Creating the data center side of the IPsec VPN
To support zero touch provisioning of new spokes, each data center FortiGate in this example terminates a dial-up (dynamic) IPsec VPN with auto-discovery-sender enabled in its ADVPN configuration, so a new spoke can bring up its tunnel without first being configured on the hub.
add-route is also disabled so that multiple dynamic tunnels to the same hub can advertise the same network; the networks behind each spoke are instead learned dynamically through the BGP configuration.
Phase 2 uses wildcard security associations (no source or destination selectors), because BGP routes, not selectors, determine whether traffic is sent over the IPsec VPN tunnel. In this example, an IPsec VPN is added to each FortiGate interface connected to the Internet.
The Phase 1 configuration includes:
- A dynamic VPN tunnel name that is 11 characters or less.
- Setting type to dynamic
- Setting interface to the Internet connected interface
- Setting peertype to any
- Setting add-route to disable
- Setting auto-discovery-sender to enable
config vpn ipsec phase1-interface
    edit "vpn-brl-1"
        set type dynamic
        set interface "vlan-3510"
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        set dhgrp 5
        set auto-discovery-sender enable
        set psksecret <password>
    next
    edit "vpn-brl-2"
        set type dynamic
        set interface "vlan-3511"
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        set dhgrp 5
        set auto-discovery-sender enable
        set psksecret <password>
    next
end
The Phase 2 configuration includes:
- Setting phase1name to the name of the phase 1 configuration
- Disabling pfs and replay
Both are security trade-offs: with pfs disabled, the phase 2 keys are derived from the phase 1 keying material instead of a fresh Diffie-Hellman exchange, and with replay disabled the ESP anti-replay window is not checked on received packets. The pfs setting must also agree on the spokes, or phase 2 negotiation fails.
config vpn ipsec phase2-interface
    edit "vpn-brl-1_p2"
        set phase1name "vpn-brl-1"
        set proposal aes256-sha256
        set pfs disable
        set replay disable
    next
    edit "vpn-brl-2_p2"
        set phase1name "vpn-brl-2"
        set proposal aes256-sha256
        set pfs disable
        set replay disable
    next
end
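The tunnel name length, the required hub-side settings and the phase 1 to phase 2 cross-references above are easy to get wrong when several data center FortiGates are configured by hand. As an added check that is not part of this example's configuration or any Fortinet tool, the following Python script parses a FortiOS configuration excerpt and reports any phase 1 entry that breaks the rules listed above, and any phase 2 entry whose phase1name refers to a tunnel that does not exist. The sample configuration embedded in it is constructed for the check (its second phase 1 entry omits add-route and its second phase 2 entry points at a nonexistent phase 1 name); the parser handles only the flat tables shown on this page.

```python
"""Lint a FortiGate ADVPN hub IPsec configuration against the constraints
described above. Added example, not Fortinet code: parses FortiOS
config/edit/set/next/end blocks, then checks the phase 1 and phase 2 rules."""
import shlex

PHASE1_TABLE = "vpn ipsec phase1-interface"
PHASE2_TABLE = "vpn ipsec phase2-interface"
MAX_DYNAMIC_NAME = 11      # dynamic phase 1 names must be 11 characters or less
REQUIRED_PHASE1 = {        # hub-side phase 1 settings this page requires
    "type": "dynamic",
    "peertype": "any",
    "add-route": "disable",
    "auto-discovery-sender": "enable",
}


def parse_fortios(text):
    """Return {table: {entry: {setting: [values]}}} for flat FortiOS tables.
    A 'config' nested inside an 'edit' becomes a table named 'outer/inner';
    that is enough for the IPsec tables used here."""
    tables = {}
    path = []        # stack of open 'config' table names
    entry = None     # (table key, entry name) of the open 'edit' block
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)   # handles quoted names
        if not tok:
            continue
        kw, args = tok[0], tok[1:]
        if kw == "config":
            path.append(" ".join(args))
            tables.setdefault("/".join(path), {})
        elif kw == "edit":
            entry = ("/".join(path), args[0])
            tables[entry[0]].setdefault(entry[1], {})
        elif kw == "set":
            if entry is None:
                raise ValueError(f"'set' outside an edit block: {raw.strip()}")
            tables[entry[0]][entry[1]][args[0]] = args[1:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            entry = None
            path.pop()
    return tables


def lint_hub_config(text):
    """Return human-readable findings; an empty list means every check passed."""
    cfg = parse_fortios(text)
    phase1 = cfg.get(PHASE1_TABLE, {})
    phase2 = cfg.get(PHASE2_TABLE, {})
    findings = []
    for name, settings in phase1.items():
        if len(name) > MAX_DYNAMIC_NAME:
            findings.append(f"phase1 {name!r}: name exceeds {MAX_DYNAMIC_NAME} characters")
        for key, want in REQUIRED_PHASE1.items():
            got = (settings.get(key) or [None])[0]
            if got != want:
                findings.append(f"phase1 {name!r}: {key} is {got!r}, expected {want!r}")
    for name, settings in phase2.items():
        ref = (settings.get("phase1name") or [None])[0]
        if ref not in phase1:
            findings.append(f"phase2 {name!r}: phase1name {ref!r} matches no phase1-interface entry")
    return findings


# Constructed sample: entry vpn-brl-2 omits add-route, and vpn-brl-2_p2
# points at a phase 1 name that does not exist. Both should be reported.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "vpn-brl-1"
        set type dynamic
        set interface "vlan-3510"
        set peertype any
        set add-route disable
        set auto-discovery-sender enable
    next
    edit "vpn-brl-2"
        set type dynamic
        set interface "vlan-3511"
        set peertype any
        set auto-discovery-sender enable
    next
end
config vpn ipsec phase2-interface
    edit "vpn-brl-1_p2"
        set phase1name "vpn-brl-1"
        set pfs disable
        set replay disable
    next
    edit "vpn-brl-2_p2"
        set phase1name "vpn-isp-b"
        set pfs disable
        set replay disable
    next
end
"""
```

Run `lint_hub_config` over the output of `show vpn ipsec phase1-interface` and `show vpn ipsec phase2-interface` pasted together; it returns one line per problem, so an empty result is the pass condition. The psksecret value is not needed for any check and can be redacted before the text is fed in.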