a VPN tunnel between an individual PC running FortiClient and a FortiGate unit, as shown below. This is commonly referred to as Client-to-Gateway IPsec VPN.

[Figure: VPN tunnel between a FortiClient PC and a FortiGate unit]

On the PC, the FortiClient application acts as the local VPN gateway. Packets destined for the office network are encrypted, encapsulated into IPsec packets, and sent through the VPN tunnel to the FortiGate unit. Packets for other destinations are routed to the Internet as usual. IPsec packets arriving through the tunnel are decrypted to recover the original IP packets.

Clients, servers, and peers

A FortiGate unit in a VPN can have one of the following roles:

- Server: responds to a request to establish a VPN tunnel.
- Client: contacts a remote VPN gateway and requests a VPN tunnel.
- Peer: brings up a VPN tunnel or responds to a request to do so.

The site-to-site VPN shown above is a peer-to-peer relationship. Either FortiGate unit VPN gateway can establish the tunnel and initiate communications. The FortiClient-to-FortiGate VPN shown below is a client-server relationship. The FortiGate unit establishes a tunnel when the FortiClient PC requests one.

A FortiGate unit cannot be a VPN server if it has a dynamically-assigned IP address. VPN clients need to be configured with a static IP address for the server. A FortiGate unit acts as a server only when the remote VPN gateway has a dynamic IP address or is a client-only device or application, such as FortiClient.

As a VPN server, a FortiGate unit can also offer automatic configuration for FortiClient PCs. The user needs to know only the IP address of the FortiGate VPN server and a valid user name/password. FortiClient downloads the VPN configuration settings from the FortiGate VPN server. For information about configuring a FortiGate unit as a VPN server, see the FortiClient Administration Guide.

Encryption

Encryption mathematically transforms data to appear as meaningless random numbers. The original data is called plaintext and the encrypted data is called ciphertext. The opposite process, called decryption, performs the inverse operation to recover the original plaintext from the ciphertext.

The process by which the plaintext is transformed to ciphertext and back again is called an algorithm. All algorithms use a small piece of information, a key, in the arithmetic process of converting plaintext to ciphertext, or vice-versa. IPsec uses symmetrical algorithms, in which the same key is used to both encrypt and decrypt the data. The security of an encryption algorithm is determined by the length of the key that it uses. FortiGate IPsec VPNs offer the following encryption algorithms, in descending order of security:

AES-GCM   Galois/Counter Mode (GCM), a block cipher mode of operation providing both confidentiality and data origin authentication.

AES256    A 128-bit block algorithm that uses a 256-bit key.

AES192    A 128-bit block algorithm that uses a 192-bit key.

AES128    A 128-bit block algorithm that uses a 128-bit key.

3DES      Triple-DES, in which plaintext is DES-encrypted three times by three keys.

DES       Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.

The default encryption algorithms provided on FortiGate units make recovery of encrypted data almost impossible without the proper encryption keys.

There is a human factor in the security of encryption. The key must be kept secret, known only to the sender and receiver of the messages. Also, the key must not be something that unauthorized parties might easily guess, such as the sender's name, birthday or a simple sequence such as 123456.

IPsec overheads
The FortiGate sets an IPsec tunnel Maximum Transmission Unit (MTU) of 1436 for 3DES/SHA1 and an MTU of 1412 for AES128/SHA1, as seen with diag vpn tunnel list. This indicates that the FortiGate allocates 64 bytes of overhead for 3DES/SHA1 and 88 bytes for AES128/SHA1, which is the difference if you subtract this MTU from a typical ethernet MTU of 1500 bytes.

During the encryption process, AES/DES operates using a specific size of data, which is the block size. If data is smaller than that, it will be padded for the operation. MD5/SHA-1 HMAC also operates using a specific block size.

The following table describes the potential maximum overhead for each IPsec encryption:

IPsec Transform Set                                  IPsec Overhead (Max. bytes)
ESP-AES (256, 192, or 128), ESP-SHA-HMAC, or MD5     73
ESP-AES (256, 192, or 128)                           61
ESP-3DES, ESP-DES                                    45
ESP-(DES or 3DES), ESP-SHA-HMAC, or MD5              57
ESP-Null, ESP-SHA-HMAC, or MD5                       45
AH-SHA-HMAC or MD5                                   44
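The maximum values in the table above, recomputed from the ESP (RFC 4303) and AH (RFC 4302) field sizes in tunnel mode, as an added Python example that is not Fortinet's code. It assumes IPv4 outer headers, 96-bit truncated HMAC ICVs and CBC-mode IVs; the FortiGate's own reservations of 64 and 88 bytes quoted earlier are fixed MTU allocations and are not derived here. The block also goes beyond the table by computing the padding-dependent overhead of an individual packet.

```python
IP_HEADER = 20      # outer IPv4 header added in tunnel mode
ESP_SPI_SEQ = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
HMAC_ICV = 12       # truncated HMAC-SHA1-96 / HMAC-MD5-96 integrity check value
AH_FIXED = 12       # AH header before the ICV: next hdr, payload len, reserved, SPI, seq

# cipher -> (IV length, block size the payload is padded to)
CIPHERS = {
    "aes": (16, 16),
    "3des": (8, 8),
    "des": (8, 8),
    "null": (0, 4),   # ESP-NULL has no IV but still pads to a 4-byte boundary
}


def esp_padding(payload_len, cipher):
    """Bytes of padding needed so payload + pad + 2-byte trailer fills whole blocks."""
    _iv, block = CIPHERS[cipher]
    return (-(payload_len + ESP_TRAILER)) % block


def esp_overhead(payload_len, cipher, auth=True):
    """Tunnel-mode ESP overhead for one packet whose inner length is payload_len."""
    iv, _block = CIPHERS[cipher]
    icv = HMAC_ICV if auth else 0
    return IP_HEADER + ESP_SPI_SEQ + iv + esp_padding(payload_len, cipher) + ESP_TRAILER + icv


def esp_max_overhead(cipher, auth=True):
    """Worst case over one block's worth of inner lengths (the padding cycle repeats)."""
    _iv, block = CIPHERS[cipher]
    return max(esp_overhead(n, cipher, auth) for n in range(block))


def ah_max_overhead():
    """AH in tunnel mode: outer IP header + fixed AH fields + ICV; no IV, no padding."""
    return IP_HEADER + AH_FIXED + HMAC_ICV


def max_overhead_table():
    """Rebuild the table above from the field sizes."""
    return {
        "ESP-AES, ESP-SHA-HMAC or MD5": esp_max_overhead("aes", True),
        "ESP-AES": esp_max_overhead("aes", False),
        "ESP-3DES, ESP-DES": esp_max_overhead("3des", False),
        "ESP-(DES or 3DES), ESP-SHA-HMAC or MD5": esp_max_overhead("3des", True),
        "ESP-Null, ESP-SHA-HMAC or MD5": esp_max_overhead("null", True),
        "AH-SHA-HMAC or MD5": ah_max_overhead(),
    }


def inner_mtu(outer_mtu, cipher, auth=True):
    """Largest inner packet that always fits the outer MTU under worst-case padding."""
    return outer_mtu - esp_max_overhead(cipher, auth)


if __name__ == "__main__":
    for name, size in max_overhead_table().items():
        print(f"{name:45s} {size}")
    print("AES/SHA1 overhead for a 1400-byte inner packet:", esp_overhead(1400, "aes"))
```

The per-packet function shows why the table reports maxima: padding varies with the inner length, so a 1400-byte inner packet under AES/SHA1 carries 64 bytes of overhead while one that ends one byte short of a block boundary carries 73. AES-GCM from the earlier section is not in the table and is not modelled.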

Authentication

To protect data via encryption, a VPN must ensure that only authorized users can access the private network. You must use either a preshared key on both VPN gateways or RSA X.509 security certificates. The examples in this guide use only preshared key authentication. Refer to the Fortinet Knowledge Base for articles on RSA X.509 security certificates.

Preshared keys

A preshared key contains at least six random alphanumeric characters. Users of the VPN must obtain the preshared key from the person who manages the VPN server and add the preshared key to their VPN client configuration.

Although it looks like a password, the preshared key, also known as a shared secret, is never sent by either gateway. The preshared key is used in the calculations at each end that generate the encryption keys. As soon as the VPN peers attempt to exchange encrypted data, preshared keys that do not match will cause the process to fail.

Additional authentication

To increase security, you can require additional means of authentication from users, such as:

• An identifier, called a peer ID or a local ID.
• Extended authentication (XAUTH), which imposes an additional username/password requirement.

A Local ID is an alphanumeric value assigned in the Phase 1 configuration. The Local ID of a peer is called a Peer ID.

In FortiOS 5.2, new authentication methods have been implemented for IKE: ECDSA-256, ECDSA-384, and ECDSA-521. However, AES-XCBC is not supported.

Phase 1 and Phase 2 settings

A VPN tunnel is established in two phases: Phase 1 and Phase 2. Several parameters determine how this is done. Except for IP addresses, the settings simply need to match at both VPN gateways. There are defaults that are appropriate for most cases.


FortiClient distinguishes between Phase 1 and Phase 2 only in the VPN Advanced settings and uses different terms. Phase 1 is called the IKE Policy. Phase 2 is called the IPsec Policy.

Phase 1

In Phase 1, the two VPN gateways exchange information about the encryption algorithms that they support and then establish a temporary secure connection to exchange authentication information.

When you configure your FortiGate unit or FortiClient application, you must specify the following settings for Phase 1:

Remote gateway   The remote VPN gateway's address.

                 FortiGate units also have the option of operating only as a server by selecting the Dialup User option.

Preshared key   This must be the same at both ends. It is used to encrypt Phase 1 authentication information.

Local interface   The network interface that connects to the other VPN gateway. This applies on a FortiGate unit only.

All other Phase 1 settings have default values. These settings mainly configure the types of encryption to be used. The default settings on FortiGate units and in the FortiClient application are compatible. The examples in this guide use these defaults.

For more detailed information about Phase 1 settings, see Phase 1 parameters on page 47.

Phase 2

Similar to the Phase 1 process, the two VPN gateways exchange information about the encryption algorithms that they support for Phase 2. You may choose different encryption for Phase 1 and Phase 2. If both gateways have at least one encryption algorithm in common, a VPN tunnel can be established. Keep in mind that the more algorithms each phase does not share with the other gateway, the longer negotiations will take. In extreme cases this may cause timeouts during negotiations.

To configure default Phase 2 settings on a FortiGate unit, you need only select the name of the corresponding Phase 1 configuration. In FortiClient, no action is required to enable default Phase 2 settings.

For more detailed information about Phase 2 settings, see Phase 2 parameters on page 65.

Security Association

The establishment of a Security Association (SA) is the successful outcome of Phase 1 negotiations. Each peer maintains a database of information about VPN connections. The information in each SA can include cryptographic algorithms and keys, key life, and the current packet sequence number. This information is kept synchronized as the VPN operates. Each SA has a Security Parameter Index (SPI) that is provided to the remote peer at the time the SA is established. Subsequent IPsec packets from the peer always reference the relevant SPI. It is possible for peers to have multiple VPNs active simultaneously, and correspondingly multiple SPIs.


IKE and IPsec packet processing

Internet Key Exchange (IKE) is the protocol used to set up SAs in IPsec negotiation. As described in Phase 1 parameters on page 47, you can optionally choose IKEv2 over IKEv1 if you configure a route-based IPsec VPN. IKEv2 simplifies the negotiation process, in that it provides no choice of Aggressive or Main mode in Phase 1. IKEv2 also uses less bandwidth.

The following sections identify how IKE versions 1 and 2 operate and differ.

IKEv1

Phase 1

A peer, identified in the IPsec policy configuration, begins the IKE negotiation process. This IKE Security Association (SA) agreement is known as Phase 1. The Phase 1 parameters identify the remote peer or clients and support authentication through a pre-shared key (PSK) or digital certificate. You can increase access security further using peer identifiers, certificate distinguished names, group names, or the FortiGate extended authentication (XAuth) option for authentication purposes. Basically, Phase 1 authenticates a remote peer and sets up a secure communication channel for establishing Phase 2, which negotiates the IPsec SA.

IKE Phase 1 can occur in either Main mode or Aggressive mode. For more information, see Phase 1 parameters on page 47.

IKE Phase 1 is successful only when the following are true:

• Each peer negotiates a matching IKE SA policy.
• Each peer is authenticated and their identities protected.
• The Diffie-Hellman exchange is authenticated (the pre-shared secret keys match).

For more information on Phase 1, see Phase 1 parameters on page 47.

Phase 2

Phase 2 parameters define the algorithms that the FortiGate unit can use to encrypt and transfer data for the remainder of the session in an IPsec SA. The basic Phase 2 settings associate IPsec Phase 2 parameters with a Phase 1 configuration.

In Phase 2, the VPN peer or client and the FortiGate unit exchange keys again to establish a more secure communication channel. The Phase 2 Proposal parameters select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of the SA. The keys are generated automatically using a Diffie-Hellman algorithm.

In Phase 2, Quick mode selectors determine which IP addresses can perform IKE negotiations to establish a tunnel. By only allowing authorized IP addresses access to the VPN tunnel, the network is more secure. For more information, see Phase 2 parameters on page 65.

IKE Phase 2 is successful only when the following are true:

• The IPsec SA is established and protected by the IKE SA.
• The IPsec SA is configured to renegotiate after set durations (see Phase 2 parameters on page 65).


• Optional: Replay Detection is enabled. Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel. See Phase 2 parameters on page 65.
• Optional: Perfect Forward Secrecy (PFS) is enabled. PFS improves security by forcing a new Diffie-Hellman exchange whenever the key life expires. See Phase 2 parameters on page 65.

For more information on Phase 2, see Phase 2 parameters on page 65.

With Phase 2 established, the IPsec tunnel is fully negotiated and traffic between the peers is allowed until the SA terminates (for any number of reasons: time-out, interruption, disconnection, etc.).

The entire IKEv1 process is demonstrated in the following diagram:

IKEv2

Phase 1

Unlike Phase 1 of IKEv1, IKEv2 does not provide options for Aggressive or Main mode. Furthermore, Phase 1 of IKEv2 begins immediately with an IKE SA initiation, consisting of only two packets (containing all the information typically contained in four packets for IKEv1), securing the channel such that all following transactions are encrypted (see Phase 1 parameters on page 47).

The encrypted transactions contain the IKE authentication, since remote peers have yet to be authenticated. This stage of IKE authentication in IKEv2 can loosely be called Phase 1.5.


Phase 1.5

As part of this phase, IKE authentication must occur. IKE authentication consists of the following:

• The authentication payloads and Internet Security Association and Key Management Protocol (ISAKMP) identifier.
• The authentication method (RSA, PSK, ECDSA, or EAP).
• The IPsec SA parameters.

Due to the number of authentication methods potentially used, and SAs established, the overall IKEv2 negotiation can range from 4 packets (no EAP exchange at all) to many more.

At this point, both peers have a security association complete and ready to encrypt traffic.

Phase 2

In IKEv1, Phase 2 uses Quick mode to negotiate an IPsec SA between peers. In IKEv2, since the IPsec SA is already established, Phase 2 is essentially only used to negotiate child SAs, or to re-key an IPsec SA. That said, there are only two packets for each exchange of this type, similar to the exchange at the outset of Phase 1.5.

The entire IKEv2 process is demonstrated in the following diagram:

Support for IKEv2 session resumption

If a gateway loses connectivity to the network, clients can attempt to re-establish the lost session by presenting the ticket to the gateway (as described in RFC 5723). As a result, sessions can be resumed much faster, as the DH exchange that is necessary to establish a brand new connection is skipped. This feature implements "ticket-by-value", whereby all information necessary to restore the state of a particular IKE SA is stored in the ticket and sent to the client.

IPsec VPN overview

This section provides a brief overview of IPsec technology and includes general information about how to configure IPsec VPNs using this guide.

The following topics are included in this section:

Types of VPNs
Planning your VPN
General preparation steps
How to use this guide to configure an IPsec VPN

VPN configurations interact with the firewall component of the FortiGate unit. There must be a security policy in place to permit traffic to pass between the private network and the VPN tunnel.

Security policies for VPNs specify:

• The FortiGate interface that provides the physical connection to the remote VPN gateway, usually an interface connected to the Internet
• The FortiGate interface that connects to the private network
• IP addresses associated with data that has to be encrypted and decrypted
• Optionally, a schedule that restricts when the VPN can operate
• Optionally, the services (types of data) that can be sent

When the first packet of data that meets all of the conditions of the security policy arrives at the FortiGate unit, a VPN tunnel may be initiated and the encryption or decryption of data is performed automatically afterward. For more information, see Defining VPN security policies on page 1.

Where possible, you should create route-based VPNs. Generally, route-based VPNs are more flexible and easier to configure than policy-based VPNs; by default they are treated as interfaces. However, these two VPN types have different requirements that limit where they can be used.

Types of VPNs

FortiGate unit VPNs can be policy-based or route-based. There is little difference between the two types. In both cases, you specify Phase 1 and Phase 2 settings. However, there is a difference in implementation. A route-based VPN creates a virtual IPsec network interface that applies encryption or decryption as needed to any traffic that it carries. That is why route-based VPNs are also known as interface-based VPNs. A policy-based VPN is implemented through a special security policy that applies the encryption you specified in the Phase 1 and Phase 2 settings.

Route-based VPNs

For a route-based VPN, you create two security policies between the virtual IPsec interface and the interface that connects to the private network. In one policy, the virtual interface is the source. In the other policy, the virtual interface is the destination. This creates bidirectional policies that ensure traffic will flow in both directions over the VPN.

A route-based VPN is also known as an interface-based VPN.


Each route-based IPsec VPN tunnel requires a virtual IPsec interface. As such, the number of possible route-based IPsec VPNs is limited by the system.interface table size. The system.interface table size for most devices is 8192.

For a complete list of table sizes for all devices, refer to the Maximum Values table.

Policy-based VPNs

For a policy-based VPN, one security policy enables communication in both directions. You enable inbound and outbound traffic as needed within that policy, or create multiple policies of this type to handle different types of traffic differently. For example, HTTPS traffic may not require the same level of scanning as FTP traffic.

A policy-based VPN is also known as a tunnel-mode VPN.

Comparing policy-based and route-based VPNs

For both VPN types you create Phase 1 and Phase 2 configurations. Both types are handled in the stateful inspection security layer, assuming there is no IPS or AV. For more information on the three security layers, see the FortiOS Troubleshooting guide.

The main difference is in the security policy.

You create a policy-based VPN by defining an IPSEC security policy between two network interfaces and associating it with the VPN tunnel (Phase 1) configuration.

You create a route-based VPN by creating a virtual IPsec interface. You then define a regular ACCEPT security policy to permit traffic to flow between the virtual IPsec interface and another network interface. Lastly, you configure a static route to allow traffic over the VPN.
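The three parts of a route-based VPN described above (the virtual IPsec interface created by the Phase 1 definition, one ACCEPT policy in each direction between it and the private network interface, and a static route pointing the remote subnet at the tunnel) can be generated and sanity-checked before they are pasted into the CLI. The generator below is an added example, not code from the handbook or from Fortinet; it assumes the standard FortiOS 5.x CLI keywords (phase1-interface, phase2-interface, firewall policy, router static), which you should confirm against the CLI reference for your build, and the tunnel name, interface names, gateway address and subnets in the usage call are constructed samples.

```python
"""Route-based (interface-based) VPN: virtual IPsec interface, one ACCEPT policy
per direction, and a static route. Added example, not from the handbook.
Assumes the standard FortiOS 5.x CLI keywords (phase1-interface,
phase2-interface, firewall policy, router static); check them against the CLI
reference for your build. Names and subnets in the usage call are constructed.
"""
import ipaddress
from typing import List


def route_based_vpn_config(name: str, wan_if: str, lan_if: str, remote_gw: str,
                           local_net: str, remote_net: str, psk: str,
                           proposal: str = "aes256-sha256", dhgrp: int = 14) -> str:
    """Return the FortiOS CLI for a gateway-to-gateway route-based VPN."""
    # Interface-mode tunnel names are limited to 15 characters (Name setting).
    if not 1 <= len(name) <= 15:
        raise ValueError("interface-mode tunnel name must be 1-15 characters")
    # The Pre-shared Key setting recommends at least 16 random characters.
    if len(psk) < 16:
        raise ValueError("pre-shared key should be at least 16 characters")
    gw = ipaddress.IPv4Address(remote_gw)
    lnet = ipaddress.IPv4Network(local_net, strict=True)
    rnet = ipaddress.IPv4Network(remote_net, strict=True)
    if lnet.overlaps(rnet):
        raise ValueError("local and remote subnets overlap; routing would be ambiguous")

    def policy(src_if: str, dst_if: str) -> List[str]:
        # Regular ACCEPT policy; a route-based VPN needs one per direction.
        return [
            "    edit 0",
            f'        set srcintf "{src_if}"',
            f'        set dstintf "{dst_if}"',
            '        set srcaddr "all"',
            '        set dstaddr "all"',
            "        set action accept",
            '        set schedule "always"',
            '        set service "ALL"',
            "    next",
        ]

    lines = [
        "config vpn ipsec phase1-interface",   # creates the virtual IPsec interface
        f'    edit "{name}"',
        f'        set interface "{wan_if}"',
        f"        set remote-gw {gw}",
        f"        set proposal {proposal}",
        f"        set dhgrp {dhgrp}",
        f'        set psksecret "{psk}"',
        "    next",
        "end",
        "config vpn ipsec phase2-interface",
        f'    edit "{name}-p2"',
        f'        set phase1name "{name}"',
        f"        set proposal {proposal}",
        f"        set src-subnet {lnet.network_address} {lnet.netmask}",
        f"        set dst-subnet {rnet.network_address} {rnet.netmask}",
        "    next",
        "end",
        "config firewall policy",
        *policy(lan_if, name),   # private network -> tunnel (virtual interface is destination)
        *policy(name, lan_if),   # tunnel -> private network (virtual interface is source)
        "end",
        "config router static",  # send the remote subnet into the tunnel
        "    edit 0",
        f"        set dst {rnet.network_address} {rnet.netmask}",
        f'        set device "{name}"',
        "    next",
        "end",
    ]
    return "\n".join(lines)


def count_policies(config: str) -> int:
    """Number of firewall policy entries in the generated config."""
    section = config.split("config firewall policy", 1)[1].split("\nend", 1)[0]
    return section.count("edit 0")


if __name__ == "__main__":
    print(route_based_vpn_config("to-branch", "wan1", "internal", "203.0.113.10",
                                 "10.10.0.0/16", "10.20.0.0/16",
                                 "constructed-sample-psk-change-me"))
```

The checks mirror the requirements stated on this page: the 15-character name limit for interface mode, the recommended pre-shared key length, and exactly two policies (source and destination roles swapped) plus one static route per tunnel. The overlap test is an extra guard, since a remote subnet that overlaps the local one cannot be routed into the tunnel unambiguously.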

Where possible, you should create route-based VPNs. Generally, route-based VPNs are more flexible and easier to configure than policy-based VPNs; by default they are treated as interfaces. However, these two VPN types have different requirements that limit where they can be used.

Comparison of policy-based and route-based VPNs

Features                                  Policy-based                                  Route-based

Both NAT and transparent modes available  Yes                                           NAT mode only

L2TP-over-IPsec supported                 Yes                                           Yes

GRE-over-IPsec supported                  No                                            Yes

Security policy requirements              Requires a security policy with IPSEC         Requires only a simple security policy
                                          action that specifies the VPN tunnel          with ACCEPT action

Number of policies per VPN                One policy controls connections in            A separate policy is required for
                                          both directions                               connections in each direction


Planning your VPN

It is a good idea to plan the VPN configuration ahead of time. This will save time later and help you configure your VPN correctly.

All VPN configurations are comprised of numerous required and optional parameters. Before you begin, you need to determine:

• Where the IP traffic originates and where it needs to be delivered
• Which hosts, servers, or networks to include in the VPN
• Which VPN devices to include in the configuration
• Through which interfaces the VPN devices communicate
• Through which interfaces private networks access the VPN gateways

Once you have this information, you can select a VPN topology that suits the network environment.

Network topologies

The topology of your network will determine how remote peers and clients connect to the VPN and how VPN traffic is routed.

VPN network topologies and brief descriptions

Topology   Description

Gateway-to-gateway configurations   Standard one-to-one VPN between two FortiGate units. See Gateway-to-gateway configurations on page 1.

Hub-and-spoke configurations   One central FortiGate unit has multiple VPNs to other remote FortiGate units. See Hub-and-spoke configurations on page 1.

Dynamic DNS configuration   One end of the VPN tunnel has a changing IP address and the other end must go to a dynamic DNS server for the current IP address before establishing a tunnel. See Dynamic DNS configuration on page 1.

FortiClient dialup-client configurations   Typically remote FortiClient dialup clients use dynamic IP addresses through NAT devices. The FortiGate unit acts as a dialup server allowing dialup VPN connections from multiple sources. See FortiClient dialup-client configurations on page 1.

FortiGate dialup-client configurations   Similar to FortiClient dialup-client configurations but with more gateway-to-gateway settings such as unique user authentication for multiple users on a single VPN tunnel. See FortiGate dialup-client configurations on page 1.

Internet-browsing configuration   Secure web browsing performed by dialup VPN clients, and/or hosts behind a remote VPN peer. See Internet-browsing configuration on page 1.


Redundant VPN configurations   Options for supporting redundant and partially redundant IPsec VPNs, using route-based approaches. See Redundant VPN configurations on page 1.

Transparent mode VPNs   In transparent mode, the FortiGate acts as a bridge with all incoming traffic being broadcast back out on all other interfaces. Routing and NAT must be performed on external routers. See Transparent mode VPNs on page 1.

L2TP and IPsec (Microsoft VPN)   Configure VPN for Microsoft Windows dialup clients using the built-in L2TP software. Users do not have to install any See L2TP and IPsec (Microsoft VPN) on page 1.

These sections contain high-level configuration guidelines with cross-references to detailed configuration procedures. If you need more detail to complete a step, select the cross-reference in the step to drill down to more detail. Return to the original procedure to complete the procedure. For a general overview of how to configure a VPN, see Planning your VPN.

General preparation steps

A VPN configuration defines relationships between the VPN devices and the private hosts, servers, or networks making up the VPN. Configuring a VPN involves gathering and recording the following information. You will need this information to configure the VPN.

• The private IP addresses of participating hosts, servers, and/or networks. These IP addresses represent the source addresses of traffic that is permitted to pass through the VPN. An IP source address can be an individual IP address, an address range, or a subnet address.
• The public IP addresses of the VPN end-point interfaces. The VPN devices establish tunnels with each other through these interfaces.
• The private IP addresses associated with the VPN-device interfaces to the private networks. Computers on the private networks behind the VPN gateways will connect to their VPN gateways through these interfaces.

How to use this guide to configure an IPsec VPN

This guide uses a task-based approach to provide all of the procedures needed to create different types of VPN configurations. Follow the step-by-step configuration procedures in this guide to set up the VPN.

The following configuration procedures are common to all IPsec VPNs:

1. Define the Phase 1 parameters that the FortiGate unit needs to authenticate remote peers or clients and establish a secure connection. See Phase 1 parameters on page 47.
2. Define the Phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with a remote peer or dialup client. See Phase 2 parameters on page 65.
3. Specify the source and destination addresses of IP packets that are to be transported through the VPN tunnel. See Defining policy addresses on page 1.


4. Create an IPsec security policy to define the scope of permitted services between the IP source and destination addresses. See Defining VPN security policies on page 1.

These steps assume you configure the FortiGate unit to generate unique IPsec encryption and authentication keys automatically. In situations where a remote VPN peer or client requires a specific IPsec encryption and authentication key, you must configure the FortiGate unit to use manual keys instead of performing Steps 1 and 2.

IPsec VPN in the web-based manager

To configure an IPsec VPN, use the general procedure below. With these steps, your FortiGate unit will automatically generate unique IPsec encryption and authentication keys. If a remote VPN peer or client requires a specific IPsec encryption or authentication key, you must configure your FortiGate unit to use manual keys instead.

1. Define Phase 1 parameters to authenticate remote peers and clients for a secure connection. See IPsec VPN in the web-based manager on page 34.
2. Define Phase 2 parameters to create a VPN tunnel with a remote peer or dialup client. See IPsec VPN in the web-based manager on page 34.
3. Create a security policy to permit communication between your private network and the VPN. Policy-based VPNs have an action of IPSEC, whereas for interface-based VPNs the security policy action is ACCEPT. See Defining VPN security policies on page 1.

The FortiGate unit implements the Encapsulated Security Payload (ESP) protocol. Internet Key Exchange (IKE) is performed automatically based on pre-shared keys or X.509 digital certificates. Interface mode, supported in NAT mode only, creates a virtual interface for the local end of a VPN tunnel.

This chapter contains the following sections:

Phase 1 configuration
Phase 2 configuration
Concentrator
IPsec Monitor

Phase 1 configuration

To begin defining the Phase 1 configuration, go to VPN > IPsec Tunnels and select Create New. Enter a unique descriptive name for the VPN tunnel and follow the instructions in the VPN Creation Wizard.

The Phase 1 configuration mainly defines the ends of the IPsec tunnel. The remote end is the remote gateway with which the FortiGate unit exchanges IPsec packets. The local end is the FortiGate interface that sends and receives IPsec packets.

If you want to control how the IKE negotiation is processed when there is no traffic, as well as the length of time the FortiGate unit waits for negotiations to occur, you can use the negotiation-timeout and auto-negotiate commands in the CLI.

For more information, refer to Phase 2 parameters on page 65.


Name   Type a name for the Phase 1 definition. The maximum name length is 15 characters for an interface mode VPN, 35 characters for a policy-based VPN. If Remote Gateway is Dialup User, the maximum name length is further reduced depending on the number of dialup tunnels that can be established: by 2 for up to 9 tunnels, by 3 for up to 99 tunnels, 4 for up to 999 tunnels, and so on.

   For a tunnel mode VPN, the name normally reflects where the remote connection originates. For a route-based tunnel, the FortiGate unit also uses the name for the virtual IPsec interface that it creates automatically.

Remote Gateway   Select the category of the remote connection:

   Static IP Address: If the remote peer has a static IP address.
   Dialup User: If one or more FortiClient or FortiGate dialup clients with dynamic IP addresses will connect to the FortiGate unit.
   Dynamic DNS: If a remote peer that has a domain name and subscribes to a dynamic DNS service will connect to the FortiGate unit.

IP Address   If you selected Static IP Address, enter the IP address of the remote peer.

Dynamic DNS   If you selected Dynamic DNS, enter the domain name of the remote peer.

Local Interface   This option is available in NAT mode only. Select the name of the interface through which remote peers or dialup clients connect to the FortiGate unit.

   By default, the local VPN gateway IP address is the IP address of the interface that you selected.

Mode   Main mode: the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
   Aggressive mode: the Phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.

   When the remote VPN peer has a dynamic IP address and is authenticated by a pre-shared key, you must select Aggressive mode if there is more than one dialup Phase 1 configuration for the interface IP address.

   When the remote VPN peer has a dynamic IP address and is authenticated by a certificate, you must select Aggressive mode if there is more than one Phase 1 configuration for the interface IP address and these Phase 1 configurations use different proposals.

Authentication Method   Select Preshared Key or RSA Signature.


Pre-shared Key   If you selected Pre-shared Key, enter the pre-shared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. You must define the same key at the remote peer or client. The key must contain at least 6 printable characters. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.

Certificate Name   If you selected RSA Signature, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. For information about obtaining and loading the required server certificate, see the FortiOS User Authentication guide.

Peer Options   Peer options are available to authenticate VPN peers or clients, depending on the Remote Gateway and Authentication Method settings.

Any peer ID   Accept the local ID of any remote VPN peer or client. The FortiGate unit does not check identifiers (local IDs). You can set Mode to Aggressive or Main.

   You can use this option with RSA Signature authentication. But, for highest security, configure a PKI user/group for the peer and set Peer Options to Accept this peer certificate only.

This peer ID   This option is available when Aggressive Mode is enabled. Enter the identifier that is used to authenticate the remote peer. This identifier must match the Local ID that the remote peer's administrator has configured.

   If the remote peer is a FortiGate unit, the identifier is specified in the Local ID field of the Advanced Phase 1 configuration.

   If the remote peer is a FortiClient user, the identifier is specified in the Local ID field, accessed by selecting Config in the Policy section of the VPN connection's Advanced Settings.

Peer ID from dialup group   Authenticate multiple FortiGate or FortiClient dialup clients that use unique identifiers and unique pre-shared keys (or unique pre-shared keys only) through the same VPN tunnel.

   You must create a dialup user group for authentication purposes. Select the group from the list next to the Peer ID from dialup group option.

   You must set Mode to Aggressive when the dialup clients use unique identifiers and unique pre-shared keys. If the dialup clients use unique pre-shared keys only, you can set Mode to Main if there is only one dialup Phase 1 configuration for this interface IP address.


Phase 1 advanced configuration settings

You can use the following advanced parameters to select the encryption and authentication algorithms that the FortiGate unit uses to generate keys for the IKE exchange. You can also use the following advanced parameters to ensure the smooth operation of Phase 1 negotiations.

These settings are mainly configured in the CLI, although some options are available after the tunnel is created using the VPN Creation Wizard (using the Convert to Custom Tunnel option).

VXLAN over IPsec   Packets with a VXLAN header are encapsulated within IPsec tunnel mode. New attributes in the IPsec Phase 1 settings have been added.

   To configure VXLAN over IPsec - CLI:

   config vpn ipsec phase1-interface/phase1
       edit ipsec
           set interface <name>
           set encapsulation vxlan/gre (new)
           set encapsulation-address ike/ipv4/ipv6 (New)
           set encap-local-gw4 xxx.xxx.xxx.xxx (New)
           set encap-remote-gw xxx.xxx.xxx.xxx (New)
       next
   end

IPsec tunnel idle timer   You can define an idle timer for IPsec tunnels. When no traffic has passed through the tunnel for the configured idle-timeout value, the IPsec tunnel will be flushed.

   To configure IPsec tunnel idle timeout - CLI:

   config vpn ipsec phase1-interface
       edit p1
           set idle-timeout [enable | disable]
           set idle-timeoutinterval <integer>   // IPsec tunnel idle timeout in minutes (10-43200).
       next
   end

IPv6 Version   Select if you want to use IPv6 addresses for the remote gateway and interface IP addresses.

Local Gateway IP   Specify an IP address for the local end of the VPN tunnel. Select one of the following:

   Main Interface IP: The FortiGate unit obtains the IP address of the interface from the network interface settings.
   Specify: Enter a secondary address of the interface selected in the Phase 1 Local Interface field.

   You cannot configure Interface mode in a transparent mode VDOM.


Phase 1 Proposal   Select the encryption and authentication algorithms used to generate keys for protecting negotiations and add encryption and authentication algorithms as required.

   You need to select a minimum of one and a maximum of three combinations. The remote peer or client must be configured to use at least one of the proposals that you define.

   Select one of the following symmetric-key encryption algorithms:

   DES: Digital Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
   3DES: Triple-DES; plaintext is encrypted three times by three keys.
   AES128: A 128-bit block algorithm that uses a 128-bit key.
   AES192: A 128-bit block algorithm that uses a 192-bit key.
   AES256: A 128-bit block algorithm that uses a 256-bit key.

   You can select either of the following message digests to check the authenticity of messages during an encrypted session:

   MD5: Message Digest 5.
   SHA1: Secure Hash Algorithm 1, a 160-bit message digest.

   To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

Diffie-Hellman Group   Select one or more Diffie-Hellman groups from DH groups 1, 2, 5, and 14 through 21. At least one of the Diffie-Hellman Group settings on the remote peer or client must match one of the selections on the FortiGate unit. Failure to match one or more DH groups will result in failed negotiations.

Keylife   Enter the time (in seconds) that must pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172800 seconds.


Local ID   If the FortiGate unit will act as a VPN client and you are using peer IDs for authentication purposes, enter the identifier that the FortiGate unit will supply to the VPN server during the Phase 1 exchange.

   If the FortiGate unit will act as a VPN client, and you are using security certificates for authentication, select the distinguished name (DN) of the local server certificate that the FortiGate unit will use for authentication purposes.

   If the FortiGate unit is a dialup client and will not be sharing a tunnel with other dialup clients (that is, the tunnel will be dedicated to this Fortinet dialup client), set Mode to Aggressive.

   Note that this Local ID value must match the peer ID value given for the remote VPN peer's Peer Options.

XAuth   This option supports the authentication of dialup clients. It is available for IKEv1 only.

   Disable: Select if you do not use XAuth.
   Enable as Client: If the FortiGate unit is a dialup client, enter the user name and password that the FortiGate unit will need to authenticate itself to the remote XAuth server.
   Enable as Server: This is available only if Remote Gateway is set to Dialup User. Dialup clients authenticate as members of a dialup user group. You must first create a user group for the dialup clients that need access to the network behind the FortiGate unit.

   You must also configure the FortiGate unit to forward authentication requests to an external RADIUS or LDAP authentication server.

   Select a Server Type setting to determine the type of encryption method to use between the FortiGate unit, the XAuth client and the external authentication server, and then select the user group from the User Group list.

Username   Enter the user name that is used for authentication.

Password   Enter the password that is used for authentication.


NAT Traversal   Select the check box if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared) to connect reliably.

   Additionally, you can force IPsec to use NAT traversal. If NAT is set to Forced, the FortiGate will use a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.

Keepalive Frequency   If you enabled NAT-traversal, enter a keepalive frequency setting.

Dead Peer Detection   Select this check box to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. You can use this option to receive notification whenever a tunnel goes up or down, or to keep the tunnel connection open when no traffic is being generated inside the tunnel. For example, in scenarios where a dialup client or dynamic DNS peer connects from an IP address that changes periodically, traffic may be suspended while the IP address changes.

   With Dead Peer Detection selected, you can use the config vpn ipsec phase1 (tunnel mode) or config vpn ipsec phase1-interface (interface mode) CLI command to optionally specify a retry count and a retry interval.

IKE fragmentation

UDP fragmentation can cause issues in IPsec when either the ISP or perimeter firewall(s) cannot pass or fragment the oversized UDP packets that occur when using a very large public security key (PSK). The result is that IPsec tunnels do not come up. The solution is IKE fragmentation.

For most configurations, enabling IKE fragmentation allows connections to automatically establish when they otherwise might have failed due to intermediate nodes dropping IKE messages containing large certificates, which typically push the packet size over 1500 bytes.

FortiOS will fragment a packet on sending if, and only if, all the following are true:

• Phase 1 contains "set fragmentation enable".
• The packet is larger than the minimum MTU (576 for IPv4, 1280 for IPv6).
• The packet is being re-transmitted.

By default, IKE fragmentation is enabled, but upon upgrading, any existing phase1-interface may have "set fragmentation disable" added in order to preserve the existing behaviour of not supporting fragmentation.

Enabling or disabling IKE fragmentation - CLI

config vpn ipsec phase1-interface
    edit 1
        set fragmentation [enable | disable]
    next
end
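The Phase 1 settings described above carry several hard limits (name length, including the dialup reduction rule; the 6-character minimum and 16-character recommendation for the pre-shared key; DH groups 1, 2, 5 and 14 through 21; keylife 120 to 172800 seconds; idle-timeoutinterval 10 to 43200 minutes), and the IKE fragmentation section gives a three-part rule for when FortiOS fragments. The following is an added example, not Fortinet code, that encodes those limits as a pre-flight check to run before committing a configuration, generates a pre-shared key that meets the recommendation, and implements the fragmentation rule as a predicate. The PhaseOneSettings fields and the function names are this example's own.

```python
"""Phase 1 pre-flight checks and the IKE fragmentation rule (added example,
not Fortinet code). Limits are the ones stated in the setting descriptions;
the PhaseOneSettings fields and function names are this example's own.
"""
import secrets
import string
from dataclasses import dataclass, field
from typing import List, Optional

ALLOWED_DH_GROUPS = {1, 2, 5} | set(range(14, 22))   # DH groups 1, 2, 5, 14-21
KEYLIFE_RANGE = (120, 172800)        # seconds
IDLE_TIMEOUT_RANGE = (10, 43200)     # minutes (idle-timeoutinterval)
MIN_PSK_CHARS = 6                    # hard minimum, printable characters
RECOMMENDED_PSK_CHARS = 16           # minimum for "optimum protection"
MIN_MTU = {"ipv4": 576, "ipv6": 1280}


@dataclass
class PhaseOneSettings:
    name: str
    interface_mode: bool               # route-based (virtual IPsec interface) or policy-based
    remote_gateway: str                # "static", "dialup" or "ddns"
    psk: Optional[str] = None          # None when RSA Signature is used instead
    dh_groups: List[int] = field(default_factory=lambda: [14])
    keylife: int = 86400
    idle_timeout_minutes: Optional[int] = None
    max_dialup_tunnels: int = 1        # only meaningful for remote_gateway == "dialup"


def max_name_length(interface_mode: bool, remote_gateway: str, max_dialup_tunnels: int = 1) -> int:
    """15 chars for interface mode, 35 for policy-based; less for dialup."""
    limit = 15 if interface_mode else 35
    if remote_gateway == "dialup":
        # "by 2 for up to 9 tunnels, by 3 for up to 99, 4 for up to 999, and so on":
        # one more than the number of digits in the tunnel count.
        limit -= len(str(max_dialup_tunnels)) + 1
    return limit


def check_phase1(s: PhaseOneSettings) -> List[str]:
    """Return a list of problems; an empty list means the settings pass."""
    problems = []
    limit = max_name_length(s.interface_mode, s.remote_gateway, s.max_dialup_tunnels)
    if not 1 <= len(s.name) <= limit:
        problems.append(f"name length {len(s.name)} exceeds the limit of {limit}")
    if s.psk is not None:
        if len(s.psk) < MIN_PSK_CHARS or not s.psk.isprintable():
            problems.append("pre-shared key must be at least 6 printable characters")
        elif len(s.psk) < RECOMMENDED_PSK_CHARS:
            problems.append("pre-shared key is shorter than the recommended 16 random characters")
    bad_groups = [g for g in s.dh_groups if g not in ALLOWED_DH_GROUPS]
    if bad_groups or not s.dh_groups:
        problems.append(f"unsupported or missing DH groups: {bad_groups}")
    if not KEYLIFE_RANGE[0] <= s.keylife <= KEYLIFE_RANGE[1]:
        problems.append("keylife must be 120-172800 seconds")
    if s.idle_timeout_minutes is not None and not (
            IDLE_TIMEOUT_RANGE[0] <= s.idle_timeout_minutes <= IDLE_TIMEOUT_RANGE[1]):
        problems.append("idle-timeoutinterval must be 10-43200 minutes")
    return problems


def generate_psk(length: int = 24) -> str:
    """Random alphanumeric pre-shared key from the OS CSPRNG (>= 16 chars)."""
    if length < RECOMMENDED_PSK_CHARS:
        raise ValueError("use at least 16 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def will_fragment(fragmentation_enabled: bool, packet_len: int, family: str, retransmit: bool) -> bool:
    """FortiOS fragments an IKE packet on send only when all three conditions hold."""
    return fragmentation_enabled and packet_len > MIN_MTU[family] and retransmit


if __name__ == "__main__":
    settings = PhaseOneSettings(name="hq-to-branch", interface_mode=True,
                                remote_gateway="static", psk=generate_psk())
    print("problems:", check_phase1(settings) or "none")
    print("1600-byte IPv4 retransmit fragments:", will_fragment(True, 1600, "ipv4", True))
```

Note that the fragmentation predicate is deliberately strict: a large IKE message is sent whole on its first attempt and only split when it has to be re-transmitted, so a first-try failure followed by success is the expected pattern when an intermediate device drops the unfragmented packet.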


Phase 2 configuration

After IPsec Phase 1 negotiations end successfully, you begin Phase 2. You can configure the Phase 2 parameters to define the algorithms that the FortiGate unit may use to encrypt and transfer data for the remainder of the session. During Phase 2, you select specific IPsec security associations needed to implement security services and establish a tunnel.

The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration that specifies the remote end point of the VPN tunnel. In most cases, you need to configure only basic Phase 2 settings.

These settings are mainly configured in the CLI, although some options are available after the tunnel is created using the VPN Creation Wizard (using the Convert to Custom Tunnel option).

Name   Type a name to identify the Phase 2 configuration.

Phase 1   Select the Phase 1 tunnel configuration. For more information on configuring Phase 1, see Phase 1 configuration on page 34. The Phase 1 configuration describes how remote VPN peers or clients will be authenticated on this tunnel, and how the connection to the remote peer or client will be secured.

Advanced   Define advanced Phase 2 parameters. For more information, see Phase 2 advanced configuration settings below.

Phase 2 advanced configuration settings

In Phase 2, the FortiGate unit and the VPN peer or client exchange keys again to establish a secure communication channel between them. You select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). These are called Phase 2 Proposal parameters. The keys are generated automatically using a Diffie-Hellman algorithm.

You can use a number of additional advanced Phase 2 settings to enhance the operation of the tunnel.

Phase 2 Proposal   Select the encryption and authentication algorithms that will be proposed to the remote VPN peer. You can specify up to three proposals. To establish a VPN connection, at least one of the proposals that you specify must match the configuration on the remote peer.

   Initially there are two proposals. Add and Delete icons are next to the second Authentication field.

   It is invalid to set both Encryption and Authentication to NULL.


Encryption: Select a symmetric-key algorithm:

NULL: Do not use an encryption algorithm.
DES: Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
3DES: Triple-DES; plain text is encrypted three times by three keys.
AES128: A 128-bit block algorithm that uses a 128-bit key.
AES192: A 128-bit block algorithm that uses a 192-bit key.
AES256: A 128-bit block algorithm that uses a 256-bit key.

Authentication: You can select either of the following message digests to check the authenticity of messages during an encrypted session:

NULL: Do not use a message digest.
MD5: Message Digest 5.
SHA1: Secure Hash Algorithm 1 - a 160-bit message digest.

To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

Enable replay detection: Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.

Enable perfect forward secrecy (PFS): Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.

Diffie-Hellman Group: Select one Diffie-Hellman group (1, 2, 5, or 14 through 21). This must match the DH Group that the remote peer or dialup client uses.

Keylife: Select the method for determining when the Phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB have been processed.

Autokey Keep Alive: Select the check box if you want the tunnel to remain active when no data is being processed.

Auto-negotiate: Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.


DHCP-IPsec: Provide IP addresses dynamically to VPN clients. This is available for Phase 2 configurations associated with a dialup Phase 1 configuration.

You also need to configure a DHCP server or relay on the private network interface. You must configure the DHCP parameters separately.

If you configure the DHCP server to assign IP addresses based on RADIUS user group attributes, you must also set the Phase 1 Peer Options to Peer ID from dialup group and select the appropriate user group. See Phase 1 configuration on page 34.

If the FortiGate unit acts as a dialup server and you manually assigned FortiClient dialup clients VIP addresses that match the network behind the dialup server, selecting the check box will cause the FortiGate unit to act as a proxy for the dialup clients.

Quick Mode Selector: Specify the source and destination IP addresses to be used as selectors for IKE negotiations. If the FortiGate unit is a dialup server, keep the default value of 0.0.0.0/0 unless you need to circumvent problems caused by ambiguous IP addresses between one or more of the private networks making up the VPN. You can specify a single host IP address, an IP address range, or a network address. You may optionally specify source and destination port numbers and a protocol number.

If you are editing an existing Phase 2 configuration, the Source address and Destination address fields are unavailable if the tunnel has been configured to use firewall addresses as selectors. This option exists only in the CLI.

Source address: If the FortiGate unit is a dialup server, enter the source IP address that corresponds to the local senders or network behind the local VPN peer (for example, 172.16.5.0/24 or 172.16.5.0/255.255.255.0 for a subnet, or 172.16.5.1/32 or 172.16.5.1/255.255.255.255 for a server or host, or 192.168.10.[80-100] or 192.168.10.80-192.168.10.100 for an address range). A value of 0.0.0.0/0 means all IP addresses behind the local VPN peer.

If the FortiGate unit is a dialup client, source address must refer to the private network behind the Fortinet dialup client.

Source port: Enter the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is from 0 to 65535. To specify all ports, type 0.

Destination address: Enter the destination IP address that corresponds to the recipients or network behind the remote VPN peer (for example, 192.168.20.0/24 for a subnet, or 172.16.5.1/32 for a server or host, or 192.168.10.[80-100] for an address range). A value of 0.0.0.0/0 means all IP addresses behind the remote VPN peer.


Destination port: Enter the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). To specify all ports, enter 0.

Protocol: Enter the IP protocol number of the service. To specify all services, enter 0.
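The replay detection option in the Phase 2 settings above is what stops the attack the table describes: the receiver keeps a sliding window over ESP sequence numbers and drops anything already seen or older than the window. The following Python is an added example written for this page, not FortiOS code; it implements a window in the style of the RFC 4303 anti-replay check, and the 64-packet window size and the sample sequence stream are constructed for the illustration.

```python
"""Sliding anti-replay window for ESP sequence numbers, in the style of the
RFC 4303 check that "replay detection" enables. Added example, not FortiOS code."""
from typing import Iterable, List


class ReplayWindow:
    """Tracks the highest sequence number seen and a bitmap of the last
    `size` numbers so that duplicates and stale packets can be rejected."""

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("window must be at least 32 packets")
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit k set => sequence (highest - k) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record the packet if `seq` is fresh; False if it is
        a replay, too old for the window, or the invalid value 0."""
        if seq <= 0:
            return False
        if seq > self.highest:
            # Slide the window forward; everything older than `size` falls out.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False                      # older than the window: drop
        if self.bitmap & (1 << diff):
            return False                      # already seen: replay
        self.bitmap |= 1 << diff              # late but new: accept once
        return True


def rejected_sequence_numbers(seqs: Iterable[int], size: int = 64) -> List[int]:
    """Run a stream of sequence numbers through one window and return those
    that a receiver with replay detection would drop."""
    window = ReplayWindow(size)
    return [s for s in seqs if not window.check_and_update(s)]


if __name__ == "__main__":
    # Constructed stream: 2 and 4 are replayed, 3 arrives after the window moved past it.
    print(rejected_sequence_numbers([1, 2, 3, 2, 5, 4, 4, 70, 3]))
```

Two points worth noticing: a packet that arrives late but inside the window is still accepted exactly once, so reordering on the path does not cause drops, and the check only has meaning because ESP authenticates the sequence number, which is why the table forbids an Authentication setting of NULL together with NULL encryption.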

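The Source address and Destination address rows above list several spellings for the same selector (CIDR prefix, dotted netmask, bracketed last-octet range, and a full address range). The Python below is an added example for this page, not FortiOS code, that parses those spellings into an inclusive address range and decides whether a packet is covered by a Quick Mode selector, with port 0 and protocol 0 meaning "any" as the table states. The QuickModeSelector class and its method names are assumptions made for the example; how FortiOS represents selectors internally is not shown here.

```python
"""Parser and matcher for the Quick Mode selector address formats listed above.
Added example, not FortiOS code; FortiOS's own selector handling is not shown here."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Tuple

IPv4 = ipaddress.IPv4Address
AddrRange = Tuple[IPv4, IPv4]

_BRACKET_RANGE = re.compile(r"^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\[(\d{1,3})-(\d{1,3})\]$")


def parse_address_selector(text: str) -> AddrRange:
    """Accepts 'a.b.c.d/n', 'a.b.c.d/mask', 'a.b.c.[x-y]' and 'a.b.c.d-e.f.g.h'
    and returns the inclusive (first, last) address pair it covers."""
    text = text.strip()
    m = _BRACKET_RANGE.match(text)
    if m:
        base, lo, hi = m.group(1), m.group(2), m.group(3)
        first, last = IPv4(f"{base}.{lo}"), IPv4(f"{base}.{hi}")
    elif "-" in text:
        a, b = text.split("-", 1)
        first, last = IPv4(a.strip()), IPv4(b.strip())
    else:
        net = ipaddress.IPv4Network(text, strict=False)  # handles /n and /dotted-mask
        first, last = net[0], net[-1]
    if first > last:
        raise ValueError(f"range end before start in selector {text!r}")
    return first, last


@dataclass(frozen=True)
class QuickModeSelector:
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    src_port: int = 0      # 0 = any port
    dst_port: int = 0
    protocol: int = 0      # 0 = any IP protocol

    def matches(self, src_ip: str, dst_ip: str, protocol: int,
                src_port: int = 0, dst_port: int = 0) -> bool:
        """Decide whether a packet is covered by this selector."""
        s_lo, s_hi = parse_address_selector(self.src)
        d_lo, d_hi = parse_address_selector(self.dst)
        return (s_lo <= IPv4(src_ip) <= s_hi
                and d_lo <= IPv4(dst_ip) <= d_hi
                and self.protocol in (0, protocol)
                and self.src_port in (0, src_port)
                and self.dst_port in (0, dst_port))


if __name__ == "__main__":
    # Constructed selector: hosts .80-.100 reaching HTTPS on the 172.16.5.0/24 side.
    sel = QuickModeSelector(src="192.168.10.[80-100]", dst="172.16.5.0/255.255.255.0",
                            dst_port=443, protocol=6)
    print(sel.matches("192.168.10.90", "172.16.5.7", 6, 51000, 443))   # True
    print(sel.matches("192.168.10.120", "172.16.5.7", 6, 51000, 443))  # False
```

The parser raises on a range whose end precedes its start rather than silently producing an empty selector, since an empty selector would negotiate a Phase 2 SA that no traffic can use.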
FortiClient VPN
Use the FortiClient VPN for OS X, Windows, and Android VPN Wizard option when configuring an IPsec VPN for remote users to connect to the VPN tunnel using FortiClient.

When configuring a FortiClient VPN connection, the Phase 1 and Phase 2 settings are automatically configured by the FortiGate unit. They are set to:

• Remote Gateway: Dialup User
• Mode: Aggressive
• Default settings for Phase 1 and 2 Proposals
• XAUTH: Enable as Server (Auto)
• IKE mode-config will be enabled
• Peer Option: Any peer ID

The remainder of the settings use the current FortiGate defaults. Note that FortiClient settings need to match these FortiGate defaults. If you need to configure advanced settings for the FortiClient VPN, you must do so using the CLI.

Name: Enter a name for the FortiClient VPN.

Local Outgoing Interface: Select the local outgoing interface for the VPN.

Authentication Method: Select the type of authentication used when logging into the VPN.

Preshared Key: If Pre-shared Key was selected in Authentication Method, enter the pre-shared key in the field provided.

User Group: Select a user group. You can also create a user group from the drop-down list by selecting Create New.

Address Range Start IP: Enter the start IP address for the DHCP address range for the client.

Address Range End IP: Enter the end IP address for the address range.

Subnet Mask: Enter the subnet mask.

Enable IPv4 Split Tunnel: Enabled by default, this option enables the FortiClient user to use the VPN to access internal resources while other Internet access is not sent over the VPN, alleviating potential traffic bottlenecks in the VPN connection. Disable this option to have all traffic sent through the VPN tunnel.


Accessible Networks: Select from a list of internal networks that the FortiClient user can access.

Client Options: These options affect how the FortiClient application behaves when connected to the FortiGate VPN tunnel. When enabled, a check box for the corresponding option appears on the VPN login screen in FortiClient, and is not enabled by default.

Save Password - When enabled, if the user selects this option, their password is stored on the user's computer and will automatically populate each time they connect to the VPN.

Auto Connect - When enabled, if the user selects this option, when the FortiClient application is launched, for example after a reboot or system startup, FortiClient will automatically attempt to connect to the VPN tunnel.

Always Up (Keep Alive) - When enabled, if the user selects this option, the FortiClient connection will not shut down. When not selected, during periods of inactivity, FortiClient will attempt to stay connected every three minutes for a maximum of 10 minutes.

Endpoint Registration: When selected, the FortiGate unit requests a registration key from FortiClient before a connection can be established. A registration key is defined by going to System > Advanced.

For more information on FortiClient VPN connections to a FortiGate unit, see the FortiClient Administration Guide.

DNS Server: Select which DNS server to use for this VPN:

Use System DNS: Use the same DNS servers as the FortiGate unit. These are configured at Network > DNS. This is the default option.
Specify: Specify the IP address of a different DNS server.

Concentrator

In a hub-and-spoke configuration, policy-based VPN connections to a number of remote peers radiate from a single, central FortiGate unit. Site-to-site connections between the remote peers do not exist; however, you can establish VPN tunnels between any two of the remote peers through the FortiGate unit's hub.

In a hub-and-spoke network, all VPN tunnels terminate at the hub. The peers that connect to the hub are known as spokes. The hub functions as a concentrator on the network, managing all VPN connections between the spokes. VPN traffic passes from one tunnel to the other through the hub.

You define a concentrator to include spokes in the hub-and-spoke configuration. You create the concentrator in VPN > IPsec Concentrator and select Create New. A concentrator configuration specifies which spokes to include in an IPsec hub-and-spoke configuration.

Concentrator Name: Type a name for the concentrator.


Available Tunnels: A list of defined IPsec VPN tunnels. Select a tunnel from the list and then select the right arrow.

Members: A list of tunnels that are members of the concentrator. To remove a tunnel from the concentrator, select the tunnel and select the left arrow.

IPsec Monitor

You can use the IPsec Monitor to view activity on IPsec VPN tunnels and start or stop those tunnels. The display provides a list of addresses, proxy IDs, and timeout information for all active tunnels, including tunnel mode and route-based (interface mode) tunnels.

To view the IPsec monitor, go to Monitor > IPsec Monitor.

For dialup VPNs, the list provides status information about the VPN tunnels established by dialup clients, and their IP addresses.

For static IP or dynamic DNS VPNs, the list provides status and IP addressing information about VPN tunnels, active or not, to remote peers that have static IP addresses or domain names. You can also start and stop individual tunnels from the list.

Phase 1 parameters

This chapter provides detailed step-by-step procedures for configuring a FortiGate unit to accept a connection from a remote peer or dialup client. The Phase 1 parameters identify the remote peer or clients and support authentication through preshared keys or digital certificates. You can increase access security further using peer identifiers, certificate distinguished names, group names, or the FortiGate extended authentication (XAuth) option for authentication purposes.

For more information on Phase 1 parameters in the web-based manager, see IPsec VPN in the web-based manager on page 34.

The information and procedures in this section do not apply to VPN peers that perform negotiations using manual keys.

The following topics are included in this section:

Overview
Defining the tunnel ends
Choosing Main mode or Aggressive mode
Choosing the IKE version
Authenticating the FortiGate unit
Authenticating remote peers and clients
Defining IKE negotiation parameters
Using XAuth authentication
Dynamic IPsec route control

Overview

To configure IPsec Phase 1 settings, go to VPN > IPsec Tunnels and edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

IPsec Phase 1 settings define:

• The remote and local ends of the IPsec tunnel
• If Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information (main mode) or in a single message with authentication information that is not encrypted (aggressive mode)
• If a preshared key or digital certificates will be used to authenticate the FortiGate unit to the VPN peer or dialup client
• If the VPN peer or dialup client is required to authenticate to the FortiGate unit. A remote peer or dialup client can authenticate by peer ID or, if the FortiGate unit authenticates by certificate, it can authenticate by peer certificate.
• The IKE negotiation proposals for encryption and authentication
• Optional XAuth authentication, which requires the remote user to enter a user name and password. A FortiGate VPN server can act as an XAuth server to authenticate dialup users. A FortiGate unit that is a dialup client can also be configured as an XAuth client to authenticate itself to the VPN server.

For all the Phase 1 web-based manager fields, see IPsec VPN in the web-based manager on page 34.


If you want to control how IKE is negotiated when there is no traffic, as well as the length of time the unit waits for negotiations to occur, use the negotiation-timeout and auto-negotiate commands in the CLI.

Defining the tunnel ends

To begin defining the Phase 1 configuration, go to VPN > IPsec Tunnels and select Create New. Enter a unique descriptive name for the VPN tunnel and follow the instructions in the VPN Creation Wizard.

The Phase 1 configuration mainly defines the ends of the IPsec tunnel. The remote end is the remote gateway with which the FortiGate unit exchanges IPsec packets. The local end is the FortiGate interface that sends and receives IPsec packets.

The remote gateway can be:

• A static IP address
• A domain name with a dynamic IP address
• A dialup client

A statically addressed remote gateway is the simplest to configure. You specify the IP address. Unless restricted in the security policy, either the remote peer or a peer on the network behind the FortiGate unit can bring up the tunnel.

If the remote peer has a domain name and subscribes to a dynamic DNS service, you need to specify only the domain name. The FortiGate unit performs a DNS query to determine the appropriate IP address. Unless restricted in the security policy, either the remote peer or a peer on the network behind the FortiGate unit can bring up the tunnel.

If the remote peer is a dialup client, only the dialup client can bring up the tunnel. The IP address of the client is not known until it connects to the FortiGate unit. This configuration is a typical way to provide a VPN for client PCs running VPN client software such as the FortiClient Endpoint Security application.

The local end of the VPN tunnel, the Local Interface, is the FortiGate interface that sends and receives the IPsec packets. This is usually the public interface of the FortiGate unit that is connected to the Internet (typically the WAN1 port). Packets from this interface pass to the private network through a security policy.

By default, the local VPN gateway is the IP address of the selected Local Interface. If you are configuring an interface mode VPN, you can optionally use a secondary IP address of the Local Interface as the local gateway.

Choosing Main mode or Aggressive mode

The FortiGate unit and the remote peer or dialup client exchange Phase 1 parameters in either Main mode or Aggressive mode. This choice does not apply if you use IKE version 2, which is available only for route-based configurations.

• In Main mode, the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.
• In Aggressive mode, the Phase 1 parameters are exchanged in a single message with unencrypted authentication information.

Although Main mode is more secure, you must select Aggressive mode if there is more than one dialup Phase 1 configuration for the interface IP address, and the remote VPN peer or client is authenticated using an identifier local ID. Aggressive mode might not be as secure as Main mode, but the advantage to Aggressive mode is that it is faster than Main mode (since fewer packets are exchanged). Aggressive mode is typically used for remote access VPNs. But you would also use aggressive mode if one or both peers have dynamic external IP addresses. Descriptions of the peer options in this guide indicate whether Main or Aggressive mode is required.

Choosing the IKE version

If you create a route-based VPN, you have the option of selecting IKE version 2. Otherwise, IKE version 1 is used.

IKEv2, defined in RFC 4306, simplifies the negotiation process that creates the security association (SA).

If you select IKEv2:

• There is no choice in Phase 1 of Aggressive or Main mode.
• FortiOS does not support Peer Options or Local ID.
• Extended Authentication (XAUTH) is not available.
• You can select only one Diffie-Hellman Group.
• You can utilize EAP and MOBIKE.

IKEv2 cookie notification for IKE_SA_INIT
IKEv2 offers an optional exchange within IKE_SA_INIT (the initial exchange between peers when establishing a secure tunnel) as a result of an inherent vulnerability in IPsec implementations, as described in RFC 5996.

Two expected attacks against IKE are state and CPU exhaustion, where the target is flooded with session initiation requests from forged IP addresses. These attacks can be made less effective if a responder uses minimal CPU and commits no state to an SA until it knows the initiator can receive packets at the address from which it claims to be sending them.

If the IKE_SA_INIT response includes the cookie notification, the initiator MUST then retry the IKE_SA_INIT request, and include the cookie notification containing the received data as the first payload, and all other payloads unchanged.

Upon detecting that the number of half-open IKEv2 SAs is above the threshold value, the VPN dialup server requires all future SA_INIT requests to include a valid cookie notification payload that the server sends back, in order to preserve CPU and memory resources.

For most devices, the threshold value is set to 500, half of the maximum 1,000 connections.

This feature is enabled by default in FortiOS 5.4.

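The responder behaviour described above, as an added Python simulation written for this page (not FortiOS code). It shows the property that matters for the defence: below the half-open threshold the responder commits state immediately, above it the cookie is computed statelessly from the request and a responder-only secret, so nothing is stored until the initiator echoes it back from the address it claimed. The CookieResponder class, the HMAC-SHA256 cookie layout, the secret rotation and the demo scenario are assumptions made for the example; the 500 default mirrors the threshold the text quotes.

```python
"""Simulation of the IKEv2 cookie challenge (RFC 5996 section 2.6) that the
text describes: above a half-open SA threshold the responder commits no state
until the initiator echoes a cookie proving it can receive at its claimed
address. Added example, not FortiOS code; the cookie construction and the
demo scenario are assumptions modelled on the text (500 half-open SAs)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

Reply = Tuple[str, Optional[bytes]]


class CookieResponder:
    def __init__(self, threshold: int = 500, secret: Optional[bytes] = None):
        self.threshold = threshold
        self.secret = secret or os.urandom(32)   # responder-only secret
        self.version = 0                          # bumped when the secret rotates
        self.half_open: Dict[Tuple[str, bytes], bytes] = {}  # (src_ip, SPIi) -> nonce

    def rotate_secret(self) -> None:
        """Cookies minted under the old secret stop validating after rotation."""
        self.secret = os.urandom(32)
        self.version = (self.version + 1) % 256

    def _cookie(self, src_ip: str, spi_i: bytes, nonce_i: bytes) -> bytes:
        # Stateless: recomputable from the request, so nothing is stored to issue it.
        data = b"|".join([src_ip.encode(), spi_i, nonce_i, bytes([self.version])])
        mac = hmac.new(self.secret, data, hashlib.sha256).digest()
        return bytes([self.version]) + mac[:16]

    def handle_sa_init(self, src_ip: str, spi_i: bytes, nonce_i: bytes,
                       cookie: Optional[bytes] = None) -> Reply:
        """Returns ('cookie', c) to challenge, ('drop', None) for a bad cookie,
        or ('sa_init_response', None) once state is committed."""
        if len(self.half_open) >= self.threshold:
            expected = self._cookie(src_ip, spi_i, nonce_i)
            if cookie is None:
                return ("cookie", expected)        # no state created
            if not hmac.compare_digest(cookie, expected):
                return ("drop", None)
        self.half_open[(src_ip, spi_i)] = nonce_i     # state committed here
        return ("sa_init_response", None)

    def finish_ike_auth(self, src_ip: str, spi_i: bytes) -> None:
        """IKE_AUTH completed (or the half-open SA timed out): release the slot."""
        self.half_open.pop((src_ip, spi_i), None)


def demo_flood_then_legitimate_peer(threshold: int = 3) -> Tuple[str, str, str]:
    """Constructed scenario: `threshold` unanswered inits fill the table, after
    which a peer is challenged, a mismatched cookie is dropped, and a correct
    echo is accepted."""
    r = CookieResponder(threshold=threshold)
    for i in range(threshold):
        r.handle_sa_init(f"203.0.113.{i}", bytes([i]) * 8, b"n" * 16)
    peer = ("198.51.100.7", b"\x01" * 8, b"\x02" * 16)
    kind, cookie = r.handle_sa_init(*peer)
    dropped, _ = r.handle_sa_init(*peer, cookie=b"\x00" * 17)
    accepted, _ = r.handle_sa_init(*peer, cookie=cookie)
    return kind, dropped, accepted


if __name__ == "__main__":
    print(demo_flood_then_legitimate_peer())   # ('cookie', 'drop', 'sa_init_response')
```

The version byte carried in the cookie lets the responder rotate its secret periodically without breaking initiators that are mid-retry for only one rotation interval, which is the usual operational trade-off between cookie freshness and connection setup latency.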
IKEv2 Quick Crash Detection
There is support for IKEv2 Quick Crash Detection as described in RFC 6290.

RFC 6290 describes a method in which an IKE peer can quickly detect that the gateway peer that it has established an IKE session with has rebooted, crashed, or otherwise lost IKE state. When the gateway receives IKE messages or ESP packets with unknown IKE or IPsec SPIs, the IKEv2 protocol allows the gateway to send the peer an unprotected IKE message containing INVALID_IKE_SPI or INVALID_SPI notification payloads.

RFC 6290 introduces the concept of a QCD token, which is generated from the IKE SPIs and a private QCD secret, and exchanged between peers during the protected IKE_AUTH exchange.


Adding Quick Crash Detection - CLI Syntax
config system settings
  set ike-quick-crash-detect [enable | disable]
end

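Why the token makes the unprotected notification safe to act on, as an added Python example written for this page (not FortiOS code and not the RFC's exact encoding). The gateway's QCD secret persists across a reboot while its SA state does not, so after a crash it can still recompute the token for SPIs it no longer recognises; the peer compares that token with the one it received under IKE_AUTH protection and tears the SA down only on a match, while a notification from a sender without the secret is ignored. The QcdGateway class, the HMAC-SHA256 derivation with 16-byte truncation and the demo scenario are assumptions made for the example.

```python
"""QCD token handling in the spirit of RFC 6290: a token derived from the IKE
SPIs and a private secret lets a peer verify an unprotected INVALID_IKE_SPI
notification from a gateway that lost its IKE state. Added example, not
FortiOS code; the HMAC-SHA256 construction and 16-byte truncation are
assumptions chosen for the example, not the RFC's exact method."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

SpiPair = Tuple[bytes, bytes]   # (SPIi, SPIr)


def qcd_token(qcd_secret: bytes, spi_i: bytes, spi_r: bytes) -> bytes:
    """Token the gateway can always recompute, even after a crash, because the
    QCD secret is kept persistently while SA state is not."""
    return hmac.new(qcd_secret, spi_i + spi_r, hashlib.sha256).digest()[:16]


class QcdGateway:
    def __init__(self, secret: Optional[bytes] = None):
        self.secret = secret or os.urandom(32)         # survives reboots
        self.peer_tokens: Dict[SpiPair, bytes] = {}     # received during IKE_AUTH

    def my_token(self, spis: SpiPair) -> bytes:
        return qcd_token(self.secret, *spis)

    def store_peer_token(self, spis: SpiPair, token: bytes) -> None:
        """Called inside the protected IKE_AUTH exchange: remember the peer's token."""
        self.peer_tokens[spis] = token

    def crash(self) -> None:
        """Simulate a reboot: all SA state is gone, the secret is not."""
        self.peer_tokens.clear()

    def on_unknown_spi(self, spis: SpiPair) -> Tuple[str, bytes]:
        """A packet arrived for SPIs we do not know: answer with an unprotected
        INVALID_IKE_SPI notify carrying the token for those SPIs."""
        return ("INVALID_IKE_SPI", self.my_token(spis))

    def verify_crash_notify(self, spis: SpiPair, token: bytes) -> bool:
        """Accept the unprotected notify only if the token matches the one
        exchanged earlier under protection; otherwise ignore it."""
        stored = self.peer_tokens.get(spis)
        return stored is not None and hmac.compare_digest(stored, token)


def demo() -> Tuple[bool, bool]:
    """Constructed scenario: A and B exchange tokens, A reboots, B's next packet
    triggers a notify that B accepts; a notify from a third gateway that never
    held the secret is rejected."""
    a, b, other = QcdGateway(), QcdGateway(), QcdGateway()
    spis = (b"\x11" * 8, b"\x22" * 8)
    a.store_peer_token(spis, b.my_token(spis))
    b.store_peer_token(spis, a.my_token(spis))
    a.crash()
    _, token = a.on_unknown_spi(spis)
    genuine = b.verify_crash_notify(spis, token)
    _, bogus = other.on_unknown_spi(spis)
    forged = b.verify_crash_notify(spis, bogus)
    return genuine, forged


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Without the token, a receiver would have to choose between ignoring unprotected INVALID_IKE_SPI notifications (slow recovery, waiting for DPD to time out) and trusting them (letting anyone who can spoof a packet tear down the tunnel); the token removes that dilemma, which is what ike-quick-crash-detect turns on.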
Authenticating the FortiGate unit

The FortiGate unit can authenticate itself to remote peers or dialup clients using either a pre-shared key or an RSA Signature (certificate).

Authenticating the FortiGate unit with digital certificates
To authenticate the FortiGate unit using digital certificates, you must have the required certificates installed on the remote peer and on the FortiGate unit. The signed server certificate on one peer is validated by the presence of the root certificate installed on the other peer. If you use certificates to authenticate the FortiGate unit, you can also require the remote peers or dialup clients to authenticate using certificates.

For more information about obtaining and installing certificates, see the FortiOS User Authentication guide.

Authenticating the FortiGate unit using digital certificates

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button):

Name: Enter a name that reflects the origination of the remote connection. For interface mode, the name can be up to 15 characters long.

Remote Gateway: Select the nature of the remote connection. Each option changes the available fields you must configure. For more information, see Authenticating the FortiGate unit on page 50.

Local Interface: Select the interface that is the local end of the IPsec tunnel. For more information, see Authenticating the FortiGate unit on page 50. The local interface is typically the WAN1 port.

Mode: Select a mode. It is easier to use Aggressive mode.

In Main mode, parameters are exchanged in multiple encrypted rounds.

In Aggressive mode, parameters are exchanged in a single unencrypted message.

Aggressive mode must be used when the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID).

For more information, see Authenticating the FortiGate unit on page 50.


Authentication Method: Select Signature.

Certificate Name: Select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations.

You must obtain and load the required server certificate before this selection. See the FortiOS User Authentication guide. If you have not loaded any certificates, use the certificate named Fortinet_Factory.

Peer Options: Peer options define the authentication requirements for remote peers or dialup clients. They are not for your FortiGate unit itself.

See Authenticating the FortiGate unit on page 50.

Advanced: You can use the default settings for most Phase 1 configurations. Changes are required only if your network requires them. These settings include IKE version, DNS server, P1 proposal encryption and authentication settings, and XAuth settings. See Authenticating the FortiGate unit on page 50.

3. If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters in the Advanced section. See Authenticating the FortiGate unit on page 50.
4. Select OK.

Authenticating the FortiGate unit with a pre-shared key
The simplest way to authenticate a FortiGate unit to its remote peers or dialup clients is by means of a pre-shared key. This is less secure than using certificates, especially if it is used alone, without requiring peer IDs or extended authentication (XAuth). Also, you need to have a secure way to distribute the pre-shared key to the peers.

If you use pre-shared key authentication alone, all remote peers and dialup clients must be configured with the same pre-shared key. Optionally, you can configure remote peers and dialup clients with unique pre-shared keys. On the FortiGate unit, these are configured in user accounts, not in the phase_1 settings. For more information, see Authenticating the FortiGate unit on page 50.

The pre-shared key must contain at least 6 printable characters and best practices dictate that it be known only to network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.

If you authenticate the FortiGate unit using a pre-shared key, you can require remote peers or dialup clients to authenticate using peer IDs, but not client certificates.

Authenticating the FortiGate unit with a pre-shared key

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button):

Name: Enter a name that reflects the origination of the remote connection.


Remote Gateway: Select the nature of the remote connection. For more information, see Authenticating the FortiGate unit on page 50.

Local Interface: Select the interface that is the local end of the IPsec tunnel. For more information, see Authenticating the FortiGate unit on page 50. The local interface is typically the WAN1 port.

Mode: Select Main or Aggressive mode.

In Main mode, the Phase 1 parameters are exchanged in multiple rounds with encrypted authentication information.

In Aggressive mode, the Phase 1 parameters are exchanged in a single message with authentication information that is not encrypted.

When the remote VPN peer or client has a dynamic IP address, or the remote VPN peer or client will be authenticated using an identifier (local ID), you must select Aggressive mode if there is more than one dialup Phase 1 configuration for the interface IP address.

For more information, see Authenticating the FortiGate unit on page 50.

Authentication Method: Select Pre-shared Key.

Pre-shared Key: Enter the preshared key that the FortiGate unit will use to authenticate itself to the remote peer or dialup client during Phase 1 negotiations. You must define the same value at the remote peer or client. The key must contain at least 6 printable characters and best practices dictate that it only be known by network administrators. For optimum protection against currently known attacks, the key must consist of a minimum of 16 randomly chosen alphanumeric characters.

Peer options: Peer options define the authentication requirements for remote peers or dialup clients, not for the FortiGate unit itself. You can require the use of peer IDs, but not client certificates. For more information, see Authenticating the FortiGate unit on page 50.

Advanced: You can retain the default settings unless changes are needed to meet your specific requirements. See Authenticating the FortiGate unit on page 50.

3. If you are configuring authentication parameters for a dialup user group, optionally define extended authentication (XAuth) parameters. See Authenticating the FortiGate unit on page 50.
4. Select OK.

Authenticating remote peers and clients

Certificates or pre-shared keys restrict who can access the VPN tunnel, but they do not identify or authenticate the remote peers or dialup clients. You have the following options for authentication:


Methods of authenticating remote VPN peers

Certificates or Pre-shared key | Local ID | User account pre-shared keys | Reference
Certificates                   |          |                              | See Enabling VPN access for specific certificate holders on page 53.
Either                         | X        |                              | See Enabling VPN access by peer identifier on page 55.
Pre-shared key                 |          | X                            | See Enabling VPN access with user accounts and pre-shared keys on page 56.
Pre-shared key                 | X        | X                            | See Enabling VPN access with user accounts and pre-shared keys on page 56.

Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
This feature provides the option to control whether a device requires its peer to re-authenticate or whether re-key is sufficient. It does not influence the re-authentication or re-key behavior of the device itself, which is controlled by the peer (with the default being to re-key).

This solution is in response to RFC 4478. This solution is intended to limit the time that security associations (SAs) can be used by a third party who has gained control of the IPsec peer.

CLI Syntax:
config vpn ipsec phase1-interface
  edit p1
    set reauth [enable | disable]
  next
end

disable: Disable IKE SA re-authentication.
enable: Enable IKE SA re-authentication.

Enabling VPN access for specific certificate holders
When a VPN peer or dialup client is configured to authenticate using digital certificates, it sends the Distinguished Name (DN) of its certificate to the FortiGate unit. This DN can be used to allow VPN access for the certificate holder. That is, a FortiGate unit can be configured to deny connections to all remote peers and dialup clients except the one having the specified DN.


Before you begin
The following procedures assume that you already have an existing Phase 1 configuration (see Authenticating remote peers and clients on page 52). Follow the procedures below to add certificate-based authentication parameters to the existing configuration.

Before you begin, you must obtain the certificate DN of the remote peer or dialup client. If you are using the FortiClient application as a dialup client, refer to FortiClient online help for information about how to view the certificate DN. To view the certificate DN of a FortiGate unit, see Viewing server certificate information and obtaining the local DN on page 54.

Use the config user peer CLI command to load the DN value into the FortiGate configuration. For example, if a remote VPN peer uses server certificates issued by your own organization, you would enter information similar to the following:
config user peer
  edit DN_FG1000
    set cn 192.168.2.160
    set cn-type ipv4
  end

The value that you specify to identify the entry (for example, DN_FG1000) is displayed in the Accept this peer certificate only list in the IPsec Phase 1 configuration when you return to the web-based manager.

If the remote VPN peer has a CA-issued certificate to support a higher level of credibility, you would enter information similar to the following in the CLI:
config user peer
  edit CA_FG1000
    set ca CA_Cert_1
    set subject FG1000_at_site1
  end

The value that you specify to identify the entry (for example, CA_FG1000) is displayed in the Accept this peer certificate only list in the IPsec Phase 1 configuration when you return to the web-based manager. For more information about these CLI commands, see the user chapter of the FortiGate CLI Reference.

A group of certificate holders can be created based on existing user accounts for dialup clients. To create the user accounts for dialup clients, see the User chapter of the FortiGate Administration Guide. To create the certificate group afterward, use the config user peergrp CLI command. See the user chapter of the FortiGate CLI Reference.

Viewing server certificate information and obtaining the local DN

1. Go to System > Certificates.
2. Note the CN value in the Subject field (for example, CN = 172.16.10.125, CN = info@fortinet.com, or CN = www.example.com).

Viewing CA root certificate information and obtaining the CA certificate name

1. Go to System > Certificates > CA Certificates.
2. Note the value in the Name column (for example, CA_Cert_1).

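The two config user peer forms above (a CN with a cn-type, or a CA plus subject constraint) decide which presented certificates are accepted. The Python below is an added example for this page, not FortiOS code, that models that decision over a subject DN in the "CN = ..." form shown in the procedures: a CN entry must match the presented CN under its declared type (ipv4, fqdn, email or plain string), and a CA entry requires the issuing CA name to match. The PeerEntry class, the set of cn-type values, and the reading of set subject as a substring of the presented subject DN are assumptions made for the example; FortiOS's exact comparison rules are not shown here.

```python
"""Peer-certificate acceptance check modelled on the two `config user peer`
forms above: a CN match with a cn-type, or a CA plus subject constraint.
Added example, not FortiOS code; how FortiOS itself compares these fields
(in particular whether `subject` is a substring match) is an assumption here."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PeerEntry:
    name: str
    cn: Optional[str] = None
    cn_type: str = "string"        # string | ipv4 | fqdn | email (assumed set)
    ca: Optional[str] = None
    subject: Optional[str] = None


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split 'CN = x, O = y' into {'CN': ['x'], 'O': ['y']} (RFC 4514 escapes
    are not handled; enough for the DN shapes shown in the text)."""
    attrs: Dict[str, List[str]] = {}
    for part in dn.split(","):
        key, sep, value = part.partition("=")
        if sep:
            attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


def _cn_matches(entry: PeerEntry, cn_values: List[str]) -> bool:
    for cn in cn_values:
        if entry.cn_type == "ipv4":
            try:
                if ipaddress.IPv4Address(cn) == ipaddress.IPv4Address(entry.cn):
                    return True
            except ValueError:
                continue                       # presented CN is not an address
        elif entry.cn_type == "email":
            if "@" in cn and cn.lower() == entry.cn.lower():
                return True
        elif entry.cn_type == "fqdn":
            if cn.lower().rstrip(".") == entry.cn.lower().rstrip("."):
                return True
        elif cn == entry.cn:                   # plain string: exact match
            return True
    return False


def accepted_peer(entries: List[PeerEntry], subject_dn: str,
                  issuer_ca_name: Optional[str]) -> Optional[str]:
    """Return the name of the first peer entry the presented certificate
    satisfies, or None if no entry matches (the connection is refused)."""
    attrs = parse_dn(subject_dn)
    for entry in entries:
        if entry.cn is not None:
            if _cn_matches(entry, attrs.get("CN", [])):
                return entry.name
        elif entry.ca is not None:
            # Assumed semantics: the issuer must be the named CA and the
            # configured subject string must appear in the presented subject DN.
            if issuer_ca_name == entry.ca and (
                    entry.subject is None or entry.subject in subject_dn):
                return entry.name
    return None


# Entries mirroring the two CLI examples above.
PEERS = [
    PeerEntry("DN_FG1000", cn="192.168.2.160", cn_type="ipv4"),
    PeerEntry("CA_FG1000", ca="CA_Cert_1", subject="FG1000_at_site1"),
]

if __name__ == "__main__":
    print(accepted_peer(PEERS, "CN = 192.168.2.160", None))                       # DN_FG1000
    print(accepted_peer(PEERS, "CN = FG1000_at_site1, O = Example", "CA_Cert_1"))  # CA_FG1000
```

The check assumes the certificate chain has already been validated against the installed root, as the text describes; matching the DN is an authorisation step layered on top of that, not a substitute for it.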

Configuring certificate authentication for a VPN
With peer certificates loaded, peer users and peer groups defined, you can configure your VPN to authenticate users by certificate.

Enabling access for a specific certificate holder or a group of certificate holders

1. At the FortiGate VPN server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. From the Authentication Method list, select RSA Signature.
4. From the Certificate Name list, select the name of the server certificate that the FortiGate unit will use to authenticate itself to the remote peer or dialup client.
5. Under Peer Options, select one of these options:
• To accept a specific certificate holder, select Accept this peer certificate only and select the name of the certificate that belongs to the remote peer or dialup client. The certificate DN must be added to the FortiGate configuration through CLI commands before it can be selected here. See Before you begin on page 54.
• To accept dialup clients who are members of a certificate group, select Accept this peer certificate group only and select the name of the group. The group must be added to the FortiGate configuration through CLI commands before it can be selected here. See Before you begin on page 54.
6. If you want the FortiGate VPN server to supply the DN of a local server certificate for authentication purposes, select Advanced and then from the Local ID list, select the DN of the certificate that the FortiGate VPN server is to use.
7. Select OK.

Enabling VPN access by peer identifier
Whether you use certificates or pre-shared keys to authenticate the FortiGate unit, you can require that remote peers or clients have a particular peer ID. This adds another piece of information that is required to gain access to the VPN. More than one FortiGate/FortiClient dialup client may connect through the same VPN tunnel when the dialup clients share a preshared key and assume the same identifier.

A peer ID, also called local ID, can be up to 63 characters long containing standard regular expression characters. Local ID is set in phase 1 Aggressive Mode configuration.

You cannot require a peer ID for a remote peer or client that uses a pre-shared key and has a static IP address.

Authenticating remote peers or dialup clients using one peer ID

1. At the FortiGate VPN server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. Select Aggressive mode in any of the following cases:
• The FortiGate VPN server authenticates a FortiGate dialup client that uses a dedicated tunnel
• A FortiGate unit has a dynamic IP address and subscribes to a dynamic DNS service
• FortiGate/FortiClient dialup clients sharing the same preshared key and local ID connect through the same VPN tunnel
4. For the Peer Options, select This peer ID and type the identifier into the corresponding field.
5. Select OK.


Assigning an identifier (local ID) to a FortiGate unit

Use this procedure to assign a peer ID to a FortiGate unit that acts as a remote peer or dialup client.

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. Select Advanced.
4. In the Local ID field, type the identifier that the FortiGate unit will use to identify itself.
5. Set Mode to Aggressive if any of the following conditions apply:
- The FortiGate unit is a dialup client that will use a unique ID to connect to a FortiGate dialup server through a dedicated tunnel.
- The FortiGate unit has a dynamic IP address, subscribes to a dynamic DNS service, and will use a unique ID to connect to the remote VPN peer through a dedicated tunnel.
- The FortiGate unit is a dialup client that shares the specified ID with multiple dialup clients to connect to a FortiGate dialup server through the same tunnel.
6. Select OK.
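
The two procedures above, expressed in the CLI for both ends of the tunnel. This is an added example, not configuration taken from the handbook; the tunnel names, the interface wan1, the server address 203.0.113.1, the identifier branch-office and the pre-shared key value are placeholders. The first block is the dialup server (the GUI's This peer ID corresponds to peertype one plus peerid); the second is the FortiGate dialup client that presents that identifier as its Local ID. Because the server accepts a dynamic remote gateway and matches on a peer ID, both sides run aggressive mode and therefore carry a single DH group, as the parameter table later in this chapter requires:

```fortios
config vpn ipsec phase1-interface
    edit "hq_dialup"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "branch-office"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "ExamplePSK-change-me"
    next
end

config vpn ipsec phase1-interface
    edit "to_hq"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.1
        set mode aggressive
        set localid "branch-office"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "ExamplePSK-change-me"
    next
end
```

One caveat a reviewer would raise: IKEv1 aggressive mode sends the identity payload unencrypted, and an observer of the exchange captures a hash derived from the pre-shared key that can be attacked offline. Use a long random PSK whenever aggressive mode is unavoidable, and prefer main mode or certificate authentication wherever the peer has a static address and a peer ID is not needed.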

Configuring the FortiClient application

Follow this procedure to add a peer ID to an existing FortiClient configuration:

1. Start the FortiClient application.
2. Go to VPN > Connections and select the existing configuration.
3. Select Advanced > Edit > Advanced.
4. Under Policy, select Config.
5. In the Local ID field, type the identifier that will be shared by all dialup clients. This value must match the This peer ID value that you specified previously in the Phase 1 gateway configuration on the FortiGate unit.
6. Select OK to close all dialog boxes.
7. Configure all dialup clients the same way using the same preshared key and local ID.

Enabling VPN access with user accounts and pre-shared keys

You can permit access only to remote peers or dialup clients that have pre-shared keys and/or peer IDs configured in user accounts on the FortiGate unit.

If you want two VPN peers (or a FortiGate unit and a dialup client) to accept reciprocal connections based on peer IDs, you must enable the exchange of their identifiers when you define the Phase 1 parameters.

The following procedures assume that you already have an existing Phase 1 configuration (see Authenticating remote peers and clients on page 52). Follow the procedures below to add ID checking to the existing configuration.

Before you begin, you must obtain the identifier (local ID) of the remote peer or dialup client. If you are using the FortiClient Endpoint Security application as a dialup client, refer to the Authenticating FortiClient Dialup Clients Technical Note to view or assign an identifier. To assign an identifier to a FortiGate dialup client or a FortiGate unit that has a dynamic IP address and subscribes to a dynamic DNS service, see Assigning an identifier (local ID) to a FortiGate unit on page 56.

If required, a dialup user group can be created from existing user accounts for dialup clients. To create the user accounts and user groups, see the User Authentication handbook chapter.


The following procedure supports FortiGate/FortiClient dialup clients that use unique preshared keys and/or peer IDs. The client must have an account on the FortiGate unit and be a member of the dialup user group.

The dialup user group must be added to the FortiGate configuration before it can be selected. For more information, see the User Authentication handbook chapter.

The FortiGate dialup server compares the local ID that you specify at each dialup client to the FortiGate user-account user name. The dialup-client preshared key is compared to a FortiGate user-account password.

Authenticating dialup clients using unique preshared keys and/or peer IDs

1. At the FortiGate VPN server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. If the clients have unique peer IDs, set Mode to Aggressive.
4. Clear the Pre-shared Key field. The user account password will be used as the preshared key.
5. Select Peer ID from dialup group and then select the group name from the list of user groups.
6. Select OK.
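
The server side of the procedure above (a unique pre-shared key and peer ID per dialup client), expressed in the CLI. This is an added example and not handbook configuration; the user FortiClient1, its password, the group dialup_grp and the interface wan1 are placeholders. peertype dialup together with usrgrp is what the GUI calls Peer ID from dialup group. No psksecret is set on the phase 1 because, as the procedure states, each account's password serves as that client's pre-shared key, and the account's user name must equal the Local ID the client presents:

```fortios
config user local
    edit "FortiClient1"
        set type password
        set passwd "1FG6LK-example"
    next
end

config user group
    edit "dialup_grp"
        set member "FortiClient1"
    next
end

config vpn ipsec phase1-interface
    edit "dialup_psk"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype dialup
        set usrgrp "dialup_grp"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

Each user's password is now a per-client IKE pre-shared key, so it should be generated with the same length and randomness you would demand of a PSK rather than chosen as a human-memorable password; revoking a client is then simply removing it from dialup_grp.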

Follow this procedure to add a unique pre-shared key and unique peer ID to an existing FortiClient configuration.

Configuring FortiClient - pre-shared key and peer ID

1. Start the FortiClient Endpoint Security application.
2. Go to VPN > Connections and select the existing configuration.
3. Select Advanced > Edit.
4. In the Preshared Key field, type the FortiGate password that belongs to the dialup client (for example, 1234546). The user account password will be used as the preshared key.
5. Select Advanced.
6. Under Policy, select Config.
7. In the Local ID field, type the FortiGate user name that you assigned previously to the dialup client (for example, FortiClient1).
8. Select OK to close all dialog boxes.

Configure all FortiClient dialup clients this way using unique preshared keys and local IDs.

Follow this procedure to add a unique pre-shared key to an existing FortiClient configuration.

Configuring FortiClient - preshared key only

1. Start the FortiClient Endpoint Security application.
2. Go to VPN > Connections and select the existing configuration.
3. Select Advanced > Edit.
4. In the Preshared Key field, type the user name, followed by a + sign, followed by the password that you specified previously in the user account settings on the FortiGate unit (for example, FC2+1FG6LK).
5. Select OK to close all dialog boxes.

Configure all the FortiClient dialup clients this way using their unique peer ID and pre-shared key values.


Defining IKE negotiation parameters

In Phase 1, the two peers exchange keys to establish a secure communication channel between them. As part of the Phase 1 process, the two peers authenticate each other and negotiate a way to encrypt further communications for the duration of the session. The Phase 1 Proposal parameters select the encryption and authentication algorithms that are used to generate keys for protecting negotiations.

The IKE negotiation parameters determine:

- Which encryption algorithms may be applied for converting messages into a form that only the intended recipient can read
- Which authentication hash may be used for creating a keyed hash from a preshared or private key
- Which Diffie-Hellman group (DH Group) will be used to generate a secret session key

Phase 1 negotiations (in main mode or aggressive mode) begin as soon as a remote VPN peer or client attempts to establish a connection with the FortiGate unit. Initially, the remote peer or dialup client sends the FortiGate unit a list of potential cryptographic parameters along with a session ID. The FortiGate unit compares those parameters to its own list of advanced Phase 1 parameters and responds with its choice of matching parameters to use for authenticating and encrypting packets. The two peers handle the exchange of encryption keys between them, and authenticate the exchange through a preshared key or a digital signature.

Generating keys to authenticate an exchange

The FortiGate unit supports the generation of secret session keys automatically using a Diffie-Hellman algorithm. The IKEv1 exchange and its original DH groups are defined in RFC 2409 (the larger MODP groups are defined in RFC 3526). The Keylife setting in the Phase 1 Proposal area determines the amount of time before the Phase 1 key expires. Phase 1 negotiations are re-keyed automatically when there is an active security association. See Dead peer detection on page 61.

You can enable or disable automatic re-keying between IKE peers through the phase1-rekey attribute of the config system global CLI command. For more information, see the System chapter of the FortiGate CLI Reference.

When in FIPS-CC mode, the FortiGate unit requires DH key exchange to use values at least 3072 bits long. However, most browsers need the key size set to 1024. You can set the minimum size of the DH keys in the CLI:

config system global
    set dh-params 3072
end

When you use a preshared key (shared secret) to set up two-party authentication, the remote VPN peer or client and the FortiGate unit must both be configured with the same preshared key. Each party uses a session key derived from the Diffie-Hellman exchange to create an authentication key, which is used to sign a known combination of inputs using an authentication algorithm (such as HMAC-MD5, HMAC-SHA-1, or HMAC-SHA-256). Hash-based Message Authentication Code (HMAC) is a method for calculating an authentication code using a hash function plus a secret key, and is defined in RFC 2104. Each party signs a different combination of inputs and the other party verifies that the same result can be computed.


For information regarding NP accelerated offloading of IPsec VPN authentication algorithms, please refer to the Hardware Acceleration handbook chapter.

When you use preshared keys to authenticate VPN peers or clients, you must distribute matching information to all VPN peers and/or clients whenever the preshared key changes.

As an alternative, the remote peer or dialup client and FortiGate unit can exchange digital signatures to validate each other's identity with respect to their public keys. In this case, the required digital certificates must be installed on the remote peer and on the FortiGate unit. By exchanging certificate DNs, the signed server certificate on one peer is validated by the presence of the root certificate installed on the other peer.

The following procedure assumes that you already have a Phase 1 definition that describes how remote VPN peers and clients will be authenticated when they attempt to connect to a local FortiGate unit. For information about the Local ID and XAuth options, see Assigning an identifier (local ID) to a FortiGate unit and Using XAuth authentication in this chapter. Follow this procedure to add IKE negotiation parameters to the existing definition.

Defining IKE negotiation parameters

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. Select Phase 1 Proposal and include the appropriate entries as follows:

Phase 1 Proposal: Select the encryption and authentication algorithms that will be used to generate keys for protecting negotiations. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer must be configured to use at least one of the proposals that you define. It is invalid to set both Encryption and Authentication to NULL.

Encryption: Select a symmetric-key algorithm:
- NULL: Do not use an encryption algorithm.
- DES: Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
- 3DES: Triple-DES; plaintext is encrypted three times by three keys.
- AES128: A 128-bit block algorithm that uses a 128-bit key.
- AES192: A 128-bit block algorithm that uses a 192-bit key.
- AES256: A 128-bit block algorithm that uses a 256-bit key.

Authentication: Select one of the following message digests to check the authenticity of messages during an encrypted session:
- NULL: Do not use a message digest.
- MD5: Message Digest 5.
- SHA1: Secure Hash Algorithm 1, a 160-bit message digest.

SHA-2 digests (for example SHA256) are also accepted and are what the default DH group 14 is intended to pair with. NULL, DES, 3DES and MD5 remain available for interoperability with old peers only; do not select them for new tunnels.

To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

For information regarding NP accelerated offloading of IPsec VPN authentication algorithms, please refer to the Hardware Acceleration handbook chapter.

Diffie-Hellman Group: Select one or more Diffie-Hellman groups from DH groups 1, 2, 5, and 14 through 21. When using aggressive mode, DH groups cannot be negotiated. By default, DH group 14 is selected, to provide sufficient protection for stronger cipher suites that include AES and SHA2. If you select multiple DH groups, the order they appear in the configuration is the order in which they are negotiated.

If both VPN peers (or a VPN server and its client) have static IP addresses and use aggressive mode, select a single DH group. The setting on the FortiGate unit must be identical to the setting on the remote peer or dialup client.

When the remote VPN peer or client has a dynamic IP address and uses aggressive mode, select up to three DH groups on the FortiGate unit and one DH group on the remote peer or dialup client. The setting on the remote peer or dialup client must be identical to one of the selections on the FortiGate unit.

If the VPN peer or client employs main mode, you can select multiple DH groups. At least one of the settings on the remote peer or dialup client must be identical to the selections on the FortiGate unit.

Keylife: Type the amount of time (in seconds) that will be allowed to pass before the IKE encryption key expires. When the key expires, a new key is generated without interrupting service. The keylife can be from 120 to 172800 seconds.

Nat-traversal: Enable this option if a NAT device exists between the local FortiGate unit and the VPN peer or client. The local FortiGate unit and the VPN peer or client must have the same NAT traversal setting (both selected or both cleared). When in doubt, enable NAT-traversal. See NAT traversal on page 61.

Keepalive Frequency: If you enabled NAT traversal, enter a keepalive frequency setting. The value represents an interval from 0 to 900 seconds where the connection will be maintained with no activity. For additional security this value must be as low as possible. See NAT keepalive frequency on page 61.

Dead Peer Detection: Enable this option to reestablish VPN tunnels on idle connections and clean up dead IKE peers if required. This feature minimizes the traffic required to check if a VPN peer is available or unavailable (dead). See Dead peer detection on page 61.

NAT traversal

Network Address Translation (NAT) is a way to convert private IP addresses to publicly routable Internet addresses and vice versa. When an IP packet passes through a NAT device, the source or destination address in the IP header is modified. FortiGate units support NAT-T version 1 (encapsulate on port 500 with a non-IKE marker), version 3 (encapsulate on port 4500 with a non-ESP marker), and compatible versions.

NAT cannot be performed on IPsec packets in ESP tunnel mode because the packets do not contain a port number. As a result, the packets cannot be demultiplexed. To work around this, the FortiGate unit provides a way to protect IPsec packet headers from NAT modifications. When the Nat-traversal option is enabled, outbound encrypted packets are wrapped inside a UDP/IP header that contains a port number. This extra encapsulation allows NAT devices to change the port number without modifying the IPsec packet directly.

To provide the extra layer of encapsulation on IPsec packets, the Nat-traversal option must be enabled whenever a NAT device exists between two FortiGate VPN peers or a FortiGate unit and a dialup client such as FortiClient. On the receiving end, the FortiGate unit or FortiClient removes the extra layer of encapsulation before decrypting the packet.

Additionally, you can force IPsec to use NAT traversal. If NAT is set to Forced, the FortiGate will use a port value of zero when constructing the NAT discovery hash for the peer. This causes the peer to think it is behind a NAT device, and it will use UDP encapsulation for IPsec, even if no NAT is present. This approach maintains interoperability with any IPsec implementation that supports the NAT-T RFC.

NAT keepalive frequency

When a NAT device performs network address translation on a flow of packets, the NAT device determines how long the new address will remain valid if the flow of traffic stops (for example, the connected VPN peer may be idle). The device may reclaim and reuse a NAT address when a connection remains idle for too long.

To work around this, when you enable NAT traversal, specify how often the FortiGate unit sends periodic keepalive packets through the NAT device in order to ensure that the NAT address mapping does not change during the lifetime of a session. To be effective, the keepalive interval must be smaller than the session lifetime value used by the NAT device.

The keepalive packet is a 138-byte ISAKMP exchange.
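
A phase 1 that applies the parameter table and the NAT traversal settings above: more than one proposal, more than one DH group (allowed here because the tunnel is main mode), an explicit keylife, NAT-T enabled and a keepalive interval. This is an added example rather than configuration from the handbook; the name site_to_site, the interface wan1, the peer address 198.51.100.2 and the pre-shared key value are placeholders:

```fortios
config vpn ipsec phase1-interface
    edit "site_to_site"
        set type static
        set interface "wan1"
        set remote-gw 198.51.100.2
        set mode main
        set peertype any
        set proposal aes256-sha256 aes128-sha256
        set dhgrp 14 19
        set keylife 28800
        set nattraversal enable
        set keepalive 10
        set psksecret "ExamplePSK-change-me"
    next
end
```

The proposal and dhgrp lists are offered in the order written, so the strongest combination goes first. `set nattraversal forced` is the CLI form of the Forced behaviour described above (port zero in the NAT-D hash, UDP encapsulation even without NAT), and `set keepalive 10` is the NAT keepalive frequency in seconds; keep it below the idle timeout of the NAT device in the path.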

Dead peer detection

Sometimes, due to routing issues or other difficulties, the communication link between a FortiGate unit and a VPN peer or client may go down. Packets could be lost if the connection is left to time out on its own. The FortiGate unit provides a mechanism called Dead Peer Detection, sometimes referred to as gateway detection or ping server, to prevent this situation and reestablish IKE negotiations automatically before a connection times out: the active Phase 1 security associations are caught and renegotiated (rekeyed) before the Phase 1 encryption key expires.

By default, Dead Peer Detection sends probe messages every five seconds (see dpd-retryinterval in the FortiGate CLI Reference). If you are experiencing high network traffic, you can experiment with increasing the probe interval. However, a longer interval means that a dead peer takes correspondingly longer to detect.

In the web-based manager, the Dead Peer Detection option can be enabled when you define advanced Phase 1 options. The config vpn ipsec phase1 CLI command supports additional options for specifying a retry count and a retry interval.

For more information about these commands and the related config router gwdetect CLI command, see the FortiGate CLI Reference.

For example, enter the following CLI commands to configure dead peer detection on the existing IPsec Phase 1 configuration called test to use 15 second intervals and to wait for 3 missed attempts before declaring the peer dead and taking action. The example uses on-idle (probe only when the tunnel is idle); the other values for dpd are disable and on-demand. For a route-based tunnel, use config vpn ipsec phase1-interface instead.

config vpn ipsec phase1
    edit test
        set dpd on-idle
        set dpd-retryinterval 15
        set dpd-retrycount 3
    next
end

Using XAuth authentication

Extended authentication (XAuth) increases security by requiring the remote dialup client user to authenticate in a separate exchange at the end of Phase 1. XAuth draws on existing FortiGate user group definitions and uses established authentication mechanisms such as PAP, CHAP, RADIUS, and LDAP to authenticate dialup clients. You can configure a FortiGate unit to function either as an XAuth server or an XAuth client. If the server or client is attempting a connection using XAuth and the other end is not using XAuth, the failed connection attempts that are logged will not specify XAuth as the reason.

Using the FortiGate unit as an XAuth server

A FortiGate unit can act as an XAuth server for dialup clients. When the Phase 1 negotiation completes, the FortiGate unit challenges the user for a user name and password. It then forwards the user's credentials to an external RADIUS or LDAP server for verification.

If the user records on the RADIUS server have suitably configured Framed-IP-Address fields, you can assign client virtual IP addresses by XAuth instead of from a DHCP address range. See Assigning VIPs by RADIUS user group.

The authentication protocol to use for XAuth depends on the capabilities of the authentication server and the XAuth client:

- Select PAP Server whenever possible.
- You must select PAP Server for all implementations of LDAP and some implementations of Microsoft RADIUS.
- Select Auto Server when the authentication server supports CHAP Server but the XAuth client does not. The FortiGate unit will use PAP to communicate with the XAuth client and CHAP to communicate with the authentication server. You can also use Auto Server to allow multiple source interfaces to be defined in an IPsec/IKE policy.

With PAP, the password itself is transmitted by the client; it is protected only by the Phase 1 encryption, so the strength of the Phase 1 proposal directly protects the user's credential.

Before you begin, create user accounts and user groups to identify the dialup clients that need to access the network behind the FortiGate dialup server. If password protection will be provided through an external RADIUS or LDAP server, you must configure the FortiGate dialup server to forward authentication requests to the authentication server. For information about these topics, see the FortiGate User Authentication Guide.

Authenticating a dialup user group using XAuth settings

1. At the FortiGate dialup server, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Select Convert To Custom Tunnel.
3. Edit XAUTH and select the Type setting, which determines the authentication protocol used between the XAuth client, the FortiGate unit and the authentication server. Select one of the following options:
- Disabled: Disables XAuth settings.
- PAP Server: Password Authentication Protocol.
- CHAP Server: Challenge-Handshake Authentication Protocol.
- Auto Server: Use PAP between the XAuth client and the FortiGate unit, and CHAP between the FortiGate unit and the authentication server.
4. From the User Group list, select the user group that needs to access the private network behind the FortiGate unit. The group must be added to the FortiGate configuration before it can be selected here. For multiple user groups to be defined in the IPsec/IKE policy, select Inherit from policy.
5. Select OK.
6. Create as many policies as needed, specifying Source User(s) and Destination Address. For example, one policy could give user1 access to test_local_subnet_1, while user2 has access to test_local_subnet_2.

As of FortiOS 5.4.1, when XAuth settings are enabled, Inherit from policy is only available under PAP Server and CHAP Server, not Auto Server. Because of this, only one user group may be defined for Auto Server.

Using the FortiGate unit as an XAuth client

If the FortiGate unit acts as a dialup client, the remote peer, acting as an XAuth server, might require a user name and password. You can configure the FortiGate unit as an XAuth client, with its own user name and password, which it provides when challenged.

Configuring the FortiGate dialup client as an XAuth client

1. At the FortiGate dialup client, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. Under XAuth, select Enable as Client.
4. In the Username field, type the FortiGate PAP, CHAP, RADIUS, or LDAP user name that the FortiGate XAuth server will compare to its records when the FortiGate XAuth client attempts to connect.
5. In the Password field, type the password to associate with the user name.
6. Select OK.
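
Both XAuth roles from the two procedures above, as a CLI pair: a FortiGate dialup server that challenges clients with PAP and checks them against a local user group, and a FortiGate dialup client that answers the challenge with its own credentials. This is an added example, not configuration from the handbook; the user alice and her password, the group xauth_users, the tunnel names, the interface wan1, the server address 203.0.113.1 and the pre-shared key are placeholders. A RADIUS or LDAP server would replace the local user definition by being made a member of the group instead:

```fortios
config user local
    edit "alice"
        set type password
        set passwd "alice-password-example"
    next
end

config user group
    edit "xauth_users"
        set member "alice"
    next
end

config vpn ipsec phase1-interface
    edit "dialup_xauth"
        set type dynamic
        set interface "wan1"
        set mode main
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype pap
        set authusrgrp "xauth_users"
        set psksecret "ExamplePSK-change-me"
    next
end

config vpn ipsec phase1-interface
    edit "to_xauth_server"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.1
        set mode main
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype client
        set authusr "alice"
        set authpasswd "alice-password-example"
        set psksecret "ExamplePSK-change-me"
    next
end
```

xauthtype pap, chap and auto correspond to PAP Server, CHAP Server and Auto Server in the GUI; xauthtype client is Enable as Client. The pre-shared key still authenticates the gateways to each other in Phase 1, and XAuth adds the per-user check on top, so a leaked PSK alone does not grant access while the XAuth credential remains secret.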

Dynamic IPsec route control

You can add a route to a peer destination selector by using the add-route option, which is available for all dynamic IPsec Phases 1 and 2, for both policy-based and route-based IPsec VPNs. This option was previously only available when mode-cfg was enabled in Phase 1.

The add-route option adds a route to the FortiGate unit's routing information base when the dynamic tunnel is negotiated. You can use the distance and priority options to set the distance and priority of this route. If this results in a route with the lowest distance, it is added to the FortiGate unit's forwarding information base.

You can also enable add-route in any policy-based or route-based Phase 2 configuration that is associated with a dynamic (dialup) Phase 1. In Phase 2, add-route can be enabled, disabled, or set to use the same route as Phase 1.

The add-route feature is enabled by default and is configured in the CLI.

Syntax

Phase 1
config vpn ipsec {phase1 | phase1-interface}
    edit <name>
        set type dynamic
        set add-route {enable | disable}
    next
end

Phase 2
config vpn ipsec {phase2 | phase2-interface}
    edit <name>
        set add-route {phase1 | enable | disable}
    next
end

Blocking IPsec SA Negotiation

For interface-based IPsec, IPsec SA negotiation blocking can only be removed if the peer offers a wildcard selector. If a wildcard selector is offered, then the wildcard route will be added to the routing table with the distance/priority value configured in Phase 1 and, if that is the route with the lowest distance, it is installed into the forwarding information base.

In cases where this occurs, it is important to ensure that the distance value configured on Phase 1 is set appropriately: a dialup peer that offers 0.0.0.0/0 would otherwise install a default route that competes with, or wins over, your existing default route.

Phase 2 parameters

This section describes the Phase 2 parameters that are required to establish communication through a VPN.

The following topics are included in this section:

Phase 2 settings
Configuring the Phase 2 parameters

Phase 2 settings

After IPsec VPN Phase 1 negotiations complete successfully, Phase 2 negotiation begins. Phase 2 parameters define the algorithms that the FortiGate unit can use to encrypt and transfer data for the remainder of the session. The basic Phase 2 settings associate IPsec Phase 2 parameters with a Phase 1 configuration.

When defining Phase 2 parameters, you can choose any set of Phase 1 parameters to set up a secure connection and authenticate the remote peer.

For more information on Phase 2 settings in the web-based manager, see IPsec VPN in the web-based manager on page 34.

The information and procedures in this section do not apply to VPN peers that perform negotiations using manual keys.

Phase 2 Proposals

In Phase 2, the VPN peer or client and the FortiGate unit exchange keys again to establish a secure communication channel. The Phase 2 Proposal parameters select the encryption and authentication algorithms needed to generate keys for protecting the implementation details of Security Associations (SAs). The keys are generated automatically using a Diffie-Hellman algorithm.

Replay Detection

IPsec tunnels can be vulnerable to replay attacks. Replay Detection enables the FortiGate unit to check all IPsec packets to see if they have been received before. Each ESP packet carries a sequence number; a packet whose sequence number has already been seen, or that falls outside the receiver's anti-replay window, is discarded.

IKE/IPsec Extended Sequence Number (ESN) support

64-bit Extended Sequence Numbers (as described in RFC 4303, RFC 4304 as an addition to IKEv1, and RFC 5996 for IKEv2) are supported for IPsec when Replay Detection is enabled.

Perfect Forward Secrecy (PFS)

By default, Phase 2 keys are derived from the session key created in Phase 1. Perfect Forward Secrecy (PFS) forces a new Diffie-Hellman exchange when the tunnel starts and whenever the Phase 2 keylife expires, causing a new key to be generated each time. This exchange ensures that the keys created in Phase 2 are unrelated to the Phase 1 keys or any other keys generated automatically in Phase 2, so compromise of one SA's key does not expose traffic protected by earlier or later SAs.


Keylife

The Keylife setting sets a limit on the length of time that a Phase 2 key can be used. The default units are seconds. Alternatively, you can set a limit on the number of kilobytes (KB) of processed data, or both. If you select both, the key expires when either the time has passed or the number of KB have been processed. When the Phase 2 key expires, a new key is generated without interrupting service.

Quick mode selectors

Quick mode selectors define the source and destination addresses (and, optionally, protocol and port) of the traffic that a Phase 2 SA will carry. A peer's proposed selectors must match them for the Phase 2 negotiation to succeed, so they restrict which traffic can be negotiated into the tunnel and make the network more secure.

The default settings are as broad as possible: any IP address or configured address object, using any protocol, on any port.

While the drop-down menus for specifying an address also show address groups, the use of address groups may not be supported on a remote endpoint device that is not a FortiGate. The address groups are at the bottom of the list to make it easy to distinguish between addresses and address groups.

When configuring Quick Mode selector Source address and Destination address, valid options include IPv4 and IPv6 single addresses, IPv4 subnet, or IPv6 subnet. For more information on IPv6 IPsec VPN, see Overview of IPv6 IPsec support.

There are some configurations that require specific selectors:

- The VPN peer is a third-party device that uses specific phase 2 selectors.
- The FortiGate unit connects as a dialup client to another FortiGate unit, in which case (usually) you must specify a source IP address, IP address range, or subnet. However, this is not required if you are using dynamic routing and mode-cfg.

With FortiOS VPNs, your network has multiple layers of security, with quick mode selectors being an important line of defence.

- Routes guide traffic from one IP address to another.
- Phase 1 and Phase 2 connection settings ensure there is a valid remote endpoint for the VPN tunnel that agrees on the encryption and parameters.
- Quick mode selectors limit the Phase 2 negotiation to the traffic you have defined.
- Security policies control which IP addresses can connect to the VPN.
- Security policies also control what protocols are allowed over the VPN along with any bandwidth limiting.

FortiOS is limited with IKEv2 selector matching. When using IKEv2 with a named traffic selector, no more than 32 subnets per traffic selector are added, since FortiOS doesn't fully implement the IKEv2 selector matching rules.

The workaround is to use multiple Phase 2s. If the configuration is FGT <-> FGT, then the better alternative is to just use 0.0.0.0 <-> 0.0.0.0 and use the firewall policy for enforcement.


Using the add-route option

Consider using the add-route option to add a route to a peer destination selector. Phase 2 includes the option of allowing the add-route to automatically match the settings in Phase 1. For more information, refer to Phase 1 parameters on page 47.

Syntax

Phase 2
config vpn ipsec {phase2 | phase2-interface}
    edit <name>
        set add-route {phase1 | enable | disable}
    next
end

Configuring the Phase 2 parameters

If you are creating a hub-and-spoke configuration or an Internet-browsing configuration, you may have already started defining some of the required Phase 2 parameters. If so, edit the existing definition to complete the configuration.

Specifying the Phase 2 parameters

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. Enter a Name for the Phase 2 configuration, and select a Phase 1 configuration from the drop-down list.
4. Select Advanced.
5. Include the appropriate entries as follows:

Phase 2 Proposal: Select the encryption and authentication algorithms that will be used to change data into encrypted code. Add or delete encryption and authentication algorithms as required. Select a minimum of one and a maximum of three combinations. The remote peer must be configured to use at least one of the proposals that you define. It is invalid to set both Encryption and Authentication to NULL.

Encryption: Select a symmetric-key algorithm:
- NULL: Do not use an encryption algorithm.
- DES: Data Encryption Standard, a 64-bit block algorithm that uses a 56-bit key.
- 3DES: Triple-DES; plaintext is encrypted three times by three keys.
- AES128: A 128-bit block algorithm that uses a 128-bit key.
- AES192: A 128-bit block algorithm that uses a 192-bit key.
- AES256: A 128-bit block algorithm that uses a 256-bit key.

Authentication: Select one of the following message digests to check the authenticity of messages during an encrypted session:
- NULL: Do not use a message digest.
- MD5: Message Digest 5.
- SHA1: Secure Hash Algorithm 1, a 160-bit message digest.

To specify one combination only, set the Encryption and Authentication options of the second combination to NULL. To specify a third combination, use the Add button beside the fields for the second combination.

For information regarding NP accelerated offloading of IPsec VPN authentication algorithms, please refer to the Hardware Acceleration handbook chapter.

Enable replay detection: Optionally enable or disable replay detection. Replay attacks occur when an unauthorized party intercepts a series of IPsec packets and replays them back into the tunnel.

Enable perfect forward secrecy (PFS): Enable or disable PFS. Perfect forward secrecy (PFS) improves security by forcing a new Diffie-Hellman exchange whenever keylife expires.

Diffie-Hellman Group: Select one Diffie-Hellman group (1, 2, 5, or 14 through 21). The remote peer or dialup client must be configured to use the same group.

Keylife: Select the method for determining when the Phase 2 key expires: Seconds, KBytes, or Both. If you select Both, the key expires when either the time has passed or the number of KB have been processed. The range is from 120 to 172800 seconds, or from 5120 to 2147483648 KB.

Autokey Keep Alive: Enable the option if you want the tunnel to remain active when no data is being processed.

Auto-negotiate: Enable the option if you want the tunnel to be automatically renegotiated when the tunnel expires.

DHCP-IPsec: Select Enable if the FortiGate unit acts as a dialup server and a FortiGate DHCP server or relay will be used to assign VIP addresses to FortiClient dialup clients. The DHCP server or relay parameters must be configured separately.

If the FortiGate unit acts as a dialup server and the FortiClient dialup client VIP addresses match the network behind the dialup server, select Enable to cause the FortiGate unit to act as a proxy for the dialup clients.

This is available only for Phase 2 configurations associated with a dialup Phase 1 configuration. It works only on policy-based VPNs.
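
The Phase 2 settings above, the Phase 2 settings section and the quick mode selector discussion, gathered into one CLI example. This is an added example and not configuration from the handbook; it assumes a route-based phase 1 named site_to_site and the subnets 10.1.0.0/24, 10.1.1.0/24 (local) and 10.2.0.0/24, 10.2.1.0/24 (remote) as placeholders. Two phase 2 definitions are shown because, as noted above, multiple Phase 2s are the workaround when a single named traffic selector would otherwise exceed the IKEv2 subnet limit. The first entry also turns on PFS, replay detection, a keylife in both seconds and kilobytes, Autokey Keep Alive and Auto-negotiate:

```fortios
config vpn ipsec phase2-interface
    edit "site_to_site_p2_a"
        set phase1name "site_to_site"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set replay enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 5120000
        set keepalive enable
        set auto-negotiate enable
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
    edit "site_to_site_p2_b"
        set phase1name "site_to_site"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set replay enable
        set keylife-type both
        set keylifeseconds 3600
        set keylifekbs 5120000
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 10.2.1.0 255.255.255.0
    next
end
```

keepalive here is the Phase 2 Autokey Keep Alive (a different option from the NAT keepalive interval on the phase 1), and auto-negotiate brings the SA up without waiting for triggering traffic. Whichever limit in keylife-type both is reached first forces the rekey, and with pfs enable each rekey runs a fresh DH exchange in group 14.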

Autokey Keep Alive

The Phase 2 SA has a fixed duration. If there is traffic on the VPN as the SA nears expiry, a new SA is negotiated and the VPN switches to the new SA without interruption. If there is no traffic, however, the SA expires (by default) and the VPN tunnel goes down. A new SA will not be generated until there is traffic.

The Autokey Keep Alive option ensures that a new Phase 2 SA is negotiated, even if there is no traffic, so that the VPN tunnel stays up.

Auto-negotiate

By default, the Phase 2 security association (SA) is not negotiated until a peer attempts to send data. The triggering packet and some subsequent packets are dropped until the SA is established. Applications normally resend this data, so there is no loss, but there might be a noticeable delay in response to the user.

If the tunnel goes down, the auto-negotiate feature (when enabled) attempts to re-establish the tunnel. Auto-negotiate initiates the Phase 2 SA negotiation automatically, repeating every five seconds until the SA is established.

Automatically establishing the SA can be important for a dialup peer. It ensures that the VPN tunnel is available for peers at the server end to initiate traffic to the dialup peer. Otherwise, the VPN tunnel does not exist until the dialup peer initiates traffic.

The auto-negotiate feature is available through the Command Line Interface (CLI) via the following commands (use config vpn ipsec phase2-interface for a route-based tunnel):

config vpn ipsec phase2
    edit <phase2_name>
        set auto-negotiate enable
    next
end

Installing dynamic selectors via auto-negotiate

The IPsec SA connect message that is generated is used to install dynamic selectors. These selectors can now be installed via the auto-negotiate mechanism. When phase 2 has auto-negotiate enabled, and phase 1 has mesh-selector-type set to subnet, a new dynamic selector will be installed for each combination of source and destination subnets. Each dynamic selector will inherit the auto-negotiate option from the template selector and begin SA negotiation. Phase 2 selector sources from dial-up clients will all establish SAs without traffic being initiated from the client subnets to the hub.


DHCP-IPsec

Select this option if the FortiGate unit assigns VIP addresses to FortiClient dialup clients through a DHCP server or relay. This option is available only if the Remote Gateway in the Phase 1 configuration is set to Dialup User, and it works only on policy-based VPNs.

With the DHCP-IPsec option, the FortiGate dialup server acts as a proxy for FortiClient dialup clients that have VIP addresses on the subnet of the private network behind the FortiGate unit. In this case, the FortiGate dialup server acts as a proxy on the local private network for the FortiClient dialup client. When a host on the network behind the dialup server issues an ARP request for the VIP address of the FortiClient host (that is, when a local server sends an ARP request for the remote FortiClient dialup client), the FortiGate unit answers the ARP request on behalf of the FortiClient host and forwards the associated traffic to the FortiClient host through the tunnel.

This feature prevents the VIP address assigned to the FortiClient dialup client from causing ARP problems on the local network: without the proxy, the client's normal address and its VIP address would both appear to belong to the same MAC address, which can confuse some network switches.

Defining VPN security policies

This section explains how to specify the source and destination IP addresses of traffic transmitted through an IPsec VPN, and how to define appropriate security policies.

The following topics are included in this section:

Defining policy addresses
Defining security policies for policy-based and route-based VPNs

Defining policy addresses

A VPN tunnel has two endpoints. These endpoints may be VPN peers such as two FortiGate gateways. Encrypted packets are transmitted between the endpoints. At each end of the VPN tunnel, a VPN peer intercepts encrypted packets, decrypts the packets, and forwards the decrypted IP packets to the intended destination.

You need to define firewall addresses for the private networks behind each peer. You will use these addresses as the source or destination address depending on the security policy.


Example topology for the following policies

In general:

- In a gateway-to-gateway, hub-and-spoke, dynamic DNS, redundant-tunnel, or transparent configuration, you need to define a policy address for the private IP address of the network behind the remote VPN peer (for example, 192.168.10.0/255.255.255.0 or 192.168.10.0/24).
- In a peer-to-peer configuration, you need to define a policy address for the private IP address of a server or host behind the remote VPN peer (for example, 172.16.5.1/255.255.255.255 or 172.16.5.1/32 or 172.16.5.1).

For a FortiGate dialup server in a dialup-client or Internet-browsing configuration:

- If you are not using VIP addresses, or if the FortiGate dialup server assigns VIP addresses to FortiClient dialup clients through FortiGate DHCP relay, select the predefined destination address all in the security policy to refer to the dialup clients.
- If you assign VIP addresses to FortiClient dialup clients manually, you need to define a policy address for the VIP address assigned to the dialup client (for example, 10.254.254.1/32), or a subnet address from which the VIP addresses are assigned (for example, 10.254.254.0/24 or 10.254.254.0/255.255.255.0).
- For a FortiGate dialup client in a dialup-client or Internet-browsing configuration, you need to define a policy address for the private IP address of a host, server, or network behind the FortiGate dialup server.


Defining a security IP address

1. Go to Policy & Objects > Addresses and select Create New.
2. In the Name field, type a descriptive name that represents the network, server(s), or host(s).
3. In Type, select Subnet.
4. In the Subnet/IP Range field, type the corresponding IP address and subnet mask.
   For a subnet you could use the format 172.16.5.0/24 or its equivalent 172.16.5.0/255.255.255.0. For a server or host it would likely be 172.16.5.1/32. Alternately you can use an IP address range such as 192.168.10.[80-100] or 192.168.10.80-192.168.10.100.
5. Select OK.
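The address notations accepted in step 4 above, parsed and checked in Python as an added example (not FortiOS code): it normalises the subnet, dotted-mask, host and both range forms, tests whether a host falls inside an object, and flags very broad objects before they are used as a VPN policy source or destination. The "overly broad" threshold of more than 65536 addresses is an assumption for illustration.

```python
import ipaddress


def parse_fortigate_address(text):
    """Parse one address object value into an IPv4Network (subnet and host
    forms) or a (start, end) IPv4Address tuple (range forms).

    Accepted notations, as listed in the procedure above:
      172.16.5.0/24, 172.16.5.0/255.255.255.0, 172.16.5.1/32, 172.16.5.1,
      192.168.10.[80-100], 192.168.10.80-192.168.10.100
    """
    text = text.strip()
    if text.endswith("]") and "[" in text:
        # Short range form: common prefix plus a [lo-hi] last-octet span.
        prefix, _, span = text[:-1].partition("[")
        lo, hi = span.split("-", 1)
        start = ipaddress.IPv4Address(prefix + lo)
        end = ipaddress.IPv4Address(prefix + hi)
    elif "-" in text:
        # Long range form: two full addresses.
        first, last = text.split("-", 1)
        start = ipaddress.IPv4Address(first.strip())
        end = ipaddress.IPv4Address(last.strip())
    else:
        # Subnet or host: IPv4Network accepts "addr/prefixlen" and
        # "addr/dotted-mask"; a bare address becomes a /32 host network.
        # strict=False masks off any host bits instead of rejecting them.
        return ipaddress.IPv4Network(text, strict=False)
    if end < start:
        raise ValueError("range end precedes range start: " + text)
    return (start, end)


def address_kind(obj):
    """'host', 'subnet' or 'range', for display or policy review."""
    if isinstance(obj, ipaddress.IPv4Network):
        return "host" if obj.prefixlen == 32 else "subnet"
    return "range"


def address_matches(obj, host):
    """True if the host IP would be matched by this address object."""
    h = ipaddress.IPv4Address(host)
    if isinstance(obj, ipaddress.IPv4Network):
        return h in obj
    start, end = obj
    return start <= h <= end


def review_policy_address(text):
    """Parse the value and report (kind, size, warning). A reviewer checks
    the size when the object is used in a VPN policy: a /0 or a huge range
    grants access to far more than the one network the tunnel is meant for.
    The 65536-address threshold is a constructed value for this example."""
    obj = parse_fortigate_address(text)
    if isinstance(obj, ipaddress.IPv4Network):
        size = obj.num_addresses
    else:
        size = int(obj[1]) - int(obj[0]) + 1
    warning = "overly broad address object" if size > 65536 else ""
    return address_kind(obj), size, warning


if __name__ == "__main__":
    for value in ("172.16.5.0/24", "172.16.5.0/255.255.255.0", "172.16.5.1",
                  "192.168.10.[80-100]", "192.168.10.80-192.168.10.100"):
        print(value, "->", review_policy_address(value))
```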

Defining security policies for policy-based and route-based VPNs

Security policies allow IP traffic to pass between interfaces on a FortiGate unit. You can limit communication to particular traffic by specifying source address and destination addresses. Then only traffic from those addresses will be allowed.

Policy-based and route-based VPNs require different security policies.

- A policy-based VPN requires an IPsec security policy. You specify the interface to the private network, the interface to the remote peer and the VPN tunnel. A single policy can enable traffic inbound, outbound, or in both directions.
- A route-based VPN requires an Accept security policy for each direction. As source and destination interfaces, you specify the interface to the private network and the virtual IPsec interface (Phase 1 configuration) of the VPN. The IPsec interface is the destination interface for the outbound policy and the source interface for the inbound policy. One security policy must be configured for each direction of each VPN interface.

There are examples of security policies for both policy-based and route-based VPNs throughout this guide. See Route-based or policy-based VPN on page 112.

If the security policy which grants the VPN connection is limited to certain services, DHCP must be included; otherwise the client won't be able to retrieve a lease from the FortiGate's (IPsec) DHCP server, because the DHCP request (coming out of the tunnel) will be blocked.

Policy-based VPN
An IPsec security policy enables the transmission and reception of encrypted packets, specifies the permitted direction of VPN traffic, and selects the VPN tunnel. In most cases, a single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel. Be aware of the following considerations before creating an IPsec security policy.

Allow traffic to be initiated from the remote site
Security policies specify which IP addresses can initiate a tunnel. By default, traffic from the local private network initiates the tunnel. When the Allow traffic to be initiated from the remote site option is selected, traffic from a dialup client, or a computer on a remote network, initiates the tunnel. Both can be enabled at the same time for bi-directional initiation of the tunnel.


Outbound and inbound NAT
When a FortiGate unit operates in NAT mode, you can also enable inbound or outbound NAT. Outbound NAT may be performed on outbound encrypted packets or IP packets in order to change their source address before they are sent through the tunnel. Inbound NAT is performed to intercept and decrypt emerging IP packets from the tunnel.

By default, these options are not selected in security policies and can only be set through the CLI. For more information on this, see the config firewall chapter of the FortiGate CLI Reference.

Source and destination addresses
Most security policies control outbound IP traffic. A VPN outbound policy usually has a source address originating on the private network behind the local FortiGate unit, and a destination address belonging to a dialup VPN client or a network behind the remote VPN peer. The source address that you choose for the security policy identifies from where outbound cleartext IP packets may originate, and also defines the local IP address or addresses that a remote server or client will be allowed to access through the VPN tunnel. The destination address that you choose identifies where IP packets must be forwarded after they are decrypted at the far end of the tunnel, and determines the IP address or addresses that the local network will be able to access at the far end of the tunnel.

Enabling other policy features
You can fine-tune a policy for services such as HTTP, FTP, and POP3, enable logging, traffic shaping, antivirus protection, web filtering, email filtering, file transfer, email services, and optionally allow connections according to a predefined schedule.

As an option, differentiated services (diffserv or DSCP) for the security policy can be enabled through the CLI. For more information on this feature, see the Traffic Shaping handbook chapter, or the firewall chapter of the FortiGate CLI Reference.

Before you begin
Before you define the IPsec policy, you must:

- Define the IP source and destination addresses. See Defining policy addresses on page 71.
- Specify the Phase 1 authentication parameters. See Phase 1 parameters on page 47.
- Specify the Phase 2 parameters. See Phase 2 parameters on page 65.

Defining an IPsec security policy

1. Go to Policy & Objects > IPv4 Policy.
2. Select Create New and set the following options:

   Name: Enter a name for the security policy.

   Incoming Interface: Select the local interface to the internal (private) network.

   Outgoing Interface: Select the local interface to the external (public) network.

   Source: Select the name that corresponds to the local network, server(s), or host(s) from which IP packets may originate.


   Destination Address: Select the name that corresponds to the remote network, server(s), or host(s) to which IP packets may be delivered.

   Schedule: Keep the default setting (always) unless changes are needed to meet specific requirements.

   Service: Keep the default setting (ANY) unless changes are needed to meet your specific requirements.

   Action: For the purpose of this configuration, set Action to IPsec. Doing this will close Firewall/Network Options and open VPN Tunnel options. Select the VPN tunnel of your choice, and select Allow traffic to be initiated from the remote site, which will allow traffic from the remote network to initiate the tunnel.

3. You may enable UTM features, and/or event logging, or select advanced settings to authenticate a user group, or shape traffic. For more information, see the Firewall handbook chapter.
4. Select OK.
5. Place the policy in the policy list above any other policies having similar source and destination addresses.

Defining multiple IPsec policies for the same tunnel
You must define at least one IPsec policy for each VPN tunnel. If the same remote server or client requires access to more than one network behind a local FortiGate unit, the FortiGate unit must be configured with an IPsec policy for each network. Multiple policies may be required to configure redundant connections to a remote destination or control access to different services at different times.

To ensure a secure connection, the FortiGate unit must evaluate policies with Action set to IPsec before ACCEPT and DENY. Because the FortiGate unit reads policies starting at the top of the list, you must move all IPsec policies to the top of the list, and be sure to reorder your multiple IPsec policies that apply to the tunnel so that specific constraints can be evaluated before general constraints.

Adding multiple IPsec policies for the same VPN tunnel can cause conflicts if the policies specify similar source and destination addresses, but have different settings for the same service. When policies overlap in this manner, the system may apply the wrong IPsec policy or the tunnel may fail.

For example, if you create two equivalent IPsec policies for two different tunnels, it does not matter which one comes first in the list of IPsec policies; the system will select the correct policy based on the specified source and destination addresses. If you create two different IPsec policies for the same tunnel (that is, the two policies treat traffic differently depending on the nature of the connection request), you might have to reorder the IPsec policies to ensure that the system selects the correct IPsec policy.
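The ordering rules above (IPsec policies before ACCEPT/DENY, specific before general), modelled as an added example in Python that is not FortiOS code: a top-down first-match evaluator shows which policy a packet would hit, and a review function flags IPsec policies that sit below a policy covering the same traffic. The policy lists and names are constructed from the networks used in this chapter.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    action: str                  # "ipsec", "accept" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    tunnel: str = ""             # only used when action == "ipsec"


def net(text):
    return ipaddress.IPv4Network(text)


def first_match(policies, src_ip, dst_ip):
    """Top-down, first-match evaluation: returns the policy that would be
    applied to a packet, or None when nothing matches."""
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    for policy in policies:
        if s in policy.src and d in policy.dst:
            return policy
    return None


def ordering_findings(policies):
    """Flag IPsec policies that sit below a policy covering (some of) the
    same traffic. Returns (shadowed, shadowing, reason) tuples for the two
    ordering errors described in the text:
      - an IPsec policy below an ACCEPT or DENY that overlaps it, so that
        traffic meant for the tunnel is passed in clear or dropped;
      - a more specific IPsec policy below a general one for the same
        addresses, so the specific constraints are never evaluated."""
    findings = []
    for i, later in enumerate(policies):
        if later.action != "ipsec":
            continue
        for earlier in policies[:i]:
            overlaps = (earlier.src.overlaps(later.src)
                        and earlier.dst.overlaps(later.dst))
            if not overlaps:
                continue
            if earlier.action != "ipsec":
                findings.append((later.name, earlier.name,
                                 "ipsec policy below ACCEPT/DENY"))
            elif (later.src.subnet_of(earlier.src)
                  and later.dst.subnet_of(earlier.dst)):
                findings.append((later.name, earlier.name,
                                 "specific ipsec policy below general one"))
    return findings


# Constructed policy lists using the example networks from this chapter.
FINANCE = net("10.21.101.0/24")
HR = net("10.31.101.0/24")

MISORDERED = [
    Policy("lan-to-internet", "accept", FINANCE, net("0.0.0.0/0")),
    Policy("vpn-to-hr", "ipsec", FINANCE, HR, tunnel="peer_1"),
]
CORRECTED = [MISORDERED[1], MISORDERED[0]]

GENERAL_FIRST = [
    Policy("vpn-to-hr", "ipsec", FINANCE, HR, tunnel="peer_1"),
    Policy("vpn-to-hr-server", "ipsec", FINANCE, net("10.31.101.5/32"),
           tunnel="peer_1"),
]


if __name__ == "__main__":
    for label, policies in (("misordered", MISORDERED), ("corrected", CORRECTED)):
        hit = first_match(policies, "10.21.101.10", "10.31.101.10")
        print(label, "->", hit.name, hit.action)
    print(ordering_findings(MISORDERED))
    print(ordering_findings(GENERAL_FIRST))
```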

Route-based VPN
When you define a route-based VPN, you create a virtual IPsec interface on the physical interface that connects to the remote peer. You create ordinary Accept security policies to enable traffic between the IPsec interface and the interface that connects to the private network. This makes configuration simpler than for policy-based VPNs, which require IPsec security policies.


Defining security policies for a route-based VPN

1. Go to Policy & Objects > IPv4 Policy.
2. Select Create New and define an ACCEPT security policy to permit communication between the local private network and the private network behind the remote peer. Enter these settings in particular:

   Name: Enter a name for the security policy.

   Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.

   Outgoing Interface: Select the IPsec Interface you configured.

   Source: Select the address name that you defined for the private network behind this FortiGate unit.

   Destination Address: Select the address name that you defined for the private network behind the remote peer.

   Action: Select ACCEPT.

   NAT: Disable NAT.

   To permit the remote client to initiate communication, you need to define a security policy for communication in that direction.

3. Select Create New and enter these settings in particular:

   Name: Enter a name for the security policy.

   Incoming Interface: Select the IPsec Interface you configured.

   Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.

   Source: Select the address name that you defined for the private network behind the remote peer.

   Destination Address: Select the address name that you defined for the private network behind this FortiGate unit.

   Action: Select ACCEPT.

   NAT: Disable NAT.

Gateway-to-gateway

This section explains how to set up a basic gateway-to-gateway (site-to-site) IPsec VPN.

The following topics are included in this section:

Configuration overview
Gateway-to-gateway configuration
How to work with overlapping subnets
Testing

Configuration overview

In a gateway-to-gateway configuration, two FortiGate units create a VPN tunnel between two separate private networks. All traffic between the two networks is encrypted and protected by FortiGate security policies.

Example gateway-to-gateway configuration

In some cases, computers on the private network behind one VPN peer may (by coincidence) have IP addresses that are already used by computers on the network behind the other VPN peer. In this type of situation (ambiguous routing), conflicts may occur in one or both of the FortiGate routing tables and traffic destined for the remote network through the tunnel may not be sent. To resolve issues related to ambiguous routing, see Configuration overview on page 77.


In other cases, computers on the private network behind one VPN peer may obtain IP addresses from a local DHCP server. However, unless the local and remote networks use different private network address spaces, unintended ambiguous routing and/or IP-address overlap issues may arise. For a discussion of the related issues, see FortiGate dialup-client configurations on page 1.


You can set up a fully meshed or partially meshed configuration (see below).

Fully meshed configuration

In a fully meshed network, all VPN peers are connected to each other, with one hop between peers. This topology is the most fault-tolerant: if one peer goes down, the rest of the network is not affected. This topology is difficult to scale because it requires connections between all peers. In addition, unnecessary communication can occur between peers. Best practices dictate a hub-and-spoke configuration instead (see Hub-and-spoke configurations on page 1).


Partially meshed configuration

A partially meshed network is similar to a fully meshed network, but instead of having tunnels between all peers, tunnels are only configured between peers that communicate with each other regularly.

Gateway-to-gateway configuration

The FortiGate units at both ends of the tunnel must be operating in NAT mode and have static public IP addresses.

When a FortiGate unit receives a connection request from a remote VPN peer, it uses IPsec Phase 1 parameters to establish a secure connection and authenticate that VPN peer. Then, if the security policy permits the connection, the FortiGate unit establishes the tunnel using IPsec Phase 2 parameters and applies the IPsec security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed by both FortiGate units:

- Define the Phase 1 parameters that the FortiGate unit needs to authenticate the remote peer and establish a secure connection.
- Define the Phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with the remote peer.
- Create security policies to control the permitted services and permitted direction of traffic between the IP source and destination addresses.


Configuring Phase 1 and Phase 2 for both peers
This procedure applies to both peers. Repeat the procedure on each FortiGate unit, using the correct IP address for each. You may wish to vary the Phase 1 names but this is optional. Otherwise all steps are the same for each peer.

The Phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate FortiGate_2 and establish a secure connection. For the purposes of this example, a preshared key will be used to authenticate FortiGate_2. The same preshared key must be specified at both FortiGate units.

Before you define the Phase 1 parameters, you need to:

- Reserve a name for the remote gateway.
- Obtain the IP address of the public interface to the remote peer.
- Reserve a unique value for the preshared key.
  The key must contain at least 6 printable characters and best practices dictate that it only be known by network administrators. For optimum protection against currently known attacks, the key must have a minimum of 16 randomly chosen alphanumeric characters.

At the local FortiGate unit, define the Phase 1 configuration needed to establish a secure connection with the remote peer. See IPsec VPN in the web-based manager on page 34.

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. Enter the following information, and select OK.

   Name: Enter peer_1.
   A name to identify the VPN tunnel. This name appears in Phase 2 configurations, security policies and the VPN monitor.

   Remote Gateway: Select Static IP Address.

   IP Address: Enter 172.20.0.2 when configuring FortiGate_1.
   Enter 172.18.0.2 when configuring FortiGate_2.
   The IP address of the remote peer public interface.

   Local Interface: Select wan1.

The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration and specify the remote endpoint of the VPN tunnel. Before you define the Phase 2 parameters, you need to reserve a name for the tunnel. See IPsec VPN in the web-based manager on page 34.

1. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
2. Enter a Name of peer_1_p2.
3. Select peer_1 from the Phase 1 drop-down menu.

Creating security policies
Security policies control all IP traffic passing between a source address and a destination address.


An IPsec security policy is needed to allow the transmission of encrypted packets, specify the permitted direction of VPN traffic, and select the VPN tunnel that will be subject to the policy. A single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel.

Before you define security policies, you must first specify the IP source and destination addresses. In a gateway-to-gateway configuration:

- The IP source address corresponds to the private network behind the local FortiGate unit.
- The IP destination address refers to the private network behind the remote VPN peer.

When you are creating security policies, choose one of either route-based or policy-based methods and follow it for both VPN peers. DO NOT configure both route-based and policy-based policies on the same FortiGate unit for the same VPN tunnel.

The configuration of FortiGate_2 is similar to that of FortiGate_1. You must:

- Define the Phase 1 parameters that FortiGate_2 needs to authenticate FortiGate_1 and establish a secure connection.
- Define the Phase 2 parameters that FortiGate_2 needs to create a VPN tunnel with FortiGate_1.
- Create the security policy and define the scope of permitted services between the IP source and destination addresses.

When creating security policies it is good practice to include a comment describing what the policy does.

Creating firewall addresses
Define names for the addresses or address ranges of the private networks that the VPN links. These addresses are used in the security policies that permit communication between the networks.

To define the IP address of the network behind FortiGate_1

1. Go to Policy & Objects > Addresses and select Create New.
2. Enter the Name of Finance_network.
3. Select a Type of Subnet.
4. Enter the Subnet of 10.21.101.0/24.
5. Select OK.

To specify the address of the network behind FortiGate_2

1. Go to Policy & Objects > Addresses and select Create New.
2. Enter the Name of HR_network.
3. Select a Type of Subnet.
4. Enter the Subnet/IP Range of 10.31.101.0/24.
5. Select OK.

Creating route-based VPN security policies
Define an ACCEPT security policy to permit communications between the source and destination addresses.

To create route-based VPN security policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.


3. Enter the following, and select OK.

   Incoming Interface: Select internal.
   The interface that connects to the private network behind this FortiGate unit.

   Source Address: Select Finance_network when configuring FortiGate_1.
   Select HR_network when configuring FortiGate_2.
   The address name for the private network behind this FortiGate unit.

   Outgoing Interface: Select peer_1.
   The VPN Tunnel (IPsec Interface) you configured earlier.

   Destination Address: Select HR_network when configuring FortiGate_1.
   Select Finance_network when configuring FortiGate_2.
   The address name that you defined for the private network behind the remote peer.

   Action: Select ACCEPT.

   Enable NAT: Disable.

   Comments: Allow Internal to remote VPN network traffic.

4. Optionally, configure any additional features you may want, such as UTM or traffic shaping.
5. Select Create New to create another policy for the other direction.
6. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
7. Enter the following information, and select OK.

   Incoming Interface: Select peer_1.
   The VPN Tunnel (IPsec Interface) you configured.

   Source Address: Select HR_network when configuring FortiGate_1.
   Select Finance_network when configuring FortiGate_2.
   The address name defined for the private network behind the remote peer.

   Outgoing Interface: Select internal.
   The interface that connects to the private network behind this FortiGate unit.


   Destination Address: Select Finance_network when configuring FortiGate_1.
   Select HR_network when configuring FortiGate_2.
   The address name defined for the private network behind this FortiGate unit.

   Action: Select ACCEPT.

   Enable NAT: Disable.

   Comments: Allow remote VPN network traffic to Internal.

8. Configure any additional features such as UTM or traffic shaping you may want (optional).

All network traffic must have a static route to direct its traffic to the proper destination. Without a route, traffic will not flow even if the security policies are configured properly. You may need to create a static route entry for both directions of VPN traffic if your security policies allow bi-directional tunnel initiation.

To configure the route for a route-based VPN:

1. On FortiGate_2, go to Network > Static Routes and select Create New.
2. Enter the following information, and then select OK:

   Destination IP/Mask: 10.21.101.0/24

   Device: FGT2_to_FGT1_Tunnel

   Gateway: Leave as default: 0.0.0.0.

   Distance (Advanced): Leave this at its default.
   If there are other routes on this FortiGate unit, you may need to set the distance on this route so the VPN traffic will use it as the default route. However, this normally happens by default because this route is typically a better match than the generic default route.

Creating policy-based VPN security policy
Define an IPsec security policy to permit communications between the source and destination addresses.

1. Go to Policy & Objects > IPv4 Policy.
2. Complete the following:

   Incoming Interface: Select internal.
   The interface that connects to the private network behind this FortiGate unit.


   Source Address: Select Finance_network when configuring FortiGate_1.
   Select HR_network when configuring FortiGate_2.
   The address name defined for the private network behind this FortiGate unit.

   Outgoing Interface: Select wan1.
   The FortiGate unit's public interface.

   Destination Address: Select HR_network when configuring FortiGate_1.
   Select Finance_network when configuring FortiGate_2.

   VPN Tunnel: Select Use Existing and select peer_1 from the VPN Tunnel drop-down list.
   Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

   Comments: Bidirectional policy-based VPN policy.

Place VPN policies in the policy list above any other policies having similar source and destination addresses.

How to work with overlapping subnets

A site-to-site VPN configuration sometimes has the problem that the private subnet addresses at each end are the same. You can resolve this problem by remapping the private addresses using virtual IP addresses (VIP).

VIPs allow computers on those overlapping private subnets to each have another set of IP addresses that can be used without confusion. The FortiGate unit maps the VIP addresses to the original addresses. This means if PC1 starts a session with PC2 at 10.31.101.10, FortiGate_2 directs that session to 10.11.101.10, the actual IP address of PC2. The figure below demonstrates this: the Finance network VIP is 10.21.101.0/24 and the HR network is 10.31.101.0/24.


Overlapped subnets example

Solution for route-based VPN
You need to:

- Configure IPsec Phase 1 and Phase 2 as you usually would for a route-based VPN. In this example, the resulting IPsec interface is named FGT1_to_FGT2.
- Configure virtual IP (VIP) mapping:
  - the 10.21.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_1
  - the 10.31.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_2
- Configure an outgoing security policy with ordinary source NAT on both FortiGates.
- Configure an incoming security policy with the VIP as the destination on both FortiGates.
- Configure a route to the remote private network over the IPsec interface on both FortiGates.

To configure VIP mapping on both FortiGates

1. Go to Policy & Objects > Virtual IPs and create a new Virtual IP.
2. Enter the following information, and select OK:

   Name: Enter a name, for example, my_vip.

   External Interface: Select FGT1_to_FGT2. The IPsec interface.


   VIP Type: Depending on both FortiGates, select one of the following options:

   - IPv4: If both FortiGates use IPv4 (Static NAT).
   - IPv6: If both FortiGates use IPv6 (Static NAT).
   - NAT46: Maps the IPv4 address into an IPv6 prefix.
   - NAT64: Maps the IPv6 address into an IPv4 prefix.

   External IP Address/Range: For the External IP Address field enter:
   10.21.101.1 when configuring FortiGate_1, or
   10.31.101.1 when configuring FortiGate_2.

   Mapped IP Address/Range: For the Mapped IP Address enter 10.11.101.1.
   For the Range enter 10.11.101.254.

   Port Forwarding: Disable

3. Repeat this procedure on both FortiGate_1 and FortiGate_2.

To configure the outbound security policy on both FortiGates

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information, and select OK:

   Incoming Interface: Select Port1.

   Outgoing Interface: Select FGT1_to_FGT2.
   The IPsec interface.

   Source: Select all.

   Destination Address: Select all.

   Action: Select ACCEPT.

   NAT: Enable NAT.

3. Repeat this procedure on both FortiGate_1 and FortiGate_2.

To configure the inbound security policy on both FortiGates

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information, and then select OK:

   Incoming Interface: Select FGT1_to_FGT2.


   Outgoing Interface: Select Port1.

   Source: Select all.

   Destination Address: Select my_vip.

   Action: Select ACCEPT.

   NAT: Disable NAT.

3. Repeat this procedure on both FortiGate_1 and FortiGate_2.

To configure the static route for both FortiGates

1. Go to Network > Static Routes and create a new Route (or IPv6 Route as necessary).
2. Enter the following information, and then select OK:

   Destination: Enter a subnet of 10.31.101.0/24 when configuring FortiGate_1.
   Enter a subnet of 10.21.101.0/24 when configuring FortiGate_2.

   Device: Select FGT1_to_FGT2.

   Gateway: Leave as default: 0.0.0.0.

   Administrative Distance: Leave at default (10).
   If you have advanced routing on your network, you may have to change this value.

   Advanced Options: If you have advanced routing on your network, enable Advanced Options and enter a Priority.

Solution for policy-based VPN
As with the route-based solution, users contact hosts at the other end of the VPN using an alternate subnet address. PC1 communicates with PC2 using IP address 10.31.101.10, and PC2 communicates with PC1 using IP address 10.21.101.10.

In this solution however, outbound NAT is used to translate the source address of packets from the 10.11.101.0/24 network to the alternate subnet address that hosts at the other end of the VPN use to reply. Inbound packets from the remote end have their destination addresses translated back to the 10.11.101.0/24 network.

For example, PC1 uses the destination address 10.31.101.10 to contact PC2. Outbound NAT on FortiGate_1 translates the PC1 source address to 10.21.101.10. At the FortiGate_2 end of the tunnel, the outbound NAT configuration translates the destination address to the actual PC2 address of 10.11.101.10. Similarly, PC2 replies to PC1 using destination address 10.21.101.10, with the PC2 source address translated to 10.31.101.10. PC1 and PC2 can communicate over the VPN even though they both have the same IP address.
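The PC1/PC2 exchange just described, traced by an added Python model that is not FortiOS code: each gateway source-NATs outbound tunnel traffic into its alternate subnet and maps the alternate destination back to the real 10.11.101.0/24 address inbound. The mapping follows the description above (FortiGate_1's alternate subnet is 10.21.101.0/24, FortiGate_2's is 10.31.101.0/24); the model covers address translation only, not the IPsec processing.

```python
import ipaddress

# Both sites really use this subnet; that overlap is the problem being solved.
LOCAL = ipaddress.IPv4Network("10.11.101.0/24")


def _remap(addr, from_net, to_net):
    """1:1 subnet NAT between two same-size networks: keep the host part,
    swap the network part. Rejects addresses outside from_net."""
    addr = ipaddress.IPv4Address(addr)
    if addr not in from_net:
        raise ValueError(f"{addr} is not in {from_net}")
    host_part = int(addr) - int(from_net.network_address)
    return ipaddress.IPv4Address(int(to_net.network_address) + host_part)


class Gateway:
    """Models one FortiGate's policy-based NAT for the tunnel: outbound,
    local sources become alternate-subnet addresses; inbound, alternate
    destinations are mapped back to the real local address."""

    def __init__(self, name, alternate):
        self.name = name
        self.alternate = ipaddress.IPv4Network(alternate)

    def outbound(self, src, dst):
        """Local host -> tunnel: translate the source address."""
        return (str(_remap(src, LOCAL, self.alternate)), dst)

    def inbound(self, src, dst):
        """Tunnel -> local host: translate the destination address.
        Raises ValueError when the destination is not in the alternate
        subnet, e.g. when the remote side addresses a real 10.11.101.x
        host instead of its alternate address."""
        return (src, str(_remap(dst, self.alternate, LOCAL)))


def trace(sender, receiver, src, dst):
    """Return ((src, dst) inside the tunnel, (src, dst) as delivered)."""
    in_tunnel = sender.outbound(src, dst)
    delivered = receiver.inbound(*in_tunnel)
    return in_tunnel, delivered


def delivered_or_none(gw, src, dst):
    """Inbound result, or None when the packet would not reach a local host."""
    try:
        return gw.inbound(src, dst)
    except ValueError:
        return None


FGT1 = Gateway("FortiGate_1", "10.21.101.0/24")   # Finance side
FGT2 = Gateway("FortiGate_2", "10.31.101.0/24")   # HR side

if __name__ == "__main__":
    # PC1 (Finance, 10.11.101.10) contacts PC2 (HR, also 10.11.101.10)
    print(trace(FGT1, FGT2, "10.11.101.10", "10.31.101.10"))
    # PC2 replies to PC1 using the alternate Finance address
    print(trace(FGT2, FGT1, "10.11.101.10", "10.21.101.10"))
    # Addressing the real overlapping address across the tunnel fails
    print(delivered_or_none(FGT2, "10.21.101.10", "10.11.101.10"))
```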

You need to:


- Configure IPsec Phase 1 as you usually would for a policy-based VPN.
- Configure IPsec Phase 2 with the use-natip disable CLI option.
- Define a firewall address for the local private network, 10.11.101.0/24.
- Define a firewall address for the remote private network:
  - Define a firewall address for 10.31.101.0/24 on FortiGate_1
  - Define a firewall address for 10.21.101.0/24 on FortiGate_2
- Configure an outgoing IPsec security policy with outbound NAT to map 10.11.101.0/24 source addresses:
  - To the 10.21.101.0/24 network on FortiGate_1
  - To the 10.31.101.0/24 network on FortiGate_2

To configure IPsec Phase 2 - CLI

config vpn ipsec phase2
    edit "FGT1_FGT2_p2"
        set keepalive enable
        set pfs enable
        set phase1name FGT1_to_FGT2
        set proposal 3des-sha1 3des-md5
        set replay enable
        set use-natip disable
end

In this example, your Phase 1 definition is named FGT1_to_FGT2. use-natip is set to disable, so you can specify the source selector using the src-addr-type, src-start-ip/src-end-ip or src-subnet keywords. This example leaves these keywords at their default values, which specify the subnet 0.0.0.0/0.

The pfs keyword ensures that perfect forward secrecy (PFS) is used. This ensures that each Phase 2 key created is unrelated to any other keys in use.

To define the local private network firewall address

1. Go to Policy & Objects > Addresses and create a new Address.
2. Enter the following information and select OK.

   Category: Set to Address.

   Name: Enter vpn-local. A meaningful name for the local private network.

   Type: Set to IP/Netmask.

   Subnet/IP Range: 10.11.101.0 255.255.255.0

   Interface: Set to any.

To define the remote private network firewall address

1. Go to Policy & Objects > Addresses and create a new Address.
2. Enter the following information, and select OK:

   Category: Set to Address.


   Name: Enter vpn-remote. A meaningful name for the remote private network.

   Type: Set to IP/Netmask.

   Subnet/IP Range: 10.31.101.0 255.255.255.0 on FortiGate_1.
   10.21.101.0 255.255.255.0 on FortiGate_2.

   Interface: Any

To configure the IPsec security policy

In the CLI on FortiGate_1, enter the commands:

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "vpn-local"
        set dstaddr "vpn-remote"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "FGT1_to_FGT2"
        set natoutbound enable
        set natip 10.31.101.0 255.255.255.0
end

Optionally, you can set everything except natip in the web-based manager and then use the CLI to set natip.

Enter the same commands on FortiGate_2, but set natip to 10.21.101.0 255.255.255.0.

Testing

The best testing is to look at the packets both as the VPN tunnel is negotiated, and when the tunnel is up.

Determining what the other end of the VPN tunnel is proposing

1. Start a terminal program such as PuTTY and set it to log all output.
   When necessary refer to the logs to locate information when output is verbose.
2. Log on to the FortiGate unit using a super_admin account.
3. Enter the following CLI commands.
4. Display all the possible IKE error types and the number of times they have occurred:

   diag vpn ike errors

5. Check for existing debug sessions:

   diag debug info


Ifadebugsessionisrunning,tohaltitenter:
diag debug disable

6. Confirmyourproposalsettings:

diag vpn ike config list

7. Ifyourproposalsettingsdonotmatchwhatyouexpect,makeachangetoitandsaveittoforceanupdatein
memory.Ifthatfixestheproblem,stophere.
8. Listthecurrentvpnfilter:

diag vpn ike filter

9. Ifallfieldsaresettoany,therearenofilterssetandallVPNIKEpacketswillbedisplayedinthedebugoutput.If
yoursystemhasonlyafewVPNs,skipsettingthefilter.
IfyoursystemhasmanyVPNconnectionsthiswillresultinveryverboseoutputandmakeitverydifficulttolocate
thecorrectconnectionattempt.
10. SettheVPNfiltertodisplayonlyinformationfromthedestinationIPaddressforexample10.10.10.10:

diag vpn ike log-filter dst-addr4 10.10.10.10

Toaddmorefilteroptions,enterthemoneperlineasabove.Otherfilteroptionsare:

clear erasethecurrentfilter

dst-addr6 theIPv6destinationaddressrangetofilterby

dst-port thedestinationportrangetofilterby

interface interfacethatIKEconnectionisnegotiatedover

list displaythecurrentfilter

name thephase1nametofilterby

negate negatethespecifiedfilterparameter

src-addr4 theIPv4sourceaddressrangetofilterby

src-addr6 theIPv6sourceaddressrangetofilterby

src-port thesourceportrangetofilterby

vd indexofvirtualdomain.0matchesall

11. Start debugging:

diag debug app ike 255
diag debug enable

12. Have the remote end attempt a VPN connection.
If the remote end attempts the connection, they become the initiator. This situation makes it easier to debug VPN tunnels because then you have the remote information and all of your local information. If you initiate the connection, you will not see the other end's information.
13. If possible, go to the web-based manager on your FortiGate unit, go to the VPN monitor and try to bring the tunnel up.
14. Stop the debug output:

diag debug disable

15. Go back through the output to determine what proposal information the initiator is using, and how it is different from your VPN P1 proposal settings.
Things to look for in the debug output of attempted VPN connections are shown below.

Important terms to look for in VPN debug output

initiator: Starts the VPN attempt; in the above procedure that is the remote end
responder: Answers the initiator's request
local ID: In aggressive mode, this is not encrypted
error no SA proposal chosen: There was no proposal match; there was no encryption-authentication pair in common. Usually occurs after a long list of proposal attempts
R U THERE and R U THERE ack: dead peer detection (DPD), also known as dead gateway detection. After three failed attempts to contact the remote end it will be declared dead, and no further attempts will be made to contact it
negotiation result: lists the proposal settings that were agreed on
SA_life_soft and SA_life_hard: negotiating a new key, and the key life
R U THERE: If you see this, it means Phase 1 was successful
tunnel up: the negotiation was successful, the VPN tunnel is operational
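A long debug capture is easier to triage when the terms in the table above are counted mechanically. The script below is an added example, not part of this handbook or of FortiOS: it scans saved `diag debug app ike` output for those keywords and derives the outcome (role, Phase 1 complete, proposal mismatch, dead peer, tunnel up). The sample captures are constructed for illustration and only reuse the keywords from the table; the surrounding text of real FortiOS debug lines differs, so the matching is deliberately limited to the keywords themselves.

```python
import re
from collections import Counter

# Keywords from the handbook's "Important terms" table, most specific first so that
# "R U THERE ack" is not also counted as a bare "R U THERE" probe.
EVENT_PATTERNS = [
    ("tunnel_up",          re.compile(r"\btunnel up\b", re.IGNORECASE)),
    ("no_proposal_chosen", re.compile(r"no SA proposal chosen", re.IGNORECASE)),
    ("dpd_ack",            re.compile(r"R U THERE ack", re.IGNORECASE)),
    ("dpd_probe",          re.compile(r"R U THERE", re.IGNORECASE)),
    ("negotiation_result", re.compile(r"negotiation result", re.IGNORECASE)),
    ("rekey",              re.compile(r"SA_life_(?:soft|hard)")),
    ("initiator",          re.compile(r"\binitiator\b", re.IGNORECASE)),
    ("responder",          re.compile(r"\bresponder\b", re.IGNORECASE)),
]

# The handbook: after three unanswered DPD probes the remote end is declared dead.
DPD_DEAD_THRESHOLD = 3


def classify_line(line):
    """Return the event name for one debug line, or None if it carries no keyword."""
    for name, pattern in EVENT_PATTERNS:
        if pattern.search(line):
            return name
    return None


def summarize_ike_debug(text):
    """Count keyword events in a debug capture and derive the negotiation outcome."""
    counts = Counter()
    for line in text.splitlines():
        event = classify_line(line)
        if event is not None:
            counts[event] += 1

    if counts["initiator"] > counts["responder"]:
        role = "initiator"
    elif counts["responder"]:
        role = "responder"
    else:
        role = "unknown"

    unanswered_dpd = counts["dpd_probe"] - counts["dpd_ack"]
    summary = {
        "role": role,
        "tunnel_up": counts["tunnel_up"] > 0,
        # Per the table, "R U THERE" is only seen once Phase 1 has succeeded.
        "phase1_complete": counts["tunnel_up"] > 0 or counts["dpd_probe"] > 0,
        "proposal_mismatch": counts["no_proposal_chosen"] > 0,
        "rekeys": counts["rekey"],
        "peer_declared_dead": unanswered_dpd >= DPD_DEAD_THRESHOLD,
        "counts": dict(counts),
    }

    if summary["tunnel_up"]:
        summary["verdict"] = "tunnel up: negotiation succeeded"
    elif summary["proposal_mismatch"]:
        summary["verdict"] = ("no SA proposal chosen: compare the peer's proposal "
                              "with your Phase 1 settings")
    elif summary["peer_declared_dead"]:
        summary["verdict"] = "peer declared dead: DPD probes went unanswered"
    else:
        summary["verdict"] = "incomplete: no tunnel up seen"
    return summary


# Constructed sample captures; the line layout is illustrative, not FortiOS's exact format.
SAMPLE_SUCCESS = """\
ike 0:toHub:7: initiator: main mode is sending 1st message...
ike 0:toHub:7: negotiation result
ike 0:toHub:7: proposal id = 1: encryption = AES-CBC, key-len = 128, hash = SHA1, DH group = 14
ike 0:toHub:7: SA_life_soft 28800 SA_life_hard 28800
ike 0:toHub: tunnel up
ike 0:toHub:7: R U THERE
ike 0:toHub:7: R U THERE ack
"""

SAMPLE_FAILURE = """\
ike 0:toSpokes:12: responder: main mode get 1st message...
ike 0:toSpokes:12: incoming proposal: encryption = AES-CBC, key-len = 256, hash = SHA256
ike 0:toSpokes:12: my proposal: encryption = 3DES-CBC, hash = SHA1
ike 0:toSpokes:12: no SA proposal chosen
"""

SAMPLE_DEAD_PEER = """\
ike 0:toHub:7: R U THERE
ike 0:toHub:7: R U THERE
ike 0:toHub:7: R U THERE
"""

if __name__ == "__main__":
    for name, capture in (("success", SAMPLE_SUCCESS), ("failure", SAMPLE_FAILURE),
                          ("dead peer", SAMPLE_DEAD_PEER)):
        print(name, "->", summarize_ike_debug(capture)["verdict"])
```

Run it against a PuTTY log saved in step 1 (read the file and pass its contents to summarize_ike_debug) after narrowing the capture with the log-filter options above; the verdict points at which of the table's terms to read in detail.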

Hub-and-spoke configurations

This section describes how to set up hub-and-spoke IPsec VPNs. The following topics are included in this section:

Configuration overview
Configure the hub
Configure the spokes
Dynamic spokes configuration example

Configuration overview

In a hub-and-spoke configuration, VPN connections radiate from a central FortiGate unit (the hub) to a number of remote peers (the spokes). Traffic can pass between private networks behind the hub and private networks behind the remote peers. Traffic can also pass between remote peer private networks through the hub.

Example hub-and-spoke configuration

The actual implementation varies in complexity depending on:

• Whether the spokes are statically or dynamically addressed
• The addressing scheme of the protected subnets
• How peers are authenticated
This guide discusses the issues involved in configuring a hub-and-spoke VPN and provides some basic configuration examples.

Hub-and-spoke infrastructure requirements
• The FortiGate hub must be operating in NAT mode and have a static public IP address.
• Spokes may have static IP addresses, dynamic IP addresses (see FortiGate dialup-client configurations on page 1), or static domain names and dynamic IP addresses (see Dynamic DNS configuration on page 1).

Spoke gateway addressing
The public IP address of the spoke is the VPN remote gateway as seen from the hub. Statically addressed spokes each require a separate VPN Phase 1 configuration on the hub. When there are many spokes, this becomes rather cumbersome.

Using dynamic addressing for spokes simplifies the VPN configuration because then the hub requires only a single Phase 1 configuration with dialup user as the remote gateway. You can use this configuration even if the remote peers have static IP addresses. A remote peer can establish a VPN connection regardless of its IP address if its traffic selectors match and it can authenticate to the hub. See Configuration overview on page 93 for an example of this configuration.

Protected networks addressing
The addresses of the protected networks are needed to configure destination selectors and sometimes for security policies and static routes. The larger the number of spokes, the more addresses there are to manage. You can

• Assign spoke subnets as part of a larger subnet, usually on a new network
or
• Create address groups that contain all of the needed addresses

Using aggregated subnets
If you are creating a new network, where subnet IP addresses are not already assigned, you can simplify the VPN configuration by assigning spoke subnets that are part of a large subnet.

Aggregated subnets

All spokes use the large subnet address, 10.1.0.0/16 for example, as:

• The IPsec destination selector
• The destination of the security policy from the private subnet to the VPN (required for policy-based VPN, optional for route-based VPN)
• The destination of the static route to the VPN (route-based)
Each spoke uses the address of its own protected subnet as the IPsec source selector and as the source address in its VPN security policy. The remote gateway is the public IP address of the hub FortiGate unit.

Using an address group
If you want to create a hub-and-spoke VPN between existing private networks, the subnet addressing usually does not fit the aggregated subnet model discussed earlier. All of the spokes and the hub will need to include the addresses of all the protected networks in their configuration.

On FortiGate units, you can define a named firewall address for each of the remote protected networks and add these addresses to a firewall address group. For a policy-based VPN, you can then use this address group as the destination of the VPN security policy.

For a route-based VPN, the destination of the VPN security policy can be set to All. You need to specify appropriate routes for each of the remote subnets.
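The two addressing models above (aggregated subnet versus address group) come down to a containment check over the protected networks. The script below is an added example, not part of this handbook or of FortiOS: given the hub's protected network, each spoke's protected network and an optional supernet, it decides which model applies and lists the IPsec source selector and destination address(es) each peer needs. It also rejects overlapping protected networks, because overlapping selectors make it ambiguous which tunnel a packet belongs to. The subnets in the usage section are the ones used by the Dynamic spokes configuration example later in this chapter (10.1.0.0/24, 10.1.1.0/24, 10.1.2.0/24 inside 10.1.0.0/16); 192.168.5.0/24 is a constructed value for the address-group case.

```python
import ipaddress


def plan_spoke_addressing(hub_net, spoke_nets, aggregate=None):
    """Work out IPsec selectors and policy addresses for a hub-and-spoke VPN.

    hub_net    -- protected network behind the hub, e.g. "10.1.0.0/24"
    spoke_nets -- {spoke name: protected network behind that spoke}
    aggregate  -- optional supernet, e.g. "10.1.0.0/16"

    If every protected network is a subnet of `aggregate`, the aggregated-subnet model
    applies: each spoke uses its own network as the source selector and the aggregate as
    the destination selector. Otherwise the address-group model is used, and every remote
    protected network is listed explicitly (the members of the firewall address group).
    """
    hub = ipaddress.ip_network(hub_net, strict=True)
    spokes = {name: ipaddress.ip_network(net, strict=True)
              for name, net in spoke_nets.items()}

    # Reject overlaps between any two protected networks (hub included).
    all_nets = [("hub", hub)] + list(spokes.items())
    for i, (name_a, net_a) in enumerate(all_nets):
        for name_b, net_b in all_nets[i + 1:]:
            if net_a.overlaps(net_b):
                raise ValueError(
                    f"protected networks overlap: {name_a} {net_a} and {name_b} {net_b}")

    agg = ipaddress.ip_network(aggregate, strict=True) if aggregate else None
    use_aggregate = agg is not None and all(
        net.version == agg.version and net.subnet_of(agg) for _, net in all_nets)

    plan = {"model": "aggregate" if use_aggregate else "address-group", "spokes": {}}
    if use_aggregate:
        # One destination for everybody; the hub's policy destination is the aggregate too.
        plan["hub"] = {"source": str(hub), "destination": [str(agg)]}
        for name, net in spokes.items():
            plan["spokes"][name] = {"source": str(net), "destination": [str(agg)]}
    else:
        # Each peer must know every remote protected network explicitly.
        plan["hub"] = {"source": str(hub),
                       "destination": [str(n) for n in spokes.values()]}
        for name, net in spokes.items():
            remote = [str(hub)] + [str(n) for other, n in spokes.items() if other != name]
            plan["spokes"][name] = {"source": str(net), "destination": remote}
    return plan


if __name__ == "__main__":
    # Subnets from this chapter's dynamic spokes example: all fit inside 10.1.0.0/16.
    plan = plan_spoke_addressing("10.1.0.0/24",
                                 {"spoke_1": "10.1.1.0/24", "spoke_2": "10.1.2.0/24"},
                                 aggregate="10.1.0.0/16")
    print(plan["model"], plan["spokes"]["spoke_1"])
    # Constructed case: one spoke sits outside the supernet, so an address group is needed.
    plan = plan_spoke_addressing("10.1.0.0/24",
                                 {"spoke_1": "10.1.1.0/24", "spoke_2": "192.168.5.0/24"},
                                 aggregate="10.1.0.0/16")
    print(plan["model"], plan["spokes"]["spoke_1"])
```

In the aggregate case the single destination is what the handbook enters as the Spoke_net address and as the Phase 2 destination selector; in the address-group case the destination list is the membership of the firewall address group described above, and for a route-based VPN each entry also needs its own static route.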

Authentication
Authentication is by a common pre-shared key or by certificates. For simplicity, the examples in this chapter assume that all spokes use the same pre-shared key.

Configure the hub

At the FortiGate unit that acts as the hub, you need to:

• Configure the VPN to each spoke
• Configure communication between spokes
You configure communication between spokes differently for a policy-based VPN than for a route-based VPN. For a policy-based VPN, you configure a VPN concentrator. For a route-based VPN, you must either define security policies or group the IPsec interfaces into a zone.

Define the hub-spoke VPNs
Perform these steps at the FortiGate unit that will act as the hub. Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Endpoint Security.

Configuring the VPN hub

1. At the hub, define the Phase 1 configuration for each spoke. See Phase 1 parameters on page 47. Enter these settings in particular:

Name: Enter a name to identify the VPN in Phase 2 configurations, security policies and the VPN monitor.

Remote Gateway: The remote gateway is the other end of the VPN tunnel. There are three options:

Static IP Address: Enter the spoke's public IP address. You will need to create a Phase 1 configuration for each spoke. Either the hub or the spoke can establish the VPN connection.

Dialup User: No additional information is needed. The hub accepts connections from peers with appropriate encryption and authentication settings. Only one Phase 1 configuration is needed for multiple dialup spokes. Only the spoke can establish the VPN tunnel.

Dynamic DNS: If the spoke subscribes to a dynamic DNS service, enter the spoke's Dynamic DNS domain name. Either the hub or the spoke can establish the VPN connection. For more information, see Dynamic DNS configuration on page 1.

Local Interface: Select the FortiGate interface that connects to the remote gateway. This is usually the FortiGate unit's public interface.

2. Define the Phase 2 parameters needed to create a VPN tunnel with each spoke. See Phase 2 parameters on page 65. Enter these settings in particular:

Name: Enter a name to identify this spoke Phase 2 configuration.

Phase 1: Select the name of the Phase 1 configuration that you defined for this spoke.

IPsec VPN in ADVPN hub-and-spoke
IPsec VPN traffic is allowed through a tunnel between an ADVPN hub-and-spoke.

CLI Syntax:
config vpn ipsec phase1-interface
edit "int-fgtb"
...
set auto-discovery-sender [enable | disable]
set auto-discovery-receiver [enable | disable]
set auto-discovery-forwarder [enable | disable]
...
next
end
config vpn ipsec phase2-interface
edit "int-fgtb"
...
set auto-discovery-sender phase1 [enable | disable]
...
next
end

Define the hub-spoke security policies
1. Define a name for the address of the private network behind the hub. For more information, see Defining policy addresses on page 1.
2. Define names for the addresses or address ranges of the private networks behind the spokes. For more information, see Defining policy addresses on page 1.
3. Define the VPN concentrator. See To define the VPN concentrator on page 98.
4. Define security policies to permit communication between the hub and the spokes. For more information, see Defining VPN security policies on page 1.

Route-based VPN security policies
Define ACCEPT security policies to permit communications between the hub and the spoke. You need one policy for each direction.

Adding policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings in particular:

Incoming Interface: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Source Address: Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit.
Outgoing Interface: Select the hub's interface to the internal (private) network.
Destination Address: Select the source address that you defined in Step 1.
Action: Select ACCEPT.
Enable NAT: Enable.

Incoming Interface: Select the VPN Tunnel (IPsec Interface) you configured in Step 1.
Source Address: Select the address name you defined in Step 2 for the private network behind the spoke FortiGate units.
Outgoing Interface: Select the source address that you defined in Step 1.
Destination Address: Select the hub's interface to the internal (private) network.
Action: Select ACCEPT.
Enable NAT: Enable.

Policy-based VPN security policy
Define an IPsec security policy to permit communications between the hub and the spoke.

Adding policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Incoming Interface: Select the hub's interface to the internal (private) network.
Source Address: Select the source address that you defined in Step 1.
Outgoing Interface: Select the hub's public network interface.
Destination Address: Select the address name you defined in Step 2 for the private network behind the spoke FortiGate unit.
VPN Tunnel: Select Use Existing and select the name of the Phase 1 configuration that you created for the spoke in Step 1.
Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

In the policy list, arrange the policies in the following order:

• IPsec policies that control traffic between the hub and the spokes first
• The default security policy last

Configuring communication between spokes (policy-based VPN)
For a policy-based hub-and-spoke VPN, you define a concentrator to enable communication between the spokes.

To define the VPN concentrator

1. At the hub, go to VPN > IPsec Concentrator and select Create New.
2. In the Concentrator Name field, type a name to identify the concentrator.
3. From the Available Tunnels list, select a VPN tunnel and then select the right-pointing arrow.
4. Repeat Step 3 until all of the tunnels associated with the spokes are included in the concentrator.
5. Select OK.

Configuring communication between spokes (route-based VPN)
For a route-based hub-and-spoke VPN, there are several ways you can enable communication between the spokes:

• Put all of the IPsec interfaces into a zone and enable intra-zone traffic. This eliminates the need for any security policy for the VPN, but you cannot apply UTM features to scan the traffic for security threats.
• Put all of the IPsec interfaces into a zone and create a single zone-to-zone security policy
• Create a security policy for each pair of spokes that are allowed to communicate with each other. The number of policies required increases rapidly as the number of spokes increases.

Using a zone as a concentrator
A simple way to provide communication among all of the spokes is to create a zone and allow intra-zone communication. You cannot apply UTM features using this method.

1. Go to Network > Interfaces.
2. Select the down-arrow on the Create New button and select Zone.
3. In the Zone Name field, enter a name, such as Our_VPN_zone.
4. Clear Block intra-zone traffic.
5. In the Interface Members list, select the IPsec interfaces that are part of your VPN.
6. Select OK.

Using a zone with a policy as a concentrator
If you put all of the hub IPsec interfaces involved in the VPN into a zone, you can enable communication among all of the spokes and apply UTM features with just one security policy.

Creating a zone for the VPN

1. Go to Network > Interfaces.
2. Select the down-arrow on the Create New button and select Zone.
3. In the Zone Name field, enter a name, such as Our_VPN_zone.
4. Select Block intra-zone traffic.
5. In the Interface Members list, select the IPsec interfaces that are part of your VPN.
6. Select OK.

Creating a security policy for the zone

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings and select OK:

Incoming Interface: Select the zone you created for your VPN.
Source Address: Select All.
Outgoing Interface: Select the zone you created for your VPN.
Destination Address: Select All.
Action: Select ACCEPT.
Enable NAT: Enable.

Using security policies as a concentrator
To enable communication between two spokes, you need to define an ACCEPT security policy for them. To allow either spoke to initiate communication, you must create a policy for each direction. This procedure describes a security policy for communication from Spoke 1 to Spoke 2. Others are similar.

1. Define names for the addresses or address ranges of the private networks behind each spoke. For more information, see Defining policy addresses on page 1.
2. Go to Policy & Objects > IPv4 Policy and select Create New.
3. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
4. Enter the settings and select OK.

Incoming Interface: Select the IPsec interface that connects to Spoke 1.
Source Address: Select the address of the private network behind Spoke 1.
Outgoing Interface: Select the IPsec interface that connects to Spoke 2.
Destination Address: Select the address of the private network behind Spoke 2.
Action: Select ACCEPT.
Enable NAT: Enable.

Configure the spokes

Although this procedure assumes that the spokes are all FortiGate units, a spoke could also be VPN client software, such as FortiClient Endpoint Security.

Perform these steps at each FortiGate unit that will act as a spoke.

Creating the Phase 1 and Phase 2 configurations

1. At the spoke, define the Phase 1 parameters that the spoke will use to establish a secure connection with the hub. See Phase 1 parameters on page 47. Enter these settings:

Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the interface that connects to the hub.

2. Create the Phase 2 tunnel definition. See Phase 2 parameters on page 65. Select the set of Phase 1 parameters that you defined for the hub. You can select the name of the hub from the Static IP Address part of the list.

Configuring security policies for hub-to-spoke communication
1. Create an address for this spoke. See Defining policy addresses on page 1. Enter the IP address and netmask of the private network behind the spoke.
2. Create an address to represent the hub. See Defining policy addresses on page 1. Enter the IP address and netmask of the private network behind the hub.
3. Define the security policy to enable communication with the hub.

Route-based VPN security policy
Define two security policies to permit communications to and from the hub.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings:

Incoming Interface: Select the virtual IPsec interface you created.
Source Address: Select the hub address you defined in Step 1.
Outgoing Interface: Select the spoke's interface to the internal (private) network.
Destination Address: Select the spoke addresses you defined in Step 2.
Action: Select ACCEPT.
Enable NAT: Enable

Incoming Interface: Select the spoke's interface to the internal (private) network.
Source Address: Select the spoke address you defined in Step 1.
Outgoing Interface: Select the virtual IPsec interface you created.
Destination Address: Select the hub destination addresses you defined in Step 2.
Action: Select ACCEPT.
Enable NAT: Enable

Policy-based VPN security policy
Define an IPsec security policy to permit communications with the hub. See Defining VPN security policies on page 1.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Incoming Interface: Select the spoke's interface to the internal (private) network.
Source Address: Select the spoke address you defined in Step 1.
Outgoing Interface: Select the spoke's interface to the external (public) network.
Destination Address: Select the hub address you defined in Step 2.
VPN Tunnel: Select Use Existing and select the name of the Phase 1 configuration you defined.
Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

Configuring security policies for spoke-to-spoke communication
Each spoke requires security policies to enable communication with the other spokes. Instead of creating separate security policies for each spoke, you can create an address group that contains the addresses of the networks behind the other spokes. The security policy then applies to all of the spokes in the group.

1. Define destination addresses to represent the networks behind each of the other spokes. Add these addresses to an address group.
2. Define the security policy to enable communication between this spoke and the spokes in the address group you created.

Policy-based VPN security policy
Define an IPsec security policy to permit communications with the other spokes. See Defining VPN security policies on page 1. Enter these settings in particular:

Route-based VPN security policy
Define two security policies to permit communications to and from the other spokes.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings in particular:

Incoming Interface: Select the virtual IPsec interface you created.
Source Address: Select the spoke address group you defined in Step "Configure the spokes" on page 100.
Outgoing Interface: Select the spoke's interface to the internal (private) network.
Destination Address: Select this spoke's address name.
Action: Select ACCEPT.
Enable NAT: Enable

4. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:

Incoming Interface: Select the spoke's interface to the internal (private) network.
Source Address: Select this spoke's address name.
Outgoing Interface: Select the virtual IPsec interface you created.
Destination Address: Select the spoke address group you defined in Step 1.
Action: Select ACCEPT.
Enable NAT: Enable

Policy-based VPN security policy
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following:

Incoming Interface: Select this spoke's internal (private) network interface.
Source Address: Select this spoke's source address.
Outgoing Interface: Select the spoke's interface to the external (public) network.
Destination Address: Select the spoke address group you defined in Step 1.
VPN Tunnel: Select Use Existing and select the name of the Phase 1 configuration you defined.
Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

Place this policy or policies in the policy list above any other policies having similar source and destination addresses.

Dynamic spokes configuration example

This example demonstrates how to set up a basic route-based hub-and-spoke IPsec VPN that uses preshared keys to authenticate VPN peers.

Example hub-and-spoke configuration

In the example configuration, the protected networks 10.1.0.0/24, 10.1.1.0/24 and 10.1.2.0/24 are all part of the larger subnet 10.1.0.0/16. The steps for setting up the example hub-and-spoke configuration create a VPN among Site 1, Site 2, and the HR Network.

The spokes are dialup. Their addresses are not part of the configuration on the hub, so only one spoke definition is required no matter the number of spokes. For simplicity, only two spokes are shown.

In an ADVPN topology, any pair of peers can create a shortcut, as long as one of the devices is not behind NAT.

The on-the-wire format of the ADVPN messages uses TLV encoding. Because of this, this feature is not compatible with any previous ADVPN builds.

Configure the hub (FortiGate_1)
The Phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate spokes and establish secure connections.

For the purposes of this example, one preshared key will be used to authenticate all of the spokes. Each key must contain at least 6 printable characters, and best practices dictate that it only be known by network administrators. For optimum protection against currently known attacks, each key must consist of a minimum of 16 randomly chosen alphanumeric characters.
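The key rules in the paragraph above (at least 6 printable characters as the floor, at least 16 randomly chosen alphanumeric characters as the recommendation) are easy to enforce before the key is typed into the hub and every spoke. The script below is an added example, not part of this handbook or of FortiOS: it generates a key from the operating system's CSPRNG via Python's secrets module, checks an existing key against both rules, and reports the entropy a uniformly random alphanumeric key of that length carries. The default length of 32 is a constructed choice above the handbook's minimum.

```python
import math
import secrets
import string

# Rules stated in the handbook for the shared preshared key.
MIN_PSK_LENGTH = 6            # floor: at least 6 printable characters
RECOMMENDED_PSK_LENGTH = 16   # recommendation: at least 16 random alphanumeric characters
ALPHANUMERIC = string.ascii_letters + string.digits
# Whitespace is printable in Python's sense but does not survive copy-and-paste reliably,
# so it is excluded from what this check accepts as "printable".
WHITESPACE = set("\t\n\r\x0b\x0c ")


def generate_psk(length=32):
    """Generate a random alphanumeric preshared key from the OS CSPRNG."""
    if length < RECOMMENDED_PSK_LENGTH:
        raise ValueError(f"length must be at least {RECOMMENDED_PSK_LENGTH}")
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


def psk_entropy_bits(psk):
    """Entropy in bits of a key drawn uniformly from ALPHANUMERIC.

    Only meaningful for keys that were actually generated at random; a memorable
    phrase of the same length has far less entropy than this number suggests.
    """
    return len(psk) * math.log2(len(ALPHANUMERIC))


def check_psk(psk):
    """Check a key against the handbook's two rules and return the findings."""
    printable = bool(psk) and all(
        ch in string.printable and ch not in WHITESPACE for ch in psk)
    alphanumeric = bool(psk) and all(ch in ALPHANUMERIC for ch in psk)
    return {
        "length": len(psk),
        "printable": printable,
        "alphanumeric": alphanumeric,
        "meets_minimum": printable and len(psk) >= MIN_PSK_LENGTH,
        # Randomness cannot be verified from the string; generate_psk() satisfies it.
        "meets_recommendation": printable and len(psk) >= RECOMMENDED_PSK_LENGTH,
        "entropy_bits_if_random": round(psk_entropy_bits(psk), 1),
    }


if __name__ == "__main__":
    key = generate_psk()
    print(key, check_psk(key))
    print(check_psk("Secret123"))   # constructed weak example: meets the floor only
```

Store the generated key in the Pre-shared Key field of the hub's Phase 1 configuration and of every spoke; the check reports "meets_minimum" without "meets_recommendation" for keys that FortiOS will accept but that fall short of the 16-character guidance.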

Define the IPsec configuration
1. At FortiGate_1, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button). Define the Phase 1 parameters that the hub will use to establish a secure connection to the spokes.

Name: Enter a name (for example, toSpokes).
Remote Gateway: Dialup user
Local Interface: External
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key.
Peer Options: Any peer ID

The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration and specify the remote end points of the VPN tunnels.

3. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
4. Enter the following information, and select OK:

Name: Enter a name for the Phase 2 definition (for example, toSpokes_ph2).
Phase 1: Select the Phase 1 configuration that you defined previously (for example, toSpokes).

Define the security policies
Security policies control all IP traffic passing between a source address and a destination address. For a route-based VPN, the policies are simpler than for a policy-based VPN. Instead of an IPSEC policy, you use an ACCEPT policy with the virtual IPsec interface as the external interface.

Before you define security policies, you must first define firewall addresses to use in those policies. You need addresses for:

• The HR network behind FortiGate_1
• The aggregate subnet address for the protected networks

Defining the IP address of the HR network behind FortiGate_1

1. Go to Policy & Objects > Addresses.
2. Select Create New, enter the following information, and select OK:

Name: Enter an address name (for example, HR_Network).
Type: Subnet
Subnet / IP Range: Enter the IP address of the HR network behind FortiGate_1 (for example, 10.1.0.0/24).

Specifying the IP address of the aggregate protected subnet

1. Go to Policy & Objects > Addresses.
2. Select Create New, enter the following information, and select OK:

Address Name: Enter an address name (for example, Spoke_net).
Type: Subnet
Subnet / IP Range: Enter the IP address of the aggregate protected network, 10.1.0.0/16

Defining the security policy for traffic from the hub to the spokes

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK:

Incoming Interface: Select the interface to the HR network, port1.
Source Address: Select HR_Network.
Outgoing Interface: Select the virtual IPsec interface that connects to the spokes, toSpokes.
Destination Address: Select Spoke_net.
Action: Select ACCEPT.

Place the policy in the policy list above any other policies having similar source and destination addresses.

Configure communication between spokes
Spokes communicate with each other through the hub. You need to configure the hub to allow this communication. An easy way to do this is to create a zone containing the virtual IPsec interfaces, even if there is only one, and create a zone-to-zone security policy.

1. Go to Network > Interfaces.
2. Select the down-arrow on the Create New button and select Zone.
3. In the Zone Name field, enter a name, such as Our_VPN_zone.
4. Select Block intra-zone traffic.
You could enable intra-zone traffic and then you would not need to create a security policy. But you would not be able to apply UTM features.
5. In Interface Members, select the virtual IPsec interface, toSpokes.
6. Select OK.

Creating a security policy for the zone

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter these settings:

Incoming Interface: Select Our_VPN_zone.
Source Address: Select All.
Outgoing Interface: Select Our_VPN_zone.
Destination Address: Select All.
Action: Select ACCEPT.
Enable NAT: Enable.

4. Select OK.

Configure the spokes
In this example, all spokes have nearly identical configuration, requiring the following:

• Phase 1 authentication parameters to initiate a connection with the hub.
• Phase 2 tunnel creation parameters to establish a VPN tunnel with the hub.
• A source address that represents the network behind the spoke. This is the only part of the configuration that is different for each spoke.
• A destination address that represents the aggregate protected network.
• A security policy to enable communications between the spoke and the aggregate protected network.

Define the IPsec configuration
At each spoke, create the following configuration.

1. At the spoke, go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button). Enter the following information:

Name: Type a name, for example, toHub.
Remote Gateway: Select Static IP Address.
IP Address: Enter 172.16.10.1.
Local Interface: Select Port2.
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key. The value must be identical to the preshared key that you specified previously in the FortiGate_1 configuration.
Peer Options: Select Any peer ID.

3. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
4. Enter the following information and select OK:

Name: Enter a name for the tunnel, for example, toHub_ph2.
Phase 1: Select the name of the Phase 1 configuration that you defined previously, for example, toHub.
Advanced: Select to show the following Quick Mode Selector settings.
Source: Enter the address of the protected network at this spoke.
For spoke_1, this is 10.1.1.0/24.
For spoke_2, this is 10.1.2.0/24.
Destination: Enter the aggregate protected subnet address, 10.1.0.0/16.

Define the security policies
You need to define firewall addresses for the spokes and the aggregate protected network and then create a security policy to enable communication between them.

Defining the IP address of the network behind the spoke

1. Go to Policy & Objects > Addresses.
2. Select Create New and enter the following information:

Address Name: Enter an address name, for example LocalNet.
Type: Subnet
Subnet / IP Range: Enter the IP address of the private network behind the spoke.
For spoke_1, this is 10.1.1.0/24.
For spoke_2, this is 10.1.2.0/24.

Specifying the IP address of the aggregate protected network

1. Go to Policy & Objects > Addresses.
2. Select Create New and enter the following information:

Address Name: Enter an address name, for example, Spoke_net.
Type: Subnet
Subnet / IP Range: Enter the IP address of the aggregate protected network, 10.1.0.0/16.

Defining the security policy

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information:

Incoming Interface: Select the virtual IPsec interface, toHub.
Source Address: Select the aggregate protected network address, Spoke_net.
Outgoing Interface: Select the interface to the internal (private) network, port1.
Destination Address: Select the address for this spoke's protected network, LocalNet.
Action: Select ACCEPT.

4. Select Create New.
5. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
6. Enter the following information, and select OK:

Incoming Interface: Select the interface to the internal private network, port1.
Source Address: Select the address for this spoke's protected network, LocalNet.
Outgoing Interface: Select the virtual IPsec interface, toHub.
Destination Address: Select the aggregate protected network address, Spoke_net.
Action: Select ACCEPT.

Place these policies in the policy list above any other policies having similar source and destination addresses.

Dynamic DNS configuration

This section describes how to configure a site-to-site VPN, in which one FortiGate unit has a static IP address and the other FortiGate unit has a domain name and a dynamic IP address.

The following topics are included in this section:

Dynamic DNS over VPN concepts
DDNS topology
Configuration overview

Dynamic DNS over VPN concepts

A typical computer has a static IP address and one or more DNS servers to resolve fully qualified domain names (FQDN) into IP addresses. A domain name assigned to this computer is resolved by any DNS server having an entry for the domain name and its static IP address. The IP address never changes or changes only rarely, so the DNS server can reliably say it has the correct address for that domain all the time.

Dynamic DNS (DDNS)
It is different when a computer has a dynamic IP address, such as an IP address assigned dynamically by a DHCP server, and a domain name. Computers that want to contact this computer do not know what its current IP address is. To solve this problem there are dynamic DNS (DDNS) servers. These are public servers that store a DNS entry for your computer that includes its current IP address and associated domain name. These entries are kept up to date by your computer sending its current IP address to the DDNS server to ensure its entry is always up to date. When other computers want to contact your domain, their DNS gets your IP address from your DDNS server. To use DDNS servers, you must subscribe to them and usually pay for their services.

When configuring DDNS on your FortiGate unit, go to Network > DNS and enable Enable FortiGuard DDNS. Then select the interface with the dynamic connection, which DDNS server you have an account with, your domain name, and account information. If your DDNS server is not on the list, there is a generic option where you can provide your DDNS server information.

Routing
When an interface has some form of changing IP address (DDNS, PPPoE, or DHCP assigned address), routing needs special attention. The standard static route cannot handle the changing IP address. The solution is to use the dynamic-gateway command in the CLI. Say for example you already have four static routes, and you have a PPPoE connection over the wan2 interface and you want to use that as your default route.

The route is configured on the dynamic address VPN peer trying to access the static address FortiGate unit.

Configuring dynamic gateway routing - CLI
config router static
edit 5
set dst 0.0.0.0 0.0.0.0
set dynamic-gateway enable
set device wan2
next
end

For more information on DDNS, see the System Administration handbook chapter.

DDNS over VPN
IPsec VPN expects an IP address for each end of the VPN tunnel. All configuration and communication with that tunnel depends on the IP addresses as reference points. However, when the interface the tunnel is on has DDNS enabled, there is no set IP address. The remote end of the VPN tunnel now needs another way to reference your end of the VPN tunnel. This is accomplished using Local ID.

A FortiGate unit that has a domain name and a dynamic IP address can initiate VPN connections anytime. The remote peer can reply to the local FortiGate unit using the source IP address that was sent in the packet header because it is current. Without doing a DNS lookup first, the remote peer runs the risk of the dynamic IP changing before it attempts to connect. To avoid this, the remote peer must perform a DNS lookup for the domain name to be sure of the dynamic IP address before initiating the connection.

Remote Gateway
When configuring the Phase 1 entry for a VPN tunnel, the Remote Gateway determines the addressing method the remote end of the tunnel uses as one of Static IP Address, Dialup User, or Dynamic DNS. There are different fields for each option.

When you select the Dynamic DNS VPN type there is a related field called Dynamic DNS. The Dynamic DNS field is asking for the FQDN of the remote end of the tunnel. It uses this information to look up the IP address of the remote end of the tunnel through the DDNS server associated with that domain name.

Local ID (peer ID)
The Local ID or peer ID can be used to uniquely identify one end of a VPN tunnel. This enables a more secure connection. Also, if you have multiple VPN tunnels negotiating, this ensures the proper remote and local ends connect. When you configure it on your end, it is your Local ID. When the remote end connects to you, they see it as your peer ID.

If you are debugging a VPN connection, the Local ID is part of the VPN negotiations. You can use it to help troubleshoot connection problems.

Configuring your Local ID

1. Go to VPN > IPsec Wizard and create the new custom tunnel, or go to VPN > IPsec Tunnels and edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert To Custom Tunnel button).
3. In the Phase 1 Proposal section, enter your Local ID.
4. Select OK.
The default configuration is to accept all local IDs (peer IDs). If you have Local ID set, the remote end of the tunnel must be configured to accept your local ID.

Accepting a specific Peer ID

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit Authentication (if it is not available, you may need to click the Convert To Custom Tunnel button).
3. Set Mode to Aggressive.
111 IPsec VPN for FortiOS 5.4.1


Fortinet Technologies Inc.
Dynamic DNS configuration DDNS topology

4. ForPeerOptions,selectThispeerID.ThisoptionbecomesvisibleonlywhenAggressivemodeisselected.
5. InthePeerIDfield,enterthestringtheotherendofthetunnelusedforitslocalID.
6. ConfiguretherestofthePhase1entryasrequired.
7. SelectOK.

Route-based or policy-based VPN
VPN over dynamic DNS can be configured with either route-based or policy-based VPN settings. Both are valid, but have differences in configuration. Choose the best method based on your requirements. For more information on route-based and policy-based VPNs, see IPsec VPN overview on page 29.

Route-based VPN configuration requires two security policies to be configured (one for each direction of traffic) to permit traffic over the VPN virtual interface, and you must also add a static route entry for that VPN interface or the VPN traffic will not reach its destination. See Creating branch_2 route-based security policies and Creating branch_1 route-based security policies below.

Policy-based VPN configuration uses more complex, and often more, IPsec security policies, but does not require a static route entry. It has the benefit of being able to configure multiple policies for handling multiple protocols in different ways, such as more scanning of less secure protocols or guaranteeing a minimum bandwidth for protocols such as VoIP. See Creating branch_2 policy-based security policies and Creating branch_1 policy-based security policies below.

DDNS topology

In this scenario, two branch offices each have a FortiGate unit and are connected in a gateway-to-gateway VPN configuration. One FortiGate unit has a domain name (example.com) with a dynamic IP address. See branch_2 in the figure below.

Whenever the branch_2 unit connects to the Internet (and possibly also at predefined intervals set by the ISP), the ISP may assign a different IP address to the FortiGate unit. The unit has its domain name registered with a dynamic DNS service. The branch_2 unit checks in with the DDNS server on a regular basis, and that server provides the DNS information for the domain name, updating the IP address from time to time. Remote peers have to locate the branch_2 FortiGate unit through a DNS lookup each time to ensure the address they get is current and correct.

Example dynamic DNS configuration (figure)

When a remote peer (such as the branch_1 FortiGate unit above) initiates a connection to example.com, the local DNS server looks up and returns the IP address that matches the domain name example.com. The remote peer uses the retrieved IP address to establish a VPN connection with the branch_2 FortiGate unit.

Assumptions
l You have administrator access to both FortiGate units.
l Both FortiGate units have interfaces named wan1 and internal. (If not, you can use the alias feature to assign these labels as nicknames to other interfaces to follow this example.)
l Both FortiGate units have the most recent firmware installed, have been configured for their networks, and are currently passing normal network traffic.
l The branch_2 FortiGate unit has its wan1 interface defined as a dynamic DNS interface with the domain name of example.com.
l A basic gateway-to-gateway configuration is in place (see Gateway-to-gateway configurations) except that one of the FortiGate units has a static domain name and a dynamic IP address instead of a static IP address.
l The FortiGate unit with the domain name is subscribed to one of the supported dynamic DNS services. Contact one of the services to set up an account. For more information and instructions about how to configure the FortiGate unit to push its dynamic IP address to a dynamic DNS server, see the System Administration handbook chapter.

Configuration overview

When a FortiGate unit receives a connection request from a remote VPN peer, it uses IPsec Phase 1 parameters to establish a secure connection and authenticate the VPN peer. Then, if the security policy permits the connection, the FortiGate unit establishes the tunnel using IPsec Phase 2 parameters and applies the security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed:


l Configure the branch_2 FortiGate unit with the dynamic IP address. This unit uses a Local ID string instead of an IP address to identify itself to the remote peer. See Configuring the dynamically-addressed VPN peer below, which is made up of configuring branch_2's VPN tunnel settings and security policies.
l Configure the fixed-address VPN peer. To initiate a VPN tunnel with the dynamically-addressed peer, this unit must first retrieve the IP address for the domain from the dynamic DNS service. See Configuring the fixed-address VPN peer, which is made up of configuring branch_1's VPN tunnel settings and security policies.

Configuring the dynamically-addressed VPN peer
It is assumed that this FortiGate unit (branch_2) has already had its public-facing interface, for example wan1, configured with the proper dynamic DNS configuration.

Configuring branch_2, the dynamic address side

Define the Phase 1 parameters needed to establish a secure connection with the remote peer. See Phase 1 parameters on page 47. During this procedure you need to choose if you will be using route-based or policy-based VPNs.

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit Network (full configuration options are only available once you click the Convert To Custom Tunnel button).
3. Enter the following information:

Remote Gateway   Select Static IP Address.

                 The remote peer this FortiGate is connecting to has a static public IP address.

                 If the wan1 interface uses PPPoE, do not select Retrieve default gateway from server in the interface settings; the default route for this unit is added in the CLI later in this procedure.

IP Address       Enter 172.16.20.1, the IP address of the public interface of the remote peer.


Interface            Select the Internet-facing interface, wan1 (selected by default).

NAT Traversal        Select Enable (selected by default).

Keepalive Frequency  Enter a keepalive frequency (in seconds; set to 10 by default).

Dead Peer Detection  Select a dead peer detection option. On Idle will attempt to reestablish VPN tunnels when a connection becomes idle (the idle interval is not a negotiated value).
                     Use of periodic dead peer detection incurs extra overhead. When communicating with large numbers of IKE peers, you should consider using On Demand (set to On Demand by default).

4. Edit Authentication and complete the following:

Mode                 Select Aggressive.

5. Edit Phase 1 Proposal and complete the following:

Local ID             Enter example.com.

                     A character string used by the branch_2 FortiGate unit to identify itself to the remote peer.

                     This value must be identical to the value in the This peer ID field of the Phase 1 remote gateway configuration on the branch_1 remote peer. See Configuring the fixed-address VPN peer below.

6. Open the Phase 2 Selectors panel.
Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. For details on Phase 2, see Phase 2 parameters on page 65.
7. Enter the following information and select OK.

Name                 Automatically entered as the name of the VPN tunnel.

Phase 1              Select branch_2.

                     The name of the Phase 1 configuration that you defined earlier.

Define security policies to permit communications between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies.

After defining the two address ranges, select one of Creating branch_2 route-based security policies on page 116 or Creating branch_2 policy-based security policies on page 118 to configure the appropriate VPN policies.

Define VPN connection names for the address ranges of the private networks. These addresses are used in the security policies that permit communication between the networks. For more information, see Defining VPN security policies.

Define an address name for the IP address and netmask of the private network behind the local FortiGate unit.


1. Go to Policy & Objects > Addresses.
2. Select Create New.
3. Enter the following information, and select OK.

Name               Enter branch_2_internal, or another meaningful name.

Type               Select IP/Netmask.

Subnet / IP Range  Enter 10.10.10.0/24.

                   Include the netmask or specify a specific range.

Interface          Select internal. The interface that will be handling the traffic from the internal network.

Define an address name for the IP address and netmask of the private network behind the remote peer.

4. Select Create New.
5. Enter the following information, and select OK.

Name               Enter branch_1_internal. A meaningful name for the private network at the remote end of the VPN tunnel.

Type               Select IP/Netmask.

Subnet / IP Range  Enter 192.168.1.0/24.

                   Include the netmask. Optionally you can specify a range.

Interface          Select any.

                   The interface that will be handling the remote VPN traffic on this FortiGate unit. If you are unsure, or multiple interfaces may be handling this traffic, use any.

Creating branch_2 route-based security policies
Define ACCEPT security policies to permit communication between the branch_2 and branch_1 private networks. Once the route-based policies are configured, a routing entry must be configured to route traffic over the VPN interface.

Define a policy to permit the branch_2 local FortiGate unit to initiate a VPN session with the branch_1 VPN peer.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information, and select OK.

Name               Enter an appropriate name for the policy.


Incoming Interface   Select internal.

                     The interface that connects to the private network behind this FortiGate unit.

Outgoing Interface   Select branch_2. The VPN Tunnel (IPsec Interface).

Source               Select branch_2_internal.

                     Select the address name for the private network behind this FortiGate unit.

Destination Address  Select branch_1_internal.

                     The address name for the private network behind the remote peer.

Action               Select ACCEPT.

NAT                  Disable NAT.

Comments             Route-based: Initiate a branch_2 to branch_1 VPN tunnel.

Define a policy to permit the branch_1 remote VPN peer to initiate VPN sessions.

3. Select Create New.
4. Enter the following information, and select OK.

Name                 Enter an appropriate name for the policy.

Incoming Interface   Select branch_2. The VPN Tunnel (IPsec Interface).

Outgoing Interface   Select internal. The interface connecting the private network behind this FortiGate unit.

Source               Select branch_1_internal. The address name for the private network behind the remote peer.

Destination Address  Select branch_2_internal. The address name for the private network behind this FortiGate unit.

Action               Select ACCEPT.

NAT                  Disable NAT.

Comments             Route-based: Initiate a branch_1 to branch_2 internal VPN tunnel.

5. Optionally configure any other security policy settings you require, such as UTM or traffic shaping, for this policy.
6. Place these policies in the policy list above any other policies having similar source and destination addresses. This will ensure VPN traffic is matched against the VPN policies before any other policies.

Creating routing entry for VPN interface - CLI
config router static
    edit 5
        set dst 0.0.0.0 0.0.0.0
        set dynamic-gateway enable
        set device wan1
    next
end
This routing entry must be added in the CLI because the dynamic-gateway option is not available in the web-based manager. It gives branch_2 a default route through wan1 whose next hop is the gateway learned dynamically (PPPoE or DHCP) on that interface, so that IKE and ESP traffic can reach the remote peer. Separately, the route-based VPN also needs a route to the remote private network (192.168.1.0/24) whose device is the branch_2 tunnel interface; that route can be added in the web-based manager under Network > Static Routes.

Creating branch_2 policy-based security policies
Define an IPsec policy to permit VPN sessions between the private networks, that is, between the local branch_2 unit and the remote branch_1 unit.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information, and select OK.

Name                 Enter an appropriate name for the policy.

Incoming Interface   Select internal. The interface connecting the private network behind this FortiGate unit.

Outgoing Interface   Select wan1. The FortiGate unit's public interface.

Source               Select branch_2_internal. The address name for the private network behind this local FortiGate unit.

Destination Address  Select branch_1_internal. The address name for the private network behind branch_1, the remote peer.

Action               Select IPsec. Under VPN Tunnel, select branch_2 from the drop-down list (the name of the Phase 1 tunnel). Select Allow traffic to be initiated from the remote site.

Comments             Policy-based: allows traffic in either direction to initiate the VPN tunnel.

3. Optionally configure any other security policy settings you require, such as UTM or traffic shaping, for this policy.
4. Place these policies in the policy list above any other policies having similar source and destination addresses. This will ensure VPN traffic is matched against the VPN policies before any other policies.

Configuring the fixed-address VPN peer
The fixed-address VPN peer, branch_1, needs to retrieve the IP address from the dynamic DNS service to initiate communication with the dynamically-addressed peer, branch_2. It also depends on the peer ID (branch_2's Local ID) to initiate the VPN tunnel with branch_2.


Define the Phase 1 parameters needed to establish a secure connection with the remote peer. For more information, see Phase 1 parameters on page 47.

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit Network (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. Enter the following information and select OK.

Remote Gateway   Select Dynamic DNS. The remote peer this FortiGate is connecting to has a dynamic IP address.

Dynamic DNS      Type the fully qualified domain name of the remote peer (for example, example.com).

Interface        Select wan1. The public-facing interface on the fixed-address FortiGate unit.

4. Edit Authentication, enter the following information and select OK.

Mode             Select Aggressive.

Peer Options     Select This peer ID, and enter example.com. This option only appears when the mode is set to Aggressive (or when the authentication method is Signature). It is the identifier of the FortiGate unit with the dynamic address, and must match the Local ID configured on branch_2 exactly.

5. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. See Phase 2 parameters on page 65. Enter these settings in particular:

Name             Enter branch_1_p2. A name to identify this Phase 2 configuration.


Phase 1          Select branch_1.

                 The name of the Phase 1 configuration that you defined for the remote peer. You can select the name of the remote gateway from the Dynamic DNS part of the list.

The branch_1 FortiGate unit has a fixed IP address and will be connecting to the branch_2 FortiGate unit that has a dynamic IP address and a domain name of example.com. Remember, if you are using route-based security policies, that you must add a route for the VPN traffic.

Defining address ranges for branch_1 security policies
As with branch_2 previously, branch_1 needs address ranges defined as well. See Defining policy addresses.

1. Go to Policy & Objects > Addresses and select Create New > Address.
2. Enter the following information, and select OK.

Name               Enter branch_2_internal. A meaningful name for the private network behind the branch_2 FortiGate unit.

Type               Select IP/Netmask.

Subnet / IP Range  Enter 10.10.10.0/24. Include the netmask or specify a specific range.

Interface          Select any. This is the remote network, reached through the branch_1 tunnel interface; if you are unsure which interface will handle the traffic, use any.

3. Define an address name for the IP address and netmask of the private network behind this FortiGate unit.
4. Create another address. Enter the following information, and select OK.

Name               Enter branch_1_internal. A meaningful name for the private network behind the branch_1 FortiGate unit.

Type               Select IP/Netmask.

Subnet / IP Range  Enter 192.168.1.0/24. Include the netmask or specify a specific range.

Interface          Select internal. The interface on this FortiGate unit that connects to this private network.

Creating branch_1 route-based security policies
Define ACCEPT security policies to permit communications between the source and destination addresses. See Defining VPN security policies.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information, and select OK.


Name                 Enter an appropriate name for the policy.

Incoming Interface   Select internal. The interface that connects to the private network behind the branch_1 FortiGate unit.

Outgoing Interface   Select branch_1. The VPN Tunnel (IPsec Interface) you configured earlier.

Source               Select branch_1_internal. The address name that you defined for the private network behind this FortiGate unit.

Destination Address  Select branch_2_internal. The address name that you defined for the private network behind the branch_2 peer.

Action               Select ACCEPT.

NAT                  Disable NAT.

Comments             Internal -> branch_2

To permit the remote peer to initiate communication, you need to define a security policy for communication in that direction.

3. Select Create New.
4. Enter the following information, and select OK.

Name                 Enter an appropriate name for the policy.

Incoming Interface   Select branch_1. The VPN Tunnel (IPsec Interface) you configured earlier.

Outgoing Interface   Select internal. The interface that connects to the private network behind this FortiGate unit.

Source               Select branch_2_internal. The address name that you defined for the private network behind the branch_2 remote peer.

Destination Address  Select branch_1_internal. The address name that you defined for the private network behind this FortiGate unit.

Action               Select ACCEPT.

NAT                  Disable NAT.

Comments             branch_2 -> Internal

Creating branch_1 policy-based security policies
A policy-based security policy gives you the flexibility to allow inbound or outbound traffic, or both, through a single policy.

This policy-based IPsec VPN security policy allows both inbound and outbound traffic.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information, and select OK.


Incoming Interface   Select internal. The interface that connects to the private network behind this FortiGate unit.

Outgoing Interface   Select wan1. The FortiGate unit's public interface.

Source               Select branch_1_internal. The address name that you defined for the private network behind this FortiGate unit.

Destination Address  Select branch_2_internal. The address name that you defined for the private network behind the remote peer.

Action               Select IPsec. Under VPN Tunnel, select branch_1 from the drop-down list (the name of the Phase 1 tunnel). Select Allow traffic to be initiated from the remote site.

3. Place this security policy in the policy list above any other policies having similar source and destination addresses.
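The route-based form of the whole branch_1/branch_2 procedure above (Local ID on the dynamic side, This peer ID and a Dynamic DNS remote gateway on the fixed side, addresses, policies and routes), written as an added CLI example equivalent to the GUI steps. It is not text from the handbook, and it is not a configuration Fortinet ships. The pre-shared key, the proposal and DH group, and the static-route sequence numbers are placeholders chosen for the example; the `#` lines are annotations, not commands. The DDNS client on branch_2's wan1 is assumed to be configured already, as the Assumptions list states.

```fortios
# branch_2 (dynamic address, DDNS name example.com): identify by Local ID, not by IP
config vpn ipsec phase1-interface
    edit "branch_2"
        set type static
        set interface "wan1"
        set mode aggressive
        set localid "example.com"
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-demand
        set remote-gw 172.16.20.1
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-KEY"
    next
end
config vpn ipsec phase2-interface
    edit "branch_2"
        set phase1name "branch_2"
        set proposal aes256-sha256
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
config firewall address
    edit "branch_2_internal"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "branch_1_internal"
        set subnet 192.168.1.0 255.255.255.0
    next
end
# default route via the gateway learned on wan1 (CLI only), plus the remote LAN via the tunnel
config router static
    edit 5
        set dst 0.0.0.0 0.0.0.0
        set dynamic-gateway enable
        set device "wan1"
    next
    edit 6
        set dst 192.168.1.0 255.255.255.0
        set device "branch_2"
    next
end
config firewall policy
    edit 0
        set name "branch_2_to_branch_1"
        set srcintf "internal"
        set dstintf "branch_2"
        set srcaddr "branch_2_internal"
        set dstaddr "branch_1_internal"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "branch_1_to_branch_2"
        set srcintf "branch_2"
        set dstintf "internal"
        set srcaddr "branch_1_internal"
        set dstaddr "branch_2_internal"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# branch_1 (fixed 172.16.20.1): resolve example.com at connect time, accept only that peer ID
config vpn ipsec phase1-interface
    edit "branch_1"
        set type ddns
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "example.com"
        set proposal aes256-sha256
        set dhgrp 14
        set dpd on-demand
        set remotegw-ddns "example.com"
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-KEY"
    next
end
config vpn ipsec phase2-interface
    edit "branch_1_p2"
        set phase1name "branch_1"
        set proposal aes256-sha256
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "branch_1"
    next
end
```

The two firewall addresses and the two ACCEPT policies on branch_1 mirror the branch_2 block, with internal and branch_1 as the interface pair and the source and destination addresses swapped. The values that must agree across the two units are `localid` on branch_2 and `peerid` on branch_1 (byte for byte), the pre-shared key, and the Phase 1 and Phase 2 proposals; `peertype one` is what turns the peer ID into an access control, whereas the default `peertype any` accepts any identifier that knows the key.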

Results
Once both ends are configured, you can test the VPN tunnel.

To test the VPN initiated by branch_2
1. On branch_2, go to Monitor > IPsec Monitor.
All IPsec VPN tunnels will be listed on this page, whether they are connected or disconnected.
2. Select the tunnel listed for branch_2, and select the status column for that entry.
The status will say Bring Up, and the remote port, incoming and outgoing data will all be zero. This indicates an inactive tunnel. When you right-click and select Bring Up, the FortiGate will try to set up a VPN session over this tunnel. If it is successful, Bring Up will change to Active, and the arrow icon will change to a green up arrow icon.
3. If this does not create a VPN tunnel with increasing values for incoming and outgoing data, you need to start troubleshooting (see the ideas listed after the next procedure).

To test the VPN initiated by branch_1
1. On branch_1, go to Monitor > IPsec Monitor.
2. Select the tunnel listed for branch_1, and select the status column.
The difference between branch_2 and branch_1 at this point is that the tunnel entry for branch_1 will not have a remote gateway IP address. It will be resolved when the VPN tunnel is started.
3. If this does not create a VPN tunnel with increasing values for incoming and outgoing data, you need to start troubleshooting.
Some troubleshooting ideas include:

l If there was no entry for the tunnel on the monitor page, check the IPsec Tunnels page to verify the Phase 1 and Phase 2 entries exist.
l Check the security policy or policies, and ensure there is an outgoing policy as a minimum.
l Check that you entered a Local ID in the branch_2 Phase 1 configuration, and that branch_1 has the same string as its accepted peer ID.
l Ensure the local DNS server has an up-to-date DNS entry for example.com.
For more information, see Troubleshooting.
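The same checks from the CLI, as an added example session that is not part of the handbook: it walks the troubleshooting list above in order (name resolution, Phase 1, Phase 2 counters, routing, then an IKE trace). The tunnel names, the peer address 172.16.20.1 and the host name example.com are the ones used in this example; the `#` lines are annotations, not commands. The first block is run on branch_2 (the dynamic side, which initiates toward 172.16.20.1), the last command on branch_1.

```fortios
# On branch_2: Phase 1 state. A gateway with no SAs, or none at all, means IKE never completed.
diagnose vpn ike gateway list
# Phase 2 SAs with byte counters. Counters that stay at zero while the SA exists point at routing or policy.
diagnose vpn tunnel list
# Route-based only: 192.168.1.0/24 must be reachable via the branch_2 tunnel interface, and the
# default route must carry the dynamically learned gateway on wan1.
get router info routing-table all
# Trace the IKE exchange with this peer only, then force a negotiation and read the ID payloads
# and proposal selection in the output.
diagnose vpn ike log-filter dst-addr4 172.16.20.1
diagnose debug application ike -1
diagnose debug enable
diagnose vpn tunnel up branch_2
# Stop the trace when done.
diagnose debug disable
diagnose debug reset

# On branch_1: confirm the DDNS record resolves to the address branch_2 currently holds ...
execute ping example.com
# ... and, if it has changed, drop the cached gateway so the next attempt re-resolves the name.
diagnose vpn ike gateway flush name branch_1
```

Two things in the trace are worth reading rather than scanning: the ID payload branch_2 sends must print as the FQDN example.com (an IP-type ID there means the Local ID was not set or Main mode was left selected), and the proposal branch_1 selects must match one of branch_2's offered proposals for both phases. A mismatch on either ends the exchange before authentication, so a wrong pre-shared key is only the explanation once both of those line up.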

FortiClient dialup-client configuration

The FortiClient Endpoint Security application is an IPsec VPN client with antivirus, antispam and firewall capabilities. This section explains how to configure dialup VPN connections between a FortiGate unit and one or more FortiClient Endpoint Security applications.

FortiClient users are usually mobile or remote users who need to connect to a private network behind a FortiGate unit. For example, the users might be employees who connect to the office network while traveling or from their homes.

For greatest ease of use, the FortiClient application can download the VPN settings from the FortiGate unit to configure itself automatically.

The following topics are included in this section:

Configuration overview

Configuration overview

Dialup users typically obtain dynamic IP addresses from an ISP through Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE). Then, the FortiClient Endpoint Security application initiates a connection to a FortiGate dialup server.

By default the FortiClient dialup client has the same IP address as the host PC on which it runs. If the host connects directly to the Internet, this is a public IP address. If the host is behind a NAT device, such as a router, the IP address is a private IP address. The NAT device must be NAT traversal (NAT-T) compatible to pass encrypted packets (see Phase 1 parameters on page 47). The FortiClient application can also be configured to use a virtual IP address (VIP). For the duration of the connection, the FortiClient application and the FortiGate unit both use the VIP address as the IP address of the FortiClient dialup client.

The FortiClient application sends its encrypted packets to the VPN remote gateway, which is usually the public interface of the FortiGate unit. It also uses this interface to download VPN settings from the FortiGate unit. See Automatic configuration of FortiClient dialup clients on page 124.


Example FortiClient dialup-client configuration (figure)

Peer identification
The FortiClient application can establish an IPsec tunnel with a FortiGate unit configured to act as a dialup server. When the FortiGate unit acts as a dialup server, it does not identify the client using the Phase 1 remote gateway address. The IPsec tunnel is established if authentication is successful and the IPsec security policy associated with the tunnel permits access. If configured, the FortiGate unit could also require FortiClient registration, that is, the remote user would be required to have FortiClient installed before the connection is completed.

Automatic configuration of FortiClient dialup clients
The FortiClient application can obtain its VPN settings from the FortiGate VPN server. FortiClient users need to know only the FortiGate VPN server IP address and their user name and password on the FortiGate unit.

The FortiGate unit listens for VPN policy requests from clients on TCP port 8900. When the dialup client connects:

l The client initiates a Secure Sockets Layer (SSL) connection to the FortiGate unit.
l The FortiGate unit requests a user name and password from the FortiClient user. Using these credentials, it authenticates the client and determines which VPN policy applies to the client.
l Provided that authentication is successful, the FortiGate unit downloads a VPN policy to the client over the SSL connection. The information includes IPsec Phase 1 and Phase 2 settings, and the IP addresses of the private networks that the client is authorized to access.
l The client uses the VPN policy settings to establish an IPsec Phase 1 connection and Phase 2 tunnel with the FortiGate unit.

FortiClient-to-FortiGate VPN configuration steps
Configuring dialup client capability for FortiClient dialup clients involves the following general configuration steps:

1. If you will be using VIP addresses to identify dialup clients, determine which VIP addresses to use. As a precaution, consider using VIP addresses that are not commonly used.
2. Configure the FortiGate unit to act as a dialup server. See Configuring the FortiGate unit below.


3. If the dialup clients will be configured to obtain VIP addresses through DHCP over IPsec, configure the FortiGate unit to act as a DHCP server or to relay DHCP requests to an external DHCP server.
4. Configure the dialup clients. See Configure the FortiClient Endpoint Security application.

Using virtual IP addresses
When the FortiClient host PC is located behind a NAT device, unintended IP address overlap issues may arise between the private networks at the two ends of the tunnel. For example, the client's host might receive a private IP address from a DHCP server on its network that by coincidence is the same as a private IP address on the network behind the FortiGate unit. A conflict will occur in the host's routing table and the FortiClient Endpoint Security application will be unable to send traffic through the tunnel. Configuring virtual IP (VIP) addresses for FortiClient applications prevents this problem.

Using VIPs ensures that client IP addresses are in a predictable range. You can then define security policies that allow access only to that source address range. If you do not use VIPs, the security policies must allow all source addresses because you cannot predict the IP address for a remote mobile user.

The FortiClient application must not have the same IP address as any host on the private network behind the FortiGate unit or any other connected FortiClient application. You can ensure this by reserving a range of IP addresses on the private network for FortiClient users. Or, you can assign FortiClient VIPs from an uncommonly used subnet such as 10.254.254.0/24 or 192.168.254.0/24.

You can reserve a VIP address for a particular client according to its device MAC address and type of connection. The DHCP server then always assigns the reserved VIP address to the client. For more information about this feature, see the dhcp reserved-address section in the system chapter of the FortiGate CLI Reference.

On the host computer, you can find out the VIP address that the FortiClient Endpoint Security application is using. For example, in a Windows command prompt, type
ipconfig /all

On Linux or Mac OS X, type ifconfig in a terminal window. The output will also show the IP address that has been assigned to the host Network Interface Card (NIC).

It is best to assign VIPs using DHCP over IPsec. The FortiGate dialup server can act as a DHCP server or relay requests to an external DHCP server. You can also configure VIPs manually on FortiClient applications, but it is more difficult to ensure that all clients use unique addresses.

If you assign a VIP on the private network behind the FortiGate unit and enable DHCP-IPsec (a Phase 2 advanced option), the FortiGate unit acts as a proxy on the local private network for the FortiClient dialup client. Whenever a host on the network behind the dialup server issues an ARP request for the device MAC address of the FortiClient host, the FortiGate unit answers the ARP request on behalf of the FortiClient host and forwards the associated traffic to the FortiClient host through the tunnel. For more information, see Phase 2 parameters on page 65.

FortiGate units fully support RFC 3456. The FortiGate DHCP over IPsec feature can be enabled to allocate VIP addresses to FortiClient dialup clients using a FortiGate DHCP server.

The figure below shows an example of a FortiClient-to-FortiGate VPN where the FortiClient application is assigned a VIP on an uncommonly used subnet. The diagram also shows that while the destination for the information in the encrypted packets is the private network behind the FortiGate unit, the destination of the IPsec packets themselves is the public interface of the FortiGate unit that acts as the end of the VPN tunnel.


IP address assignments in a FortiClient dialup-client configuration (figure)

Assigning VIPs by RADIUS user group
If you use XAuth authentication, you can assign users the virtual IP address stored in the Framed-IP-Address field of their record on the RADIUS server. (See RFC 2865 and RFC 2866 for more information about RADIUS fields.) To do this:

l Set the DHCP server IP Assignment Mode to User-group defined method. This is an Advanced setting. See Configuring a DHCP server on a FortiGate interface on page 130.
l Create a new firewall user group and add the RADIUS server to it.
l In your Phase 1 settings, configure the FortiGate unit as an XAuth server and select from User Group the new user group that you created. For more information, see Phase 1 parameters on page 47.
l Configure the FortiClient application to use XAuth. See Configuration overview on page 123.

FortiClient dialup-client infrastructure requirements
l To support policy-based VPNs, the FortiGate dialup server may operate in either NAT mode or transparent mode. NAT mode is required if you want to create a route-based VPN.
l If the FortiClient dialup clients will be configured to obtain VIP addresses through FortiGate DHCP relay, a DHCP server must be available on the network behind the FortiGate unit and the DHCP server must have a direct route to the FortiGate unit.
l If the FortiGate interface to the private network is not the default gateway, the private network behind the FortiGate unit must be configured to route IP traffic destined for dialup clients back (through an appropriate gateway) to the FortiGate interface to the private network. As an alternative, you can configure the IPsec security policy on the FortiGate unit to perform inbound NAT on IP packets. Inbound NAT translates the source addresses of inbound decrypted packets into the IP address of the FortiGate interface to the local private network.

Configuring the FortiGate unit
Configuring the FortiGate unit to establish VPN connections with FortiClient Endpoint Security users involves the following steps:


l Configure the VPN settings
l If the dialup clients use automatic configuration, configure the FortiGate unit as a VPN policy server
l If the dialup clients obtain VIP addresses by DHCP over IPsec, configure an IPsec DHCP server or relay
The procedures in this section cover basic setup of policy-based and route-based VPNs compatible with FortiClient Endpoint Security. A route-based VPN is simpler to configure.

The IPsec VPN Wizard greatly simplifies IPsec VPN tunnel creation for route-based tunnels.

To configure FortiGate unit VPN settings to support FortiClient users, you need to:

l Configure the FortiGate Phase 1 VPN settings
l Configure the FortiGate Phase 2 VPN settings
l Add the security policy

On the local FortiGate unit, define the Phase 1 configuration needed to establish a secure connection with the FortiClient peer. See Phase 1 parameters on page 47.

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit Network (full configuration options are only available once you click the Convert To Custom Tunnel button).
3. Enter these settings in particular:

Remote Gateway   Select Dialup User. No remote IP address is entered for this type: dialup clients connect from addresses that are not known in advance.

Interface        Select the interface through which clients connect to the FortiGate unit.

Mode Config      When enabled, further options become available:

l Client Address Range
l Subnet Mask
l Use System DNS
l DNS Server
l Enable IPv4 Split Tunnel

4. Edit Authentication and enter the following information:

Method           Select Pre-shared Key.


Pre-shared Key: Enter the pre-shared key. This must be the same pre-shared key provided to the FortiClient users.

Peer Options: Set Accept Types to Any peer ID.

5. Define the Phase 2 parameters needed to create a VPN tunnel with the FortiClient peer. See Phase 2 parameters on page 65. Enter these settings in particular:

Name: Enter a name to identify this Phase 2 configuration.

Phase 1: Select the name of the Phase 1 configuration that you defined.

Advanced: Select to configure the following optional setting.

DHCP-IPsec: Select if you provide virtual IP addresses to clients using DHCP.

6. Define names for the addresses or address ranges of the private networks that the VPN links. These addresses are used in the security policies that permit communication between the networks. For more information, see Defining policy addresses on page 1.

Enter these settings in particular:
• Define an address name for the individual address or the subnet address that the dialup users access through the VPN.
• If FortiClient users are assigned VIP addresses, define an address name for the subnet to which these VIPs belong.

7. Define security policies to permit communication between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies on page 1.

If the security policy that grants the VPN connection is limited to certain services, DHCP must be included. Otherwise the client will not be able to retrieve a lease from the FortiGate's (IPsec) DHCP server, because the DHCP request (coming out of the tunnel) will be blocked.

Route-based VPN security policies
Define an ACCEPT security policy to permit communications between the source and destination addresses.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Name: Enter an appropriate name for the policy.

Incoming Interface: Select the VPN tunnel (IPsec interface) you configured in Step "Configuration overview" on page 123.

Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.

Source: Select all.

Destination Address: Select all.


Action: Select ACCEPT.

NAT: Disable NAT.

If you want to allow hosts on the private network to initiate communications with the FortiClient users after the tunnel is established, you need to define a security policy for communication in that direction.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.

Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.

Source: Select all.

Destination Address: Select all.

Action: Select ACCEPT.

NAT: Disable NAT.

Policy-based VPN security policy
Define an IPsec security policy to permit communications between the source and destination addresses.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.

Outgoing Interface: Select the FortiGate unit's public interface.

Source: Select the address name that you defined in Step "Configuration overview" on page 123 for the private network behind this FortiGate unit.

Destination Address: If FortiClient users are assigned VIPs, select the address name that you defined for the VIP subnet. Otherwise, select all.

Action: Select IPsec. Under VPN Tunnel, select the name of the Phase 1 configuration that you created in Step "Configuration overview" on page 123 from the drop-down list. Select Allow traffic to be initiated from the remote site.

Place VPN policies in the policy list above any other policies having similar source and destination addresses.
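The two ordering rules in this procedure (the VPN policy must sit above any other policy matching similar addresses, since FortiOS evaluates the list top-down and the first match wins; and a VPN-granting policy that restricts services must still allow DHCP) are easy to break in a long policy list. The following check is an added example written for this handbook section, not FortiOS code or output: the Policy model, the interface and address object names, and the sample policy list are all constructed for illustration.

```python
"""Policy-list checks for a FortiClient dialup VPN (added example).

Two rules from the procedure are checked on a simplified policy model:
  1. shadowing: an earlier policy with the same interface pair that covers a
     later policy's source, destination and services will match first, so the
     later (VPN) policy never takes effect;
  2. DHCP: a policy that grants the VPN connection and restricts services must
     include DHCP, or clients cannot obtain a lease through the tunnel.
The Policy class and SAMPLE_POLICIES are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Policy:
    policy_id: int
    srcintf: str
    dstintf: str
    srcaddr: str                 # address object name; "all" covers anything
    dstaddr: str
    action: str                  # "accept", "ipsec" or "deny"
    services: List[str] = field(default_factory=lambda: ["ALL"])
    grants_vpn: bool = False     # the policy that admits the dialup tunnel


def _covers(broad: str, narrow: str) -> bool:
    # Simplified model: "all" covers every address object, otherwise names must match.
    return broad == "all" or broad == narrow


def _services_cover(broad: List[str], narrow: List[str]) -> bool:
    return "ALL" in broad or set(narrow) <= set(broad)


def shadowed_policies(policies: List[Policy]) -> List[Tuple[int, int]]:
    """Return (shadowed_id, shadowing_id) for each policy fully covered by an
    earlier policy on the same interface pair; first shadowing policy only."""
    findings = []
    for index, later in enumerate(policies):
        for earlier in policies[:index]:
            if (earlier.srcintf == later.srcintf
                    and earlier.dstintf == later.dstintf
                    and _covers(earlier.srcaddr, later.srcaddr)
                    and _covers(earlier.dstaddr, later.dstaddr)
                    and _services_cover(earlier.services, later.services)):
                findings.append((later.policy_id, earlier.policy_id))
                break
    return findings


def dhcp_missing(policies: List[Policy]) -> List[int]:
    """IDs of VPN-granting policies whose service list would block the DHCP
    request that arrives out of the tunnel."""
    return [p.policy_id for p in policies
            if p.grants_vpn and p.action != "deny"
            and "ALL" not in p.services and "DHCP" not in p.services]


# Constructed sample: a broad browsing policy placed above the policy-based
# VPN policy shadows it, and the route-based tunnel policy omits DHCP.
SAMPLE_POLICIES = [
    Policy(10, "internal", "wan1", "LAN", "all", "accept"),
    Policy(20, "internal", "wan1", "LAN", "FortiClient_VIPs", "ipsec", grants_vpn=True),
    Policy(30, "dialup_tunnel", "internal", "all", "all", "accept",
           services=["HTTPS", "SSH"], grants_vpn=True),
]

if __name__ == "__main__":
    for victim, culprit in shadowed_policies(SAMPLE_POLICIES):
        print(f"policy {victim} is shadowed by policy {culprit}; move it above")
    for pid in dhcp_missing(SAMPLE_POLICIES):
        print(f"policy {pid} restricts services but does not include DHCP")
```

Moving policy 20 above policy 10 clears the shadowing finding; adding DHCP to policy 30's service list clears the other. The address model deliberately treats only "all" as a superset, so on a real unit the address objects themselves would have to be compared.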

Configuring the FortiGate unit as a VPN policy server
When a FortiClient application set to automatic configuration connects to the FortiGate unit, the FortiGate unit requests a user name and password. If the user supplies valid credentials, the FortiGate unit downloads the VPN settings to the FortiClient application.

You must do the following to configure the FortiGate unit to work as a VPN policy server for FortiClient automatic configuration:

1. Create user accounts for FortiClient users.
2. Create a user group for FortiClient users and add the user accounts that you created in step 1.
3. Connect to the FortiGate unit CLI and configure VPN policy distribution as follows:

    config vpn ipsec forticlient
        edit <policy_name>
            set phase2name <tunnel_name>
            set usergroupname <group_name>
            set status enable
        end

<tunnel_name> must be the Name you specified in step 2 of Configuration overview on page 123. <group_name> must be the name of the user group you created for FortiClient users.

Configuring DHCP services on a FortiGate interface
If the FortiClient dialup clients are configured to obtain a VIP address using DHCP, configure the FortiGate dialup server to either:

• Relay DHCP requests to a DHCP server behind the FortiGate unit (see Configuring DHCP relay on a FortiGate interface on page 130 below).
• Act as a DHCP server (see Configuring a DHCP server on a FortiGate interface on page 130).

Note that DHCP services are typically configured during the interface creation stage, but you can return to an interface to modify DHCP settings if need be.

Configuring DHCP relay on a FortiGate interface

1. Go to Network > Interfaces and select the interface that you want to relay DHCP.
2. Enable DHCP Server, and create a new DHCP Address Range and Netmask.
3. Open the Advanced... menu and set Mode to Relay.
4. Enter the DHCP Server IP.
5. Select OK.

Configuring a DHCP server on a FortiGate interface

1. Go to Network > Interfaces and select the interface that you want to act as a DHCP server.
2. Enable DHCP Server, and create a new DHCP Address Range and Netmask.
3. Set Default Gateway to Specify, and enter the IP address of the default gateway that the DHCP server assigns to DHCP clients.
4. Set DNS Server to Same as System DNS. If you want to use a different DNS server for VPN clients, select Specify and enter an IP address in the available field.
5. Open the Advanced... menu and set Mode to Server.
6. Select OK.


Configure the FortiClient Endpoint Security application
The following procedure explains how to configure the FortiClient Endpoint Security application to communicate with a remote FortiGate dialup server using the VIP address that you specify manually. These procedures are based on FortiClient 5.4.1.

Configuring FortiClient
This procedure explains how to configure the FortiClient application manually using the default IKE and IPsec settings. For more information, refer to the FortiClient Administration Guide.

1. Go to Remote Access and select the Settings icon.
2. Select Add a new connection, set the new VPN connection to IPsec VPN, and complete the following information:

Connection Name: Enter a descriptive name for the connection.

Remote Gateway: Enter the IP address or the fully qualified domain name (FQDN) of the remote gateway.

Authentication Method: Select Pre-shared Key and enter the pre-shared key in the field provided.

Authentication (XAuth): Extended Authentication (XAuth) increases security by requiring additional user authentication in a separate exchange at the end of the VPN Phase 1 negotiation. The FortiGate unit challenges the user for a user name and password. It then forwards the user's credentials to an external RADIUS or LDAP server for verification.

Implementation of XAuth requires configuration at both the FortiGate unit and the FortiClient application.

3. Select OK.

Adding XAuth authentication
For information about configuring a FortiGate unit as an XAuth server, see Phase 1 parameters on page 47. The following procedure explains how to configure the FortiClient application.

Note that XAuth is not compatible with IKE version 2.

For more information on configuring XAuth authentication, see the FortiClient Administration Guide.

FortiGate dialup-client configurations

This section explains how to set up a FortiGate dialup-client IPsec VPN. In a FortiGate dialup-client configuration, a FortiGate unit with a static IP address acts as a dialup server and a FortiGate unit having a dynamic IP address initiates a VPN tunnel with the FortiGate dialup server.

The following topics are included in this section:

Configuration overview

Configuration overview

A dialup client can be a FortiGate unit. The FortiGate dialup client typically obtains a dynamic IP address from an ISP through the Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over Ethernet (PPPoE) before initiating a connection to a FortiGate dialup server.

Example FortiGate dialup-client configuration

In a dialup-client configuration, the FortiGate dialup server does not rely on a Phase 1 remote gateway address to establish an IPsec VPN connection with dialup clients. As long as authentication is successful and the IPsec security policy associated with the tunnel permits access, the tunnel is established.

Several different ways to authenticate dialup clients and restrict access to private networks based on client credentials are available. To authenticate FortiGate dialup clients and help to distinguish them from FortiClient dialup clients when multiple clients will be connecting to the VPN through the same tunnel, best practices dictate that you assign a unique identifier (local ID or peer ID) to each FortiGate dialup client. For more information, see Phase 1 parameters on page 47.


Whenever you add a unique identifier (local ID) to a FortiGate dialup client for identification purposes, you must select Aggressive mode on the FortiGate dialup server and also specify the identifier as a peer ID on the FortiGate dialup server. For more information, see Phase 1 parameters on page 47.

Users behind the FortiGate dialup server cannot initiate the tunnel because the FortiGate dialup client does not have a static IP address. After the tunnel is initiated by users behind the FortiGate dialup client, traffic from the private network behind the FortiGate dialup server can be sent to the private network behind the FortiGate dialup client.

Encrypted packets from the FortiGate dialup client are addressed to the public interface of the dialup server. Encrypted packets from the dialup server are addressed either to the public IP address of the FortiGate dialup client (if the dialup client connects to the Internet directly) or, if the FortiGate dialup client is behind a NAT device, to the public IP address of the NAT device.

If a router with NAT capabilities is in front of the FortiGate dialup client, the router must be NAT-T compatible for encrypted traffic to pass through the NAT device. For more information, see Phase 1 parameters on page 47.

When the FortiGate dialup server decrypts a packet from the FortiGate dialup client, the source address in the IP header may be one of the following values, depending on the configuration of the network at the far end of the tunnel:

• If the FortiGate dialup client connects to the Internet directly, the source address will be the private IP address of a host or server on the network behind the FortiGate dialup client.
• If the FortiGate dialup client is behind a NAT device, the source address will be the public IP address of the NAT device.

In some cases, computers on the private network behind the FortiGate dialup client may (by coincidence) have IP addresses that are already used by computers on the network behind the FortiGate dialup server. In this type of situation (ambiguous routing), conflicts may occur in one or both of the FortiGate routing tables and traffic destined for the remote network through the tunnel may not be sent.

In many cases, computers on the private network behind the FortiGate dialup client will obtain IP addresses from a local DHCP server behind the FortiGate dialup client. However, unless the local and remote networks use different private network address spaces, unintended ambiguous routing and IP-address overlap issues may arise.

To avoid these issues, you can configure FortiGate DHCP relay on the dialup client instead of using a DHCP server on the network behind the dialup client. The FortiGate dialup client can be configured to relay DHCP requests from the local private network to a DHCP server that resides on the network behind the FortiGate dialup server. You configure the FortiGate dialup client to pass traffic from the local private network to the remote network by enabling FortiGate DHCP relay on the FortiGate dialup client interface that is connected to the local private network.

Afterward, when a computer on the network behind the dialup client broadcasts a DHCP request, the dialup client relays the message through the tunnel to the remote DHCP server. The remote DHCP server responds with a private IP address for the computer. To avoid ambiguous routing and network overlap issues, the IP addresses assigned to computers behind the dialup client cannot match the network address space used by the private network behind the FortiGate dialup server.


Preventing network overlap in a FortiGate dialup-client configuration

When the DHCP server resides on the private network behind the FortiGate dialup server, the IP destination address specified in the IPsec security policy on the FortiGate dialup client must refer to that network.

You must add a static route to the DHCP server FortiGate unit if it is not directly connected to the private network behind the FortiGate dialup server; its IP address does not match the IP address of the private network. Also, the destination address in the IPsec security policy on the FortiGate dialup client must refer to the DHCP server address. The DHCP server must be configured to assign a range of IP addresses different from the DHCP server's local network, and also different from the private network addresses behind the FortiGate dialup server. See Routing on page 1.

FortiGate dialup-client infrastructure requirements
The requirements are:

• The FortiGate dialup server must have a static public IP address.
• NAT mode is required if you want to create a route-based VPN.
• The FortiGate dialup server may operate in either NAT mode or transparent mode to support a policy-based VPN.
• Computers on the private network behind the FortiGate dialup client can obtain IP addresses either from a DHCP server behind the FortiGate dialup client, or a DHCP server behind the FortiGate dialup server.
• If the DHCP server resides on the network behind the dialup client, the DHCP server must be configured to assign IP addresses that do not match the private network behind the FortiGate dialup server.
• If the DHCP server resides on the network behind the FortiGate dialup server, the DHCP server must be configured to assign IP addresses that do not match the private network behind the FortiGate dialup client.
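The overlap requirements above, and the ambiguous-routing discussion before them, reduce to one rule: whichever side the DHCP server sits on, the DHCP server's local network, the private network behind the dialup server and the pool handed to hosts behind the dialup client must not share address space. The following check is an added example for this section, not Fortinet code; it accepts CIDR prefixes or start-end ranges, works for IPv4 and IPv6, and uses constructed sample address plans rather than addresses from the handbook's topology.

```python
"""Address-plan overlap check for a FortiGate dialup-client VPN (added example).

Every pair of named networks in the plan is tested for overlap, so the plan
can be corrected before the tunnel is brought up and routing becomes
ambiguous. The plans below are constructed samples.
"""
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple


def _to_networks(spec: str):
    """Parse '10.0.0.0/24' or '10.0.0.100-10.0.0.150' into network objects.
    A start-end range is summarised into the minimal set of prefixes."""
    if "-" in spec:
        start_s, end_s = spec.split("-", 1)
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        if end < start:
            raise ValueError(f"range end precedes start: {spec}")
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


def find_overlaps(plan: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return the (name, name) pairs in the plan whose address space overlaps.
    Networks of different IP versions never overlap."""
    parsed = {name: _to_networks(spec) for name, spec in plan.items()}
    return [(a, b)
            for (a, nets_a), (b, nets_b) in combinations(parsed.items(), 2)
            if any(x.overlaps(y) for x in nets_a for y in nets_b)]


# Constructed plan with the DHCP server behind the dialup server: the pool
# handed to hosts behind the dialup client collides with the server's LAN.
BAD_PLAN = {
    "dhcp_server_lan": "10.1.5.0/24",            # where the DHCP server lives
    "server_private_net": "10.1.0.0/24",         # private network behind the dialup server
    "client_dhcp_pool": "10.1.0.100-10.1.0.150", # assigned to hosts behind the dialup client
}

# Same plan with the client pool moved to unused space.
GOOD_PLAN = {**BAD_PLAN, "client_dhcp_pool": "10.1.20.100-10.1.20.150"}

if __name__ == "__main__":
    for name, plan in (("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        clashes = find_overlaps(plan)
        print(f"{name} plan: {clashes if clashes else 'no overlap'}")
```

Run the check against the address spaces of both FortiGate units and the DHCP server's scope whenever one of them changes; an empty result means the traffic destined for the remote network through the tunnel cannot be confused with a local destination.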

Configuring the server to accept FortiGate dialup-client connections
The procedures in this section assume that computers on the private network behind the FortiGate dialup client obtain IP addresses from a local DHCP server. The assigned IP addresses do not match the private network behind the FortiGate dialup server.

In situations where IP-address overlap between the local and remote private networks is likely to occur, FortiGate DHCP relay can be configured on the FortiGate dialup client to relay DHCP requests to a DHCP server behind the FortiGate dialup server. For more information, see To configure DHCP relay on a FortiGate interface on page 1.

Configuring dialup client capability for FortiGate dialup clients involves the following general configuration steps:

• Determine which IP addresses to assign to the private network behind the FortiGate dialup client, and add the IP addresses to the DHCP server behind the FortiGate dialup client. Refer to the software supplier's documentation to configure the DHCP server.
• Configure the FortiGate dialup server. See Configuration overview on page 132.
• Configure the FortiGate dialup client. See Configuration overview on page 132.

Before you begin, optionally reserve a unique identifier (peer ID) for the FortiGate dialup client. The dialup client will supply this value to the FortiGate dialup server for authentication purposes during the IPsec Phase 1 exchange. In addition, the value will enable you to distinguish FortiGate dialup-client connections from FortiClient dialup-client connections. The same value must be specified on the dialup server and on the dialup client.

At the FortiGate dialup server, define the Phase 1 parameters needed to authenticate the FortiGate dialup client and establish a secure connection. See Phase 1 parameters on page 47.

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit Network (full configuration options are only available once you click the Convert To Custom Tunnel button).
3. Enter these settings in particular:

Remote Gateway: Select Dialup User.

Interface: Select the interface through which clients connect to the FortiGate unit.

4. Edit Authentication and enter the following information:

Mode: If you will be assigning an ID to the FortiGate dialup client, select Aggressive.

Peer Options: If you will be assigning an ID to the FortiGate dialup client, set Accept Types to This peer ID and type the identifier that you reserved for the FortiGate dialup client into the adjacent field.

5. Define the Phase 2 parameters needed to create a VPN tunnel with the FortiGate dialup client. See Phase 2 parameters on page 65. Enter these settings in particular:

Name: Enter a name to identify this Phase 2 configuration.

Phase 1: Select the name of the Phase 1 configuration that you defined.


6. Define names for the addresses or address ranges of the private networks that the VPN links. See Defining policy addresses on page 1. Enter these settings in particular:
• Define an address name for the server, host, or network behind the FortiGate dialup server.
• Define an address name for the private network behind the FortiGate dialup client.

7. Define the security policies to permit communications between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies on page 1.

Route-based VPN security policy
Define an ACCEPT security policy to permit communications between hosts on the private network behind the FortiGate dialup client and the private network behind this FortiGate dialup server. Because communication cannot be initiated in the opposite direction, there is only one policy.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Name: Enter an appropriate name for the policy.

Incoming Interface: Select the VPN tunnel (IPsec interface) created in Step 1.

Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.

Source: Select all.

Destination Address: Select all.

Action: Select ACCEPT.

NAT: Disable NAT.

Policy-based VPN security policy
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Name: Enter an appropriate name for the policy.

Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.

Outgoing Interface: Select the FortiGate unit's public interface.

Source: Select the address name that you defined for the private network behind this FortiGate unit.

Destination Address: Select the address name that you defined.

Action: Select IPsec. Under VPN Tunnel, select the name of the Phase 1 configuration that you created in Step "Configuration overview" on page 132 from the drop-down list. Select Allow traffic to be initiated from the remote site.


3. To prevent traffic from the local network from initiating the tunnel after the tunnel has been established, you need to disable the outbound VPN traffic in the CLI:

    config firewall policy
        edit <policy_number>
            set outbound disable
        end

Place the policy in the policy list above any other policies having similar source and destination addresses.

If configuring a route-based policy, configure a default route for VPN traffic on this interface.

Configuring the FortiGate dialup client
At the FortiGate dialup client, define the Phase 1 parameters needed to authenticate the dialup server and establish a secure connection. See Phase 1 parameters on page 47.

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit Network (full configuration options are only available once you click the Convert To Custom Tunnel button).
3. Enter these settings in particular:

Remote Gateway: Select Static IP Address.

IP Address: Type the IP address of the dialup server's public interface.

Interface: Select the interface that connects to the public network.

Mode: Because the FortiGate dialup client has a dynamic IP address, select Aggressive.

Advanced: Select to view the following options.

Local ID: If you defined a peer ID for the dialup client in the FortiGate dialup server configuration, enter the identifier of the dialup client. The value must be identical to the peer ID that you specified previously in the FortiGate dialup server configuration.

4. Edit Authentication and enter the following information:

Mode: Because the FortiGate dialup client has a dynamic IP address, select Aggressive.

5. Edit Phase 1 Proposal and enter the following information:

Local ID: If you defined a peer ID for the dialup client in the FortiGate dialup server configuration, enter the identifier of the dialup client. The value must be identical to the peer ID that you specified previously in the FortiGate dialup server configuration.

6. Define the Phase 2 parameters needed to create a VPN tunnel with the dialup server. See Phase 2 parameters on page 65. Enter these settings in particular:


Name: Enter a name to identify this Phase 2 configuration.

Phase 1: Select the name of the Phase 1 configuration that you defined.

7. Define names for the addresses or address ranges of the private networks that the VPN links. See Defining policy addresses on page 1. Enter these settings in particular:
• Define an address name for the server, host, or network behind the FortiGate dialup server.
• Define an address name for the private network behind the FortiGate dialup client.

8. Define security policies to permit communication between the private networks through the VPN tunnel. Route-based and policy-based VPNs require different security policies. For detailed information about creating security policies, see Defining VPN security policies on page 1.

Route-based VPN security policy
Define an ACCEPT security policy to permit communications between hosts on the private network behind this FortiGate dialup client and the private network behind the FortiGate dialup server. Because communication cannot be initiated in the opposite direction, there is only one policy.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Name: Enter an appropriate name for the policy.

Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.

Outgoing Interface: Select the VPN tunnel (IPsec interface) created in Step 1.

Source: Select all.

Destination Address: Select all.

Action: Select ACCEPT.

NAT: Disable NAT.

Policy-based VPN security policy
Define an IPsec security policy to permit communications between the source and destination addresses.

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter these settings in particular:

Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.

Outgoing Interface: Select the FortiGate unit's public interface.

Source: Select the address name that you defined for the private network behind this FortiGate unit.

Destination Address: Select the address name that you defined for the private network behind the dialup server.

Action: Select IPsec. Under VPN Tunnel, select the name of the Phase 1 configuration that you created in Step "Configuration overview" on page 132 from the drop-down list. Clear Allow traffic to be initiated from the remote site to prevent traffic from the remote network from initiating the tunnel after the tunnel has been established.

Place the policy in the policy list above any other policies having similar source and destination addresses.

Supporting IKE Mode Config clients

IKE Mode Config is an alternative to DHCP over IPsec. A FortiGate unit can be configured as either an IKE Mode Config server or client. This chapter contains the following sections:

IKE Mode Config overview
Automatic configuration overview
IKE Mode Config method

IKE Mode Config overview

Dialup VPN clients connect to a FortiGate unit that acts as a VPN server, providing the client the necessary configuration information to establish a VPN tunnel. The configuration information typically includes a virtual IP address, netmask, and DNS server address.

IKE Mode Config is available only for VPNs that are route-based, also known as interface-based. A FortiGate unit can function as either an IKE Configuration Method server or client. IKE Mode Config is configurable only in the CLI.

Automatic configuration overview

VPN configuration for remote clients is simpler if it is automated. Several protocols support automatic configuration:

• The Fortinet FortiClient Endpoint Security application can completely configure a VPN connection with a suitably configured FortiGate unit given only the FortiGate unit's address. This protocol is exclusive to Fortinet. For more information, see FortiClient dialup-client configurations on page 1.
• DHCP over IPsec can assign an IP address, Domain, DNS and WINS addresses. The user must first configure IPsec parameters such as gateway address, encryption and authentication algorithms.
• IKE Mode Config can configure host IP address, Domain, DNS and WINS addresses. The user must first configure IPsec parameters such as gateway address, encryption and authentication algorithms. Several network equipment vendors support IKE Mode Config, which is described in the ISAKMP Configuration Method document draft-dukes-ike-mode-cfg-02.txt.

This chapter describes how to configure a FortiGate unit as either an IKE Mode Config server or client.

IKE Mode Config method

IKE Mode Config is configured with the CLI command config vpn ipsec phase1-interface. The mode-cfg variable enables IKE Mode Config. The type field determines whether you are creating an IKE Mode Config server or a client. Setting type to dynamic creates a server configuration; otherwise the configuration is a client.


Creating an IKE Mode Config client
If the FortiGate unit will connect as a dialup client to a remote gateway that supports IKE Mode Config, the relevant vpn ipsec phase1-interface variables are as follows:

Variable: Description

ike-version 1: IKEv1 is the default for FortiGate IPsec VPNs. IKE Mode Config is also compatible with IKEv2 (RFC 4306). Use syntax ike-version 2.

mode-cfg enable: Enable IKE Mode Config.

type {ddns | static}: If you set type to dynamic, an IKE Mode Config server is created.

assign-ip {enable | disable}: Enable to request an IP address from the server.

interface <interface_name>: This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.

proposal <encryption_combination>: This is a regular IPsec VPN field that determines the encryption and authentication settings that the client will accept. For more information, see Phase 1 parameters on page 47.

ip-version <4 | 6>: This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing.

For a complete list of available variables, see the CLI Reference.

IKE Mode Config client example - CLI

In this example, the FortiGate unit connects to a VPN gateway with a static IP address that can be reached through Port 1. Only the port, gateway and proposal information needs to be configured. All other configuration information will come from the IKE Mode Config server.

    config vpn ipsec phase1-interface
        edit vpn1
            set ip-version 4
            set type static
            set remote-gw <gw_address>
            set interface port1
            set proposal 3des-sha1 aes128-sha1
            set mode-cfg enable
            set assign-ip enable
        end


Creating an IKE Mode Config server
If the FortiGate unit will accept connection requests from dialup clients that support IKE Mode Config, the following vpn ipsec phase1-interface settings are required before any other configuration is attempted:

Variable: Description

ike-version 1: IKEv1 is the default for FortiGate IPsec VPNs. IKE Mode Config is also compatible with IKEv2 (RFC 4306). Use syntax ike-version 2.

mode-cfg enable: Enable IKE Mode Config.

type dynamic: Any other setting creates an IKE Mode Config client.

interface <interface_name>: This is a regular IPsec VPN field. Specify the physical, aggregate, or VLAN interface to which the IPsec tunnel will be bound.

proposal <encryption_combination>: This is a regular IPsec VPN field that determines the encryption and authentication settings that the server will accept. For more information, see Phase 1 parameters on page 47.

ip-version <4 | 6>: This is a regular IPsec VPN field. By default, IPsec VPNs use IPv4 addressing. You can set ip-version to 6 to create a VPN with IPv6 addressing.

IKE Mode Config server example - CLI

In this example, the FortiGate unit assigns IKE Mode Config clients addresses in the range of 10.11.101.160 through 10.11.101.180. DNS and WINS server addresses are also provided. The public interface of the FortiGate unit is Port 1.

When IKE Mode Configuration is enabled, multiple server IPs can be defined in IPsec Phase 1.

The ipv4-split-include variable specifies a firewall address that represents the networks to which the clients will have access. This destination IP address information is sent to the clients.

Only the CLI fields required for IKE Mode Config are shown here. For detailed information about these variables, see the FortiGate CLI Reference.

    config vpn ipsec phase1-interface
        edit "vpn-p1"
            set type dynamic
            set interface "wan1"
            set xauthtype auto
            set mode aggressive
            set mode-cfg enable
            set proposal 3des-sha1 aes128-sha1
            set dpd disable
            set dhgrp 2
            set xauthexpire on-rekey
            set authusrgrp "FG-Group1"
            set ipv4-start-ip 10.10.10.10
            set ipv4-end-ip 10.10.10.20
            set ipv4-dns-server1 1.1.1.1
            set ipv4-dns-server2 2.2.2.2
            set ipv4-dns-server3 3.3.3.3
            set ipv4-wins-server1 4.4.4.4
            set ipv4-wins-server2 5.5.5.5
            set domain "fgt1c-domain"
            set banner "fgt111C-banner"
            set backup-gateway "100.100.100.1" "host1.com" "host2"
            set ipv4-split-include OfficeLAN
        end

IP address assignment
After you have enabled the basic configuration, you can configure IP address assignment for clients, as well as DNS and WINS server assignment. Usually you will want to assign IP addresses to clients.

The simplest method to assign IP addresses to clients is to assign addresses from a specific range, similar to a DHCP server.

If your clients are authenticated by a RADIUS server, you can obtain the user's IP address assignment from the Framed-IP-Address attribute. The user must be authenticated using XAuth.

IKE Mode Config can also use a remote DHCP server to assign the client IP addresses. Up to eight addresses can be selected for either IPv4 or IPv6. After the DHCP proxy has been configured, the assign-ip-from command is used to assign IP addresses via DHCP.

Assigning IP addresses from an address range - CLI

If your VPN uses IPv4 addresses:

    config vpn ipsec phase1-interface
        edit vpn1
            set mode-cfg-ipversion 4
            set assign-ip enable
            set assign-ip-type ip
            set assign-ip-from range
            set ipv4-start-ip <range_start>
            set ipv4-end-ip <range_end>
            set ipv4-netmask <netmask>
        end

If your VPN uses IPv6 addresses:

    config vpn ipsec phase1-interface
        edit vpn1
            set mode-cfg-ipversion 6
            set assign-ip enable
            set assign-ip-type ip
            set assign-ip-from range
            set ipv6-start-ip <range_start>
            set ipv6-end-ip <range_end>
        end


Assigning IP addresses from a RADIUS server - CLI

The users must be authenticated by a RADIUS server and assigned to the FortiGate user group <grpname>. Since the IP address will not be static, type is set to dynamic, and mode-cfg is enabled. This is IKE Configuration Method, so that compatible clients can configure themselves with settings that the FortiGate unit provides.

    config vpn ipsec phase1-interface
        edit vpn1
            set type dynamic
            set mode-cfg enable
            set assign-ip enable
            set assign-ip-from usrgrp
            set xauthtype auto
            set authusrgrp <grpname>
        end

Assigning IP addresses from DHCP - CLI

The DHCP proxy must first be enabled for IKE Mode Config to use DHCP to assign the VPN client IP address(es).

    config system settings
        set dhcp-proxy enable
        set dhcp-server-ip <ipv4_address>
        set dhcp6-server-ip <ipv6_address>
    end

Up to eight server addresses can be configured.

    config vpn ipsec phase1-interface
        edit vpn1
            set mode-cfg enable
            set assign-ip-from dhcp
        next
    end

Certificate groups
IKE certificate groups consisting of up to four RSA certificates can be used in IKE Phase 1. Since CA and local certificates are global, the IKE daemon loads them once for all VDOMs and indexes them into trees based on subject and public key hash (for CA certificates), or certificate name (for local certificates). Certificates are linked together based on the issuer, and certificate chains are built by traversing these links. This reduces the need to keep multiple copies of certificates that could exist in multiple chains.

IKE certificate groups can be configured through the CLI.
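The indexing and chain-building approach described above (one copy of each certificate, indexed by subject and key hash, with chains built by following issuer links) can be illustrated with a small store. The following is an added example for this section, not the IKE daemon's code: the CertRecord type and the sample records (subject, issuer and key identifiers only, with no real certificates or signatures) are constructed for illustration, and a missing issuer or a loop in the issuer links is reported rather than followed forever.

```python
"""Certificate chain building by issuer links (added example).

Models the store described in the text: every certificate is indexed once by
(subject, key hash); chains are built on demand by walking issuer links up to
a self-signed root, so an intermediate CA shared by many peers is held once.
The records below are constructed stand-ins, not real certificates.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CertRecord:
    name: str                 # local certificate name
    subject: str
    issuer: str
    key_id: str               # stand-in for the public key hash
    authority_key_id: str     # key hash of the issuing certificate

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.authority_key_id


class CertStore:
    """Index every certificate once and build chains by traversal."""

    def __init__(self, certs: List[CertRecord]):
        self.by_key: Dict[Tuple[str, str], CertRecord] = {}
        self.by_name: Dict[str, CertRecord] = {}
        for cert in certs:
            key = (cert.subject, cert.key_id)
            if key in self.by_key:
                raise ValueError(f"duplicate certificate {key}")
            self.by_key[key] = cert
            self.by_name[cert.name] = cert

    def build_chain(self, name: str, max_depth: int = 8) -> List[CertRecord]:
        """Follow issuer links from the named certificate up to a self-signed root."""
        cert = self.by_name[name]
        chain = [cert]
        seen = {(cert.subject, cert.key_id)}
        while not cert.is_self_signed():
            issuer_key = (cert.issuer, cert.authority_key_id)
            issuer = self.by_key.get(issuer_key)
            if issuer is None:
                raise LookupError(f"issuer of {cert.name} ({cert.issuer}) is not loaded")
            if issuer_key in seen or len(chain) >= max_depth:
                raise ValueError(f"chain for {name} loops or exceeds {max_depth} links")
            chain.append(issuer)
            seen.add(issuer_key)
            cert = issuer
        return chain


def chain_names(store: CertStore, name: str) -> Optional[List[str]]:
    """Chain as a list of certificate names, or None when it cannot be completed."""
    try:
        return [c.name for c in store.build_chain(name)]
    except (LookupError, ValueError):
        return None


# Constructed store: a root, one intermediate shared by two peers, and a peer
# whose issuer was never loaded.
SAMPLE_CERTS = [
    CertRecord("corp-root-ca", "CN=Corp Root CA", "CN=Corp Root CA", "k-root", "k-root"),
    CertRecord("corp-vpn-ca", "CN=Corp VPN CA", "CN=Corp Root CA", "k-vpn", "k-root"),
    CertRecord("fgt-branch1", "CN=fgt-branch1", "CN=Corp VPN CA", "k-b1", "k-vpn"),
    CertRecord("fgt-branch2", "CN=fgt-branch2", "CN=Corp VPN CA", "k-b2", "k-vpn"),
    CertRecord("legacy-peer", "CN=legacy-peer", "CN=Old CA", "k-old1", "k-old"),
]
STORE = CertStore(SAMPLE_CERTS)

if __name__ == "__main__":
    for peer in ("fgt-branch1", "fgt-branch2", "legacy-peer"):
        print(peer, "->", chain_names(STORE, peer) or "chain incomplete")
```

Both branch chains pass through the same stored intermediate object, which is the saving the text describes; the peer whose issuer is absent fails to chain, which is the condition to look for when a dialup peer's certificate is rejected during Phase 1.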

Configuring the IKE local ID - CLI

    config vpn certificate local
        edit <name>
            set ike-localid <string>
            set ike-localid-type {asn1dn | fqdn}
        end

Internet-browsing configuration

This section explains how to support secure web browsing performed by dialup VPN clients, and/or hosts behind a remote VPN peer. Remote users can access the private network behind the local FortiGate unit and browse the Internet securely. All traffic generated remotely is subject to the security policy that controls traffic on the private network behind the local FortiGate unit.

The following topics are included in this section:

Configuration overview
Routing all remote traffic through the VPN tunnel

Configuration overview

A VPN provides secure access to a private network behind the FortiGate unit. You can also enable VPN clients to access the Internet securely. The FortiGate unit inspects and processes all traffic between the VPN clients and hosts on the Internet according to the Internet browsing policy. This is accomplished even though the same FortiGate interface is used for both encrypted VPN client traffic and unencrypted Internet traffic.

In the figure below, FortiGate_1 enables secure Internet browsing for FortiClient Endpoint Security users such as Dialup_1 and users on the Site_2 network behind FortiGate_2, which could be a VPN peer or a dialup client.

Example Internet-browsing configuration


You can adapt any of the following configurations to provide secure Internet browsing:

- A gateway-to-gateway configuration (see Gateway-to-gateway configurations)
- A FortiClient dialup-client configuration (see FortiClient dialup-client configurations)
- A FortiGate dialup-client configuration (see FortiGate dialup-client configurations)

The procedures in this section assume that one of these configurations is in place, and that it is operating properly.

To create an Internet-browsing configuration based on an existing gateway-to-gateway configuration, you must edit the gateway-to-gateway configuration as follows:

- On the FortiGate unit that will provide Internet access, create an Internet browsing security policy. See Configuration overview on page 145, below.
- Configure the remote peer or client to route all traffic through the VPN tunnel. You can do this on a FortiGate unit or on a FortiClient Endpoint Security application. See Configuration overview on page 145.

Creating an Internet browsing security policy

On the FortiGate unit that acts as a VPN server and will provide secure access to the Internet, you must create an Internet browsing security policy. This policy differs depending on whether your gateway-to-gateway configuration is policy-based or route-based.

Creating an Internet browsing policy - policy-based VPN

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information and then select OK:

Name: Enter an appropriate name for the policy.
Incoming Interface: The interface to which the VPN tunnel is bound.
Outgoing Interface: The interface to which the VPN tunnel is bound.
Source: The internal range address of the remote spoke site.
Destination Address: all
Action: Select IPsec. Under VPN Tunnel, select the tunnel that provides access to the private network behind the FortiGate unit. Select Allow traffic to be initiated from the remote site.
NAT: Enable NAT.

Creating an Internet browsing policy - route-based VPN

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Enter the following information and then select OK:

Name: Enter an appropriate name for the policy.
Incoming Interface: The IPsec VPN interface.
Outgoing Interface: The interface that connects to the Internet. The virtual IPsec interface is configured on this physical interface.
Source: The internal range address of the remote spoke site.
Destination Address: all
Action: ACCEPT
NAT: Enable NAT.

The VPN clients must be configured to route all Internet traffic through the VPN tunnel.

Routing all remote traffic through the VPN tunnel

To make use of the Internet browsing configuration on the VPN server, the VPN peer or client must route all traffic through the VPN tunnel. Usually, only the traffic destined for the private network behind the FortiGate VPN server is sent through the tunnel.

The remote end of the VPN can be a FortiGate unit that acts as a peer in a gateway-to-gateway configuration, or a FortiClient application that protects an individual client PC.

- To configure a remote peer FortiGate unit for Internet browsing via VPN, see Configuring a FortiGate remote peer to support Internet browsing on page 147.
- To configure a FortiClient Endpoint Security application for Internet browsing via VPN, see Configuring a FortiClient application to support Internet browsing on page 148.

These procedures assume that your VPN connection to the protected private network is working and that you have configured the FortiGate VPN server for Internet browsing as described in Configuration overview on page 145.

Configuring a FortiGate remote peer to support Internet browsing

The configuration changes to send all traffic through the VPN differ for policy-based and route-based VPNs.

Routing all traffic through a policy-based VPN

1. At the FortiGate dialup client, go to Policy & Objects > IPv4 Policy.
2. Select the IPsec security policy and then select Edit.
3. From the Destination Address list, select all.
4. Select OK.

All packets are routed through the VPN tunnel, not just those destined for the protected private network.

Routing all traffic through a route-based VPN

1. At the FortiGate dialup client, go to Network > Static Routes.
2. Select the default route (destination IP 0.0.0.0) and then select Edit. If there is no default route, select Create New. Enter the following information and select OK:

Destination IP/Mask: Set to Subnet and enter 0.0.0.0/0.0.0.0 in the field provided.
Device: Select the IPsec virtual interface.
Administrative Distance: Leave at default.

All packets are routed through the VPN tunnel, not just packets destined for the protected private network.

Configuring a FortiClient application to support Internet browsing

By default, the FortiClient application configures the PC so that traffic destined for the remote protected network passes through the VPN tunnel but all other traffic is sent to the default gateway. You need to modify the FortiClient settings so that it configures the PC to route all outbound traffic through the VPN.

Routing all traffic through VPN - FortiClient application

1. At the remote host, start FortiClient.
2. Go to Remote Access.
3. Select the definition that connects FortiClient to the FortiGate dialup server, select the Settings icon, and select Edit the selected connection.
4. In the Edit VPN Connection dialog box, select Advanced Settings.
5. In the Remote Network group, select Add.
6. In the IP and Subnet Mask fields, type 0.0.0.0/0.0.0.0 and select OK.
   The address is added to the Remote Network list. The first destination IP address in the list establishes a VPN tunnel. The second destination address (0.0.0.0/0.0.0.0 in this case) forces all other traffic through the VPN tunnel.
7. Select OK.

Redundant VPN configurations

This section discusses the options for supporting redundant and partially redundant IPsec VPNs, using route-based approaches.

The following topics are included in this section:

Configuration overview

Configuration overview

A FortiGate unit with two interfaces connected to the Internet can be configured to support redundant VPNs to the same remote peer. If the primary connection fails, the FortiGate unit can establish a VPN using the other connection.

Redundant tunnels do not support Tunnel Mode or manual keys. You must use Interface Mode.

A fully-redundant configuration requires redundant connections to the Internet on both peers. The figure below shows an example of this. This is useful to create a reliable connection between two FortiGate units with static IP addresses.

When only one peer has redundant connections, the configuration is partially-redundant. For an example of this, see Configuration overview on page 149. This is useful to provide reliable service from a FortiGate unit with static IP addresses that accepts connections from dialup IPsec VPN clients.

In a fully-redundant VPN configuration with two interfaces on each peer, four distinct paths are possible for VPN traffic from end to end. Each interface on a peer can communicate with both interfaces on the other peer. This ensures that a VPN will be available as long as each peer has one working connection to the Internet.

You configure a VPN and an entry in the routing table for each of the four paths. All of these VPNs are ready to carry data. You set different routing distances for each route and only the shortest distance route is used. If this route fails, the route with the next shortest distance is used.

The redundant configurations described in this chapter use route-based VPNs, otherwise known as virtual IPsec interfaces. This means that the FortiGate unit must operate in NAT mode. You must use auto-keying. A VPN that is created using manual keys cannot be included in a redundant-tunnel configuration.

The configuration described here assumes that your redundant VPNs are essentially equal in cost and capability. When the original VPN returns to service, traffic continues to use the replacement VPN until the replacement VPN fails. If your redundant VPN uses more expensive facilities, you want to use it only as a backup while the main VPN is down. For information on how to do this, see Configuration overview on page 149.


Example redundant-tunnel configuration

A VPN that is created using manual keys cannot be included in a redundant-tunnel configuration.

General configuration steps

A redundant configuration at each VPN peer includes:

- One Phase 1 configuration (virtual IPsec interface) for each path between the two peers. In a fully-meshed redundant configuration, each network interface on one peer can communicate with each network interface on the remote peer. If both peers have two public interfaces, this means that each peer has four paths, for example.
- One Phase 2 definition for each Phase 1 configuration.
- One static route for each IPsec interface, with different distance values to prioritize the routes.
- Two Accept security policies per IPsec interface, one for each direction of traffic.
- Dead peer detection enabled in each Phase 1 definition.

The procedures in this section assume that two separate interfaces to the Internet are available on each VPN peer.


Configuring the VPN peers - route-based VPN

VPN peers are configured using Interface Mode for redundant tunnels.

Configure each VPN peer as follows:

1. Ensure that the interfaces used in the VPN have static IP addresses.
2. Create a Phase 1 configuration for each of the paths between the peers.
3. Enable dead peer detection so that one of the other paths is activated if this path fails.
4. Enter these settings in particular, and any other VPN settings as required:

Path 1
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the primary interface of the remote peer.
Local Interface: Select the primary public interface of this peer.
Dead Peer Detection: Enable

Path 2
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the secondary interface of the remote peer.
Local Interface: Select the primary public interface of this peer.
Dead Peer Detection: Enable

Path 3
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the primary interface of the remote peer.
Local Interface: Select the secondary public interface of this peer.
Dead Peer Detection: Enable

Path 4
Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the secondary interface of the remote peer.
Local Interface: Select the secondary public interface of this peer.
Dead Peer Detection: Enable

For more information, see Phase 1 parameters on page 47.


5. Create a Phase 2 definition for each path. See Phase 2 parameters on page 65. Select the Phase 1 configuration (virtual IPsec interface) that you defined for this path. You can select the name from the Static IP Address part of the list.
6. Create a route for each path to the other peer. If there are two ports on each peer, there are four possible paths between the peer devices.

Destination IP/Mask: The IP address and netmask of the private network behind the remote peer.
Device: One of the virtual IPsec interfaces on the local peer.
Distance: For each path, enter a different value to prioritize the paths.

7. Define the security policy for the local primary interface. See Defining VPN security policies. You need to create two policies for each path to enable communication in both directions. Enter these settings in particular:

Incoming Interface: Select the local interface to the internal (private) network.
Source Address: All
Outgoing Interface: Select one of the virtual IPsec interfaces you created in Step 2.
Destination Address: All
Schedule: Always
Service: Any
Action: ACCEPT

8. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:

Incoming Interface: Select one of the virtual IPsec interfaces you created in Step 2.
Source Address: All
Outgoing Interface: Select the local interface to the internal (private) network.
Destination Address: All
Schedule: Always
Service: Any
Action: ACCEPT

9. Place the policy in the policy list above any other policies having similar source and destination addresses.
10. Repeat this procedure at the remote FortiGate unit.
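The four-path procedure above, as an added Python example that is not part of the Fortinet handbook: it enumerates the local-interface/remote-gateway combinations, assigns each path a distinct route distance, emits the CLI for one peer and models the distance-based route selection that the text describes. The interface names, the RFC 5737 remote addresses and the PSK placeholder are constructed; the CLI keywords are the ones this chapter uses.

```python
from itertools import product

def redundant_paths(local_ifaces, remote_gws, step=10):
    """Pair every local public interface with every remote gateway address.
    Each path gets its own distance so only one route is active at a time."""
    paths = []
    for n, (iface, gw) in enumerate(product(local_ifaces, remote_gws), start=1):
        paths.append({"name": f"path{n}", "interface": iface,
                      "remote_gw": gw, "distance": step * n})
    return paths

def render_config(paths, remote_lan, lan_iface, psk="<PSK-PLACEHOLDER>"):
    """FortiOS CLI for one peer: a Phase 1 and Phase 2 per path, one static route
    per IPsec interface (distinct distances) and two accept policies per interface."""
    lines = ["config vpn ipsec phase1-interface"]
    for p in paths:
        lines += [f"    edit {p['name']}", "        set type static",
                  f"        set interface {p['interface']}",
                  f"        set remote-gw {p['remote_gw']}",
                  "        set dpd on-idle",              # failover relies on DPD
                  f"        set psksecret {psk}", "    next"]
    lines += ["end", "config vpn ipsec phase2-interface"]
    for p in paths:
        lines += [f"    edit {p['name']}-p2", f"        set phase1name {p['name']}", "    next"]
    lines += ["end", "config router static"]
    for n, p in enumerate(paths, start=1):
        lines += [f"    edit {n}", f"        set dst {remote_lan}",
                  f"        set device {p['name']}",
                  f"        set distance {p['distance']}", "    next"]
    lines += ["end", "config firewall policy"]
    n = 0
    for p in paths:  # LAN -> tunnel and tunnel -> LAN, as steps 7 and 8 require
        for src, dst in ((lan_iface, p["name"]), (p["name"], lan_iface)):
            n += 1
            lines += [f"    edit {n}", f"        set srcintf {src}",
                      f"        set dstintf {dst}", "        set srcaddr all",
                      "        set dstaddr all", "        set action accept",
                      "        set schedule always", "        set service ALL", "    next"]
    lines.append("end")
    return "\n".join(lines)

def active_route(paths, tunnel_up):
    """Route selection as the text describes: of the routes whose tunnel is up,
    the lowest distance carries traffic; when it fails the next-lowest takes over."""
    live = [p for p in paths if tunnel_up.get(p["name"], False)]
    return min(live, key=lambda p: p["distance"])["name"] if live else None

if __name__ == "__main__":
    # Constructed sample: this peer reaches the Internet on port1 and port2; the
    # remote peer's two public addresses are documentation (RFC 5737) addresses.
    paths = redundant_paths(["port1", "port2"], ["203.0.113.1", "203.0.113.2"])
    print(render_config(paths, remote_lan="10.20.0.0/24", lan_iface="port3"))
    print(active_route(paths, {"path1": True, "path2": True, "path3": True, "path4": True}))
    print(active_route(paths, {"path1": False, "path2": True, "path3": True, "path4": True}))
```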


Creating a backup IPsec interface

You can configure a route-based VPN that acts as a backup facility to another VPN. It is used only while your main VPN is out of service. This is desirable when the redundant VPN uses a more expensive facility.

You can configure a backup IPsec interface only in the CLI. The backup feature works only on interfaces with static addresses that have dead peer detection enabled. The monitor option creates a backup VPN for the specified Phase 1 configuration.

In the following example, backup_vpn is a backup for main_vpn.

    config vpn ipsec phase1-interface
        edit main_vpn
            set dpd on-idle
            set interface port1
            set nattraversal enable
            set psksecret "hard-to-guess"
            set remote-gw 192.168.10.8
            set type static
        next
        edit backup_vpn
            set dpd on-idle
            set interface port2
            set monitor main_vpn
            set nattraversal enable
            set psksecret "hard-to-guess"
            set remote-gw 192.168.10.8
            set type static
        next
    end

Transparent mode VPNs

This section describes transparent VPN configurations, in which two FortiGate units create a VPN tunnel between two separate private networks transparently.

The following topics are included in this section:

Configuration overview

Configuration overview

In transparent mode, all interfaces of the FortiGate unit except the management interface (which by default is assigned IP address 10.10.10.1/255.255.255.0) are invisible at the network layer. Typically, when a FortiGate unit runs in transparent mode, different network segments are connected to the FortiGate interfaces. The figure below shows the management station on the same subnet. The management station can connect to the FortiGate unit directly through the web-based manager.

Management station on internal network

An edge router typically provides a public connection to the Internet and one interface of the FortiGate unit is connected to the router. If the FortiGate unit is managed from an external address (see the figure below), the router must translate (NAT) a routable address to direct management traffic to the FortiGate management interface.

Management station on external network

In a transparent VPN configuration, two FortiGate units create a VPN tunnel between two separate private networks transparently. All traffic between the two networks is encrypted and protected by FortiGate security policies.

Both FortiGate units may be running in transparent mode, or one could be running in transparent mode and the other running in NAT mode. If the remote peer is running in NAT mode, it must have a static public IP address.

VPNs between two FortiGate units running in transparent mode do not support inbound/outbound NAT (supported through CLI commands) within the tunnel. In addition, a FortiGate unit running in transparent mode cannot be used in a hub-and-spoke configuration.

Encrypted packets from the remote VPN peer are addressed to the management interface of the local FortiGate unit. If the local FortiGate unit can reach the VPN peer locally, a static route to the VPN peer must be added to the routing table on the local FortiGate unit. If the VPN peer connects through the Internet, encrypted packets from the local FortiGate unit must be routed to the edge router instead. For information about how to add a static route to the FortiGate routing table, see the Advanced Routing Guide.

In the example configuration shown above, Network Address Translation (NAT) is enabled on the router. When an encrypted packet from the remote VPN peer arrives at the router through the Internet, the router performs inbound NAT and forwards the packet to the FortiGate unit. Refer to the software supplier's documentation to configure the router.

If you want to configure a VPN between two FortiGate units running in transparent mode, each unit must have an independent connection to a router that acts as a gateway to the Internet, and both units must be on separate networks that have a different address space. When the two networks linked by the VPN tunnel have different address spaces (see the figure below), at least one router must separate the two FortiGate units, unless the packets can be redirected using ICMP (as shown in the following figure).

Link between two FortiGate units in transparent mode

In the figure below, interface C behind the router is the default gateway for both FortiGate units. Packets that cannot be delivered on Network_1 are routed to interface C by default. Similarly, packets that cannot be delivered on Network_2 are routed to interface C. In this case, the router must be configured to redirect packets destined for Network_1 to interface A and redirect packets destined for Network_2 to interface B.


ICMP redirecting packets to two FortiGate units in transparent mode

If there are additional routers behind the FortiGate unit (see the figure below) and the destination IP address of an inbound packet is on a network behind one of those routers, the FortiGate routing table must include routes to those networks. For example, in the following figure, the FortiGate unit must be configured with static routes to interfaces A and B in order to forward packets to Network_1 and Network_2 respectively.

Destinations on remote networks behind internal routers

Transparent VPN infrastructure requirements

- The local FortiGate unit must be operating in transparent mode.
- The management IP address of the local FortiGate unit specifies the local VPN gateway. The management IP address is considered a static IP address for the local VPN peer.
- If the local FortiGate unit is managed through the Internet, or if the VPN peer connects through the Internet, the edge router must be configured to perform inbound NAT and forward management traffic and/or encrypted packets to the FortiGate unit.
- If the remote peer is operating in NAT mode, it must have a static public IP address.


A FortiGate unit operating in transparent mode requires the following basic configuration to operate as a node on the IP network:

- The unit must have sufficient routing information to reach the management station.
- For any traffic to reach external destinations, a default static route to an edge router that forwards packets to the Internet must be present in the FortiGate routing table.
- When all of the destinations are located on the external network, the FortiGate unit may route packets using a single default static route. If the network topology is more complex, one or more static routes in addition to the default static route may be required in the FortiGate routing table.

Only policy-based VPN configurations are possible in transparent mode.

Before you begin

An IPsec VPN definition links a gateway with a tunnel and an IPsec policy. If your network topology includes more than one virtual domain, you must choose components that were created in the same virtual domain. Therefore, before you define a transparent VPN configuration, choose an appropriate virtual domain in which to create the required interfaces, security policies, and VPN components. For more information, see the Virtual Domains guide.

Configuring the VPN peers

1. The local VPN peer needs to operate in transparent mode.
   To determine if your FortiGate unit is in transparent mode, go to the Dashboard > System Information widget. Select [change]. Select transparent for the Operation Mode. Two new fields will appear to enter the Management IP/Netmask and the Default Gateway.
   In transparent mode, the FortiGate unit is invisible to the network. All of its interfaces are on the same subnet and share the same IP address. You only have to configure a management IP address so that you can make configuration changes.
   The remote VPN peer may operate in NAT mode or transparent mode.
2. At the local FortiGate unit, define the Phase 1 parameters needed to establish a secure connection with the remote peer. See Phase 1 parameters on page 47. Select Advanced and enter these settings in particular:

Remote Gateway: Select Static IP Address.
IP Address: Type the IP address of the public interface to the remote peer. If the remote peer is a FortiGate unit running in transparent mode, type the IP address of the remote management interface.
Advanced: Select Nat-traversal, and type a value into the Keepalive Frequency field. These settings protect the headers of encrypted packets from being altered by external NAT devices and ensure that NAT address mappings do not change while the VPN tunnel is open. For more information, see Phase 1 parameters on page 47.

3. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. See Phase 2 parameters on page 65. Select the set of Phase 1 parameters that you defined for the remote peer. The name of the remote peer can be selected from the Static IP Address list.
4. Define the source and destination addresses of the IP packets that are to be transported through the VPN tunnel. See Defining VPN security policies. Enter these settings in particular:

- For the originating address (source address), enter the IP address and netmask of the private network behind the local peer (for the management interface, for example, 10.10.10.0/24). This address needs to be a range to allow traffic from your network through the tunnel. Optionally select any for this address.
- For the remote address (destination address), enter the IP address and netmask of the private network behind the remote peer (for example, 192.168.10.0/24). If the remote peer is a FortiGate unit running in transparent mode, enter the IP address of the remote management interface instead.

5. Define an IPsec security policy to permit communications between the source and destination addresses. See Defining VPN security policies. Enter these settings in particular:

Incoming Interface: Select the local interface to the internal (private) network.
Source Address: Select the source address that you defined in Step 4.
Outgoing Interface: Select the interface to the edge router. When you configure the IPsec security policy on a remote peer that operates in NAT mode, you select the public interface to the external (public) network instead.
Destination Address: Select the destination address that you defined in Step 4.
VPN Tunnel: Select Use Existing and select the name of the Phase 2 tunnel configuration that you created in Step 3 from the drop-down list. Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

6. Place the policy in the policy list above any other policies having similar source and destination addresses.
7. Define another IPsec security policy to permit communications between the source and destination addresses in the opposite direction. This security policy and the previous one form a bi-directional policy pair. See Defining VPN security policies. Enter these settings in particular:

Incoming Interface: Select the interface to the edge router. When you configure the IPsec security policy on a remote peer that operates in NAT mode, you select the public interface to the external (public) network instead.
Source Address: Select the destination address that you defined in Step 4.
Outgoing Interface: Select the local interface to the internal (private) network.
Destination Address: Select the source address that you defined in Step 4.
VPN Tunnel: Select Use Existing and select the name of the Phase 2 tunnel configuration that you created in Step 3 from the drop-down list. Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

8. Repeat this procedure at the remote FortiGate unit to create bidirectional security policies. Use the local interface and address information local to the remote FortiGate unit.

For more information on transparent mode, see the System Administration Guide.

IPv6 IPsec VPNs

This chapter describes how to configure your FortiGate unit's IPv6 IPsec VPN functionality.

By default, IPv6 configurations do not appear on the Web-based Manager. You need to enable the feature first.

To enable IPv6

1. Go to System > Feature Select.
2. Enable IPv6.
3. Select Apply.

The following topics are included in this section:

Configuration examples

IPv6 IPsec support

FortiOS supports route-based IPv6 IPsec, but not policy-based. This section describes how IPv6 IPsec support differs from IPv4 IPsec support. FortiOS 4.0 MR3 is IPv6 Ready Logo Program Phase 2 certified.

Where both the gateways and the protected networks use IPv6 addresses, sometimes called IPv6 over IPv6, you can create either an auto-keyed or manually-keyed VPN. You can combine IPv6 and IPv4 addressing in an auto-keyed VPN in the following ways:

IPv4 over IPv6: The VPN gateways have IPv6 addresses. The protected networks have IPv4 addresses. The Phase 2 configurations at either end use IPv4 selectors.
IPv6 over IPv4: The VPN gateways have IPv4 addresses. The protected networks use IPv6 addresses. The Phase 2 configurations at either end use IPv6 selectors.

Compared with IPv4 IPsec VPN functionality, there are some limitations:

- Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
- Selectors cannot be firewall address names. Only IP address, address range and subnet are supported.
- Redundant IPv6 tunnels are not supported.

Certificates

On a VPN with an IPv6 Phase 1 configuration, you can authenticate using VPN certificates in which the common name (cn) is an IPv6 address. The cn-type keyword of the user peer command has an option, ipv6, to support this.


Configuration examples

This section consists of the following configuration examples:

- Site-to-site IPv6 over IPv6 VPN example
- Site-to-site IPv6 over IPv4 VPN example
- Site-to-site IPv4 over IPv6 VPN example

Site-to-site IPv6 over IPv6 VPN example

In this example, computers on IPv6-addressed private networks communicate securely over public IPv6 infrastructure.

Example IPv6-over-IPv6 VPN topology


Configure FortiGate A interfaces

Port2 connects to the public network and port3 connects to the local network.

    config system interface
        edit port2
            config ipv6
                set ip6-address fec0::0001:209:0fff:fe83:25f2/64
            end
        next
        edit port3
            config ipv6
                set ip6-address fec0::0000:209:0fff:fe83:25f3/64
            end
        next
    end

Configure FortiGate A IPsec settings

The Phase 1 configuration creates a virtual IPsec interface on port2 and sets the remote gateway to the public IP address of FortiGate B. This configuration is the same as for an IPv4 route-based VPN, except that ip-version is set to 6 and the remote-gw6 keyword is used to specify an IPv6 remote gateway address.

    config vpn ipsec phase1-interface
        edit toB
            set ip-version 6
            set interface port2
            set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7
            set dpd [disable | on-idle | on-demand]
            set psksecret maryhadalittlelamb
            set proposal 3des-md5 3des-sha1
        end

By default, Phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.

    config vpn ipsec phase2-interface
        edit toB2
            set phase1name toB
            set proposal 3des-md5 3des-sha1
            set pfs enable
            set replay enable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        end

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. The address all6 must be defined using the firewall address6 command as ::/0.
    config firewall policy6
        edit 1
            set srcintf port3
            set dstintf toB
            set srcaddr all6
            set dstaddr all6
            set action accept
            set service ANY
            set schedule always
        next
        edit 2
            set srcintf toB
            set dstintf port3
            set srcaddr all6
            set dstaddr all6
            set action accept
            set service ANY
            set schedule always
        end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB. A default route sends all IPv6 traffic out on port2.

    config router static6
        edit 1
            set device port2
            set dst 0::/0
        next
        edit 2
            set device toB
            set dst fec0:0000:0000:0004::/64
        end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IP address of FortiGate A. Security policies enable traffic to pass between the private network and the IPsec interface. Routing ensures traffic for the private network behind FortiGate A goes through the VPN and that all IPv6 packets are routed to the public network.

    config system interface
        edit port2
            config ipv6
                set ip6-address fec0::0003:209:0fff:fe83:25c7/64
            end
        next
        edit port3
            config ipv6
                set ip6-address fec0::0004:209:0fff:fe83:2569/64
            end
        next
    end
    config vpn ipsec phase1-interface
        edit toA
            set ip-version 6
            set interface port2
            set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2
            set dpd [disable | on-idle | on-demand]
            set psksecret maryhadalittlelamb
            set proposal 3des-md5 3des-sha1
        end
    config vpn ipsec phase2-interface
        edit toA2
            set phase1name toA
            set proposal 3des-md5 3des-sha1
            set pfs enable
            set replay enable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        end
    config firewall policy6
        edit 1
            set srcintf port3
            set dstintf toA
            set srcaddr all6
            set dstaddr all6
            set action accept
            set service ANY
            set schedule always
        next
        edit 2
            set srcintf toA
            set dstintf port3
            set srcaddr all6
            set dstaddr all6
            set action accept
            set service ANY
            set schedule always
        end
    config router static6
        edit 1
            set device port2
            set dst 0::/0
        next
        edit 2
            set device toA
            set dst fec0:0000:0000:0000::/64
        end
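The two peers of this IPv6-over-IPv6 example must agree with each other, which the handbook leaves to the reader. As an added example (not Fortinet code), the following Python parses FortiOS CLI text into nested dicts and cross-checks both peers: each remote-gw6 must be the address on the other peer's Phase 1 interface, the Phase 1 proposal lists must overlap, and the static6 route via the IPsec interface must cover the other peer's LAN prefix. The embedded configs reuse the addresses above; it is assumed that port2 is the public interface and port3 the LAN on both units.

```python
import ipaddress

def parse_fortios(text):
    """Parse FortiOS CLI text (config/edit/set/next/end) into nested dicts.
    Blocks and entries become keys; each "set" becomes key -> list of values."""
    root = {}
    stack = [("config", root)]
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        kw, args, cur = words[0], words[1:], stack[-1][1]
        if kw in ("config", "edit"):
            stack.append((kw, cur.setdefault(" ".join(args), {})))
        elif kw == "set":
            cur[args[0]] = args[1:]
        elif kw == "next":                      # closes the current "edit"
            stack.pop()
        elif kw == "end":                       # closes open entries, then the block
            while stack.pop()[0] != "config":
                pass
    return root

def iface_addr(cfg, port):
    """IPv6 address/prefix configured on a port, as an ip_interface."""
    return ipaddress.ip_interface(cfg["system interface"][port]["ipv6"]["ip6-address"][0])

def check_direction(local, remote, p1_local, p1_remote):
    """Check one peer's view of the tunnel against the other peer; return problems."""
    problems = []
    l1 = local["vpn ipsec phase1-interface"][p1_local]
    r1 = remote["vpn ipsec phase1-interface"][p1_remote]
    wan = r1["interface"][0]
    # remote-gw6 must be the address on the peer's Phase 1 (public) interface
    want = iface_addr(remote, wan).ip
    got = ipaddress.ip_address(l1["remote-gw6"][0])
    if got != want:
        problems.append(f"{p1_local}: remote-gw6 is {got} but the peer listens on {want}")
    # IKE cannot complete unless the two proposal lists overlap
    if not set(l1["proposal"]) & set(r1["proposal"]):
        problems.append(f"{p1_local}/{p1_remote}: no common Phase 1 proposal")
    # every LAN prefix behind the peer needs a static6 route via the IPsec interface
    tunnel_dsts = [ipaddress.ip_network(r["dst"][0])
                   for r in local["router static6"].values() if r["device"][0] == p1_local]
    for port in remote["system interface"]:
        if port == wan:
            continue
        lan = iface_addr(remote, port).network
        if not any(lan.subnet_of(d) for d in tunnel_dsts):
            problems.append(f"{p1_local}: no static6 route covering remote LAN {lan}")
    return problems

def check_pair(a, b, a_p1="toB", b_p1="toA"):
    """Both directions; an empty list means the two configs agree."""
    return check_direction(a, b, a_p1, b_p1) + check_direction(b, a, b_p1, a_p1)

# Constructed sample: both peers of the IPv6-over-IPv6 example, reduced to the
# settings the checks need (port2 public side, port3 LAN, one tunnel route).
PEER_TEMPLATE = """
config system interface
edit port2
config ipv6
set ip6-address {wan}
end
next
edit port3
config ipv6
set ip6-address {lan}
end
next
end
config vpn ipsec phase1-interface
edit {p1}
set interface port2
set remote-gw6 {gw}
set proposal {proposal}
next
end
config router static6
edit 2
set device {p1}
set dst {route}
next
end
"""
FGT_A = PEER_TEMPLATE.format(
    p1="toB", wan="fec0::0001:209:0fff:fe83:25f2/64", lan="fec0::0000:209:0fff:fe83:25f3/64",
    gw="fec0:0000:0000:0003:209:0fff:fe83:25c7", proposal="3des-md5 3des-sha1",
    route="fec0:0000:0000:0004::/64")
FGT_B = PEER_TEMPLATE.format(
    p1="toA", wan="fec0::0003:209:0fff:fe83:25c7/64", lan="fec0::0004:209:0fff:fe83:2569/64",
    gw="fec0:0000:0000:0001:209:0fff:fe83:25f2", proposal="3des-md5 3des-sha1",
    route="fec0:0000:0000:0000::/64")

if __name__ == "__main__":
    a, b = parse_fortios(FGT_A), parse_fortios(FGT_B)
    print(check_pair(a, b) or "consistent")
    # a mistyped remote gateway on FortiGate B is reported
    print(check_pair(a, parse_fortios(FGT_B.replace("fe83:25f2", "fe83:25f9"))))
```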

Site-to-site IPv6 over IPv4 VPN example

In this example, IPv6-addressed private networks communicate securely over IPv4 public infrastructure.

Example IPv6-over-IPv4 VPN topology

Configure FortiGate A interfaces

Port2 connects to the IPv4 public network and port3 connects to the IPv6 LAN.

    config system interface
        edit port2
            set ip 10.0.0.1/24
        next
        edit port3
            config ipv6
                set ip6-address fec0::0001:209:0fff:fe83:25f3/64
            end
        next
    end

Configure FortiGate A IPsec settings

The Phase 1 configuration uses IPv4 addressing.

    config vpn ipsec phase1-interface
        edit toB
            set interface port2
            set remote-gw 10.0.1.1
            set dpd [disable | on-idle | on-demand]
            set psksecret maryhadalittlelamb
            set proposal 3des-md5 3des-sha1
        end

The Phase 2 configuration uses IPv6 selectors. By default, Phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.


    config vpn ipsec phase2-interface
        edit toB2
            set phase1name toB
            set proposal 3des-md5 3des-sha1
            set pfs enable
            set replay enable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        end

Configure FortiGate A security policies

IPv6 security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. Define the address all6 using the firewall address6 command as ::/0.

    config firewall policy6
        edit 1
            set srcintf port3
            set dstintf toB
            set srcaddr all6
            set dstaddr all6
            set action accept
            set service ANY
            set schedule always
        next
        edit 2
            set srcintf toB
            set dstintf port3
            set srcaddr all6
            set dstaddr all6
            set action accept
            set service ANY
            set schedule always
        end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv6 static route. A default route sends all IPv4 traffic, including the IPv4 IPsec packets, out on port2.

    config router static6
        edit 1
            set device toB
            set dst fec0:0000:0000:0004::/64
        end
    config router static
        edit 1
            set device port2
            set dst 0.0.0.0/0
            set gateway 10.0.0.254
        end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the IPv4 public IP address of FortiGate A. The IPsec Phase 2 configuration has IPv6 selectors.

IPv6 security policies enable traffic to pass between the private network and the IPsec interface. An IPv6 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv4 static route ensures that all IPv4 packets are routed to the public network.
    config system interface
        edit port2
            set ip 10.0.1.1/24
        next
        edit port3
            config ipv6
                set ip6-address fec0::0004:209:0fff:fe83:2569/64
            end
        next
    end
    config vpn ipsec phase1-interface
        edit toA
            set interface port2
            set remote-gw 10.0.0.1
            set dpd [disable | on-idle | on-demand]
            set psksecret maryhadalittlelamb
            set proposal 3des-md5 3des-sha1
        end
    config vpn ipsec phase2-interface
        edit toA2
            set phase1name toA
            set proposal 3des-md5 3des-sha1
            set pfs enable
            set replay enable
            set src-addr-type subnet6
            set dst-addr-type subnet6
        end
    config firewall policy6
        edit 1
            set srcintf port3
            set dstintf toA
            set srcaddr all6
            set dstaddr all6
            set action accept
            set service ANY
            set schedule always
        next
        edit 2
            set srcintf toA
            set dstintf port3
            set srcaddr all6
            set dstaddr all6
            set action accept
            set service ANY
            set schedule always
        end
    config router static6
        edit 1
            set device toA
            set dst fec0:0000:0000:0000::/64
        end
    config router static
        edit 1
            set device port2
            set gateway 10.0.1.254
        end

Site-to-siteIPv4overIPv6VPNexample
Inthisexample,twoprivatenetworkswithIPv4addressingcommunicatesecurelyoverIPv6infrastructure.

ExampleIPv4-over-IPv6VPNtopology

ConfigureFortiGateAinterfaces
Port2connectstotheIPv6publicnetworkandport3connectstotheIPv4LAN.
config system interface
edit port2
config ipv6
set ip6-address fec0::0001:209:0fff:fe83:25f2/64
end
next
edit port3
set 192.168.2.1/24
end

ConfigureFortiGateAIPsecsettings
ThePhase1configurationisthesameasintheIPv6overIPv6example.
config vpn ipsec phase1-interface
edit toB
set ip-version 6
set interface port2
set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7
set dpd [disable | on-idle | on-demand]
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end

The Phase 2 configuration is the same as you would use for an IPv4 VPN. By default, Phase 2 selectors are set to accept all subnet addresses for source and destination.
config vpn ipsec phase2-interface
edit toB2
set phase1name toB
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
end

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. These are IPv4 security policies.
config firewall policy
edit 1
set srcintf port3
set dstintf toB
set srcaddr all
set dstaddr all
set action accept
set service ANY
set schedule always
next
edit 2
set srcintf toB
set dstintf port3
set srcaddr all
set dstaddr all
set action accept
set service ANY
set schedule always
end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv4 static route. A default route sends all IPv6 traffic, including the IPv6 IPsec packets, out on port2.
config router static6
edit 1
set device port2
set dst 0::/0
next
edit 2
set device toB
set dst 192.168.3.0/24
end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IP address of FortiGate A. The IPsec Phase 2 configuration has IPv4 selectors.

IPv4 security policies enable traffic to pass between the private network and the IPsec interface. An IPv4 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv6 static route ensures that all IPv6 packets are routed to the public network.
config system interface
edit port2
config ipv6
set ip6-address fec0::0003:209:0fff:fe83:25c7/64
end
next
edit port3
set ip 192.168.3.1/24
end
config vpn ipsec phase1-interface
edit toA
set ip-version 6
set interface port2
set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2
set dpd [disable | on-idle | on-demand]
set psksecret maryhadalittlelamb
set proposal 3des-md5 3des-sha1
end
config vpn ipsec phase2-interface
edit toA2
set phase1name toA
set proposal 3des-md5 3des-sha1
set pfs enable
set replay enable
end
config firewall policy
edit 1
set srcintf port3
set dstintf toA
set srcaddr all
set dstaddr all
set action accept
set service ANY
set schedule always
next
edit 2
set srcintf toA
set dstintf port3
set srcaddr all
set dstaddr all
set action accept
set service ANY
set schedule always
end
config router static6
edit 1
set device port2
set dst 0::/0
next
edit 2
set device toA
set dst 192.168.2.0/24
end
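The FortiGate A and FortiGate B configurations above must mirror each other: each unit's remote-gw6 is the peer's port2 address, the pre-shared key and proposals agree, and PFS is set the same way on both ends. As an added example that is not part of the handbook, the Python below parses FortiOS CLI text of this shape and cross-checks a constructed pair of peer configurations modelled on the ones above; the parser, the check functions and the WEAK list are my own, not FortiOS features, and the addresses and key are the handbook's placeholders.

```python
"""Added example, not from the FortiOS handbook: parse FortiOS CLI text of
the kind shown above and cross-check two IPv6 IPsec peers against each other."""
import ipaddress
from typing import Dict, List

# Constructed sample input modelled on the handbook's FortiGate A / B settings
# (the placeholder addresses and pre-shared key come from the text above).
PEER = """
config system interface
    edit port2
        config ipv6
            set ip6-address {own}/64
        end
    end
config vpn ipsec phase1-interface
    edit {p1}
        set interface port2
        set remote-gw6 {remote}
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    end
config vpn ipsec phase2-interface
    edit {p1}2
        set phase1name {p1}
        set proposal 3des-md5 3des-sha1
        set pfs enable
    end
"""
FORTIGATE_A = PEER.format(p1="toB", own="fec0::0001:209:0fff:fe83:25f2",
                          remote="fec0:0000:0000:0003:209:0fff:fe83:25c7")
FORTIGATE_B = PEER.format(p1="toA", own="fec0::0003:209:0fff:fe83:25c7",
                          remote="fec0:0000:0000:0001:209:0fff:fe83:25f2")
WEAK = ("des", "md5")   # substrings that mark legacy proposals (3des-*, *-md5)


def parse_fortios(text: str) -> Dict:
    """Turn config/edit/set/next/end lines into nested dicts (set values as lists)."""
    root: Dict = {}
    stack = [("config", root)]      # frames of (kind, node)
    for line in text.splitlines():
        words = line.strip().split()
        if not words:
            continue
        cmd, args = words[0], [w.strip('"') for w in words[1:]]
        if cmd in ("config", "edit"):
            node = stack[-1][1].setdefault(" ".join(args), {})
            stack.append((cmd, node))
        elif cmd == "set":
            stack[-1][1][args[0]] = args[1:]
        elif cmd == "next" and stack[-1][0] == "edit":
            stack.pop()
        elif cmd == "end":          # closes any open edit and its config block
            while len(stack) > 1 and stack.pop()[0] != "config":
                pass
    return root


def phase2_for(cfg: Dict, p1name: str) -> Dict:
    """Return the phase2-interface entry whose phase1name references p1name."""
    for entry in cfg["vpn ipsec phase2-interface"].values():
        if entry.get("phase1name") == [p1name]:
            return entry
    raise KeyError(f"no Phase 2 references {p1name}")


def check_peers(cfg_a: Dict, p1_a: str, cfg_b: Dict, p1_b: str) -> List[str]:
    """Cross-check two route-based IPv6 IPsec peers; an empty list means consistent."""
    findings: List[str] = []
    cfgs = {"A": cfg_a, "B": cfg_b}
    p1 = {"A": cfg_a["vpn ipsec phase1-interface"][p1_a],
          "B": cfg_b["vpn ipsec phase1-interface"][p1_b]}
    for me, other in (("A", "B"), ("B", "A")):
        # remote-gw6 must be the address bound to the peer's outside interface
        iface = cfgs[other]["system interface"][p1[other]["interface"][0]]
        want = ipaddress.IPv6Interface(iface["ipv6"]["ip6-address"][0]).ip
        if ipaddress.IPv6Address(p1[me]["remote-gw6"][0]) != want:
            findings.append(f"{me}: remote-gw6 is not {other}'s interface address {want}")
    if p1["A"]["psksecret"] != p1["B"]["psksecret"]:
        findings.append("pre-shared keys differ")
    if not set(p1["A"]["proposal"]) & set(p1["B"]["proposal"]):
        findings.append("no common Phase 1 proposal")
    p2a, p2b = phase2_for(cfg_a, p1_a), phase2_for(cfg_b, p1_b)
    if not set(p2a["proposal"]) & set(p2b["proposal"]):
        findings.append("no common Phase 2 proposal")
    if p2a.get("pfs") != p2b.get("pfs"):
        findings.append("PFS setting differs")
    return findings


def weak_proposals(cfg: Dict) -> List[str]:
    """List Phase 1/2 proposals that still rely on DES/3DES or MD5."""
    out = []
    for table in ("vpn ipsec phase1-interface", "vpn ipsec phase2-interface"):
        for name, entry in cfg.get(table, {}).items():
            out += [f"{name}: {p}" for p in entry.get("proposal", [])
                    if any(w in p for w in WEAK)]
    return out
```

Running check_peers on the two parsed samples returns an empty list; dropping the "209:0fff" groups from one side's port2 address, as a typo in a real deployment would, makes it report that the other side's remote-gw6 no longer matches.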

L2TP and IPsec (Microsoft VPN)

This section describes how to set up a VPN that is compatible with the Microsoft Windows native VPN, which is Layer 2 Tunneling Protocol (L2TP) with IPsec encryption.

The following topics are included in this section:

Overview
Assumptions
Configuration overview

For troubleshooting information, refer to Troubleshooting L2TP and IPsec.

Overview

The topology of a VPN for Microsoft Windows dialup clients is very similar to the topology for FortiClient Endpoint Security clients.

Example FortiGate VPN configuration with Microsoft clients

For users, the difference is that instead of installing and using the FortiClient application, they configure a network connection using the software built into the Microsoft Windows operating system. Starting in FortiOS 4.0 MR2, you can configure a FortiGate unit to work with unmodified Microsoft VPN client software.

Layer 2 Tunneling Protocol (L2TP)

L2TP is a tunneling protocol published in 1999 that is used with VPNs, as the name suggests. The Microsoft Windows operating system has had a built-in L2TP client since Windows 2000. Mac OS X 10.3 and higher also have a built-in client.

L2TP provides no encryption and uses UDP port 1701. IPsec is used to secure L2TP packets. The initiator of the L2TP tunnel is called the L2TP Access Concentrator (LAC).

L2TP and IPsec is supported for native Windows XP, Windows Vista and Mac OS X native VPN clients. However, in Mac OS X (OS X 10.6.3, including patch releases) the L2TP feature does not work properly on the Mac OS side.

Assumptions

The following assumptions have been made for this example:

- L2TP protocol traffic is allowed through network firewalls (TCP and UDP port 1701)
- User has Microsoft Windows 2000 or higher, a Windows version that supports L2TP

Configuration overview

The following section consists of configuring the FortiGate unit and configuring the Windows PC.

Configuring the FortiGate unit

To configure the FortiGate unit, you must:

- Configure L2TP users and firewall user group.
- Configure the L2TP VPN, including the IP address range it assigns to clients.
- Configure an IPsec VPN with encryption and authentication settings that match the Microsoft VPN client.
- Configure security policies.

Configuring L2TP users and firewall user group

Remote users must be authenticated before they can request services and/or access network resources through the VPN. The authentication process can use a password defined on the FortiGate unit or an established external authentication mechanism such as RADIUS or LDAP.

Creating user accounts

You need to create user accounts and then add these users to a firewall user group to be used for L2TP authentication. The Microsoft VPN client can automatically send the user's Windows network logon credentials. You might want to use these for their L2TP username and password.

Creating a user account - web-based manager

1. Go to User & Device > User Definition and select Create New.
2. Enter the User Name.

3. Do one of the following:
   - Select Password and enter the user's assigned password.
   - Select Match user on LDAP server, Match user on RADIUS server, or Match user on TACACS+ server and select the authentication server from the list. The authentication server must be already configured on the FortiGate unit.
4. Select OK.

Creating a user account - CLI

To create a user account called user1 with the password 123_user, enter:
config user local
edit user1
set type password
set passwd "123_user"
set status enable
end

Creating a user group

When clients connect using the L2TP-over-IPsec VPN, the FortiGate unit checks their credentials against the user group you specify for L2TP authentication. You need to create a firewall user group to use for this purpose.

Creating a user group - web-based manager

1. Go to User & Device > User Groups, select Create New, and enter the following:

Name: Type or edit the user group name (for example, L2TP_group).

Type: Select Firewall.

Available Users/Groups: The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers, or PKI users that can be added to the user group. To add a member to this list, select the name and then select the right arrow button.

Members: The list of Local users, RADIUS servers, LDAP servers, TACACS+ servers, or PKI users that belong to the user group. To remove a member, select the name and then select the left arrow button.

2. Select OK.

Creating a user group - CLI

To create the user group L2TP_group and add members User_1, User_2, and User_3, enter:
config user group
edit L2TP_group
set group-type firewall
set member User_1 User_2 User_3
end

Configuring L2TP

You can only configure L2TP settings in the CLI. As well as enabling L2TP, you set the range of IP address values that are assigned to L2TP clients and specify the user group that can access the VPN. For example, to allow access to users in the L2TP_group and assign them addresses in the range 192.168.0.50 to 192.168.0.59, enter:
config vpn l2tp
set sip 192.168.0.50
set eip 192.168.0.59
set status enable
set usrgrp "L2TP_group"
end

One of the security policies for the L2TP over IPsec VPN uses the client address range, so you also need to create a firewall address for that range. For example:
config firewall address
edit L2TPclients
set type iprange
set start-ip 192.168.0.50
set end-ip 192.168.0.59
end

Alternatively, you could define this range in the web-based manager.

Configuring IPsec

The Microsoft VPN client uses IPsec for encryption. The configuration needed on the FortiGate unit is the same as for any other IPsec VPN with the following exceptions.

- Transport mode is used instead of tunnel mode.
- The encryption and authentication proposals must be compatible with the Microsoft client.

Whether Transport mode is required depends on the configuration of the peer device (typically an old Windows device, since newer versions of Windows don't require IPsec and L2TP; they can run IPsec natively).

When configuring L2TP, do not name the VPN "L2TP" as that will result in a conflict.

L2TP over IPsec is supported on the FortiGate unit for both policy-based and route-based configurations, but the following example is policy-based.

Configuring Phase 1 - web-based manager

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

Name: Enter a name for this VPN, dialup_p1 for example.

Remote Gateway: Dialup User

Local Interface: Select the network interface that connects to the Internet. For example, port1.

Mode: Main (ID protection)

Authentication Method: Preshared Key

Pre-shared Key: Enter the preshared key. This key must also be entered in the Microsoft VPN client.

Advanced: Select Advanced to enter the following information.

Phase 1 Proposal: Enter the following Encryption/Authentication pairs:

AES256-MD5, 3DES-SHA1, AES192-SHA1

Diffie-Hellman Group: 2

NAT Traversal: Enable

Dead Peer Detection: Enable

Configuring Phase 1 - CLI

To create a Phase 1 configuration called dialup_p1 on a FortiGate unit that has port1 connected to the Internet, you would enter:
config vpn ipsec phase1
edit dialup_p1
set type dynamic
set interface port1
set mode main
set psksecret ********
set proposal aes256-md5 3des-sha1 aes192-sha1
set dhgrp 2
set nattraversal enable
set dpd [disable | on-idle | on-demand]
end

It is worth noting here that the command config vpn ipsec phase1 is used rather than config vpn ipsec phase1-interface because this configuration is policy-based and not route-based.

Configuring Phase 2 - web-based manager

1. Open the Phase 2 Selectors panel.
2. Enter the following information and then select OK.

Phase 2 Proposal: Enter the following Encryption/Authentication pairs:

AES256-MD5, 3DES-SHA1, AES192-SHA1

Enable replay detection: Enable

Enable perfect forward secrecy (PFS): Disable

Keylife: 3600 seconds

3. Make this a transport-mode VPN. You must use the CLI to do this. If your Phase 2 name is dialup_p2, you would enter:
config vpn ipsec phase2
edit dialup_p2
set encapsulation transport-mode
end

Configuring Phase 2 - CLI

To configure a Phase 2 to work with your phase_1 configuration, you would enter:
config vpn ipsec phase2
edit dialup_p2
set phase1name dialup_p1
set proposal aes256-md5 3des-sha1 aes192-sha1
set replay enable
set pfs disable
set keylifeseconds 3600
set encapsulation transport-mode
end

Once again, note here that the command config vpn ipsec phase2 is used rather than config vpn ipsec phase2-interface because this configuration is policy-based and not route-based.

Configuring security policies

The security policies required for L2TP over IPsec VPN are:

- An IPsec policy, as you would create for any policy-based IPsec VPN
- A regular ACCEPT policy to allow traffic from the L2TP clients to access the protected network

Configuring the IPsec security policy - web-based manager

1. Go to System > Feature Select and enable Policy-based IPsec VPN.
2. Go to Policy & Objects > IPv4 Policy and select Create New.
3. Set the Action to IPsec and enter the following information:

Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.
Source Address: All

Outgoing Interface: Select the FortiGate unit's public interface.

Destination Address: All

VPN Tunnel: Select Use Existing and select the name of the Phase 1 configuration that you created. For example, dialup_p1. See Configuring IPsec on page 174.

Allow traffic to be initiated from the remote site: enable

4. Select OK.

Configuring the IPsec security policy - CLI

If your VPN tunnel (Phase 1) is called dialup_p1, your protected network is on port2, and your public interface is port1, you would enter:
config firewall policy
edit 0
set srcintf port2
set dstintf port1
set srcaddr all
set dstaddr all
set action ipsec
set schedule always
set service all
set inbound enable
set vpntunnel dialup_p1
end

Configuring the ACCEPT security policy - web-based manager

1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information and select OK:

Incoming Interface: Select the FortiGate unit's public interface.

Source Address: Select the firewall address that you defined for the L2TP clients.

Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.

Destination Address: All

Action: ACCEPT

Configuring the ACCEPT security policy - CLI

If your public interface is port1, your protected network is on port2, and L2TPclients is the address range that L2TP clients use, you would enter:
config firewall policy
edit 1
set srcintf port1
set dstintf port2
set srcaddr L2TPclients
set dstaddr all
set action accept
set schedule always
set service all
end

Configuring the Windows PC

Configuration of the Windows PC for a VPN connection to the FortiGate unit consists of the following:

1. In Network Connections, configure a Virtual Private Network connection to the FortiGate unit.
2. Ensure that the IPSEC service is running.
3. Ensure that IPsec has not been disabled for the VPN client. It may have been disabled to make the Microsoft VPN compatible with an earlier version of FortiOS.

The instructions in this section are based on Windows XP. Other versions of Windows may vary slightly.

Configuring the network connection

1. Open Network Connections. This is available through the Control Panel.
2. Double-click New Connection Wizard and select Next.
3. Select Connect to the network at my workplace.
4. Select Next.
5. Select Virtual Private Network connection and select Next.
6. In the Company Name field, enter a name for the connection and select Next.
7. Select Do not dial the initial connection and then select Next.
8. Enter the public IP address or FQDN of the FortiGate unit and select Next.
9. Optionally, select Add a shortcut to this connection to my desktop.
10. Select Finish. The Connect dialog opens on the desktop.
11. Select Properties and then select the Security tab.
12. Select IPsec Settings.
13. Select Use pre-shared key for authentication, enter the preshared key that you configured for your VPN, and select OK.
14. Select OK.

Checking that the IPsec service is running

1. Open Administrative Tools through the Control Panel.
2. Double-click Services.
3. Look for IPSEC Services. Confirm that the Startup Type is Automatic and Status is set to Started. If needed, double-click IPsec Services to change these settings.

Checking that IPsec has not been disabled

1. Select Start > Run.
2. Enter regedit and select OK.
3. Find the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters
4. If there is a ProhibitIPsec value, it must be set to 0.

GRE over IPsec (Cisco VPN)

This section describes how to configure a FortiGate VPN that is compatible with Cisco-style VPNs that use GRE in an IPsec tunnel.

The following topics are included in this section:

Configuration overview
Configuring the Cisco router

Cisco products that include VPN support often use the Generic Routing Encapsulation (GRE) protocol tunnel over IPsec encryption. This chapter describes how to configure a FortiGate unit to work with this type of Cisco VPN.

Cisco VPNs can use either transport mode or tunnel mode IPsec. Before FortiOS 4.0 MR2, the FortiGate unit was compatible only with tunnel mode IPsec.

Example FortiGate to Cisco GRE-over-IPsec VPN

In this example, users on LAN1 are provided access to LAN2.
Configuration overview

The following section consists of configuring the FortiGate unit and configuring the Cisco router.

Configuring the FortiGate unit

There are several steps to the GRE-over-IPsec configuration:

- Enable overlapping subnets. This is needed because the IPsec and GRE tunnels will use the same addresses.
- Configure a route-based IPsec VPN on the external interface.
- Configure a GRE tunnel on the virtual IPsec interface. Set its local gateway and remote gateway addresses to match the local and remote gateways of the IPsec tunnel.
- Configure security policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
- Configure security policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.
- Configure a static route to direct traffic destined for the network behind the Cisco router into the GRE-over-IPsec tunnel.

Enabling overlapping subnets

By default, each FortiGate unit network interface must be on a separate network. The configuration described in this chapter assigns an IPsec tunnel endpoint and the external interface to the same network. Enable subnet overlap as follows:
config system settings
set allow-subnet-overlap enable
end

Configuring the IPsec VPN

A route-based VPN is required. It must use encryption and authentication algorithms compatible with the Cisco equipment to which it connects. In this chapter, preshared key authentication is shown.

Configuring the IPsec VPN - web-based manager

1. Define the Phase 1 configuration needed to establish a secure connection with the remote Cisco device. Enter these settings in particular:

Name: Enter a name to identify the VPN tunnel, tocisco for example. This is the name of the virtual IPsec interface. It appears in Phase 2 configurations, security policies and the VPN monitor.

Remote Gateway: Select Static IP Address.

IP Address: Enter the IP address of the Cisco device public interface. For example, 192.168.5.113.

Local Interface: Select the FortiGate unit's public interface. For example, 172.20.120.141.
Mode: Select Main (ID Protection).

Authentication Method: Preshared Key

Pre-shared Key: Enter the preshared key. It must match the preshared key on the Cisco device.

Advanced: Select the Advanced button to see the following settings.

Phase 1 Proposal: 3DES-MD5

At least one proposal must match the settings on the Cisco unit.

For more information about these settings, see Phase 1 parameters on page 47.

2. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. For compatibility with the Cisco router, Quick Mode Selectors must be entered, which includes specifying protocol 47, the GRE protocol. Enter these settings in particular:

Phase 2 Proposal: 3DES-MD5

At least one proposal must match the settings on the Cisco unit.

Quick Mode Selector

Source Address: Enter the GRE local tunnel end IP address. For example 172.20.120.141.

Source Port: 0

Destination Address: Enter the GRE remote tunnel end IP address. For example 192.168.5.113.

Destination Port: 0

Protocol: 47

For more information about these settings, see Phase 2 parameters on page 65.

3. If the Cisco device is configured to use transport mode IPsec, you need to use transport mode on the FortiGate VPN. You can configure this only in the CLI. In your Phase 2 configuration, set encapsulation to transport-mode as follows:
config vpn ipsec phase2-interface
edit to_cisco_p2
set encapsulation transport-mode
end

Configuring the IPsec VPN - CLI
config vpn ipsec phase1-interface
edit tocisco
set interface port1
set proposal 3des-sha1 aes128-sha1
set remote-gw 192.168.5.113
set psksecret xxxxxxxxxxxxxxxx
end
config vpn ipsec phase2-interface
edit tocisco_p2
set phase1name "tocisco"
set proposal 3des-md5
set encapsulation tunnel-mode      // if tunnel mode
set encapsulation transport-mode   // if transport mode (use only one of these two lines)
set protocol 47
set src-addr-type ip
set dst-start-ip 192.168.5.113
set src-start-ip 172.20.120.141
end

Adding IPsec tunnel end addresses

The Cisco configuration requires an address for its end of the IPsec tunnel. The addresses are set to match the GRE gateway addresses. Use the CLI to set the addresses, like this:
config system interface
edit tocisco
set ip 172.20.120.141 255.255.255.255
set remote-ip 192.168.5.113
end

Configuring the GRE tunnel

The GRE tunnel runs between the virtual IPsec public interface on the FortiGate unit and the Cisco router. You must use the CLI to configure a GRE tunnel. In the example, you would enter:
config system gre-tunnel
edit gre1
set interface tocisco
set local-gw 172.20.120.141
set remote-gw 192.168.5.113
end
interface is the virtual IPsec interface, local-gw is the FortiGate unit public IP address, and remote-gw is the remote Cisco device public IP address.

Adding GRE tunnel end addresses

You will also need to add tunnel end addresses. The Cisco router configuration requires an address for its end of the GRE tunnel. Using the CLI, enter tunnel end addresses that are not used elsewhere on the FortiGate unit, like this:
config system interface
edit gre1
set ip 10.0.1.1 255.255.255.255
set remote-ip 10.0.1.2
end

Configuring security policies

Two sets of security policies are required:

- Policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
- Policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.

Configuring security policies - web-based manager

1. Define an ACCEPT firewall security policy to permit communications between the protected network and the GRE tunnel:

Incoming Interface: Select the interface that connects to the private network behind this FortiGate unit.

Source Address: All

Outgoing Interface: Select the GRE tunnel virtual interface you configured.

Destination Address: All

Action: ACCEPT

Enable NAT: Disable

2. To permit the remote client to initiate communication, you need to define a firewall address security policy for communication in that direction:

Incoming Interface: Select the GRE tunnel virtual interface you configured.

Source Address: All

Outgoing Interface: Select the interface that connects to the private network behind this FortiGate unit.

Destination Address: All

Action: ACCEPT

Enable NAT: Disable

3. Define a pair of ACCEPT firewall address security policies to permit traffic to flow between the GRE virtual interface and the IPsec virtual interface:

Incoming Interface: Select the GRE virtual interface. See Configuring the GRE tunnel on page 183.

Source Address: All

Outgoing Interface: Select the virtual IPsec interface you created. See Configuring the IPsec VPN on page 181.

Destination Address: All

Action: ACCEPT

Enable NAT: Disable
Incoming Interface: Select the virtual IPsec interface you created. See Configuring the IPsec VPN on page 181.

Source Address: All

Outgoing Interface: Select the GRE virtual interface. See Configuring the GRE tunnel on page 183.

Destination Address: All

Action: ACCEPT

Enable NAT: Disable

Configuring security policies - CLI
config firewall policy
edit 1    // LAN to GRE tunnel
set srcintf port2
set dstintf gre1
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 2    // GRE tunnel to LAN
set srcintf gre1
set dstintf port2
set srcaddr all
set dstaddr all
set action accept
set schedule always
set service ANY
next
edit 3    // GRE tunnel to IPsec interface
set srcintf "gre1"
set dstintf "tocisco"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
next
edit 4    // IPsec interface to GRE tunnel
set srcintf "tocisco"
set dstintf "gre1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ANY"
end

Configuring routing

Traffic destined for the network behind the Cisco router must be routed to the GRE tunnel. To do this, create a static route:

1. Go to Network > Static Routes and select Create New.
2. Enter the following information and select OK.

Destination IP/Mask: Enter the IP address and netmask for the network behind the Cisco router. For example 10.21.101.0 255.255.255.0.

Device: Select the GRE virtual interface.

Distance (Advanced): Leave setting at default value.

In the CLI, using the example values, you would enter:
config router static
edit 0
set device gre1
set dst 10.21.101.0 255.255.255.0
end

Configuring the Cisco router

Using Cisco IOS, you would configure the Cisco router as follows, using the addresses from the example:
config ter
crypto ipsec transform-set myset esp-3des esp-md5-hmac
no mode
exit
no ip access-list extended tunnel
ip access-list extended tunnel
permit gre host 192.168.5.113 host 172.20.120.141
exit
interface Tunnel1
ip address 10.0.1.2 255.255.255.0
tunnel source 192.168.5.113
tunnel destination 172.20.120.141
!
ip route 10.11.101.0 255.255.255.0 Tunnel1
end
clea crypto sa
clea crypto isakmp
For transport mode, change no mode to mode transport.

This is only the portion of the Cisco router configuration that applies to the GRE-over-IPsec tunnel. For more information, refer to the Cisco documentation.

Protecting OSPF with IPsec

For enhanced security, OSPF dynamic routing can be carried over IPsec VPN links.

The following topics are included in this section:

Configuration overview

This chapter shows an example of OSPF routing conducted over an IPsec tunnel between two FortiGate units. The network shown below is a single OSPF area. FortiGate_1 is an Area border router that advertises a static route to 10.22.10.0/24 in OSPF. FortiGate_2 advertises its local LAN as an OSPF internal route.

OSPF over an IPsec VPN tunnel

The section Configuration overview describes the configuration with only one IPsec VPN tunnel, tunnel_wan1. Then, the section Configuration overview describes how you can add a second tunnel to provide a redundant backup path. This is shown above as VPN tunnel tunnel_wan2.

Only the parts of the configuration concerned with creating the IPsec tunnel and integrating it into the OSPF network are described. It is assumed that security policies are already in place to allow traffic to flow between the interfaces on each FortiGate unit.

OSPF over IPsec configuration

There are several steps to the OSPF-over-IPsec configuration:

- Configure a route-based IPsec VPN on an external interface. It will connect to a corresponding interface on the other FortiGate unit. Define the two tunnel-end addresses.
- Configure a static route to the other FortiGate unit.
- Configure the tunnel network as part of the OSPF network and define the virtual IPsec interface as an OSPF interface.

This section describes the configuration with only one VPN, tunnel_wan1. The other VPN is added in the section Configuration overview on page 188.

Configuring the IPsec VPN

A route-based VPN is required. In this chapter, preshared key authentication is shown. Certificate authentication is also possible. Both FortiGate units need this configuration.

Configuring Phase 1

1. Define the Phase 1 configuration needed to establish a secure connection with the other FortiGate unit. For more information, see Phase 1 parameters on page 47. Enter these settings in particular:

Name: Enter a name to identify the VPN tunnel, tunnel_wan1 for example. This becomes the name of the virtual IPsec interface.

Remote Gateway: Select Static IP Address.

IP Address: Enter the IP address of the other FortiGate unit's public (Port2) interface.

Local Interface: Select this FortiGate unit's public (Port2) interface.

Mode: Select Main (ID Protection).

Authentication Method: Preshared Key

Pre-shared Key: Enter the preshared key. It must match the preshared key on the other FortiGate unit.

Advanced: Select Advanced.

Assigning the tunnel end IP addresses

1. Go to Network > Interfaces, select the virtual IPsec interface that you just created on Port2 and select Edit.
2. In the IP and Remote IP fields, enter the following tunnel end addresses:

            FortiGate_1   FortiGate_2
IP          10.1.1.1      10.1.1.2
Remote IP   10.1.1.2      10.1.1.1

These addresses are from a network that is not used for anything else.

Configuring Phase 2

1. Enter a name to identify this Phase 2 configuration, twan1_p2, for example.
2. Select the name of the Phase 1 configuration that you defined in Step "Configuration overview" on page 188, tunnel_wan1 for example.

Configuring static routing

You need to define the route for traffic leaving the external interface.

1. Go to Network > Static Routes, select Create New.
2. Enter the following information.

Destination IP/Mask: Leave as 0.0.0.0 0.0.0.0.

Device: Select the external interface.

Gateway: Enter the IP address of the next hop router.

Configuring OSPF

This section does not attempt to explain OSPF router configuration. It focuses on the integration of the IPsec tunnel into the OSPF network. This is accomplished by assigning the tunnel as an OSPF interface, creating an OSPF route to the other FortiGate unit.

This configuration uses loopback interfaces to ease OSPF troubleshooting. The OSPF router ID is set to the loopback interface address. The loopback interface ensures the router is always up. Even though technically the router ID doesn't have to match a valid IP address on the FortiGate unit, having an IP that matches the router ID makes troubleshooting a lot easier.

The two FortiGate units have slightly different configurations. FortiGate_1 is an AS border router that advertises its static default route. FortiGate_2 advertises its local LAN as an OSPF internal route.

Setting the router ID for each FortiGate unit to the lowest possible value is useful if you want the FortiGate units to be the designated router (DR) for their respective ASes. This is the router that broadcasts the updates for the AS.

Leaving the IP address on the OSPF interface at 0.0.0.0 indicates that all potential routes will be advertised, and it will not be limited to any specific subnet. For example, if this IP address was 10.1.0.0, then only routes that match that subnet will be advertised through this interface in OSPF.

FortiGate_1 OSPF configuration

When configuring FortiGate_1 for OSPF, the loopback interface is created, and then you configure OSPF area networks and interfaces.

With the exception of creating the loopback interface, OSPF for this example can all be configured in either the web-based manager or CLI.

Creating the loopback interface

A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.1, you would enter:

config system interface
edit lback1
set vdom root
set ip 10.0.0.1 255.255.255.255
set type loopback
end

The loopback addresses and corresponding router IDs on the two FortiGate units must be different. For example, set the FortiGate 1 loopback to 10.0.0.1 and the FortiGate 2 loopback to 10.0.0.2.

Configuring OSPF area, networks, and interfaces - web-based manager

1. On FortiGate_1, go to Network > OSPF.
2. Enter the following information to define the router, area, and interface information.

Router ID: Enter 10.0.0.1. Select Apply before entering the remaining information.

Advanced Options

Redistribute: Select the Connected and Static check boxes. Use their default metric values.

Areas: Select Create New, enter the Area and Type and then select OK.

Area: 0.0.0.0

Type: Regular

Interfaces

Name: Enter a name for the OSPF interface, ospf_wan1 for example.

Interface: Select the virtual IPsec interface, tunnel_wan1.

IP: 0.0.0.0

3. For Networks, select Create New.
4. Enter the IP/Netmask of 10.1.1.0/255.255.255.0 and an Area of 0.0.0.0.
5. For Networks, select Create New.
6. Enter the IP/Netmask of 10.0.0.1/255.255.255.0 and an Area of 0.0.0.0.
7. Select Apply.

Configuring OSPF area and interfaces - CLI

Your loopback interface is 10.0.0.1, your tunnel ends are on the 10.1.1.0/24 network, and your virtual IPsec interface is named tunnel_wan1. Enter the following CLI commands:
config router ospf
set router-id 10.0.0.1
config area
edit 0.0.0.0
end
config network
edit 4
set prefix 10.1.1.0 255.255.255.0
next
edit 2
set prefix 10.0.0.1 255.255.255.255
end
config ospf-interface
edit ospf_wan1
set cost 10
set interface tunnel_wan1
set network-type point-to-point
end
config redistribute connected
set status enable
end
config redistribute static
set status enable
end
end

FortiGate_2 OSPF configuration

When configuring FortiGate_2 for OSPF, the loopback interface is created, and then you configure OSPF area networks and interfaces.

Configuring FortiGate_2 differs from FortiGate_1 in that three interfaces are defined instead of two. The third interface is the local LAN that will be advertised into OSPF.

With the exception of creating the loopback interface, OSPF for this example can all be configured in either the web-based manager or CLI.

Creating the loopback interface

A loopback interface can be configured in the CLI only. For example, if the interface will have an IP address of 10.0.0.2, you would enter:
config system interface
edit lback1
set vdom root
set ip 10.0.0.2 255.255.255.255
set type loopback
end

The loopback addresses on the two FortiGate units must be different. For example, set the FortiGate_1 loopback to 10.0.0.1 and the FortiGate_2 loopback to 10.0.0.2.

Configuring OSPF area and interfaces - web-based manager

1. On FortiGate_2, go to Network > OSPF.
2. Complete the following.

Router ID: 10.0.0.2

Areas: Select Create New, enter the Area and Type and then select OK.


Area: 0.0.0.0
Type: Regular

Interfaces: Select Create New and enter the following.
Name: Enter a name for the OSPF interface, ospf_wan1 for example.
Interface: Select the virtual IPsec interface, tunnel_wan1.
IP: 0.0.0.0

3. For Networks, select Create New.
4. Enter the following information for the loopback interface:
IP/Netmask: 10.0.0.2/255.255.255.255
Area: 0.0.0.0

5. For Networks, select Create New.
6. Enter the following information for the tunnel interface:
IP/Netmask: 10.1.1.0/255.255.255.0
Area: 0.0.0.0

7. For Networks, select Create New.
8. Enter the following information for the local LAN interface:
IP/Netmask: 10.31.101.0/255.255.255.0
Area: 0.0.0.0

9. Select Apply.

Configuring OSPF area and interfaces - CLI

If, for example, your loopback interface is 10.0.0.2, your tunnel ends are on the 10.1.1.0/24 network, your local LAN is 10.31.101.0/24, and your virtual IPsec interface is named tunnel_wan1, you would enter:
config router ospf
set router-id 10.0.0.2
config area
edit 0.0.0.0
end
config network
edit 1
set prefix 10.1.1.0 255.255.255.0
next
edit 2
set prefix 10.31.101.0 255.255.255.0
next
edit 3
set prefix 10.0.0.2 255.255.255.255
end
config ospf-interface
edit ospf_wan1
set interface tunnel_wan1
set network-type point-to-point
end
end

Creating a redundant configuration

You can improve the reliability of the OSPF over IPsec configuration described in the previous section by adding a second IPsec tunnel to use if the default one goes down. Redundancy in this case is not controlled by the IPsec VPN configuration but by the OSPF routing protocol.

To do this you:

l Create a second route-based IPsec tunnel on a different interface and define tunnel end addresses for it.
l Add the tunnel network as part of the OSPF network and define the virtual IPsec interface as an additional OSPF interface.
l Set the OSPF cost for the added OSPF interface to be significantly higher than the cost of the primary tunnel interface.

Adding the second IPsec tunnel

The configuration is the same as in Configuring the IPsec VPN on page 189, but the interface and addresses will be different. Ideally, the network interface you use is connected to a different Internet service provider for added redundancy.

When adding the second tunnel to the OSPF network, choose another unused subnet for the tunnel ends, 10.1.2.1 and 10.1.2.2 for example, and add that subnet to the OSPF networks on both FortiGate units.

Adding the OSPF interface

OSPF uses the metric called cost when determining the best route, with lower costs being preferred. Up to now in this example, only the default cost of 10 has been used. Cost can be set only in the CLI.

The new IPsec tunnel will have its OSPF cost set higher than that of the default tunnel to ensure that it is only used if the first tunnel goes down. The new tunnel could be set to a cost of 200, compared to the default cost of 10. Such a large difference in cost will ensure this new tunnel will only be used as a last resort. Note that OSPF switches to the secondary tunnel only once it declares the neighbor over the primary tunnel dead (40 seconds after the last hello with the default timers) unless the primary tunnel interface itself goes down first.

If the new tunnel is called tunnel_wan2, you would enter the following on both FortiGate units:
config router ospf
config ospf-interface
edit ospf_wan2
set cost 200
set interface tunnel_wan2
set network-type point-to-point
end
end

Redundant OSPF routing over IPsec

This example sets up redundant secure communication between two remote networks using an Open Shortest Path First (OSPF) VPN connection. In this example, the HQ FortiGate unit will be called FortiGate 1 and the Branch FortiGate unit will be called FortiGate 2.

The steps include:

1. Creating redundant IPsec tunnels on FortiGate 1.
2. Configuring IP addresses and OSPF on FortiGate 1.
3. Configuring firewall addresses on FortiGate 1.
4. Configuring security policies on FortiGate 1.
5. Creating redundant IPsec tunnels for FortiGate 2.
6. Configuring IP addresses and OSPF on FortiGate 2.
7. Configuring firewall addresses on FortiGate 2.
8. Configuring security policies on FortiGate 2.

Creating redundant IPsec tunnels on FortiGate 1
1. Go to VPN > IPsec Tunnels.
2. Select Create New, name the primary tunnel and select Custom VPN Tunnel (No Template).
3. Set the following:

Remote Gateway: Static IP Address
IP Address: FortiGate 2's wan1 IP
Local Interface: wan1 (the primary Internet-facing interface)
Pre-shared Key: Enter the pre-shared key (it must match on both FortiGates)

4. Go to VPN > IPsec Tunnels.
5. Select Create New, name the secondary tunnel and select Custom VPN Tunnel (No Template).
6. Set the following:

Remote Gateway: Static IP Address
IP Address: FortiGate 2's wan2 IP (the secondary tunnel terminates on FortiGate 2's wan2, see below)
Local Interface: wan2 (the secondary Internet-facing interface)
Pre-shared Key: Enter the pre-shared key

Configuring IP addresses and OSPF on FortiGate 1
1. Go to Network > Interfaces.
2. Select the arrow for wan1 to expand the list.


3. Edit the primary tunnel interface and create IP addresses.

IP: 10.1.1.1
Remote IP: 10.1.1.2

4. Select the arrow for wan2 to expand the list.
5. Edit the secondary tunnel interface and create IP addresses.

IP: 10.2.1.1
Remote IP: 10.2.1.2

6. Go to Network > OSPF and enter the Router ID for FortiGate 1.
7. Select Create New in the Area section.
8. Add the backbone area of 0.0.0.0.
9. Select Create New in the Networks section.
10. Create the networks and select Area 0.0.0.0 for each one.
11. Select Create New in the Interfaces section.
12. Create primary and secondary tunnel interfaces.
13. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Configuring firewall addresses on FortiGate 1
1. Go to Policy & Objects > Addresses.
2. Create/Edit the subnets behind FortiGate 1 and FortiGate 2.
3. Create/Edit the primary and secondary interfaces of FortiGate 2.

Configuring security policies on FortiGate 1
1. Go to Policy & Objects > IPv4 Policy.
2. Create the four security policies required for both FortiGate 1's primary and secondary interfaces to connect to FortiGate 2's primary and secondary interfaces.

Creating redundant IPsec tunnels on FortiGate 2
1. Go to VPN > IPsec Tunnels.
2. Select Create New, name the primary tunnel and select Custom VPN Tunnel (No Template).
3. Set the following:

Remote Gateway: Static IP Address
IP Address: FortiGate 1's wan1 IP
Local Interface: wan1 (the primary Internet-facing interface)
Pre-shared Key: Enter the pre-shared key (it must match on both FortiGates)


4. Go to VPN > IPsec Tunnels.
5. Select Create New, name the secondary tunnel and select Custom VPN Tunnel (No Template).
6. Set the following:

Remote Gateway: Static IP Address
IP Address: FortiGate 1's wan2 IP
Local Interface: wan2 (the secondary Internet-facing interface)
Pre-shared Key: Enter the pre-shared key

Configuring IP addresses and OSPF on FortiGate 2
1. Go to Network > Interfaces.
2. Select the arrow for wan1 to expand the list.
3. Edit the primary tunnel interface and create IP addresses.

IP: 10.1.1.2
Remote IP: 10.1.1.1

4. Select the arrow for wan2 to expand the list.
5. Edit the secondary tunnel interface and create IP addresses.

IP: 10.2.1.2
Remote IP: 10.2.1.1

6. Go to Network > OSPF and enter the Router ID for FortiGate 2.
7. Select Create New in the Area section.
8. Add the backbone area of 0.0.0.0.
9. Select Create New in the Networks section.
10. Create the networks and select Area 0.0.0.0 for each one.
11. Select Create New in the Interfaces section.
12. Create primary and secondary tunnel interfaces.
13. Set a Cost of 10 for the primary interface and 100 for the secondary interface.

Configuring firewall addresses on FortiGate 2
1. Go to Policy & Objects > Addresses.
2. Create/Edit the subnets behind FortiGate 1 and FortiGate 2.
3. Create/Edit the primary and secondary interfaces of FortiGate 1.


Configuring security policies on FortiGate 2
1. Go to Policy & Objects > IPv4 Policy.
2. Create the four security policies required for both FortiGate 2's primary and secondary interfaces to connect to FortiGate 1's primary and secondary interfaces.

Results
1. Go to Monitor > IPsec Monitor to verify the statuses of both the primary and secondary IPsec VPN tunnels on FortiGate 1 and FortiGate 2.
2. Go to Monitor > Routing Monitor to verify the routing table on FortiGate 1 and FortiGate 2. Type OSPF for the Type and select Apply Filter to verify the OSPF route.
3. Verify that traffic flows via the primary tunnel:
l From a PC1 set to IP 10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP 10.21.1.100 behind FortiGate 2, and vice versa.
l From PC1, you should see that the traffic goes through 10.1.1.2, which is the primary tunnel interface IP set on FortiGate 2.
l From PC2, you should see that the traffic goes through 10.1.1.1, which is the primary tunnel interface IP set on FortiGate 1.
4. The VPN network between the two OSPF networks uses the primary VPN connection. Disconnect the wan1 interface and confirm that the secondary tunnel is used automatically to maintain a secure connection.
5. Go to Monitor > IPsec Monitor and verify the IPsec VPN tunnel statuses on FortiGate 1 and FortiGate 2. Both FortiGates should show that the primary tunnel is DOWN and the secondary tunnel is UP.
6. Go to Monitor > Routing Monitor, type OSPF for the Type and select Apply Filter to verify the routing table on FortiGate 1 and FortiGate 2. The secondary OSPF route (with cost=100) appears on both FortiGate units.
7. Verify that traffic flows via the secondary tunnel:
l From a PC1 set to IP 10.20.1.100 behind FortiGate 1, run a tracert to a PC2 set to IP 10.21.1.100 behind FortiGate 2, and vice versa.
l From PC1, you should see that the traffic goes through 10.2.1.2, which is the secondary tunnel interface IP set on FortiGate 2.
l From PC2, you should see that the traffic goes through 10.2.1.1, which is the secondary tunnel interface IP set on FortiGate 1.

OSPF over dynamic IPsec

The following example shows how to create a dynamic IPsec VPN tunnel that allows OSPF.

Configuring IPsec on FortiGate 1
1. Go to Dashboard and enter the CLI Console widget.
2. Create phase 1:
config vpn ipsec phase1-interface
edit "dial-up"
set type dynamic
set interface "wan1"
set mode-cfg enable
set proposal 3des-sha1
set add-route disable
set ipv4-start-ip 10.10.101.0
set ipv4-end-ip 10.10.101.255
set psksecret
next
end

3. Create phase 2:
config vpn ipsec phase2-interface
edit "dial-up-p2"
set phase1name "dial-up"
set proposal 3des-sha1 aes128-sha1
next
end

Configuring OSPF on FortiGate 1
1. Go to Dashboard and enter the CLI Console widget.
2. Create the OSPF configuration:
config router ospf
set router-id 172.20.120.22
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 10.10.101.0 255.255.255.0
next
end
config redistribute "connected"
set status enable
end
config redistribute "static"
set status enable
end
end


Adding policies on FortiGate 1
1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from the dial-up interface to port5.
2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to the dial-up interface.

Configuring IPsec on FortiGate 2
1. Go to Dashboard and enter the CLI Console widget.
2. Create phase 1:
config vpn ipsec phase1-interface
edit "dial-up-client"
set interface "wan1"
set mode-cfg enable
set proposal 3des-sha1
set add-route disable
set remote-gw 172.20.120.22
set psksecret
next
end

3. Create phase 2:
config vpn ipsec phase2-interface
edit "dial-up-client"
set phase1name "dial-up-client"
set proposal 3des-sha1 aes128-sha1
set auto-negotiate enable
next
end

Configuring OSPF on FortiGate 2
1. Go to Dashboard and enter the CLI Console widget.
2. Create the OSPF configuration:
config router ospf
set router-id 172.20.120.15
config area
edit 0.0.0.0
next
end
config network
edit 1
set prefix 10.10.101.0 255.255.255.0
next
end
config redistribute "connected"
set status enable
end
config redistribute "static"
set status enable
end
end


Adding policies on FortiGate 2
1. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from the dial-up-client interface to port5.
2. Go to Policy & Objects > IPv4 Policy and create a policy allowing OSPF traffic from port5 to the dial-up-client interface.

Verifying the tunnel is up
Go to Monitor > IPsec Monitor to verify that the tunnel is Up.

Results
1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via OSPF.
2. From FortiGate 1, go to Dashboard. Enter the CLI Console widget and type this command to verify OSPF neighbors:
get router info ospf neighbor

OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
172.20.120.25 1 Full / - 00:00:34 10.10.101.1 dial-up_0

3. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via OSPF.
4. From FortiGate 2, go to Dashboard. Enter the CLI Console widget and type this command to verify OSPF neighbors:
get router info ospf neighbor

OSPF process 0:
Neighbor ID Pri State Dead Time Address Interface
172.20.120.22 1 Full / - 00:00:30 10.10.101.2 dial-up_client
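The neighbor tables above are the check that matters: an adjacency that is not Full, or a peer that never appears, means OSPF is not exchanging routes over the tunnel even though IPsec Monitor shows it Up. The following Python is an added example, not part of the handbook or FortiOS: it parses the table printed by get router info ospf neighbor and reports peers that are missing, not in Full state, or adjacent on an interface other than the dial-up IPsec interfaces. SAMPLE_NEIGHBOR_OUTPUT is constructed in the page's format; its second row is invented to show a stuck adjacency.

```python
"""Check OSPF adjacencies over IPsec from 'get router info ospf neighbor' output.

Added example, not FortiOS code. SAMPLE_NEIGHBOR_OUTPUT is a constructed copy of the
table format shown on the page; the second row is invented to show a stuck adjacency."""

from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample in the format printed by 'get router info ospf neighbor'.
SAMPLE_NEIGHBOR_OUTPUT = """\
OSPF process 0:
Neighbor ID     Pri   State           Dead Time   Address         Interface
172.20.120.25     1   Full / -        00:00:34    10.10.101.1     dial-up_0
172.20.120.30     1   Init / -        00:00:39    10.10.101.3     dial-up_1
"""


@dataclass(frozen=True)
class OspfNeighbor:
    router_id: str
    priority: int
    state: str        # Full, Init, 2-Way, ExStart, ...
    role: str         # DR, BDR, DROther, or '-' on point-to-point links
    dead_time: str
    address: str
    interface: str


# One table row: "<router-id> <pri> <state> / <role> <hh:mm:ss> <address> <interface>"
_ROW = re.compile(
    r"^(?P<rid>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<pri>\d+)\s+"
    r"(?P<state>[A-Za-z0-9-]+)\s*/\s*(?P<role>\S+)\s+"
    r"(?P<dead>\d\d:\d\d:\d\d|-)\s+(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<intf>\S+)$"
)


def parse_ospf_neighbors(text: str) -> list[OspfNeighbor]:
    """Return the neighbor rows; the banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(OspfNeighbor(m["rid"], int(m["pri"]), m["state"], m["role"],
                                     m["dead"], m["addr"], m["intf"]))
    return rows


def check_tunnel_neighbors(text: str, expected_router_ids: list[str],
                           tunnel_interface_prefix: str) -> list[str]:
    """Return human-readable problems: an expected peer that is absent, a peer whose
    adjacency is not Full, or an adjacency formed on an interface that is not one of
    the IPsec tunnel interfaces (OSPF running where it should not)."""
    neighbors = parse_ospf_neighbors(text)
    problems = []
    seen = {n.router_id for n in neighbors}
    for rid in expected_router_ids:
        if rid not in seen:
            problems.append(f"missing neighbor {rid}: tunnel down or OSPF not enabled on it")
    for n in neighbors:
        if n.state != "Full":
            problems.append(f"{n.router_id} on {n.interface} is {n.state}, not Full")
        if not n.interface.startswith(tunnel_interface_prefix):
            problems.append(f"{n.router_id} adjacency is on {n.interface}, "
                            f"not a {tunnel_interface_prefix}* IPsec interface")
    return problems


if __name__ == "__main__":
    for problem in check_tunnel_neighbors(SAMPLE_NEIGHBOR_OUTPUT,
                                          ["172.20.120.25", "172.20.120.30"], "dial-up"):
        print(problem)
```

Run it against the live output (for example, pasted from the CLI Console) with the router IDs you expect on the far side; an empty result means every expected adjacency is Full over a tunnel interface.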

BGP over dynamic IPsec

The following example shows how to create a dynamic IPsec VPN tunnel that allows BGP.

Configuring IPsec on FortiGate 1
1. Go to Policy & Objects > Addresses and select Create New Address.

Name: Remote_loop_int
Type: Subnet
Subnet/IP Range: 10.10.10.10
Interface: any

2. Create an Address Group.

Group Name: VPN_DST
Show in Address List: enable
Members: Remote_loop_int, all

3. Go to Dashboard and enter the CLI Console widget.
4. Create phase 1:
config vpn ipsec phase1-interface
edit Dialup
set type dynamic
set interface wan1
set mode aggressive
set peertype one
set mode-cfg enable
set proposal 3des-sha1 aes128-sha1
set peerid dial
set assign-ip disable
set psksecret
next
end

5. Create phase 2:
config vpn ipsec phase2-interface
edit dial_p2
set phase1name Dialup
set proposal 3des-sha1 aes128-sha1
set src-addr-type name
set dst-addr-type name
set src-name all
set dst-name VPN_DST
next

end

Configuring BGP on FortiGate 1
1. Go to Network > Interfaces and create a loopback interface named loop (the name referenced by update-source below).
2. Set IP/Network Mask to 20.20.20.20/255.255.255.255.
3. Go to Dashboard and enter the CLI Console widget.
4. Create the BGP configuration:
config router bgp
set as 100
set router-id 1.1.1.1
config neighbor
edit 10.10.10.10
set ebgp-enforce-multihop enable
set remote-as 200
set update-source loop
next
end
config redistribute connected
set status enable
end
end

Adding policies on FortiGate 1
1. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from the Dialup interface to the loop interface.
2. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from the loop interface to the Dialup interface.

Configuring IPsec on FortiGate 2
1. Go to Dashboard and enter the CLI Console widget.
2. Create phase 1:
config vpn ipsec phase1-interface
edit Dialup
set interface wan1
set mode aggressive
set mode-cfg enable
set proposal 3des-sha1 aes128-sha1
set localid dial
set remote-gw 172.20.120.22
set assign-ip disable
set psksecret
next
end

3. Create phase 2:
config vpn ipsec phase2-interface
edit dial_p2
set phase1name Dialup
set proposal 3des-sha1 aes128-sha1
set keepalive enable
next
end


Configuring BGP on FortiGate 2
1. Go to Network > Interfaces and create a loopback interface named loop (the name referenced by update-source below).
2. Set IP/Network Mask to 10.10.10.10/255.255.255.255.
3. Go to Dashboard and enter the CLI Console widget.
4. Create the BGP configuration:
config router bgp
set as 200
set router-id 1.1.1.2
config neighbor
edit 20.20.20.20
set ebgp-enforce-multihop enable
set remote-as 100
set update-source loop
next
end
config redistribute connected
set status enable
end
end

Adding policies on FortiGate 2
1. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from the Dialup interface to the loop interface.
2. Go to Policy & Objects > IPv4 Policy and create a policy allowing BGP traffic from the loop interface to the Dialup interface.

Adding a static route on FortiGate 2
Go to Network > Static Routes and add a route to the remote loopback interface via the Dialup interface.

Destination IP/Mask: 20.20.20.20/255.255.255.255
Device: Dialup
Administrative Distance: 10

Verifying the tunnel is up
Go to Monitor > IPsec Monitor to verify that the tunnel is Up.

Results
1. From FortiGate 1, go to Monitor > Routing Monitor and verify that routes from FortiGate 2 were successfully advertised to FortiGate 1 via BGP.
2. From FortiGate 1, go to Dashboard.
3. Enter the CLI Console widget and type this command to verify BGP neighbors:
get router info bgp summary


4. From FortiGate 2, go to Monitor > Routing Monitor and verify that routes from FortiGate 1 were successfully advertised to FortiGate 2 via BGP.
5. From FortiGate 2, go to Dashboard.
6. Enter the CLI Console widget and type this command to verify BGP neighbors:
get router info bgp summary
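Both dynamic examples above (OSPF over dynamic IPsec and BGP over dynamic IPsec) use proposal 3des-sha1, and the BGP example additionally uses IKEv1 aggressive mode with a pre-shared key; these are the settings a reviewer should flag before the configuration leaves the lab. The following Python is an added example, not Fortinet code: it parses flat FortiOS config blocks and lints phase1-interface and phase2-interface entries for deprecated algorithms, aggressive mode, dynamic tunnels that accept any peer ID, and weak Diffie-Hellman groups. SAMPLE_CONFIG is a constructed copy of the Dialup tunnel from this section alongside a hardened variant (IKEv2, aes256-sha256, dhgrp 14) that passes clean; the psksecret values are redacted placeholders.

```python
"""Lint FortiOS IPsec phase 1/phase 2 settings for weak cryptography and identity checks.

Added example, not Fortinet code: a parser for flat 'config / edit / set / next / end'
blocks plus checks for the settings the dial-up examples on this page rely on. SAMPLE_CONFIG
is a constructed copy of the 'Dialup' tunnel with a hardened variant added for comparison."""

from __future__ import annotations

import shlex

SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
edit Dialup
set type dynamic
set interface wan1
set mode aggressive
set peertype one
set mode-cfg enable
set proposal 3des-sha1 aes128-sha1
set peerid dial
set assign-ip disable
set psksecret <redacted>
next
edit Dialup-hardened
set type dynamic
set interface wan1
set ike-version 2
set peertype one
set peerid dial
set proposal aes256-sha256
set dhgrp 14
set psksecret <redacted>
next
end
config vpn ipsec phase2-interface
edit dial_p2
set phase1name Dialup
set proposal 3des-sha1 aes128-sha1
next
end
"""

WEAK_ALGORITHMS = {
    "des": "single DES is broken",
    "3des": "3DES (64-bit block cipher) is deprecated; use AES",
    "md5": "MD5 is broken; use SHA-256 or stronger",
    "sha1": "SHA-1 is deprecated for IKE/IPsec integrity; use SHA-256 or stronger",
}
WEAK_DH_GROUPS = {"1", "2", "5"}  # 768-, 1024- and 1536-bit MODP


def parse_fortios_config(text: str) -> dict[str, dict[str, dict[str, list[str]]]]:
    """Return {table: {entry: {attribute: values}}} for flat FortiOS CLI blocks."""
    tables: dict = {}
    table = entry = None
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles quoted names such as edit "dial-up"
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        if cmd == "config":
            table = " ".join(args)
            tables.setdefault(table, {})
        elif cmd == "edit":
            entry = args[0]
            tables[table].setdefault(entry, {})
        elif cmd == "set":
            tables[table].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            table = entry = None
    return tables


def lint_ipsec(tables) -> list[tuple[str, str, str]]:
    """Return (table, tunnel name, finding) triples for weak or permissive settings."""
    findings = []
    for table in ("vpn ipsec phase1-interface", "vpn ipsec phase2-interface"):
        for name, attrs in tables.get(table, {}).items():
            for proposal in attrs.get("proposal", []):
                # Proposals look like '<cipher>-<hash>', e.g. 3des-sha1 or aes256-sha256.
                for token in proposal.split("-"):
                    if token in WEAK_ALGORITHMS:
                        findings.append((table, name, f"proposal {proposal}: {WEAK_ALGORITHMS[token]}"))
            if table.endswith("phase1-interface"):
                if attrs.get("mode", ["main"])[0] == "aggressive":
                    findings.append((table, name, "IKEv1 aggressive mode sends the peer identity in the "
                                     "clear and exposes the PSK-derived hash to offline cracking; use "
                                     "main mode or set ike-version 2"))
                # FortiOS defaults peertype to 'any', so a dialup tunnel then accepts any peer ID.
                if attrs.get("type", ["static"])[0] == "dynamic" and attrs.get("peertype", ["any"])[0] == "any":
                    findings.append((table, name, "dynamic tunnel accepts any peer ID; set peertype one "
                                     "or dialup with a peerid, or use certificates"))
                for group in attrs.get("dhgrp", []):
                    if group in WEAK_DH_GROUPS:
                        findings.append((table, name, f"dhgrp {group} is a weak MODP group; use 14 or higher"))
    return findings


def lint_text(text: str) -> list[tuple[str, str, str]]:
    return lint_ipsec(parse_fortios_config(text))


if __name__ == "__main__":
    for table, name, msg in lint_text(SAMPLE_CONFIG):
        print(f"{table} '{name}': {msg}")
```

Feed it the output of show vpn ipsec phase1-interface and show vpn ipsec phase2-interface; the parser ignores lines it does not recognise, and only explicitly set attributes are checked, so defaults such as dhgrp are not reported unless they appear in the configuration.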

IPsec Auto-Discovery VPN (ADVPN)

Consider a company that wants to provide direct secure (IPsec) connections between all of its offices in New York, Chicago, Greenwich, London, Paris, Frankfurt, Tokyo, Shanghai, and Hong Kong.

A straightforward solution is to create a full mesh of connections such that every site has eight IPsec configurations, one for each of the other sites. If there were ninety sites, that could still be done, but now the configuration is becoming tedious, since every time a new site is added, N-1 other sites have to have their configuration updated.

An efficient and secure alternative is IPsec Auto-Discovery VPN (ADVPN), which allows a minimum amount of configuration per site but still allows direct IPsec connections to be made between every site. RFC 7018 essentially describes this problem, along with some requirements for candidate solutions.

The ADVPN solution involves partitioning the sites into spokes and hubs such that a spoke has to have enough IPsec configuration to enable it to connect to at least one hub. A hub does not have specific configuration for each spoke, so the amount of configuration does not grow with the number of spokes that are connected to that hub. A hub to hub connection would typically involve both hubs having configuration for each other.

So, one possible partition for the original nine sites would be that Chicago and Greenwich would be spokes for the New York hub, Paris and Frankfurt would be spokes for the London hub, and Tokyo and Hong Kong would be spokes for the Shanghai hub.

Once a spoke has established a connection to its hub, then initially IPsec traffic to another site transits via one or more hubs. For example, traffic from Chicago to Hong Kong would transit via the New York and Shanghai hubs. This transit traffic then triggers an attempt to create a more direct connection.

In FortiOS:


l Direct connections are only created between the two endpoints that want to exchange traffic (e.g. Chicago and Hong Kong); we do not create intermediate connections (say Chicago to Shanghai, or New York to Hong Kong) as a side-effect.
l Learning the peer subnets is done via a dynamic routing protocol running over the IPsec connections.
l Negotiation of the direct connections is done via IKE.
l Both PSK and certificate authentication are supported.

Example ADVPN configuration

Since dynamic routing with IPsec under FortiOS requires that an interface have an IP address, for every site a unique IP address from some unused range is allocated. For example, we'll assume that 10.100.0.0/16 is unused and so assign the IP addresses:

l New York 10.100.0.1
l London 10.100.0.2
l Shanghai 10.100.0.3
l Chicago 10.100.0.4
l Greenwich 10.100.0.5
l Paris 10.100.0.6
l Frankfurt 10.100.0.7
l Hong Kong 10.100.0.8
l Tokyo 10.100.0.9

We'll assume that each site has one or more subnets that it protects that it wants to make available to the peers. For the purposes of exposition we'll assume there is only one subnet per site and they are allocated as:

l New York 10.0.1.0/24
l London 10.0.2.0/24
l Shanghai 10.0.3.0/24
l Chicago 10.0.4.0/24
l Greenwich 10.0.5.0/24
l Paris 10.0.6.0/24
l Frankfurt 10.0.7.0/24
l Hong Kong 10.0.8.0/24
l Tokyo 10.0.9.0/24

Our example network topology now looks like this:


The configuration in Chicago would be as follows:
config vpn ipsec phase1-interface
edit "New York"
set type static
set interface wan1
set remote-gw <New-York-IP-address>
set psksecret <New-York-PSK>
set auto-discovery-receiver enable
next
end

The attribute auto-discovery-receiver indicates that this IPsec tunnel wishes to participate in an auto-discovery VPN. The IPsec inter
face would then have its IP assigned according to the Chicago address:
config system interface
edit "New York"
set ip 10.100.0.4/32
set remote-ip 10.100.0.1
next
end

RIP (for simplicity; you could use OSPF or BGP) is then configured to run on the IPsec interface and on the Chicago subnet (you could use redistribute connected, but we'll allow for the fact that there may be other subnets learned from another router on the 10.0.4.0/24 subnet):
config router rip
config network
edit 1
set prefix 10.100.0.0/16
next
edit 2
set prefix 10.0.4.0/24
next
end
end

Other than the firewall policy and a minimal phase 2 configuration, this concludes the configuration for Chicago.

Each spoke would have a similar configuration.

The New York hub would have a dynamic phase 1 for its spoke connections, and two static phase 1s for its connections to the other hubs:
config vpn ipsec phase1-interface
edit "Spokes"
set type dynamic
set interface wan1
set psksecret <New-York-PSK>
set auto-discovery-sender enable
set auto-discovery-psk enable
set add-route disable
next
edit "London"
set type static
set interface wan1
set remote-gw <London-IP-address>
set psksecret <New-York-London-PSK>
set auto-discovery-forwarder enable
next
edit "Shanghai"
set type static
set interface wan1
set remote-gw <Shanghai-IP-address>
set psksecret <New-York-Shanghai-PSK>
set auto-discovery-forwarder enable
next
end

The 'Spokes' connection has set auto-discovery-sender enable to indicate that when IPsec traffic transits the hub it should optionally generate a message to the initiator of the traffic to indicate that it could perhaps establish a more direct connection. The set add-route disable ensures that IKE does not automatically add a route back over the spoke and instead leaves routing to a separately configured routing protocol.

The two inter-hub connections have set auto-discovery-forwarder enable to indicate that these connections can participate in the auto-discovery process. The interface IP addresses are assigned:
config system interface
edit "Spokes"
set ip 10.100.0.1/32
set remote-ip 10.100.0.254
next
edit "London"
set ip 10.100.0.1/32
set remote-ip 10.100.0.2
next
edit "Shanghai"
set ip 10.100.0.1/32
set remote-ip 10.100.0.3
next
end

Following this, RIP is enabled on the relevant interfaces:
config router rip
config network
edit 1
set prefix 10.100.0.0/16
next
edit 2
set prefix 10.0.1.0/24
next
end
end

A similar configuration would be used on the other two hubs.

Traffic flow and tunnel connection
With the configuration in place at all spokes and hubs, and assuming all the spokes are connected to a hub, Chicago would learn (via RIP) that the route to the Hong Kong subnet 10.0.8.0/24 is via its "New York" interface. If a device on the Chicago protected subnet (say 10.0.4.45) attempted to send traffic to the Hong Kong protected subnet (say 10.0.8.13), then it should flow over the New York interface to New York, which should then transmit it over the Shanghai tunnel to Shanghai, which should then send it over the dynamically negotiated Hong Kong tunnel to Hong Kong.

At the point when the traffic transits New York, it should notice that the Chicago Spoke tunnel and the Shanghai tunnel have auto-discovery enabled, causing the New York hub to send a message via IKE to Chicago informing it that it may want to try and negotiate a direct connection for traffic from 10.0.4.45 to 10.0.8.13.

On receipt of this message, IKE on Chicago creates the (FortiOS-specific) IKE INFORMATIONAL SHORTCUT-QUERY message, which contains the Chicago public IP address, the source IP of the traffic (10.0.4.45), the desired destination IP (10.0.8.13), and the PSK that should be used to secure any direct tunnel (if certificates are configured, it is assumed that they all share the same CA and so no additional authentication information is required). This message is sent via IKE to New York since routing indicates that New York is the best route to 10.0.8.13.

On receipt of the IKE INFORMATIONAL query, New York checks its routing table to see who owns 10.0.8.13. It finds that 10.0.8.13 should be routed via Shanghai, and since Shanghai is marked as an auto-discovery-forwarder, the query is forwarded.

Shanghai repeats the process, finds that 10.0.8.13 should be routed via its Hong Kong Spoke and so sends it to Hong Kong. Hong Kong checks 10.0.8.13, finds that it owns the subnet, so it remembers the Chicago public IP address (and PSK) and creates an IKE INFORMATIONAL reply message containing its external IP address. To work out where to send the IKE message, the FortiGate does a routing lookup for the original source IP (10.0.4.45), determines that the message should be routed via its Shanghai tunnel and so sends the reply back to Shanghai. The reply then makes its way back to Chicago following the reverse of the path that it used to arrive at Hong Kong. Because the query and reply are carried hop by hop inside the existing IKE SAs, each hub on the path handles them in the clear, including the PSK for the direct tunnel, so the hubs must be trusted.

When the reply makes it back to the Chicago initiator, it now knows the IP address of the Hong Kong device. Chicago now creates a new dynamic tunnel with the remote gateway as the Hong Kong public IP address and initiates an IKE negotiation (the dynamic tunnel name is auto-generated from the tunnel over which it performed the query; in this case it would be called 'New York_0').


This negotiation should succeed since Hong Kong is set up to expect an attempted negotiation from the Chicago public IP address. Once the negotiation succeeds, RIP will start to run on the newly created tunnels at Chicago and Hong Kong. This will update the routing on Chicago (and Hong Kong) so that the preferred route to 10.0.8.0/24 (10.0.4.0/24) is via the newly created tunnel rather than via the connection to New York (Shanghai).
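The shortcut-query walk above is easier to reason about as a model. The following Python is an added example, not FortiOS code: it reproduces the hop-by-hop decision the text describes (each device routes the query by its own routing table, a transit device forwards it only over a tunnel that takes part in auto-discovery, the owner of the destination prefix answers, and the reply is routed the same way toward the original source address) and shows what happens when an inter-hub tunnel lacks auto-discovery-forwarder. Site names and prefixes are the page's; the public IPs (TEST-NET-3 addresses), the RIP-learned route tables and the data structures are this example's own assumptions.

```python
"""Model of the ADVPN shortcut-query walk described on this page.

Added example, not FortiOS code. Topology, route tables and public IPs are constructed
to match the page's New York / Shanghai hub example; the message handling is a
simplified model of the behaviour the text describes, not an implementation of IKE."""

from __future__ import annotations

import ipaddress
from dataclasses import dataclass

IPv4Network = ipaddress.IPv4Network


@dataclass
class Tunnel:
    peer: str                # site at the other end of this tunnel
    forwarder: bool = False  # set auto-discovery-forwarder enable (hub-to-hub)
    sender: bool = False     # set auto-discovery-sender enable (hub's dynamic 'Spokes' tunnel)
    receiver: bool = False   # set auto-discovery-receiver enable (spoke's tunnel to its hub)


@dataclass
class Site:
    name: str
    public_ip: str
    local_prefix: IPv4Network
    tunnels: dict[str, Tunnel]      # tunnel name -> Tunnel
    routes: dict[IPv4Network, str]  # prefix -> tunnel name, as learned via RIP


def lookup(site: Site, ip: str) -> str | None:
    """Longest-prefix match of ip against the site's learned routes."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, tun) for net, tun in site.routes.items() if addr in net]
    return max(matches)[1] if matches else None


def walk(sites: dict[str, Site], origin: str, dst_ip: str) -> tuple[list[str], Site | None]:
    """Carry a message from origin toward the site that owns dst_ip.
    Returns the sites visited and the owner, or None when a hop has no route or the next
    tunnel is not allowed to take part in auto-discovery."""
    dst = ipaddress.ip_address(dst_ip)
    site = sites[origin]
    path = [origin]
    while dst not in site.local_prefix:
        tun_name = lookup(site, dst_ip)
        if tun_name is None:
            return path, None
        tun = site.tunnels[tun_name]
        # The originator sends toward its hub regardless; transit devices only forward
        # over tunnels flagged as auto-discovery forwarders or senders.
        if site.name != origin and not (tun.forwarder or tun.sender):
            return path, None
        site = sites[tun.peer]
        path.append(site.name)
    return path, site


def shortcut_query(sites: dict[str, Site], origin: str, src_ip: str, dst_ip: str):
    """SHORTCUT-QUERY from origin for traffic src_ip -> dst_ip.
    Returns (query path, reply path, public IP of the destination owner); the public IP
    is None when the query or reply cannot be delivered, so no direct tunnel is negotiated."""
    query_path, owner = walk(sites, origin, dst_ip)
    if owner is None:
        return query_path, [], None
    # The owner routes its reply by looking up the original source address.
    reply_path, back_at = walk(sites, owner.name, src_ip)
    if back_at is None or back_at.name != origin:
        return query_path, reply_path, None
    return query_path, reply_path, owner.public_ip


def build_example_topology(inter_hub_forwarder: bool = True) -> dict[str, Site]:
    """Chicago -> New York (hub) <-> Shanghai (hub) <- Hong Kong, with RIP-learned routes."""
    net = ipaddress.ip_network

    def site(name, public_ip, prefix, tunnels, routes):
        return Site(name, public_ip, net(prefix), tunnels, {net(p): t for p, t in routes.items()})

    return {
        "Chicago": site("Chicago", "203.0.113.4", "10.0.4.0/24",
                        {"New York": Tunnel("New York", receiver=True)},
                        {"10.0.1.0/24": "New York", "10.0.3.0/24": "New York", "10.0.8.0/24": "New York"}),
        "New York": site("New York", "203.0.113.1", "10.0.1.0/24",
                         {"Spokes_0": Tunnel("Chicago", sender=True),
                          "Shanghai": Tunnel("Shanghai", forwarder=inter_hub_forwarder)},
                         {"10.0.4.0/24": "Spokes_0", "10.0.3.0/24": "Shanghai", "10.0.8.0/24": "Shanghai"}),
        "Shanghai": site("Shanghai", "203.0.113.3", "10.0.3.0/24",
                         {"Spokes_0": Tunnel("Hong Kong", sender=True),
                          "New York": Tunnel("New York", forwarder=inter_hub_forwarder)},
                         {"10.0.8.0/24": "Spokes_0", "10.0.1.0/24": "New York", "10.0.4.0/24": "New York"}),
        "Hong Kong": site("Hong Kong", "203.0.113.8", "10.0.8.0/24",
                          {"Shanghai": Tunnel("Shanghai", receiver=True)},
                          {"10.0.1.0/24": "Shanghai", "10.0.3.0/24": "Shanghai", "10.0.4.0/24": "Shanghai"}),
    }


if __name__ == "__main__":
    print(shortcut_query(build_example_topology(), "Chicago", "10.0.4.45", "10.0.8.13"))
```

With the forwarder flag present the query visits Chicago, New York, Shanghai and Hong Kong and the reply retraces that path, so Chicago learns Hong Kong's public IP and can open the direct tunnel; with inter_hub_forwarder=False the query stops at New York and no shortcut is attempted, which is the symptom to look for when a hub-to-hub phase 1 was configured without auto-discovery-forwarder.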

Notes about ADVPN in FortiOS
l Auto-discovery is only supported by IKEv1.
l All spokes must have an IP address that is routable from any other spoke; devices behind NAT are not currently supported.
l The feature requires the use of a dynamic routing protocol. There is no support for IKE handling routing.
l RIP is not a very scalable routing protocol. When there are more than a few spokes it would be advisable to use route summarization to avoid huge RIP updates. Better yet, use BGP instead of RIP.
l It is assumed that spokes will not be used to transit other spoke traffic; for example, traffic from Chicago to Tokyo would not transit an existing Chicago to Hong Kong tunnel even though that has a shorter hop count than a route via New York and Shanghai.
l There is no facility to allow you to filter which traffic that transits the hub should trigger the message sent to the initiator suggesting it create a direct connection. Currently any and all traffic will trigger it.

Logging and monitoring

This section provides some general logging and monitoring procedures for VPNs.

The following topics are included in this section:

Monitoring VPN connections
VPN event logs

Monitoring VPN connections

You can use the monitor to view activity on IPsec VPN tunnels and to start or stop those tunnels. The display provides a list of addresses, proxy IDs, and timeout information for all active tunnels.

Monitoring connections to remote peers
The list of tunnels provides information about VPN connections to remote peers that have static IP addresses or domain names. You can use this list to view status and IP addressing information for each tunnel configuration. You can also start and stop individual tunnels from the list.

To view the list of static-IP and dynamic-DNS tunnels go to Monitor > IPsec Monitor.

Monitoring dialup IPsec connections
The list of dialup tunnels provides information about the status of tunnels that have been established for dialup clients. The list displays the IP addresses of dialup clients and the names of all active tunnels. The number of tunnels shown in the list can change as dialup clients connect and disconnect.

To view the list of dialup tunnels go to Monitor > IPsec Monitor.

If you take down an active tunnel while a dialup client such as FortiClient is still connected, FortiClient will continue to show the tunnel connected and idle. The dialup client must disconnect before another tunnel can be initiated.

The list of dialup tunnels displays the following statistics:

l The Name column displays the name of the tunnel.
l The meaning of the value in the Remote gateway column changes, depending on the configuration of the network at the far end:
l When a FortiClient dialup client establishes a tunnel, the Remote gateway column displays either the public IP address and UDP port of the remote host device (on which the FortiClient Endpoint Security application is installed), or, if a NAT device exists in front of the remote host, the public IP address and UDP port of the NAT device.
l When a FortiGate dialup client establishes a tunnel, the Remote gateway column displays the public IP address and UDP port of the FortiGate dialup client.
l The Username column displays the peer ID, certificate name, or XAuth user name of the dialup client (if a peer ID, certificate name, or XAuth user name was assigned to the dialup client for authentication purposes).


l The Timeout column displays the time before the next key exchange. The time is calculated by subtracting the time elapsed since the last key exchange from the keylife.
l The Proxy ID Source column displays the IP addresses of the hosts, servers, or private networks behind the FortiGate unit. A network range may be displayed if the source address in the security encryption policy was expressed as a range of IP addresses.
l The meaning of the value in the Proxy ID Destination column changes, depending on the configuration of the network at the far end:
l When a FortiClient dialup client establishes a tunnel:
l If VIP addresses are not used and the remote host connects to the Internet directly, the Proxy ID Destination field displays the public IP address of the Network Interface Card (NIC) in the remote host.
l If VIP addresses are not used and the remote host is behind a NAT device, the Proxy ID Destination field displays the private IP address of the NIC in the remote host.
l If VIP addresses were configured (manually or through FortiGate DHCP relay), the Proxy ID Destination field displays either the VIP address belonging to a FortiClient dialup client, or a subnet address from which VIP addresses were assigned.
l When a FortiGate dialup client establishes a tunnel, the Proxy ID Destination field displays the IP address of the remote private network.

VPN event logs

You can configure the FortiGate unit to log VPN events. For IPsec VPNs, Phase 1 and Phase 2 authentication and encryption events are logged. For information about how to interpret log messages, see the FortiGate Log Message Reference.

Logging VPN events

1. Go to Log & Report > Log Settings.
2. Verify that the VPN activity event option is selected.
3. Select Apply.

Viewing event logs

1. Go to Log & Report > VPN Events.
2. Select the Log location.

Sending tunnel statistics to FortiAnalyzer
By default, logged events include tunnel-up and tunnel-down status events. Other events, by default, will appear in the FortiAnalyzer report as "No Data Available". More accurate results require logs with action=tunnel-stats, which is used in generating reports on the FortiAnalyzer (rather than the tunnel-up and tunnel-down event logs). The FortiGate does not, by default, send tunnel-stats information.

To allow VPN tunnel-stats to be sent to FortiAnalyzer, configure the FortiGate unit as follows using the CLI:
config system settings
set vpn-stats-log ipsec ssl
set vpn-stats-period 300
end

Troubleshooting

This section contains tips to help you with some common challenges of IPsec VPNs.

A VPN connection has multiple stages that can be confirmed to ensure the connection is working properly. It is easiest to check the final stage first, since if it is successful the other stages will be working properly. Otherwise, you will need to work back through the stages to see where the problem is located.

When a VPN connection is properly established, traffic will flow from one end to the other as if both ends were physically in the same place. If you can determine the connection is working properly then any remaining problems are likely problems with your applications.

On some FortiGate units, such as the FortiGate 94D, you cannot ping over the IPsec tunnel without first setting a source IP. In this scenario, you must assign an IP address to the virtual IPsec VPN interface. Anything sourced from the FortiGate going over the VPN will use this IP address.

If the egress/outgoing interface (determined by the kernel route) has an IP address, the IP address of the egress/outgoing interface is used. Otherwise, the IP address of the first interface from the interface list that has an IP address is used.

The first diagnostic command worth running, in any IPsec VPN troubleshooting situation, is the following:
diagnose vpn tunnel list

This command is very useful for gathering statistical data such as the number of packets encrypted versus decrypted, the number of bytes sent versus received, the SPI identifier, etc. This kind of information in the resulting output can make all the difference in determining the issue with the VPN.

Another appropriate diagnostic command worth trying is:
diagnose debug flow

This command will inform you of any lack of firewall policy, lack of forwarding route, and of policy ordering issues.

The following is a list of such potential issues. Bear in mind that the troubleshooting suggestions below are not exhaustive, and may not reflect your network topology.

The options to configure policy-based IPsec VPN are unavailable.
Go to System > Feature Select. Select Show More and turn on Policy-based IPsec VPN.

The VPN connection attempt fails.
If your VPN fails to connect, check the following:

l Ensure that the pre-shared keys match exactly (see The pre-shared key does not match (PSK mismatch error) below).
l Ensure that both ends use the same P1 and P2 proposal settings (see The SA proposals do not match (SA proposal mismatch) below).
l Ensure that you have allowed inbound and outbound traffic for all necessary network services, especially if services such as DNS or DHCP are having problems.
l Check that a static route has been configured properly to allow routing of VPN traffic.
l Ensure that your FortiGate unit is in NAT/Route mode, rather than Transparent.


- Check your NAT settings, enabling NAT traversal in the Phase 1 configuration while disabling NAT in the security
  policy. You might need to pin the PAT/NAT session table, or use some kind of NAT-T keepalive to avoid the
  expiration of your PAT/NAT translation.
- Ensure that both ends of the VPN tunnel are using Main mode, unless multiple dial-up tunnels are being used.
- If you have multiple dial-up IPsec VPNs, ensure that the Peer ID is configured properly on the FortiGate and that
  clients have specified the correct Local ID.
- If you are using FortiClient, ensure that your version is compatible with the FortiGate firmware by reading the
  FortiOS Release Notes.
- If you are using Perfect Forward Secrecy (PFS), ensure that it is used on both peers. You can use the diagnose
  vpn tunnel list command to troubleshoot this.
- Ensure that the Quick Mode selectors are correctly configured. If part of the setup currently uses firewall
  addresses or address groups, try changing it to either specify the IP addresses or use an expanded address range.
  This is especially useful if the remote endpoint is not a FortiGate device.
- If XAUTH is enabled, ensure that the settings are the same for both ends, and that the FortiGate unit is set to
  Enable as Server.
- Check the IPsec VPN Maximum Transmission Unit (MTU) size. A 1500-byte MTU leaves no room for the overhead
  of the ESP header, the additional outer IP header, etc. You can use the diagnose vpn tunnel list
  command to troubleshoot this.
- If your FortiGate unit is behind a NAT device, such as a router, configure port forwarding for UDP ports 500 and
  4500.
- Remove any Phase 1 or Phase 2 configurations that are not in use. If a duplicate instance of the VPN tunnel
  appears on the IPsec Monitor, reboot your FortiGate unit to try and clear the entry.

If you are still unable to connect to the VPN tunnel, run the following diagnostic commands in the CLI:
diagnose debug application ike -1
diagnose debug enable

The resulting output may indicate where the problem is occurring. When you are finished, disable the diagnostics
by using the following commands:
diagnose debug reset
diagnose debug disable

The VPN tunnel goes down frequently.
If your VPN tunnel goes down often, check the Phase 2 settings and either increase the Keylife value or enable
Autokey Keep Alive.

The pre-shared key does not match (PSK mismatch error).
It is possible to identify a PSK mismatch using the following combination of CLI commands:
diag vpn ike log-filter name <phase1-name>
diag debug app ike -1
diag debug enable

This will provide you with clues as to any PSK or other proposal issues. If it is a PSK mismatch, you should see
something similar to the following output:
ike 0:TRX:322: PSK auth failed: probable pre-shared key mismatch
ike Negotiate SA Error:

The SA proposals do not match (SA proposal mismatch).
The most common problem with IPsec VPN tunnels is a mismatch between the proposals offered by each
party. Without a match and proposal agreement, Phase 1 can never establish. Use the following commands to
show the proposals presented by both parties.
diag debug app ike -1
diag debug enable

The resulting output should include something similar to the following, where blue represents the remote VPN
device, and green represents the local FortiGate (the colours are not reproduced in this copy; the proposals listed
under "incoming proposal:" are the ones received from the remote device).
responder received SA_INIT msg
incoming proposal:
proposal id = 1:
protocol = IKEv2:
encapsulation = IKEv2/none
type=ENCR, val=AES_CBC (key_len = 256)
type=INTEGR, val=AUTH_HMAC_SHA_96
type=PRF, val=PRF_HMAC_SHA
type=DH_GROUP, val=1536.
proposal id = 2:
protocol = IKEv2:
encapsulation = IKEv2/none
type=ENCR, val=3DES_CBC
type=INTEGR, val=AUTH_HMAC_SHA_2_256_128
type=PRF, val=PRF_HMAC_SHA2_256
type=DH_GROUP, val=1536.
proposal id = 1:
protocol = IKEv2:
encapsulation = IKEv2/none
type=ENCR, val=AES_CBC (key_len = 128)
type=INTEGR, val=AUTH_HMAC_SHA_96
type=PRF, val=PRF_HMAC_SHA
type=DH_GROUP, val=1536.
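To make the comparison above mechanical, here is an added example (not from the FortiOS handbook) that parses the proposal blocks of the IKE debug output and reports which attribute keeps the two sides from agreeing. It assumes the local FortiGate's proposals follow the incoming ones and that the proposal id restarting at 1 marks the boundary, since the colour coding of the original output is not available in text.

```python
import re

# Constructed sample in the shape of the "diag debug app ike -1" output shown above.
# Assumption (colour coding is lost in text): the incoming (remote) proposals come
# first and the local FortiGate's proposals follow; the proposal id restarting at 1
# marks the boundary between the two lists.
SAMPLE = """\
responder received SA_INIT msg
incoming proposal:
proposal id = 1:
protocol = IKEv2:
encapsulation = IKEv2/none
type=ENCR, val=AES_CBC (key_len = 256)
type=INTEGR, val=AUTH_HMAC_SHA_96
type=PRF, val=PRF_HMAC_SHA
type=DH_GROUP, val=1536.
proposal id = 2:
protocol = IKEv2:
encapsulation = IKEv2/none
type=ENCR, val=3DES_CBC
type=INTEGR, val=AUTH_HMAC_SHA_2_256_128
type=PRF, val=PRF_HMAC_SHA2_256
type=DH_GROUP, val=1536.
proposal id = 1:
protocol = IKEv2:
encapsulation = IKEv2/none
type=ENCR, val=AES_CBC (key_len = 128)
type=INTEGR, val=AUTH_HMAC_SHA_96
type=PRF, val=PRF_HMAC_SHA
type=DH_GROUP, val=1536.
"""

ATTRS = ("ENCR", "INTEGR", "PRF", "DH_GROUP")
PROPOSAL_RE = re.compile(r"proposal id = (\d+):")
ATTR_RE = re.compile(r"type=(\w+), val=(.+?)\.?$")   # trailing "." as in "val=1536."


def parse_proposals(text):
    """Return (incoming, local): two lists of {"id": n, ATTR: value} dicts."""
    parties = [[]]
    last_id = 0
    for line in text.splitlines():
        line = line.strip()
        m = PROPOSAL_RE.search(line)
        if m:
            pid = int(m.group(1))
            if pid <= last_id:          # id counter restarted: the other party's list begins
                parties.append([])
            last_id = pid
            parties[-1].append({"id": pid})
            continue
        m = ATTR_RE.search(line)
        if m and parties[-1]:
            parties[-1][-1][m.group(1)] = m.group(2).strip()
    local = parties[1] if len(parties) > 1 else []
    return parties[0], local


def find_match(incoming, local):
    """First (remote, local) pair that agrees on every attribute, or None (= SA proposal mismatch)."""
    for remote in incoming:
        for loc in local:
            if all(remote.get(a) == loc.get(a) for a in ATTRS):
                return remote, loc
    return None


def explain_mismatch(incoming, local):
    """For each remote proposal, the attributes that differ from the closest local proposal.

    Returns a list of (remote_id, local_id, [(attr, remote_value, local_value), ...]).
    """
    report = []
    for remote in incoming:
        if not local:
            report.append((remote["id"], None, [(a, remote.get(a), None) for a in ATTRS]))
            continue
        best = min(local, key=lambda loc: sum(remote.get(a) != loc.get(a) for a in ATTRS))
        diffs = [(a, remote.get(a), best.get(a)) for a in ATTRS if remote.get(a) != best.get(a)]
        report.append((remote["id"], best["id"], diffs))
    return report


if __name__ == "__main__":
    incoming, local = parse_proposals(SAMPLE)
    if find_match(incoming, local):
        print("proposals agree")
    else:
        for rid, lid, diffs in explain_mismatch(incoming, local):
            print(f"remote proposal {rid} vs local proposal {lid}:")
            for attr, rv, lv in diffs:
                print(f"  {attr}: remote={rv} local={lv}")
```

On the sample above the only difference between the remote's first proposal and the local one is the AES key length (256 versus 128), which is exactly the kind of detail that is easy to miss when reading the output by eye.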

Pre-existing IPsec VPN tunnels need to be cleared.
Should you need to clear an IKE gateway, use the following commands:
diagnose vpn ike restart
diagnose vpn ike gateway clear

LAN interface connection
To confirm whether a VPN connection over LAN interfaces has been configured correctly, issue a ping or
traceroute command on the network behind the FortiGate unit to test the connection to a computer on the remote
network. If the connection is properly configured, a VPN tunnel will be established automatically when the first
data packet destined for the remote network is intercepted by the FortiGate unit.

If the ping or traceroute fails, it indicates a connection problem between the two ends of the tunnel. This may or
may not indicate problems with the VPN tunnel. You can confirm this by going to Monitor > IPsec Monitor,
where you will be able to see your connection. A green arrow means the tunnel is up and currently processing
traffic. A red arrow means the tunnel is not processing traffic, and this VPN connection has a problem.

If the connection has problems, see Troubleshooting VPN connections on page 217.

Dialup connection
A dialup VPN connection has additional steps. To confirm that a VPN between a local network and a dialup client
has been configured correctly, at the dialup client, issue a ping command to test the connection to the local
network. The VPN tunnel initializes when the dialup client attempts to connect.

If the ping or traceroute fails, it indicates a connection problem between the two ends of the tunnel. This may or
may not indicate problems with the VPN tunnel, or dialup client. As with the LAN connection, confirm the VPN
tunnel is established by checking Monitor > IPsec Monitor.

Troubleshooting VPN connections
If you have determined that your VPN connection is not working properly through Troubleshooting on page 214,
the next step is to verify that you have a phase 2 connection.

If traffic is not passing through the FortiGate unit as you expect, ensure the traffic does not contain IPcomp
packets (IP protocol 108, RFC 3173). FortiGate units do not allow IPcomp packets because they compress the
packet payload, preventing it from being scanned.

Testing Phase 1 and 2 connections is a bit more difficult than testing the working VPN. This is because they
require diagnose CLI commands. These commands are typically used by Fortinet customer support to discover
more information about your FortiGate unit and its current configuration.

Before you begin troubleshooting, you must:

- Configure FortiGate units on both ends for interface VPN
- Record the information in your VPN Phase 1 and Phase 2 configurations; for our example here the remote IP
  address is 10.11.101.10 and the names of the phases are Phase1 and Phase2
- Install a telnet or SSH client such as putty that allows logging of output
- Ensure that the admin interface supports your chosen connection protocol so you can connect to your FortiGate unit
  admin interface.

For this example, default values were used unless stated otherwise.

Obtaining diagnose information for the VPN connection - CLI

1. Log into the CLI as admin with the output being logged to a file.
2. Stop any diagnose debug sessions that are currently running with the CLI command
diagnose debug disable

3. Clear any existing log-filters by running
diagnose vpn ike log-filter clear

4. Set the log-filter to the IP address of the remote computer (10.11.101.10). This filters out all VPN connections
except ones to the IP address we are concerned with. The command is
diagnose vpn ike log-filter dst-addr4 10.11.101.10

5. Set up the commands to output the VPN handshaking. The commands are:
diagnose debug app ike 255
diagnose debug enable

6. Have the remote FortiGate initiate the VPN connection in the web-based manager by going to
VPN > IPsec Tunnels and selecting Bring up.

This makes the remote FortiGate the initiator and the local FortiGate becomes the responder. Establishing the
connection in this manner means the local FortiGate will have its configuration information as well as the
information the remote computer sends. Having both sets of information locally makes it easier to troubleshoot
your VPN connection.
7. Watch the screen for output, and after roughly 15 seconds enter the following CLI command to stop the output.
diagnose debug disable

8. If needed, save the log file of this output to a file on your local computer. Saving the output to a file can make it
easier to search for a particular phrase, and is useful for comparisons.

Troubleshooting a Phase 1 VPN connection

Using the output from Obtaining diagnose information for the VPN connection - CLI on page 217, search for the
word proposal in the output. It may occur once, indicating a successful connection, or it will occur two or more
times for an unsuccessful connection: there will be one proposal listed for each end of the tunnel and for each
possible combination in their settings. For example, if 10.11.101.10 selected both Diffie-Hellman Groups 1 and 5,
there would be at least 2 proposals set.

A successful negotiation proposal will look similar to
IPsec SA connect 26 10.12.101.10->10.11.101.10:500
config found
created connection: 0x2f55860 26 10.12.101.10->10.11.101.10:500
IPsec SA connect 26 10.12.101.10->10.11.101.10:500 negotiating
no suitable ISAKMP SA, queuing quick-mode request and initiating ISAKMP SA negotiation
initiator: main mode is sending 1st message...
cookie 3db6afe559e3df0f/0000000000000000
out [encryption]
sent IKE msg (ident-i1send): 10.12.101.10:500->10.11.101.10:500, len=264,
id=3db6afe559e3df0f/0000000000000000
diaike 0: comes 10.12.101.1:500->10.11.101.1:500,ifindex=26....

Note the phrase initiator: main mode is sending 1st message... which shows you the
handshake between the ends of the tunnel is in progress. Initiator shows the remote unit is sending the first
message.

VPN troubleshooting tips

More in-depth VPN troubleshooting can be found in the Troubleshooting guide.

Attempting hardware offloading beyond SHA1
If you are trying to off-load VPN processing to a network processing unit (NPU), remember that only SHA1
authentication is supported. For higher levels of authentication such as SHA256, SHA384, and SHA512, hardware
offloading is not an option: all VPN processing must be done in software.
Enable/disable IPsec ASIC-offloading
Much like NPU-offload in IKE phase 1 configuration, you can enable or disable the usage of ASIC hardware for
IPsec Diffie-Hellman key exchange and IPsec ESP traffic. By default hardware offloading is used. For debugging
purposes, sometimes it is best for all the traffic to be processed by software.
config sys global
set ipsec-asic-offload [enable | disable]
end

Check Phase 1 proposal settings
Ensure that both sides have at least one Phase 1 proposal in common. Otherwise they will not connect. If there
are many proposals in the list, this will slow down the negotiating of Phase 1. If it's too slow, the connection may
time out before completing. If this happens, try removing some of the unused proposals.

NPU offloading is supported when the local gateway is a loopback interface.

Check your routing
If routing is not properly configured with an entry for the remote end of the VPN tunnel, traffic will not flow
properly. You may need static routes on both ends of the tunnel. If routing is the problem, the proposal will likely
set up properly but no traffic will flow.

Try enabling XAuth
If one end of an attempted VPN tunnel is using XAuth and the other end is not, the connection attempt will fail.
The log messages for the attempted connection will not mention XAuth as the reason, but when connections are
failing it is a good idea to ensure both ends have the same XAuth settings. If you do not know the other end's
settings, enable or disable XAuth on your end to see if that is the problem.

General troubleshooting tips

Most connection failures are due to a configuration mismatch between the FortiGate unit and the remote peer. In
general, begin troubleshooting an IPsec VPN connection failure as follows:

1. Ping the remote network or client to verify whether the connection is up. See General troubleshooting tips on page
219.
2. Traceroute the remote network or client. If DNS is working, you can use domain names. Otherwise use IP
addresses.
3. Check the routing behind the dialup client. Routing problems may be affecting DHCP. If this appears to be the
case, configure a DHCP relay service to enable DHCP requests to be relayed to a DHCP server on or behind the
FortiGate server.
4. Verify the configuration of the FortiGate unit and the remote peer. Check the following IPsec parameters:
- The mode setting for ID protection (main or aggressive) on both VPN peers must be identical.
- The authentication method (preshared keys or certificates) used by the client must be supported on the
  FortiGate unit and configured properly.
- If preshared keys are being used for authentication purposes, both VPN peers must have identical preshared
  keys.
- The remote client must have at least one set of Phase 1 encryption, authentication, and Diffie-Hellman settings
  that match corresponding settings on the FortiGate unit.
- Both VPN peers must have the same NAT traversal setting (enabled or disabled).

- The remote client must have at least one set of Phase 2 encryption and authentication algorithm settings that
  match the corresponding settings on the FortiGate unit.
- If you are using manual keys to establish a tunnel, the Remote SPI setting on the FortiGate unit must be
  identical to the Local SPI setting on the remote peer, and vice versa.
5. To correct the problem, see the following table.

VPN troubleshooting tips

Configuration problem: Mode settings do not match.
Correction: Select complementary mode settings. See Phase 1 parameters on page 47.

Configuration problem: Peer ID or certificate name of the remote peer or dialup client is not recognized by the
FortiGate VPN server.
Correction: Check the Phase 1 configuration. Depending on the Remote Gateway and Authentication Method
settings, you have a choice of options to authenticate FortiGate dialup clients or VPN peers by ID or certificate
name (see Phase 1 parameters on page 47). If you are configuring authentication parameters for FortiClient dialup
clients, refer to the Authenticating FortiClient Dialup Clients Technical Note.

Configuration problem: Preshared keys do not match.
Correction: Reenter the preshared key. See Phase 1 parameters on page 47.

Configuration problem: Phase 1 or Phase 2 key exchange proposals are mismatched.
Correction: Make sure that both VPN peers have at least one set of proposals in common for each phase. See
Phase 1 parameters on page 47 and Phase 2 parameters on page 65.

Configuration problem: NAT traversal settings are mismatched.
Correction: Select or clear both options as required. See Phase 1 parameters on page 47.

A word about NAT devices
When a device with NAT capabilities is located between two VPN peers or a VPN peer and a dialup client, that
device must be NAT traversal (NAT-T) compatible for encrypted traffic to pass through the NAT device. For more
information, see Phase 1 parameters on page 47.

Troubleshooting L2TP and IPsec

This section describes some checks and tools you can use to resolve issues with L2TP-over-IPsec VPNs.

This section includes:

- Quick checks
- Mac OS X and L2TP
- Setting up logging
- Using the FortiGate unit debug commands

Quick checks
The table below is a list of common L2TP over IPsec VPN problems and the possible solutions.

Problem: IPsec tunnel does not come up.
What to check: Check the logs to determine whether the failure is in Phase 1 or Phase 2.
Check the settings, including the encapsulation setting, which must be transport-mode.
Check the user password.
Confirm that the user is a member of the user group assigned to L2TP.
On the Windows PC, check that the IPsec service is running and has not been disabled. See Troubleshooting L2TP
and IPsec on page 220.

Problem: Tunnel connects, but there is no communication.
What to check: Did you create an ACCEPT security policy from the public network to the protected network for
the L2TP clients? See Troubleshooting L2TP and IPsec on page 220.

Mac OS X and L2TP
FortiOS allows L2TP connections with empty AVP host names and therefore Mac OS X L2TP connections can
connect to the FortiGate.

Prior to FortiOS 4.0 MR3, FortiOS refused L2TP connections with empty AVP host names in compliance with
RFC 2661 and RFC 3931.

Setting up logging
L2TP logging must be enabled to record L2TP events. Alert email can be configured to report L2TP errors.

Configuring FortiGate logging for L2TP over IPsec

1. Go to Log & Report > Log Settings.
2. Select Event Log.
3. Select the VPN activity event check box.
4. Select Apply.

Viewing FortiGate logs

1. Go to Log & Report > VPN Events.
2. Select the Log location if required.
3. After each attempt to start the L2TP over IPsec VPN, select Refresh to view logged events.

Using the FortiGate unit debug commands

Viewing debug output for IKE and L2TP

1. Start an SSH or Telnet session to your FortiGate unit.
2. Enter the following CLI commands
diagnose debug application ike -1
diagnose debug application l2tp -1
diagnose debug enable

3. Attempt to use the VPN and note the debug output in the SSH or Telnet session.
4. Enter the following command to reset debug settings to default:
diagnose debug reset

Using the packet sniffer

1. Start an SSH or Telnet session to your FortiGate unit.
2. Enter the following CLI command
diagnose sniffer packet any icmp 4

3. Attempt to use the VPN and note the debug output.
4. Enter Ctrl-C to end sniffer operation.

Typical L2TP over IPsec session startup log entries - raw format
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd="root" msg="progress IPsec Phase 1" action="negotiate" rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1" cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1" status=success init=remote mode=main dir=outbound stage=1 role=responder result=OK

2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd="root" msg="progress IPsec Phase 1" action="negotiate" rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1" cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1" status=success init=remote mode=main dir=outbound stage=2 role=responder result=OK

2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd="root" msg="progress IPsec Phase 1" action="negotiate" rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1" cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1" status=success init=remote mode=main dir=inbound stage=3 role=responder result=DONE

2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec pri=notice vd="root" msg="progress IPsec Phase 1" action="negotiate" rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1" cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" status=success init=remote mode=main dir=outbound stage=3 role=responder result=DONE

2010-01-11 16:39:58 log_id=0101037129 type=event subtype=ipsec pri=notice vd="root" msg="progress IPsec Phase 2" action="negotiate" rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1" cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" status=success init=remote mode=quick dir=outbound stage=1 role=responder result=OK

2010-01-11 16:39:58 log_id=0101037133 type=event subtype=ipsec pri=notice vd="root" msg="install IPsec SA" action="install_sa" rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1" cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" role=responder in_spi=61100fe2 out_spi=bd70fca1

2010-01-11 16:39:58 log_id=0101037139 type=event subtype=ipsec pri=notice vd="root" msg="IPsec Phase 2 status change" action="phase2-up" rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1" cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" phase2_name=dialup_p2

2010-01-11 16:39:58 log_id=0101037138 type=event subtype=ipsec pri=notice vd="root" msg="IPsec connection status change" action="tunnel-up" rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1" cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" tunnel_ip=172.20.120.151 tunnel_id=1552003005 tunnel_type=ipsec duration=0 sent=0 rcvd=0 next_stat=0 tunnel=dialup_p1_0

2010-01-11 16:39:58 log_id=0101037129 type=event subtype=ipsec pri=notice vd="root" msg="progress IPsec Phase 2" action="negotiate" rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1" cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" status=success init=remote mode=quick dir=inbound stage=2 role=responder result=DONE

2010-01-11 16:39:58 log_id=0101037122 type=event subtype=ipsec pri=notice vd="root" msg="negotiate IPsec Phase 2" action="negotiate" rem_ip=172.20.120.151 loc_ip=172.20.120.141 rem_port=500 loc_port=500 out_intf="port1" cookies="5f6da1c0e4bbf680/d6a1009eb1dde780" user="N/A" group="N/A" xauth_user="N/A" xauth_group="N/A" vpn_tunnel="dialup_p1_0" status=success role=responder esp_transform=ESP_3DES esp_auth=HMAC_SHA1

2010-01-11 16:39:58 log_id=0103031008 type=event subtype=ppp vd=root pri=information action=connect status=success msg="Client 172.20.120.151 control connection started (id 805), assigned ip 192.168.0.50"

2010-01-11 16:39:58 log_id=0103029013 type=event subtype=ppp vd=root pri=notice pppd is started

2010-01-11 16:39:58 log_id=0103029002 type=event subtype=ppp vd=root pri=notice user="user1" local=172.20.120.141 remote=172.20.120.151 assigned=192.168.0.50 action=auth_success msg="User 'user1' using l2tp with authentication protocol MSCHAP_V2, succeeded"

2010-01-11 16:39:58 log_id=0103031101 type=event subtype=ppp vd=root pri=information action=tunnel-up tunnel_id=1645784497 tunnel_type=l2tp remote_ip=172.20.120.151 tunnel_ip=192.168.0.50 user="user1" group="L2TPusers" msg="L2TP tunnel established"
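The quick checks above say to read the logs to find out whether a failure is in Phase 1 or Phase 2. As an added example (not from the handbook), the following parser reads raw-format event log lines like those above and reports, per remote peer, how far the L2TP-over-IPsec startup sequence got. The sample lines are constructed from the entries above and trimmed to the fields used; the failing entry for the second peer, and its status/result values, are an assumption.

```python
import re
from collections import defaultdict

# key=value tokens; values are either double-quoted (may contain spaces) or a bare word.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Order in which a successful L2TP-over-IPsec startup completes its stages.
STAGES = ("phase1", "phase2", "ipsec-tunnel", "l2tp")

# Constructed sample, trimmed to the fields the checker reads. The first peer follows the
# successful sequence shown above; the second peer (198.51.100.7) is an assumed failure at
# Phase 1, and its status/result values are assumptions, not taken from the handbook.
SAMPLE_LOG = """\
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec msg="progress IPsec Phase 1" action="negotiate" rem_ip=172.20.120.151 vpn_tunnel="dialup_p1" status=success mode=main dir=outbound stage=1 role=responder result=OK
2010-01-11 16:39:58 log_id=0101037127 type=event subtype=ipsec msg="progress IPsec Phase 1" action="negotiate" rem_ip=172.20.120.151 vpn_tunnel="dialup_p1" status=success mode=main dir=inbound stage=3 role=responder result=DONE
2010-01-11 16:39:58 log_id=0101037129 type=event subtype=ipsec msg="progress IPsec Phase 2" action="negotiate" rem_ip=172.20.120.151 vpn_tunnel="dialup_p1_0" status=success mode=quick dir=outbound stage=1 role=responder result=OK
2010-01-11 16:39:58 log_id=0101037139 type=event subtype=ipsec msg="IPsec Phase 2 status change" action="phase2-up" rem_ip=172.20.120.151 vpn_tunnel="dialup_p1_0" phase2_name=dialup_p2
2010-01-11 16:39:58 log_id=0101037138 type=event subtype=ipsec msg="IPsec connection status change" action="tunnel-up" rem_ip=172.20.120.151 vpn_tunnel="dialup_p1_0" tunnel_type=ipsec
2010-01-11 16:39:58 log_id=0103029013 type=event subtype=ppp vd=root pri=notice pppd is started
2010-01-11 16:39:58 log_id=0103031101 type=event subtype=ppp action=tunnel-up tunnel_type=l2tp remote_ip=172.20.120.151 tunnel_ip=192.168.0.50 user="user1" msg="L2TP tunnel established"
2010-01-11 16:41:10 log_id=0101037127 type=event subtype=ipsec msg="progress IPsec Phase 1" action="negotiate" rem_ip=198.51.100.7 vpn_tunnel="dialup_p1" status=failure mode=main dir=outbound stage=1 role=responder result=ERROR
"""


def parse_line(line):
    """Split one raw-format log line into a dict; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def stage_of(event):
    """Map an event to the startup stage it reports on, or None if it is not one of them."""
    msg, action = event.get("msg", ""), event.get("action", "")
    if event.get("subtype") == "ipsec":
        if "Phase 1" in msg:
            return "phase1"
        if "Phase 2" in msg:
            return "phase2"
        if action == "tunnel-up":
            return "ipsec-tunnel"
    elif event.get("subtype") == "ppp" and action == "tunnel-up":
        return "l2tp"
    return None


def diagnose(lines):
    """Return {peer_ip: verdict}: "ok", "failed at <stage>" or "stopped before <stage>"."""
    done = defaultdict(set)
    failed = {}
    for line in lines:
        e = parse_line(line)
        peer = e.get("rem_ip") or e.get("remote_ip")   # ipsec and ppp name the peer differently
        stage = stage_of(e)
        if not peer or stage is None:
            continue
        if e.get("status") == "failure" or e.get("result") == "ERROR":
            failed.setdefault(peer, stage)          # remember the first failing stage
        elif e.get("action") in ("tunnel-up", "phase2-up") or e.get("result") == "DONE":
            done[peer].add(stage)                   # stage completed
    verdict = {}
    for peer in sorted(set(done) | set(failed)):
        if peer in failed:
            verdict[peer] = "failed at " + failed[peer]
            continue
        missing = [s for s in STAGES if s not in done[peer]]
        verdict[peer] = "ok" if not missing else "stopped before " + missing[0]
    return verdict


if __name__ == "__main__":
    for peer, result in diagnose(SAMPLE_LOG.splitlines()).items():
        print(f"{peer}: {result}")
```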

Troubleshooting GRE over IPsec

This section describes some checks and tools you can use to resolve issues with the GRE-over-IPsec VPN.

Quick checks
Here is a list of common problems and what to verify.

Problem: No communication with remote network.
What to check: Use the execute ping command to ping the Cisco device public interface.
Use the FortiGate VPN Monitor page to see whether the IPsec tunnel is up or can be brought up.

Problem: IPsec tunnel does not come up.
What to check: Check the logs to determine whether the failure is in Phase 1 or Phase 2.
Check that the encryption and authentication settings match those on the Cisco device.
Check the encapsulation setting: tunnel-mode or transport-mode. Both devices must use the same mode.

Problem: Tunnel connects, but there is no communication.
What to check: Check the security policies. See Troubleshooting GRE over IPsec on page 223.
Check routing. See Troubleshooting GRE over IPsec on page 223.
Setting up logging

Configuring FortiGate logging for IPsec

1. Go to Log & Report > Log Settings.
2. Select Event Logging.
3. Select VPN activity event.
4. Select Apply.

Viewing FortiGate logs

1. Go to Log & Report > VPN Events.
2. Select the log storage type.
3. Select Refresh to view any logged events.

GRE tunnel keepalives
In the event that each GRE tunnel endpoint has keepalive enabled, firewall policies allowing GRE are required in
both directions. The policy should be configured as follows (where the IP addresses and interface names are for
example purposes only):
config firewall policy
edit <id>
set srcintf "gre"
set dstintf "port1"
set srcaddr "1.1.1.1"
set dstaddr "2.2.2.2"
set action accept
set schedule "always"
set service "GRE"
next
end

Cisco compatible keep-alive support for GRE
The FortiGate can send a GRE keepalive response to a Cisco device to detect a GRE tunnel. If it fails, it will
remove any routes over the GRE interface.

Configuring keepalive query - CLI:
config system gre-tunnel
edit <id>
set keepalive-interval <value: 0-32767>
set keepalive-failtimes <value: 1-255>
next

end

GRE tunnel with multicast traffic
If you want multicast traffic to traverse the GRE tunnel, you need to configure a multicast policy as well as enable
multicast forwarding.

- To configure a multicast policy, use the config firewall multicast-policy command.
- To enable multicast forwarding, use the following commands:
config system settings
set multicast-forward enable
end

Using diagnostic commands
There are some diagnostic commands that can provide useful information. When using diagnostic commands, it
is best practice that you connect to the CLI using a terminal program, such as PuTTY, that allows you to save
output to a file. This will allow you to review the data later on at your own speed without worry about missed data
as the diag output scrolls by.

Using the packet sniffer - CLI:

1. Enter the following CLI command:
diag sniff packet any icmp 4

2. Ping an address on the network behind the FortiGate unit from the network behind the Cisco router.

The output will show packets coming in from the GRE interface going out of the interface that connects to the
protected network (LAN) and vice versa. For example:
114.124303 gre1 in 10.0.1.2 -> 10.11.101.10: icmp: echo request
114.124367 port2 out 10.0.1.2 -> 10.11.101.10: icmp: echo request
114.124466 port2 in 10.11.101.10 -> 10.0.1.2: icmp: echo reply
114.124476 gre1 out 10.11.101.10 -> 10.0.1.2: icmp: echo reply

3. Enter CTRL-C to stop the sniffer.

Viewing debug output for IKE - CLI:

1. Enter the following CLI commands
diagnose debug application ike -1
diagnose debug enable
2. Attempt to use the VPN or set up the VPN tunnel and note the debug output.
3. Enter CTRL-C to stop the debug output.
4. Enter the following command to reset debug settings to default:
diagnose debug reset

Copyright 2016 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinets General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinets internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations,and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
