Fortigate IKEv1 IPsec VPN CLI Templates

IKEv1 (Internet Key Exchange version 1) is a widely used protocol for establishing IPsec VPN tunnels. This blog post provides a comprehensive guide to configuring IKEv1 VPN tunnels on FortiGate firewalls, including templates for various scenarios and security requirements.

Before configuring an IKEv1 VPN tunnel on a FortiGate firewall, collect the following information as a pre-check list:

Phase 1 Configuration

  • Encryption: The encryption algorithm (e.g., AES-256, 3DES) to secure the IKE negotiation.
  • Authentication: The hash algorithm (e.g., SHA-256, SHA-1) for authentication.
  • Diffie-Hellman Group: The DH group (e.g., 14, 5) for key exchange.
  • Lifetime: The lifetime of the Phase 1 key in seconds or kilobytes.
  • Pre-Shared Key (PSK): The shared secret key for authentication.

Phase 2 Configuration

  • Encryption: The encryption algorithm (e.g., AES-256, 3DES) for data encryption.
  • Authentication: The hash algorithm (e.g., SHA-256, SHA-1) for data authentication.
  • PFS (Perfect Forward Secrecy): Enable or disable PFS for additional key exchange.
  • Lifetime: The lifetime of the Phase 2 key in seconds or kilobytes.
  • Encryption Domain: The local and remote subnets to be included in the VPN tunnel.

Route-Based vs Policy-Based VPN

A FortiGate firewall supports both policy-based and route-based IPsec VPN tunnels for IKEv1. Here are the key differences between the two approaches:

Policy-Based VPN

  • Uses security policies to define which traffic goes through the VPN tunnel
  • Requires creating a separate policy for each VPN tunnel, specifying the source, destination, service, and action as "IPSEC"
  • Needs a manual-key interface to be defined for each policy-based VPN
  • Does not use routing to determine which traffic goes into the tunnel
  • Cannot directly exchange dynamic routing information over the tunnel
  • Limited by the number of policies the FortiGate supports

Route-Based VPN

  • Uses static routes or dynamic routing protocols (BGP, OSPF, etc.) to determine which traffic goes into the VPN tunnel
  • Creates a virtual IPsec interface for the VPN tunnel
  • Traffic matching the routes gets encrypted/decrypted by the virtual interface
  • Requires firewall policies allowing traffic to/from the virtual interface
  • Supports exchanging dynamic routing information through the tunnel interface
  • Limited by the number of virtual interfaces/routes the FortiGate supports

Other key differences:

  • Route-based VPNs support NAT on the virtual tunnel interface; policy-based VPNs cannot use NAT
  • Policy-based is easier to configure for simple point-to-point VPNs
  • Route-based is more scalable for complex topologies like hub-and-spoke

In summary, policy-based VPN uses separate security policies per tunnel, while route-based VPN uses routing to direct traffic into the VPN tunnel interface. Route-based is generally recommended for its greater flexibility and scalability.

VPN Customer Template Request

Hello <customer>,

Please provide the necessary information below to complete this site-to-site VPN tunnel request:

Phase 1:
------------------
Encryption: (e.g., AES-256, AES-192, AES-128, 3DES)
Hash: (e.g., SHA-256, SHA-1, MD5)
Authentication: (Pre-Shared Key or RSA Signature)
Lifetime: (e.g., 28800 seconds, 86400 kilobytes)
DH Group: (e.g., 14, 5, 2, 1)

Phase 2:
------------------
Encryption: (e.g., AES-256, AES-192, AES-128, 3DES)
Hash: (e.g., SHA-256, SHA-1, MD5)
PFS: (Enable [DH Group 14, 5, 2] or Disable)
Lifetime: (e.g., 3600 seconds, 4608000 kilobytes)

Encryption Domain:
------------------
Local Networks: (e.g., 10.1.1.0/24, 192.168.1.0/24)
Remote Networks: (e.g., 10.2.2.0/24, 172.16.0.0/16)

Please provide the requested information, and I'll be happy to assist you further with configuring the IKEv1 VPN tunnel on your FortiGate firewall.

Route Based IKEv1 VPN Template using Static Routing

Possible encryption and hash combinations for "set proposal" (written as cipher-hash):
  des-md5, des-sha1, des-sha256, des-sha384, des-sha512,
  3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512,
  aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512,
  aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512,
  aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512,
  aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512,
  aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512,
  aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512,
  seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512

Configuration Template (values in angle brackets are placeholders to fill in from the pre-check list):

config firewall address
    edit "local_net1"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "local_net2"
        set subnet 10.1.2.0 255.255.255.0
    next
    edit "remote_net1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote_net2"
        set subnet 192.168.2.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "local_networks"
        set member "local_net1" "local_net2"
    next
    edit "remote_networks"
        set member "remote_net1" "remote_net2"
    next
end

config vpn ipsec phase1-interface
    edit "ike_route_vpn"
        set interface "wan1"
        # dpd disable leaves a dead peer undetected; on-idle or on-demand detects it
        set dpd disable
        set nattraversal enable
        set keylife 28800
        set proposal aes256-sha256
        set remote-gw <remote-gateway-ip>
        set psksecret <pre-shared-key>
    next
end

config vpn ipsec phase2-interface
    edit "ike_route_vpn"
        set phase1name "ike_route_vpn"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs <enable|disable>
        set keylifeseconds 3600
        set src-addr-type name
        set src-name "local_networks"
        set dst-addr-type name
        set dst-name "remote_networks"
    next
end

config system interface
    edit "ike_route_vpn"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.255
        set interface "wan1"
    next
end

config router static
    # one static route per remote network, pointing at the tunnel interface
    edit 1
        set device "ike_route_vpn"
        set dst <remote-network/mask>
    next
end

config firewall policy
    # this policy allows traffic initiated from the LAN; traffic initiated from the
    # remote side needs a matching policy with srcintf "ike_route_vpn" and dstintf "lan"
    edit 1
        set name "VPN-Traffic"
        set srcintf "lan"
        set dstintf "ike_route_vpn"
        set srcaddr "local_networks"
        set dstaddr "remote_networks"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
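As an added example (not part of the original page or of FortiOS), the following Python helper checks the answers to the customer request above against the FortiGate cipher-hash proposal list, flags weak algorithms and DH groups, and renders the phase1-interface/phase2-interface stanzas of the route-based template. The spec dictionary keys, the remote gateway 203.0.113.10 and the PSK value are constructed placeholders.

```python
import re

# Valid FortiGate IKEv1 proposal names are "<cipher>-<hash>" (the list on this page).
CIPHERS = {"des", "3des", "aes128", "aes192", "aes256",
           "aria128", "aria192", "aria256", "seed"}
HASHES = {"md5", "sha1", "sha256", "sha384", "sha512"}
WEAK_CIPHERS = {"des", "3des"}   # 64-bit block ciphers
WEAK_HASHES = {"md5", "sha1"}
WEAK_DH = {1, 2, 5}              # MODP groups below 2048 bits

def check_proposal(proposal):
    """Return findings for one proposal; raise ValueError if FortiOS would reject it."""
    m = re.fullmatch(r"([a-z0-9]+)-([a-z0-9]+)", proposal)
    if not m or m[1] not in CIPHERS or m[2] not in HASHES:
        raise ValueError(f"not a valid FortiGate proposal: {proposal!r}")
    findings = []
    if m[1] in WEAK_CIPHERS:
        findings.append(f"weak cipher {m[1]}")
    if m[2] in WEAK_HASHES:
        findings.append(f"weak hash {m[2]}")
    return findings

def review(spec):
    """Check the customer's answers; spec["pfs"] is the PFS DH group, or None (PFS off)."""
    findings = [f"phase1: {f}" for f in check_proposal(spec["p1_proposal"])]
    findings += [f"phase2: {f}" for f in check_proposal(spec["p2_proposal"])]
    if spec["dhgrp"] in WEAK_DH:
        findings.append(f"phase1: weak DH group {spec['dhgrp']}")
    if spec["pfs"] is None:
        findings.append("phase2: PFS disabled, phase 2 keys derive from the phase 1 secret")
    elif spec["pfs"] in WEAK_DH:
        findings.append(f"phase2: weak PFS group {spec['pfs']}")
    return findings

def render(name, wan, spec):
    """Emit the phase1-interface / phase2-interface stanzas of the route-based template."""
    p1 = [f'interface "{wan}"', "nattraversal enable", f"keylife {spec['p1_lifetime']}",
          f"proposal {spec['p1_proposal']}", f"dhgrp {spec['dhgrp']}",
          f"remote-gw {spec['remote_gw']}", f"psksecret {spec['psk']}"]
    p2 = [f'phase1name "{name}"', f"proposal {spec['p2_proposal']}",
          f"dhgrp {spec['pfs'] or spec['dhgrp']}",
          f"pfs {'disable' if spec['pfs'] is None else 'enable'}",
          f"keylifeseconds {spec['p2_lifetime']}"]
    out = []
    for table, settings in (("phase1-interface", p1), ("phase2-interface", p2)):
        out += [f"config vpn ipsec {table}", f'    edit "{name}"']
        out += [f"        set {s}" for s in settings] + ["    next", "end"]
    return "\n".join(out)
```

Run review() on the customer's answers first; only an empty findings list should proceed to render() and be pasted into the FortiGate CLI.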

Route Based IKEv1 VPN Template using BGP Dynamic Routing

Possible encryption and hash combinations: the same cipher-hash list as in the static routing template above.

Configuration Template (values in angle brackets are placeholders to fill in from the pre-check list):

config firewall address
    edit "local_net1"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "local_net2"
        set subnet 10.1.2.0 255.255.255.0
    next
    edit "remote_net1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote_net2"
        set subnet 192.168.2.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "local_networks"
        set member "local_net1" "local_net2"
    next
    edit "remote_networks"
        set member "remote_net1" "remote_net2"
    next
end

config vpn ipsec phase1-interface
    edit "ike_route_vpn"
        set interface "wan1"
        set dpd disable
        set nattraversal enable
        set keylife 28800
        set proposal aes256-sha256
        set remote-gw <remote-gateway-ip>
        set psksecret <pre-shared-key>
    next
end

config vpn ipsec phase2-interface
    edit "ike_route_vpn"
        set phase1name "ike_route_vpn"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs <enable|disable>
        set keylifeseconds 3600
        set src-addr-type name
        set src-name "local_networks"
        set dst-addr-type name
        set dst-name "remote_networks"
    next
end

config system interface
    edit "ike_route_vpn"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.255
        set interface "wan1"
    next
end

config router bgp
    set as <local-as>
    set router-id <router-id>
    config neighbor
        # the peer is the remote-ip of the tunnel interface (10.10.10.2 above)
        edit <peer-tunnel-ip>
            set remote-as <peer-as>
            set interface "ike_route_vpn"
        next
    end
    # local prefixes still have to be advertised to the peer (config network or redistribute)
end

config firewall policy
    # this policy allows traffic initiated from the LAN; traffic initiated from the
    # remote side needs a matching policy with srcintf "ike_route_vpn" and dstintf "lan"
    edit 1
        set name "VPN-Traffic"
        set srcintf "lan"
        set dstintf "ike_route_vpn"
        set srcaddr "local_networks"
        set dstaddr "remote_networks"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Policy Based IKEv1 VPN Template

Possible encryption and hash combinations: the same cipher-hash list as in the static routing template above.

Configuration Template (values in angle brackets are placeholders to fill in from the pre-check list). A policy-based tunnel uses the phase1 and phase2 tables, not the phase1-interface and phase2-interface tables of the route-based templates, because no tunnel interface is created:

config firewall address
    edit "local_net1"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "local_net2"
        set subnet 10.1.2.0 255.255.255.0
    next
    edit "remote_net1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote_net2"
        set subnet 192.168.2.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "local_networks"
        set member "local_net1" "local_net2"
    next
    edit "remote_networks"
        set member "remote_net1" "remote_net2"
    next
end

config vpn ipsec phase1
    edit "ike_policy_vpn"
        set interface "wan1"
        set dpd disable
        set nattraversal enable
        set keylife 28800
        set proposal aes256-sha256
        set remote-gw <remote-gateway-ip>
        set psksecret <pre-shared-key>
    next
end

config vpn ipsec phase2
    edit "ike_policy_vpn"
        set phase1name "ike_policy_vpn"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs <enable|disable>
        set keylifeseconds 3600
        set src-addr-type name
        set src-name "local_networks"
        set dst-addr-type name
        set dst-name "remote_networks"
    next
end

# Manual-key variant: only applies when the SAs are keyed by hand instead of being
# negotiated by IKE phase 1 and phase 2 above
config vpn ipsec manualkey-interface
    edit "ike_policy_vpn"
        set interface "wan1"
        set remote-gw <remote-gateway-ip>
        set auth-alg <authentication-algorithm>
        set encr-alg <encryption-algorithm>
        set auto-negotiate enable
    next
end

config firewall policy
    edit 1
        set name "Inbound-VPN-Traffic"
        set srcintf "wan1"
        set dstintf "lan"
        set srcaddr "remote_networks"
        set dstaddr "local_networks"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set vpntunnel "ike_policy_vpn"
        set inbound enable
    next
    edit 2
        set name "Outbound-VPN-Traffic"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "local_networks"
        set dstaddr "remote_networks"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set vpntunnel "ike_policy_vpn"
        set outbound enable
    next
end
