FortiGate CLI: Configure IPsec VPN Tunnel Like A Pro
Alright, guys, let's dive into setting up an IPsec VPN tunnel using the FortiGate CLI. If you're managing network security, understanding how to configure IPsec tunnels is super important. This guide will walk you through each step, making it easy to secure your communications. We're going to cover everything from the initial configuration to verifying that your tunnel is up and running smoothly. Let's get started!
Understanding IPsec VPNs
Before we jump into the CLI commands, let's quickly recap what an IPsec VPN is and why you might need it. IPsec (Internet Protocol Security) is a suite of protocols used to secure IP communications by authenticating and encrypting each IP packet of a communication session. Think of it as creating a super-secure tunnel between two points over the internet.
Why use IPsec VPNs?
- Secure Communication: Encrypts data, preventing eavesdropping.
- Data Integrity: Ensures data isn't tampered with during transit.
- Authentication: Verifies the identity of the sender.
- Site-to-Site Connectivity: Connects entire networks securely, like branch offices to a headquarters.
- Remote Access: Allows remote users to securely access network resources.
Using IPsec VPNs is crucial when you need to protect sensitive data as it travels across the internet. Whether it's connecting different parts of your business or allowing employees to work remotely, IPsec provides a robust and reliable security layer.
Prerequisites
Before you start configuring your IPsec tunnel on FortiGate, there are a few things you need to have in place. Make sure you've got these covered:
- Two FortiGate Firewalls: You'll need two FortiGate devices, one at each end of the tunnel.
- Static Public IP Addresses: Each FortiGate needs a static public IP address. This is how they'll find each other over the internet.
- Network Configuration: Know your internal network ranges behind each FortiGate. You'll need this info to set up the routing correctly.
- FortiGate Access: Make sure you can access the CLI of both FortiGate firewalls. You can use SSH or the web console.
- Security Policies: Ensure you have the necessary security policies in place to allow traffic to pass through the tunnel once it's up. This includes policies for both inbound and outbound traffic.
Having these prerequisites sorted out will make the configuration process much smoother and help avoid common pitfalls. Trust me, double-checking these now can save you a headache later!
Step-by-Step Configuration
Okay, let's get our hands dirty with the actual configuration. We'll break this down into manageable steps. We will configure FortiGate A and FortiGate B. Remember to replace the example IP addresses and network ranges with your own.
Phase 1 Configuration
Phase 1 sets up the initial secure connection between the two FortiGate firewalls. This is where we define the encryption and authentication methods.
FortiGate A Configuration
First, log into the CLI of FortiGate A. Enter the following commands:
config vpn ipsec phase1-interface
    # Name of the tunnel; this also becomes the tunnel interface name used in routes and policies
    edit "to-FortiGate-B"
        # Interface connected to the internet
        set interface "wan1"
        set mode aggressive
        # IKE encryption and hashing algorithms, strongest first
        set proposal aes256-sha256 aes128-sha1
        # Public IP of FortiGate B
        set remote-gw 203.0.113.2
        # Pre-shared key; replace with your own strong key, identical on both devices
        set psksecret your_strong_psk
        set type static
    next
end
What do these commands do?
- config vpn ipsec phase1-interface: Enters the configuration mode for Phase 1 IPsec settings.
- edit "to-FortiGate-B": Creates or edits a Phase 1 configuration named "to-FortiGate-B". This name is also the name of the tunnel interface referenced later in the static routes and firewall policies.
- set interface "wan1": Specifies that the VPN tunnel will use the WAN1 interface to connect to the internet.
- set mode aggressive: Sets the IKE mode to aggressive, which is faster but less secure than main mode. Use main mode in production environments.
- set proposal aes256-sha256 aes128-sha1: Defines the encryption and hashing algorithms offered for the IKE negotiation. In this case, it offers AES256 with SHA256 and AES128 with SHA1.
- set remote-gw 203.0.113.2: Specifies the public IP address of the remote FortiGate device (FortiGate B).
- set psksecret your_strong_psk: Sets the pre-shared key (PSK) used to authenticate the two devices. Replace your_strong_psk with a strong, unique key; it must be identical on both FortiGate devices.
- set type static: Sets the tunnel type to static, which is used when the remote gateway has a fixed public IP address (the one given in remote-gw), as required in the prerequisites.
FortiGate B Configuration
Now, log into the CLI of FortiGate B and enter these commands:
config vpn ipsec phase1-interface
    # Name of the tunnel; this also becomes the tunnel interface name used in routes and policies
    edit "to-FortiGate-A"
        # Interface connected to the internet
        set interface "wan1"
        set mode aggressive
        # IKE encryption and hashing algorithms, strongest first
        set proposal aes256-sha256 aes128-sha1
        # Public IP of FortiGate A
        set remote-gw 192.0.2.1
        # Pre-shared key; must be identical to the one set on FortiGate A
        set psksecret your_strong_psk
        set type static
    next
end
Key Differences:
- remote-gw: This should be the public IP address of FortiGate A.
- Ensure the psksecret is identical on both FortiGate devices.
Phase 2 Configuration
Phase 2 defines the security parameters for the actual data transfer through the tunnel.
FortiGate A Configuration
config vpn ipsec phase2-interface
    # Name of the Phase 2 settings
    edit "to-FortiGate-B-phase2"
        # Reference to the Phase 1 configuration
        set phase1name "to-FortiGate-B"
        # Encryption and hashing algorithms offered for the data transfer
        set proposal aes256-sha256 aes128-sha1 des-md5 des-sha1
        # Perfect Forward Secrecy
        set pfs disable
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end
What's happening here?
- config vpn ipsec phase2-interface: Enters the configuration mode for Phase 2 IPsec settings.
- edit "to-FortiGate-B-phase2": Creates or edits a Phase 2 configuration named "to-FortiGate-B-phase2".
- set phase1name "to-FortiGate-B": Links this Phase 2 configuration to the Phase 1 configuration we created earlier.
- set proposal aes256-sha256 aes128-sha1 des-md5 des-sha1: Defines the encryption and hashing algorithms offered for data transfer, giving the peer several options to negotiate. DES and MD5 are considered weak today, so in production remove the des-md5 and des-sha1 entries unless a legacy peer requires them.
- set pfs disable: Disables Perfect Forward Secrecy (PFS). Enabling PFS is more secure but requires more processing power.
- set auto-negotiate enable: Enables automatic negotiation of the Phase 2 parameters, so the tunnel is brought up without waiting for interesting traffic.
- set keylifeseconds 3600: Sets the key lifetime for the IPsec security associations, in seconds.
FortiGate B Configuration
config vpn ipsec phase2-interface
    # Name of the Phase 2 settings
    edit "to-FortiGate-A-phase2"
        # Reference to the Phase 1 configuration
        set phase1name "to-FortiGate-A"
        # Encryption and hashing algorithms offered for the data transfer
        set proposal aes256-sha256 aes128-sha1 des-md5 des-sha1
        # Perfect Forward Secrecy
        set pfs disable
        set auto-negotiate enable
        set keylifeseconds 3600
    next
end
Important:
- The phase1name should match the name you gave the Phase 1 configuration on each FortiGate.
Create firewall address objects
Create address objects to identify the internal networks behind each FortiGate. This will be used in the firewall policies to route traffic through the VPN tunnel.
FortiGate A Configuration
config firewall address
edit LAN_A
set subnet 192.168.1.0 255.255.255.0
next
end
FortiGate B Configuration
config firewall address
edit LAN_B
set subnet 192.168.2.0 255.255.255.0
next
end
Configure Static Routes
You need to create static routes to direct traffic destined for the remote network through the IPsec tunnel interface.
FortiGate A Configuration
config router static
edit 1
set dst 192.168.2.0 255.255.255.0
set device "to-FortiGate-B"
next
end
FortiGate B Configuration
config router static
edit 1
set dst 192.168.1.0 255.255.255.0
set device "to-FortiGate-A"
next
end
Create Firewall Policies
Firewall policies allow traffic to flow through the tunnel. You'll need two policies on each FortiGate: one for outbound traffic and one for inbound traffic.
FortiGate A Configuration
config firewall policy
    edit 1
        set name "LAN_A_to_LAN_B"
        # Interface connected to the internal network
        set srcintf "port1"
        # IPsec tunnel interface
        set dstintf "to-FortiGate-B"
        # Source and destination address objects
        set srcaddr "LAN_A"
        set dstaddr "LAN_B"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "LAN_B_to_LAN_A"
        # IPsec tunnel interface
        set srcintf "to-FortiGate-B"
        # Interface connected to the internal network
        set dstintf "port1"
        # Source and destination address objects
        set srcaddr "LAN_B"
        set dstaddr "LAN_A"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
FortiGate B Configuration
config firewall policy
    edit 1
        set name "LAN_B_to_LAN_A"
        # Interface connected to the internal network
        set srcintf "port1"
        # IPsec tunnel interface
        set dstintf "to-FortiGate-A"
        set srcaddr "LAN_B"
        set dstaddr "LAN_A"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "LAN_A_to_LAN_B"
        # IPsec tunnel interface
        set srcintf "to-FortiGate-A"
        # Interface connected to the internal network
        set dstintf "port1"
        set srcaddr "LAN_A"
        set dstaddr "LAN_B"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Verifying the Tunnel
Once you've configured both FortiGate devices, it's time to verify that the tunnel is up and running. Here's how you can do it:
Check IPsec Monitor
In the FortiGate web interface, go to Monitor > IPsec Monitor. This will show you the status of your IPsec tunnels. Look for your tunnel and make sure it shows as "Up".
CLI Command
You can also use the CLI to check the tunnel status. Enter the following command:
diag vpn ike gateway list
This command will display the status of all IKE gateways, including your newly configured tunnel. Look for your tunnel name and ensure that the status is UP.
Ping Test
The most straightforward way to test the tunnel is to ping a device on the remote network. For example, from a computer on the 192.168.1.0/24 network, ping a device on the 192.168.2.0/24 network.
ping 192.168.2.10
If you get a response, congratulations! Your IPsec tunnel is working correctly.
Troubleshooting Tips
Sometimes things don't go as planned. Here are some common issues and how to troubleshoot them:
- Tunnel Not Coming Up:
  - Check Phase 1 Settings: Ensure the psksecret, remote-gw, and proposal settings match on both FortiGate devices.
  - Firewall Rules: Verify that your firewall rules allow traffic to initiate the tunnel (IKE traffic on UDP ports 500 and 4500).
- Data Not Passing Through the Tunnel:
  - Phase 2 Settings: Make sure the proposal settings in Phase 2 are compatible on both sides.
  - Static Routes: Double-check your static routes to ensure traffic is being directed through the tunnel interface.
  - Firewall Policies: Ensure you have the correct firewall policies in place to allow traffic to flow between the networks.
- MTU Issues:
  - Adjust MTU: If you're experiencing connectivity issues, try reducing the MTU (Maximum Transmission Unit) size on the tunnel interface. You can do this with the command set mtu <value> under the tunnel interface configuration.
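The Phase 1 and Phase 2 checks above can be done before touching either device. The following Python script is an added example, not part of this guide or of FortiOS: it parses the phase1-interface and phase2-interface blocks of both sides, reports the mismatches that stop a tunnel from coming up (no common proposal, different psksecret), and flags the weaker choices in the example config (negotiable DES/MD5/SHA1 proposals, aggressive mode, PFS disabled). The config text is constructed to mirror the FortiGate A and B examples in this guide.

```python
import re
# Constructed FortiGate CLI excerpt mirroring FortiGate A in this guide (not a real device export).
FGT_A = """config vpn ipsec phase1-interface
edit "to-FortiGate-B"
set mode aggressive
set proposal aes256-sha256 aes128-sha1
set psksecret your_strong_psk
next
end
config vpn ipsec phase2-interface
edit "to-FortiGate-B-phase2"
set proposal aes256-sha256 aes128-sha1 des-md5 des-sha1
set pfs disable
next
end"""
FGT_B = FGT_A.replace("to-FortiGate-B", "to-FortiGate-A")  # mirror image for site B (constructed)
WEAK = {"des", "3des", "md5", "sha1"}  # algorithm tokens to flag if both sides would accept them

def parse_ipsec(config):
    """Collect the 'set' lines of each phase1/phase2-interface block: {phase: {key: [values]}}."""
    out, section = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"config vpn ipsec (phase[12])-interface", line)
        if m:
            section = out.setdefault(m.group(1), {})
        elif line == "end":
            section = None
        elif section is not None and line.startswith("set "):
            _, key, value = line.split(None, 2)
            section[key] = value.strip('"').split()
    return out

def check_tunnel(a, b):
    """Compare two parsed sides; an empty list means they agree and nothing weak is negotiable."""
    findings = []
    for phase in ("phase1", "phase2"):
        common = set(a[phase]["proposal"]) & set(b[phase]["proposal"])
        if not common:
            findings.append(f"{phase}: no common proposal, negotiation will fail")
        weak = sorted(p for p in common if set(p.split("-")) & WEAK)
        if weak:
            findings.append(f"{phase}: weak proposals negotiable: {weak}")
    if a["phase1"].get("psksecret") != b["phase1"].get("psksecret"):
        findings.append("phase1: psksecret differs, authentication will fail")
    if "aggressive" in a["phase1"].get("mode", []) + b["phase1"].get("mode", []):
        findings.append("phase1: aggressive mode in use, prefer main mode")
    if "disable" in a["phase2"].get("pfs", []) + b["phase2"].get("pfs", []):
        findings.append("phase2: PFS disabled")
    return findings
```

Run `check_tunnel(parse_ipsec(FGT_A), parse_ipsec(FGT_B))` on the guide's settings and it returns four findings; a pair using main mode, only aes256-sha256 and PFS enabled returns none.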
Conclusion
And there you have it! You've successfully configured an IPsec VPN tunnel using the FortiGate CLI. This setup provides a secure connection between two networks, ensuring your data is protected. Remember to always use strong pre-shared keys and keep your firmware updated to maintain the best possible security. Happy networking!