Fortigate IKEv2 IPsec VPN CLI Templates

IKEv2 (Internet Key Exchange version 2) is the current version of the protocol used to negotiate IPsec security associations. It uses fewer exchanges than IKEv1, builds NAT traversal and dead-peer detection into the protocol, and is more robust against malformed or replayed negotiation traffic. This blog post provides a guide to configuring IKEv2 VPN tunnels on FortiGate firewalls, including templates for various scenarios.

To configure an IKEv2 VPN tunnel on a FortiGate firewall, you need the following information:

Phase 1 Configuration

  • Encryption: The encryption algorithm for the IKE SA (e.g. AES-256, AES-192, AES-128; 3DES is obsolete and should only be accepted for legacy peers)
  • Integrity/PRF: The hash algorithm (e.g. SHA-512, SHA-384, SHA-256; SHA-1 and MD5 are deprecated). IKEv2 negotiates the integrity and PRF transforms separately, but FortiGate derives both from the hash named in the proposal, so one value is enough on the request form
  • DH Group: The Diffie-Hellman group (e.g. 14, 19, 20, 21) for the IKE key exchange; groups 1, 2 and 5 are too weak for new tunnels
  • Lifetime: The lifetime of the IKE SA in seconds (phase 1 on FortiGate has no kilobyte lifetime; that applies only to the child SA)
  • Authentication: IKEv2 supports pre-shared key (PSK), certificate-based (RSA/ECDSA signature) and EAP authentication (e.g. against a RADIUS server). Pre-shared keys are still used the majority of the time for site-to-site tunnels; a PSK should be long, random, unique per peer and exchanged out of band

Phase 2 Configuration

  • Encryption: The ESP encryption algorithm for the data traffic
  • Integrity: The ESP authentication (hash) algorithm for the data traffic; there is no PRF in phase 2, and an AEAD cipher such as AES-GCM needs no separate hash
  • PFS (Perfect Forward Secrecy): Enable or disable a fresh DH exchange on each child SA rekey, and if enabled which DH group to use
  • Lifetime: The lifetime of the Child SA in seconds and/or kilobytes
  • Encryption Domain: The local and remote subnets (traffic selectors) carried by the tunnel; both sides must agree on them

Route-Based vs Policy-Based Site to Site VPN

As with IKEv1, FortiGate supports both route-based and policy-based VPN configurations for IKEv2:

Route-Based VPN

  • Uses static routes or dynamic routing protocols to direct traffic into the VPN tunnel interface
  • More scalable for complex topologies like hub-and-spoke
  • Supports exchanging dynamic routing info over the tunnel
  • Requires firewall policies for the virtual tunnel interface

Policy-Based VPN

  • Uses security policies to define which traffic goes through the VPN tunnel
  • Easier to configure for simple point-to-point VPNs
  • Does not directly exchange routing information
  • Limited by the number of policies supported

Other key differences:

  • Route-based VPNs can apply NAT on the virtual tunnel interface; policy-based VPNs cannot use NAT
  • A route-based tunnel needs an ordinary accept policy in each direction for the tunnel interface; a policy-based tunnel uses a single IPsec-action policy that encrypts matching traffic and decrypts the return traffic

In summary, policy-based uses a separate IPsec security policy per tunnel, while route-based uses routing to direct traffic into the VPN tunnel interface. Route-based is generally recommended for greater flexibility and scalability.

IKEv2 Customer Request VPN Template

Hello <customer>,

Please provide the necessary information below to complete this site-to-site VPN tunnel request:

Phase 1:
------------------
Encryption: (e.g., AES-256-GCM, AES-256, AES-128; 3DES only for legacy peers)
Hash: (e.g., SHA-512, SHA-384, SHA-256; SHA-1 and MD5 are deprecated)
Authentication: (Pre-Shared Key or certificate/RSA signature)
Lifetime: (e.g., 28800 seconds; the phase 1 lifetime is in seconds only)
DH Group: (e.g., 14, 19, 20, 21; groups 1, 2 and 5 are too weak for new tunnels)

Phase 2:
------------------
Encryption: (e.g., AES-256-GCM, AES-256, AES-128; 3DES only for legacy peers)
Hash: (e.g., SHA-512, SHA-384, SHA-256; not needed with AES-GCM)
PFS: (Enable [DH Group 14, 19, 20 or 21] or Disable)
Lifetime: (e.g., 3600 seconds, 4608000 kilobytes)

Encryption Domain:
------------------
Local Networks: (e.g., 10.1.1.0/24, 192.168.1.0/24)
Remote Networks: (e.g., 10.2.2.0/24, 172.16.0.0/16)

Please provide the requested information, and I'll be happy to assist you further with configuring the IKEv2 VPN tunnel on your FortiGate firewall. Please send the pre-shared key through a separate channel, not in this ticket.

Route Based IKEv2 VPN Template using Static Routing

Possible encryption & hash combinations: aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512. AEAD ciphers are also available and are written differently: in phase 1 they take a PRF instead of a hash (aes128gcm-prfsha256, aes256gcm-prfsha256, chacha20poly1305-prfsha256); in phase 2 they stand alone (aes128gcm, aes256gcm, chacha20poly1305). Avoid the sha1 variants on new tunnels.

Configuration Template:

## Address Objects [insert all needed local & remote networks or hosts]
config firewall address
    edit "local_net1"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "local_net2"
        set subnet 10.1.2.0 255.255.255.0
    next
    edit "remote_net1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote_net2"
        set subnet 192.168.2.0 255.255.255.0
    next
end

## Address Groups [nest objects under one address group each side]
config firewall addrgrp
    edit "local_networks"
        set member "local_net1" "local_net2"
    next
    edit "remote_networks"
        set member "remote_net1" "remote_net2"
    next
end

## IKEv2 Phase 1 Configuration [replace the <...> placeholders]
config vpn ipsec phase1-interface
    edit "ike_route_vpn"
        set interface "wan1"
        set ike-version 2
        set keylife 28800
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw <remote_gateway_ip>
        set authmethod psk
        set psk <pre_shared_key>
    next
end

## IKEv2 Phase 2 Configuration [dhgrp is only used when pfs is enabled]
config vpn ipsec phase2-interface
    edit "ike_route_vpn"
        set phase1name "ike_route_vpn"
        set proposal aes256-sha256
        set pfs <[enable/disable]>
        set dhgrp 14
        set keylifeseconds 3600
        set src-addr-type name
        set src-name "local_networks"
        set dst-addr-type name
        set dst-name "remote_networks"
    next
end

## Tunnel Interface [point-to-point addressing on the virtual interface created by phase 1]
config system interface
    edit "ike_route_vpn"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.255
        set interface "wan1"
    next
end

## Static Routes [one per remote network; use unused IDs, or edit 0 to auto-assign]
config router static
    edit 1
        set dst 192.168.1.0 255.255.255.0
        set device "ike_route_vpn"
    next
    edit 2
        set dst 192.168.2.0 255.255.255.0
        set device "ike_route_vpn"
    next
end

## Firewall Policies [a route-based tunnel needs an accept policy in each direction]
config firewall policy
    edit 1
        set name "VPN-Traffic-Out"
        set srcintf "lan"
        set dstintf "ike_route_vpn"
        set srcaddr "local_networks"
        set dstaddr "remote_networks"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "VPN-Traffic-In"
        set srcintf "ike_route_vpn"
        set dstintf "lan"
        set srcaddr "remote_networks"
        set dstaddr "local_networks"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

The key differences from the IKEv1 template are:

  • set ike-version 2 in the phase 1 config
  • set authmethod psk and set psk for pre-shared-key authentication, exactly as with IKEv1
  • Proposals use the same cipher-hash tokens as IKEv1 (e.g. aes256-sha256); the -prfsha form is only used with AEAD ciphers in phase 1
  • DPD and NAT traversal still apply to IKEv2, since the protocol builds both in; the template leaves the FortiOS defaults (dpd on-demand, nattraversal enable) in place rather than disabling them
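The request template and the phase 1/phase 2 parameter lists above are only useful if someone checks what the customer sends back before it is typed into the firewall. The following Python script is an added example, not part of the original post or of any Fortinet tooling: it validates a returned request against a crypto-policy floor (no DES/3DES, no MD5/SHA-1, DH group 14 or stronger, lifetimes inside the range FortiOS accepts) and renders the phase1-interface/phase2-interface CLI used in the route-based template. The policy floor is the editor's illustrative choice; the interface name "wan1", the tunnel name, the address-group names and the PSK placeholder are assumptions carried over from the template.

```python
"""Validate an IKEv2 site-to-site request against a crypto-policy floor and
render the FortiGate phase 1 / phase 2 CLI for it.

Added example, not configuration from the original post. The policy floor
(no DES/3DES, no MD5/SHA-1, DH group 14 or stronger) is an illustrative
choice by the editor; "wan1", the tunnel name, the address-group names and
the PSK placeholder are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Proposal tokens as FortiOS spells them in `set proposal`. A non-AEAD cipher
# is paired with an integrity hash (aes256-sha256). An AEAD cipher provides its
# own integrity, so in phase 1 it is paired with a PRF (aes256gcm-prfsha256)
# and in phase 2 it stands alone (aes256gcm).
NON_AEAD = {"des", "3des", "aes128", "aes192", "aes256"}
AEAD = {"aes128gcm", "aes256gcm", "chacha20poly1305"}
HASHES = {"md5", "sha1", "sha256", "sha384", "sha512"}

# Policy floor (editor's choice): AES or an AEAD cipher, SHA-2, and
# MODP-2048+ or ECP Diffie-Hellman groups.
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5", "sha1"}
ALLOWED_DH = {14, 15, 16, 19, 20, 21}
LIFETIME_RANGE = (120, 172800)   # seconds accepted by keylife / keylifeseconds


class WeakCryptoError(ValueError):
    """A requested parameter is below the policy floor."""


def proposal(cipher: str, hash_alg: str, phase: int) -> str:
    """Map a requested cipher/hash pair to the FortiOS proposal token."""
    cipher, hash_alg = cipher.lower(), hash_alg.lower()
    if cipher in WEAK_CIPHERS or hash_alg in WEAK_HASHES:
        raise WeakCryptoError(f"{cipher}/{hash_alg} is below the policy floor")
    if cipher not in NON_AEAD | AEAD or hash_alg not in HASHES:
        raise ValueError(f"unknown cipher/hash {cipher}/{hash_alg}")
    if cipher in AEAD:
        return f"{cipher}-prf{hash_alg}" if phase == 1 else cipher
    return f"{cipher}-{hash_alg}"


def dh_group(group: int) -> int:
    """Accept only groups at or above the policy floor."""
    if group not in ALLOWED_DH:
        raise WeakCryptoError(f"DH group {group} is below the policy floor")
    return group


def lifetime(seconds: int) -> int:
    """Reject lifetimes FortiOS would refuse."""
    lo, hi = LIFETIME_RANGE
    if not lo <= seconds <= hi:
        raise ValueError(f"lifetime {seconds}s is outside {lo}-{hi}")
    return seconds


@dataclass
class VpnRequest:
    """The fields a customer returns on the request template."""
    name: str
    remote_gw: str
    p1_cipher: str = "aes256"
    p1_hash: str = "sha256"
    p1_dhgrp: int = 14
    p1_lifetime: int = 28800
    p2_cipher: str = "aes256"
    p2_hash: str = "sha256"
    p2_pfs_group: Optional[int] = 14   # None disables PFS
    p2_lifetime: int = 3600


def render(req: VpnRequest, wan: str = "wan1") -> str:
    """Validate every field, then emit the phase1-interface/phase2-interface CLI."""
    p1 = proposal(req.p1_cipher, req.p1_hash, 1)
    p2 = proposal(req.p2_cipher, req.p2_hash, 2)
    lines = [
        "config vpn ipsec phase1-interface",
        f'    edit "{req.name}"',
        f'        set interface "{wan}"',
        "        set ike-version 2",
        f"        set remote-gw {req.remote_gw}",
        f"        set proposal {p1}",
        f"        set dhgrp {dh_group(req.p1_dhgrp)}",
        f"        set keylife {lifetime(req.p1_lifetime)}",
        "        set authmethod psk",
        "        set psk <pre_shared_key>",   # the real PSK never goes in a ticket
        "    next",
        "end",
        "config vpn ipsec phase2-interface",
        f'    edit "{req.name}"',
        f'        set phase1name "{req.name}"',
        f"        set proposal {p2}",
    ]
    if req.p2_pfs_group is None:
        lines.append("        set pfs disable")
    else:
        lines += ["        set pfs enable",
                  f"        set dhgrp {dh_group(req.p2_pfs_group)}"]
    lines += [
        f"        set keylifeseconds {lifetime(req.p2_lifetime)}",
        "        set src-addr-type name",
        '        set src-name "local_networks"',
        "        set dst-addr-type name",
        '        set dst-name "remote_networks"',
        "    next",
        "end",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample requests: one that meets the floor, one legacy set.
    print(render(VpnRequest(name="ike_route_vpn", remote_gw="203.0.113.10")))
    legacy = VpnRequest(name="legacy", remote_gw="203.0.113.11",
                        p1_cipher="3des", p1_hash="md5", p1_dhgrp=2)
    try:
        render(legacy)
    except WeakCryptoError as err:
        print("rejected:", err)
```

The script raises rather than silently downgrading, so a request asking for 3DES/MD5 or DH group 2 never produces a config to paste. Both sides must still agree: if the peer only offers a weaker set, the decision to lower the floor should be an explicit exception, not an edit to the allowed lists.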

Route Based IKEv2 VPN Template using BGP Routing

Possible encryption & hash combinations: the same as for the static-routing template above.

Configuration Template: the address objects, address groups, phase 1, phase 2 and tunnel interface sections are identical to the static-routing template above (tunnel name "ike_route_vpn", tunnel interface 10.10.10.1 with remote-ip 10.10.10.2). Only the routing section changes: instead of static routes, the FortiGate peers with the remote gateway over the tunnel interface addresses and advertises its local networks.

## BGP Routing [AS numbers are examples; the neighbor is keyed by its tunnel-interface IP, not by the interface name]
config router bgp
    set as 65412
    set router-id 10.10.10.1
    config neighbor
        edit "10.10.10.2"
            set remote-as 65413
        next
    end
    config network
        edit 1
            set prefix 10.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 10.1.2.0 255.255.255.0
        next
    end
end

## Firewall Policies [same as the static-routing template: an accept policy in each direction]
config firewall policy
    edit 1
        set name "VPN-Traffic-Out"
        set srcintf "lan"
        set dstintf "ike_route_vpn"
        set srcaddr "local_networks"
        set dstaddr "remote_networks"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "VPN-Traffic-In"
        set srcintf "ike_route_vpn"
        set dstintf "lan"
        set srcaddr "remote_networks"
        set dstaddr "local_networks"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Routes learned from the peer over BGP replace the static routes; the remote side must advertise its own networks (192.168.1.0/24 and 192.168.2.0/24 in this example) for the return path to exist.

Policy Based IKEv2 VPN Template

Possible encryption & hash combinations: the same as for the route-based templates above.

Configuration Template: a policy-based tunnel uses the phase1 and phase2 tables (not the -interface variants), and a single firewall policy with action ipsec carries both directions. Manual-key (manualkey-interface) configuration does not belong here: it installs static keys with no IKE exchange at all and is not an IKEv2 tunnel.

## Enable policy-based IPsec in the VDOM [it is hidden by default]
config system settings
    set policy-based-ipsec enable
end

## Address Objects and Address Groups [identical to the route-based templates above: "local_networks" and "remote_networks"]

## IKEv2 Phase 1 Configuration [replace the <...> placeholders]
config vpn ipsec phase1
    edit "ike_policy_vpn"
        set interface "wan1"
        set ike-version 2
        set dpd on-demand
        set nattraversal enable
        set keylife 28800
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw <remote_gateway_ip>
        set authmethod psk
        set psk <pre_shared_key>
    next
end

## IKEv2 Phase 2 Configuration
config vpn ipsec phase2
    edit "ike_policy_vpn"
        set phase1name "ike_policy_vpn"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-addr-type name
        set src-name "local_networks"
        set dst-addr-type name
        set dst-name "remote_networks"
    next
end

## Firewall Policy [one IPsec policy, lan to wan1, with inbound and outbound enabled]
config firewall policy
    edit 1
        set name "VPN-Traffic"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "local_networks"
        set dstaddr "remote_networks"
        set action ipsec
        set vpntunnel "ike_policy_vpn"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ALL"
    next
end
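Whichever template is applied, the tunnel should be verified from the FortiGate CLI before the ticket is closed. The commands below are added here as an editor's checklist, not part of the original templates; they use the route-based tunnel name "ike_route_vpn" (substitute "ike_policy_vpn" for the policy-based template).

```text
# IKE SA state per gateway: check the IKE SA established count and the
# negotiated proposal match what the customer requested
diagnose vpn ike gateway list name ike_route_vpn

# Child SAs, their selectors, SPIs and byte counters
diagnose vpn tunnel list name ike_route_vpn

# Bring the tunnel up from this side (argument is the phase 2 name)
diagnose vpn tunnel up ike_route_vpn

# Live IKE negotiation output when phase 1 or phase 2 will not complete
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
#   ... reproduce the problem, then turn debugging off ...
diagnose debug disable
diagnose debug reset

# BGP template only: the neighbor should show as Established with prefixes received
get router info bgp summary
get router info routing-table bgp
```

A tunnel that shows the IKE SA established but no child SA almost always means a phase 2 mismatch (proposal, PFS group or traffic selectors), which the ike debug output names explicitly.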
