VPN Wizard in NGFW mode: Profile
status can also be viewed:
6. If you need to add more subnets to the VPN tunnel, just add them to the Address Group created by the VPN Wizard.
With the VPN Wizard, DPD defaults to On Demand; best practice is to change it to On Idle. The defaults are a retry count of 3 and a 20-second retry interval (dpd-retrycount / dpd-retryinterval), so it takes more than a minute to detect that the peer is dead.
A better method is to create a link monitor from the local FortiGate LAN IP to the remote FortiGate LAN IP. In a primary/secondary VPN tunnel failover, the link monitor reduces the loss to a single ping.
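The DPD tuning and the link monitor from the two tips above, as an added CLI example (not from the original post). The tunnel name VPN-TO-SITE_B, the local LAN IP 192.168.10.1 and the remote FortiGate LAN IP 192.168.12.1 are assumed; the 5-second DPD retry interval is a tuning choice, not the default.

```fortios
# Added example, not from the original post.
# Assumed: phase1-interface "VPN-TO-SITE_B" already exists,
# local LAN IP 192.168.10.1, remote FortiGate LAN IP 192.168.12.1.
config vpn ipsec phase1-interface
    edit "VPN-TO-SITE_B"
        # on-idle probes the peer whenever the tunnel is idle;
        # on-demand (the wizard default) only probes when outbound
        # traffic gets no reply.
        set dpd on-idle
        set dpd-retrycount 3
        # Default is 20 s (3 x 20 s = over a minute to declare the peer dead);
        # 5 s is an assumed tuning that detects a dead peer in ~15 s.
        set dpd-retryinterval 5
    next
end

# Link monitor: ping the remote LAN IP, sourced from the local LAN IP,
# through the tunnel interface. With update-static-route enabled the
# static routes on that interface are withdrawn when the probe fails,
# so traffic moves to the secondary tunnel's route.
config system link-monitor
    edit "LM-VPN-SITE_B"
        set srcintf "VPN-TO-SITE_B"
        set server "192.168.12.1"
        set source-ip 192.168.10.1
        set protocol ping
        set failtime 3
        set recoverytime 3
        set update-static-route enable
    next
end
```

The remote end needs a matching policy that allows the probe (ICMP from 192.168.10.1 to its LAN IP), otherwise the monitor never comes up and the route is withdrawn permanently.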
Custom Configuration
1. Create the VPN IPSec Tunnel
This creates a tunnel interface behind the scenes; that tunnel interface is then used in the step 2 static route and the step 3 firewall policies.
In the CLI this generates "vpn ipsec phase1-interface" and "vpn ipsec phase2-interface" entries.
VPN > IPSec Tunnels > Create New IPSec Tunnel > Custom
Name
Peer IP
Outgoing Interface
Pre-Shared Key
IKE Version
P1 Parameters: Encryption, Authentication, DH Group
P1 Lifetime (optional; default 24 hours)
P2 Traffic Selectors (local and remote subnets)
P2 Parameters: Encryption, Authentication, DH Group
P2 Lifetime (optional; default 12 hours)
2. Create static route for remote subnet
Network > Static Routes > Create New
Destination: the remote subnet
Gateway Address: leave blank
Interface: the IPSec tunnel interface created in step 1
3. Create Bi-directional Security Policies
Policy & Objects > Security Policy
One outbound policy from local (LAN) to remote (VPN tunnel interface)
One inbound policy from remote (VPN tunnel interface) to local (LAN)
In Profile mode, disable NAT in the firewall policy. In Policy mode, no NAT exemption is required because the traffic is routed through the tunnel interface created in step 1.
======================
Auto-negotiate (Phase 2 option)
On: bring up the tunnel even when there is no traffic.
Off: bring up the tunnel only when there is traffic to send.
Keepalive (Phase 2 option)
Keeps the tunnel up by renegotiating the SA before it expires, even when there is no traffic.
===========CLI Verification==============
Check Phase 1 (output of diagnose vpn ike gateway list). Note the proposal des-md5 in this lab output: DES and MD5 are obsolete and must not be used on a production tunnel; use AES (AES-GCM, or AES-CBC with SHA-256) and DH group 14 or higher.
vd: root/0
name: VPN-TO-FG70
version: 1
interface: port1 3
addr: 192.168.2.107:500 -> 192.168.2.106:500
created: 540s ago
IKE SA created: 1/2 established: 1/1 time: 0/0/0 ms
IPsec SA created: 1/1 established: 1/1 time: 0/0/0 ms
id/spi: 20 8a33d73e237e78e3/9e090af8c921878f
direction: responder
status: established 512-512s ago = 0ms
proposal: des-md5
key: 0aef6f183276cd59
lifetime/rekey: 86400/85617
DPD sent/recv: 00000000/00000001
FG72 #
Check Phase 2 (tunnel summary line first, then the per-tunnel detail):
'VPN-TO-FG70' 192.168.2.106:0 selectors(total,up): 1/1 rx(pkt,err): 10/0 tx(pkt,err): 5/1
FG72 # get vpn ipsec tunnel name VPN-TO-FG70
gateway
name: 'VPN-TO-FG70'
local-gateway: 192.168.2.107:0 (static)
remote-gateway: 192.168.2.106:0 (static)
dpd-link: on
mode: ike-v1
interface: 'port1' (3)
rx packets: 10 bytes: 840 errors: 0
tx packets: 5 bytes: 420 errors: 1
dpd: on-demand/negotiated idle: 20000ms retry: 3 count: 0
selectors
name: 'VPN-TO-FG70'
auto-negotiate: disable
mode: tunnel
src: 0:192.168.112.0/255.255.255.0:0
dst: 0:192.168.111.0/255.255.255.0:0
SA
lifetime/rekey: 43200/41981
mtu: 1446
tx-esp-seq: 6
replay: enabled
qat: 0
inbound
spi: 336bdd84
enc: des 738fa17ae8458caa
auth: md5 ba9a5886e72a8959cf1f6284c9ac79dd
outbound
spi: e1bbed72
enc: des de3c1cf402e91fb8
auth: md5 f4fc7793eaed6deaab4957a8c0036025
NPU acceleration: none
FG72 #
==========Troubleshooting=========
VPN > IPsec Tunnels
Log&Report > Events > VPN Events
FortiFW # diagnose vpn ike gateway list [name xxxx]
name: VPN-TO-SITE_B
version: 1
interface: port1 3
addr: 192.168.2.101:500 -> 192.168.2.102:500
created: 40509s ago
IKE SA: created 2/2 established 2/2 time 10/1510/3010 ms
IPsec SA: created 1/1 established 1/1 time 0/0/0 ms
id/spi: 11 ab814ba46c7d8434/d13aa1ff8d98b93f
direction: responder
status: established 40506-40506s ago = 10ms
proposal: des-md5
key: 25e7081e8b8d0822
lifetime/rekey: 86400/45623
DPD sent/recv: 00000000/00000000
id/spi: 10 206062a66999fdf4/ce054c9db41be277
direction: initiator
status: established 40509-40506s ago = 3010ms
proposal: des-md5
key: f22f72ab123e1885
lifetime/rekey: 86400/45593
DPD sent/recv: 00000001/00000000
FortiFW # diagnose vpn tunnel list | grep name
FortiFW # diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=VPN-TO-SITE_B ver=1 serial=1 192.168.2.101:0->192.168.2.102:0 dst_mtu=1500
bound_if=3 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=12 ilast=15 olast=40015 ad=/0
stat: rxp=4 txp=4 rxb=544 txb=336
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=P2-SiteB proto=0 sa=1 ref=2 serial=1
src: 0:192.168.10.0/255.255.255.0:0
dst: 0:192.168.12.0/255.255.255.0:0
SA: ref=3 options=30202 type=00 soft=0 mtu=1446 expire=2885/0B replaywin=2048
seqno=5 esn=0 replaywin_lastseq=00000005 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42928/43200
dec: spi=5051fbb6 esp=des key=8 389bcdbaae830615
ah=md5 key=16 3c29c39c6b68c8bf3eb70262951cdace
enc: spi=752ca803 esp=des key=8 26815606c4cb218a
ah=md5 key=16 88a4c9d57fffd8c8cda32584497ba693
dec:pkts/bytes=4/336, enc:pkts/bytes=4/544
run_tally=1
FortiFW #
This can be done on the tunnel interface as well.
diagnose debug enable
Debug messages will be on for 30 minutes (the default debug duration).
If the PSK does not match, the following error shows up in the IKE debug output:
ike 0:to_HQ2:15037: parse error
ike 0:to_HQ2:15037: probable pre-shared secret mismatch
A traffic selector mismatch shows up as one of:
specified selectors mismatch
no matching phase2 found
failed to get responder proposal
diagnose debug disable
diagnose debug reset (resets the debug level)
8. Debug flow
Use this when the tunnel is up but traffic is not passing.
Example:
diag debug flow filter addr x.x.x.x
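The IKE debug session and the debug flow described above as one complete added sequence (not from the original post). Assumed: tunnel VPN-TO-SITE_B with peer 192.168.2.102, local LAN IP 192.168.10.1 and a remote host 192.168.12.10; the log-filter command name differs by FortiOS version as noted in the comments.

```fortios
# Added example, not from the original post.
# Assumed: tunnel "VPN-TO-SITE_B", peer 192.168.2.102,
# local LAN IP 192.168.10.1, remote host 192.168.12.10.

# --- Tunnel will not come up: IKE debug, filtered to this peer only ---
diagnose vpn ike log-filter dst-addr4 192.168.2.102
# FortiOS 7.4 and later renamed the filter:
#   diagnose vpn ike log filter rem-addr4 192.168.2.102
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug duration 30
diagnose debug enable
# Tear down the existing gateway so the full negotiation is captured
diagnose vpn ike gateway clear name VPN-TO-SITE_B
# Watch for "probable pre-shared secret mismatch", "no matching phase2 found"
# or "failed to get responder proposal", then stop the debug:
diagnose debug disable
diagnose debug reset
diagnose vpn ike log-filter clear

# --- Tunnel is up but traffic does not pass: trace one host's packets ---
diagnose debug flow filter addr 192.168.12.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# Generate traffic from the LAN IP so it matches the LAN-to-tunnel policy
execute ping-options source 192.168.10.1
execute ping 192.168.12.10
# The trace should show the packet routed to interface VPN-TO-SITE_B and
# accepted by the policy; a "Denied by forward policy check" or a route
# to the WAN interface points at step 2 or step 3 of the configuration.
diagnose debug flow trace stop
diagnose debug disable
diagnose debug reset

# --- Confirm decrypted traffic on the tunnel interface itself ---
diagnose sniffer packet VPN-TO-SITE_B 'icmp' 4 10
```

Run the sniffer on both FortiGates at the same time: if the echo request is seen on the remote tunnel interface but no reply comes back, the problem is the remote side's inbound policy or return route, not the IPsec negotiation.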