FortiGate
ellenluo
Staff
Article Id 192813
Description
"Auto IPsec" is used to notify branch-office FortiGates and push IPsec configuration to them when the organization has no FortiManager.

Auto IPsec has two components: the auto-ipsec gateway and the auto-ipsec client.

The policy-based VPN configuration is added on the auto-ipsec gateway and then pushed to the client FortiGate (on which auto-ipsec is enabled). Once the configuration has been pushed, the VPN tunnel is established automatically.

Solution
In the following configuration example, FWF60C is the auto-ipsec gateway that pushes the configuration to FWF40C, the auto-ipsec client.

Topology (the IPsec VPN runs between the dmz interface of FWF60C and the wan1 interface of FWF40C):

    192.168.2.0/24 ---- 192.168.2.1 internal FWF60C dmz 172.17.97.99 ====== IPsec VPN ====== 172.17.97.132 wan1 FWF40C internal 192.168.1.1 ---- 192.168.1.0/24

Configuration:

FWF60C (auto-ipsec gateway) Configuration


1. Configure the policy-based IPsec phase1 "test_vpn" on FWF60C (the pre-shared key 123456 is a sample value)

     config vpn ipsec phase1
         edit "test_vpn"
             set interface "dmz"
             set autoconfig gateway
             set remote-gw 172.17.97.132
             set psksecret 123456
         next
     end

2. Configure the firewall policy on FWF60C. Make sure srcaddr and dstaddr are a subnet or address object that has a connected route, rather than ALL. The connected routes on each side:

    FWF60C3G12006101 # get router info routing-table connected
    C 192.168.2.0/24 is directly connected, internal

    FWF40C3911000235 # get router info routing-table connected
    C 192.168.1.0/24 is directly connected, internal

FWF40C (auto-ipsec client) Configuration


3. Allow auto-ipsec access on the VPN interface (wan1) of FWF40C

    config system interface
        edit "wan1"
            set ip 172.17.97.132 255.255.255.0
            set allowaccess ping https ssh auto-ipsec
            set type physical
            set snmp-index 1
        next
    end

FWF60C (auto-ipsec gateway) Push

4. Push the configuration from FWF60C to FWF40C with the following CLI command
 
    diagnose vpn auto-ipsec gateway notify test_vpn

FWF40C (auto-ipsec client) Accept


5. Accept the configuration on FWF40C with the following CLI command (the argument is the pre-shared key configured in step 1)

    diagnose vpn auto-ipsec bootstrap accept 123456
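As an added example (not part of the original article), here are steps 1 to 5 in the order they are run, including the firewall policy that step 2 describes but does not show. The interface names, IP addresses, tunnel name and pre-shared key are the article's own sample values; the address object names LAN_192.168.2.0 and Remote_192.168.1.0 and the policy ID 10 are assumptions chosen for this example.

```fortios
# ---- FWF60C (auto-ipsec gateway) ----

# Step 1: policy-based phase1 with autoconfig gateway (as in the article)
config vpn ipsec phase1
    edit "test_vpn"
        set interface "dmz"
        set autoconfig gateway
        set remote-gw 172.17.97.132
        set psksecret 123456
    next
end

# Step 2a: address objects for the connected subnet on each side.
# Object names are assumed; the subnets are the ones reported by
# "get router info routing-table connected" on each unit.
config firewall address
    edit "LAN_192.168.2.0"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "Remote_192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Step 2b: policy-based IPsec policy that selects tunnel "test_vpn".
# srcaddr/dstaddr are the connected subnets, not "all" (policy ID 10 is assumed).
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "LAN_192.168.2.0"
        set dstaddr "Remote_192.168.1.0"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "test_vpn"
    next
end

# ---- FWF40C (auto-ipsec client) ----

# Step 3: allow auto-ipsec on the interface that faces the gateway
config system interface
    edit "wan1"
        set ip 172.17.97.132 255.255.255.0
        set allowaccess ping https ssh auto-ipsec
    next
end

# ---- FWF60C, step 4: push the configuration to the client ----
diagnose vpn auto-ipsec gateway notify test_vpn

# ---- FWF40C, step 5: accept it using the phase1 pre-shared key ----
diagnose vpn auto-ipsec bootstrap accept 123456

# Verify on each side; the last line of the output should read "status connected"
diagnose vpn auto-ipsec gateway status    # on FWF60C
diagnose vpn auto-ipsec client status     # on FWF40C
```

Because the policy's srcaddr and dstaddr are the connected subnets, the pushed configuration on FWF40C ends up with a matching policy between its inside network and wan1, which is what the client status output below reports.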

Debug:

FWF60C (gateway)

FWF60C3G12006101 # diagnose vpn auto-ipsec gateway status

vd: root/0
name: test
serial: 0
version: 1
type: static
local: 0.0.0.0
remote: 172.17.97.132
mode: main
dpd: enable  retry-count 3  interval 5000ms
auth: psk
dhgrp:  5
fragmentation: disable
xauth: none
interface: dmz
phase2s:
  _test_tun_ proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0  dhgrp 5  replay  keep-alive  auto-negotiate
policy: yes
autoconfig-gateway: status connected

FWF40C (client)

FWF40C3911000235 # diagnose vpn auto-ipsec client status

vd: root/0
name: _autogw0_
serial: 0
version: 1
type: static
local: 0.0.0.0
remote: 172.17.97.99
mode: main
dpd: enable  retry-count 3  interval 5000ms
auth: psk
dhgrp:  5
fragmentation: disable
xauth: none
interface: wan1
phase2s:
  __autogw0__tun_ proto 0 src 0.0.0.0/0.0.0.0:0 dst 0.0.0.0/0.0.0.0:0  dhgrp 5  replay  keep-alive  auto-negotiate
policies:
  IPv4 policy 1 src 'inside' dst 'wan1'
autoconfig-client: status connected
