
Creating the data center side of the IPsec VPN

To facilitate zero-touch provisioning of new spokes that establish VPNs to each data center FortiGate, this example uses dial-up VPNs with auto-discovery-sender enabled in the ADVPN configuration.

add-route is also disabled so that multiple dynamic tunnels to the same host can advertise the same network; the networks behind each tunnel are instead discovered dynamically through the BGP configuration.

Wildcard security associations are used for phase 2, because the BGP routes, not the phase 2 selectors, determine whether traffic is sent over the IPsec VPN tunnel. In this example, an IPsec VPN is added to each FortiGate interface that is connected to the Internet.

The Phase 1 configuration includes:
  • A dynamic VPN tunnel name that is 11 characters or less
  • Setting type to dynamic
  • Setting interface to the Internet-connected interface
  • Setting peertype to any
  • Setting add-route to disable
  • Setting auto-discovery-sender to enable

config vpn ipsec phase1-interface
    edit "vpn-brl-1"
        set type dynamic
        set interface "vlan-3510"
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        set dhgrp 5
        set auto-discovery-sender enable
        set psksecret <password>
    next
    edit "vpn-brl-2"
        set type dynamic
        set interface "vlan-3511"
        set peertype any
        set proposal aes256-sha256
        set add-route disable
        set dhgrp 5
        set auto-discovery-sender enable
        set psksecret <password>
    next
end
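The following script is an added example, not part of the Fortinet cookbook: it parses the phase1-interface block of a FortiOS configuration and flags any dial-up tunnel that deviates from the settings listed above (the 11-character name limit, type dynamic, peertype any, add-route disable, auto-discovery-sender enable). The sample configuration embedded in it is constructed for the demonstration.

```python
# Phase 1 settings this page requires, plus the 11-character tunnel name limit.
REQUIRED = {"type": "dynamic", "peertype": "any",
            "add-route": "disable", "auto-discovery-sender": "enable"}
MAX_NAME_LEN = 11
# Constructed sample: second tunnel has a long name and omits type/add-route.
SAMPLE = """config vpn ipsec phase1-interface
    edit "vpn-brl-1"
        set type dynamic
        set peertype any
        set add-route disable
        set auto-discovery-sender enable
    next
    edit "vpn-brl-2-long-name"
        set peertype any
        set auto-discovery-sender enable
    next
end
"""

def parse_phase1(cli: str) -> dict[str, dict[str, str]]:
    # Parse only the phase1-interface block; other blocks are skipped.
    tunnels, current, in_block = {}, None, False
    for line in (raw.strip() for raw in cli.splitlines()):
        if line == "config vpn ipsec phase1-interface":
            in_block = True
        elif not in_block:
            continue
        elif line.startswith("edit "):
            current = line[5:].strip().strip('"')
            tunnels[current] = {}
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            tunnels[current][key] = value.strip().strip('"')
        elif line == "next":
            current = None
        elif line == "end":
            in_block, current = False, None
    return tunnels

def audit_phase1(cli: str) -> dict[str, list[str]]:
    # Missing keys count as deviations (add-route defaults to enable).
    findings = {}
    for name, cfg in parse_phase1(cli).items():
        problems = []
        if len(name) > MAX_NAME_LEN:
            problems.append(f"name is {len(name)} chars, limit is {MAX_NAME_LEN}")
        for key, want in REQUIRED.items():
            if cfg.get(key) != want:
                problems.append(f"{key} is {cfg.get(key)!r}, expected {want!r}")
        if problems:
            findings[name] = problems
    return findings
```

Run `audit_phase1()` over the output of `show vpn ipsec phase1-interface` to check a data center FortiGate before onboarding spokes.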

The Phase 2 configuration includes:
  • Setting phase1name to the name of the phase 1 configuration
  • Disabling pfs and replay

config vpn ipsec phase2-interface
    edit "vpn-brl-1_p2"
        set phase1name "vpn-brl-1"
        set proposal aes256-sha256
        set pfs disable
        set replay disable
    next
    edit "vpn-brl-2_p2"
        set phase1name "vpn-brl-2"
        set proposal aes256-sha256
        set pfs disable
        set replay disable
    next
end
