Fortigate IKEv1 IPsec VPN CLI Templates
IKEv1 (Internet Key Exchange version 1) is a widely used protocol for establishing IPsec VPN tunnels. This blog post provides a comprehensive guide to configuring IKEv1 VPN tunnels on FortiGate firewalls, including templates for various scenarios and security requirements.
To configure an IKEv1 VPN tunnel on a FortiGate firewall, collect the following information first; it is the pre-check list for every template below:
Phase 1 Configuration
- Encryption: The encryption algorithm (e.g., AES-256, 3DES) to secure the IKE negotiation.
- Authentication: The hash algorithm (e.g., SHA-256, SHA-1) for authentication.
- Diffie-Hellman Group: The DH group (e.g., 14, 5) for key exchange.
- Lifetime: The lifetime of the Phase 1 key in seconds or kilobytes.
- Pre-Shared Key (PSK): The shared secret key for authentication.
Phase 2 Configuration
- Encryption: The encryption algorithm (e.g., AES-256, 3DES) for data encryption.
- Authentication: The hash algorithm (e.g., SHA-256, SHA-1) for data authentication.
- PFS (Perfect Forward Secrecy): Enable or disable PFS for additional key exchange.
- Lifetime: The lifetime of the Phase 2 key in seconds or kilobytes.
- Encryption Domain: The local and remote subnets to be included in the VPN tunnel.
Route-Based vs. Policy-Based VPN
A FortiGate firewall supports both policy-based and route-based IPsec VPN tunnels for IKEv1. The key differences between the two approaches:
Policy-Based VPN
- Uses security policies to define which traffic goes through the VPN tunnel
- Requires creating a separate policy for each VPN tunnel, specifying the source, destination, service, and action as "IPSEC"
- Needs a manual-key interface to be defined for each policy-based VPN
- Does not use routing to determine which traffic goes into the tunnel
- Cannot directly exchange dynamic routing information over the tunnel
- Limited by the number of policies the FortiGate supports
Route-Based VPN
- Uses static routes or dynamic routing protocols (BGP, OSPF etc.) to determine which traffic goes into the VPN tunnel
- Creates a virtual IPsec interface for the VPN tunnel
- Traffic matching the routes gets encrypted/decrypted by the virtual interface
- Requires firewall policies allowing traffic to/from the virtual interface
- Supports exchanging dynamic routing information through the tunnel interface
- Limited by the number of virtual interfaces/routes the FortiGate supports
Other key differences:
- Route-based VPNs support NAT for the virtual tunnel interface, policy-based VPNs cannot use NAT
- Policy-based is easier to configure for simple point-to-point VPNs
- Route-based is more scalable for complex topologies like hub-and-spoke
In summary, a policy-based VPN uses a separate security policy per tunnel, while a route-based VPN uses routing to direct traffic into the VPN tunnel interface. Route-based is generally recommended for its greater flexibility and scalability.
VPN Customer Template Request
Hello <customer>,
Please provide the necessary information below to complete this site-to-site VPN tunnel request:
Phase 1:
------------------
Encryption: (e.g., AES-256, AES-192, AES-128, 3DES)
Hash: (e.g., SHA-256, SHA-1, MD5)
Authentication: (Pre-Shared Key or RSA Signature)
Lifetime: (e.g., 28800 seconds, 86400 kilobytes)
DH Group: (e.g., 14, 5, 2, 1)
Phase 2:
------------------
Encryption: (e.g., AES-256, AES-192, AES-128, 3DES)
Hash: (e.g., SHA-256, SHA-1, MD5)
PFS: (Enable [DH Group 14, 5, 2] or Disable)
Lifetime: (e.g., 3600 seconds, 4608000 kilobytes)
Encryption Domain:
------------------
Local Networks: (e.g., 10.1.1.0/24, 192.168.1.0/24)
Remote Networks: (e.g., 10.2.2.0/24, 172.16.0.0/16)
Please provide the requested information, and I'll be happy to assist you further with configuring the IKEv1 VPN tunnel on your FortiGate firewall.
Route Based IKEv1 VPN Template using Static Routing
Possible encryption and hash combinations (valid values for set proposal): des-md5, des-sha1, des-sha256, des-sha384, des-sha512, 3des-md5, 3des-sha1, 3des-sha256, 3des-sha384, 3des-sha512, aes128-md5, aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512, aes192-md5, aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512, aes256-md5, aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512, aria128-md5, aria128-sha1, aria128-sha256, aria128-sha384, aria128-sha512, aria192-md5, aria192-sha1, aria192-sha256, aria192-sha384, aria192-sha512, aria256-md5, aria256-sha1, aria256-sha256, aria256-sha384, aria256-sha512, seed-md5, seed-sha1, seed-sha256, seed-sha384, seed-sha512
FortiOS still accepts DES, 3DES, MD5 and SHA-1 for interoperability with legacy peers; new tunnels should use AES with SHA-256 or stronger, as the templates below do (aes256-sha256). Likewise, DH groups 1, 2 and 5 are below 2048 bits; use group 14 or higher for both Phase 1 and PFS.
Configuration Template:
config firewall address
    edit "local_net1"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "local_net2"
        set subnet 10.1.2.0 255.255.255.0
    next
    edit "remote_net1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote_net2"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "local_networks"
        set member "local_net1" "local_net2"
    next
    edit "remote_networks"
        set member "remote_net1" "remote_net2"
    next
end
config vpn ipsec phase1-interface
    edit "ike_route_vpn"
        set interface "wan1"
        set ike-version 1
        set dpd disable
        set nattraversal enable
        set dhgrp 14
        set keylife 28800
        set proposal aes256-sha256
        set remote-gw <REMOTE_GATEWAY_IP>
        set psksecret <PRE_SHARED_KEY>
    next
end
config vpn ipsec phase2-interface
    edit "ike_route_vpn"
        set phase1name "ike_route_vpn"
        set proposal aes256-sha256
        # pfs takes enable or disable; dhgrp is only used when pfs is enabled
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-addr-type name
        set src-name "local_networks"
        set dst-addr-type name
        set dst-name "remote_networks"
    next
end
config system interface
    edit "ike_route_vpn"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.255
        set interface "wan1"
    next
end
config router static
    # one static route per remote subnet in remote_networks
    edit 1
        set dst 192.168.1.0 255.255.255.0
        set device "ike_route_vpn"
    next
    edit 2
        set dst 192.168.2.0 255.255.255.0
        set device "ike_route_vpn"
    next
end
config firewall policy
    # policies are unidirectional: one for traffic into the tunnel, one for traffic from it
    edit 1
        set name "VPN-Traffic-Outbound"
        set srcintf "lan"
        set dstintf "ike_route_vpn"
        set srcaddr "local_networks"
        set dstaddr "remote_networks"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "VPN-Traffic-Inbound"
        set srcintf "ike_route_vpn"
        set dstintf "lan"
        set srcaddr "remote_networks"
        set dstaddr "local_networks"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
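The customer request form above and the phase 1/phase 2 stanzas of this template map onto each other field by field. The following Python is an added example, not code from the original post: it converts the form's spellings into FortiOS proposal syntax, rejects combinations FortiOS accepts but a reviewer should not (the DES/3DES/MD5/SHA-1 proposals and DH groups below 14), and renders the two stanzas. The request dict field names (p1_enc, p1_hash, dh, pfs, remote_gw and so on) are an assumed layout.

```python
# Added example (not from the original post): validate the answers from the
# "VPN Customer Template Request" and render the phase1/phase2 stanzas.
import itertools

# Every cipher-hash pair FortiOS accepts for 'set proposal' (the list quoted above).
CIPHERS = ["des", "3des", "aes128", "aes192", "aes256", "aria128", "aria192", "aria256", "seed"]
HASHES = ["md5", "sha1", "sha256", "sha384", "sha512"]
VALID_PROPOSALS = {f"{c}-{h}" for c, h in itertools.product(CIPHERS, HASHES)}
WEAK = {"des", "3des", "md5", "sha1"}  # accepted by FortiOS for interoperability only
WEAK_DH = {1, 2, 5}                    # the form offers 1/2/5/14; only 14 is 2048-bit

def check_proposal(encryption, hash_alg):
    """Map form spellings (AES-256, SHA-256) to FortiOS syntax (aes256-sha256) and
    return (proposal, problems); an empty problem list means the pair passes review."""
    enc, hsh = encryption.lower().replace("-", ""), hash_alg.lower().replace("-", "")
    proposal, problems = f"{enc}-{hsh}", []
    if proposal not in VALID_PROPOSALS:
        problems.append(f"{proposal}: not a FortiOS proposal value")
    problems += [f"{a}: weak, use AES with SHA-256 or stronger" for a in (enc, hsh) if a in WEAK]
    return proposal, problems

def render_phase1_phase2(name, req):
    """Fill the phase1-interface/phase2-interface blocks of the template above from
    the request answers (assumed dict layout); raise ValueError if review fails."""
    p1, problems = check_proposal(req["p1_enc"], req["p1_hash"])
    p2, more = check_proposal(req["p2_enc"], req["p2_hash"])
    problems += more
    if req["dh"] in WEAK_DH:
        problems.append(f"DH group {req['dh']}: use group 14 or higher")
    if problems:
        raise ValueError("; ".join(problems))
    return "\n".join([
        "config vpn ipsec phase1-interface",
        f'    edit "{name}"',
        '        set interface "wan1"',
        f"        set dhgrp {req['dh']}",
        f"        set keylife {req['p1_lifetime']}",
        f"        set proposal {p1}",
        f"        set remote-gw {req['remote_gw']}",
        "        set psksecret <PRE_SHARED_KEY>",  # keep the PSK out of the request record
        "    next", "end",
        "config vpn ipsec phase2-interface",
        f'    edit "{name}"',
        f'        set phase1name "{name}"',
        f"        set proposal {p2}",
        f"        set pfs {'enable' if req['pfs'] else 'disable'}",
        f"        set dhgrp {req['dh']}",
        f"        set keylifeseconds {req['p2_lifetime']}",
        "    next", "end",
    ])
```

The rendered text is pasted where the phase1-interface and phase2-interface blocks of the template sit; the PSK placeholder is left for the operator to fill on the device.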
Route Based IKEv1 VPN Template using BGP Dynamic Routing
Possible encryption and hash combinations: the same proposal values as listed under the static-routing template above.
Configuration Template:
config firewall address
    edit "local_net1"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "local_net2"
        set subnet 10.1.2.0 255.255.255.0
    next
    edit "remote_net1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote_net2"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "local_networks"
        set member "local_net1" "local_net2"
    next
    edit "remote_networks"
        set member "remote_net1" "remote_net2"
    next
end
config vpn ipsec phase1-interface
    edit "ike_route_vpn"
        set interface "wan1"
        set ike-version 1
        set dpd disable
        set nattraversal enable
        set dhgrp 14
        set keylife 28800
        set proposal aes256-sha256
        set remote-gw <REMOTE_GATEWAY_IP>
        set psksecret <PRE_SHARED_KEY>
    next
end
config vpn ipsec phase2-interface
    edit "ike_route_vpn"
        set phase1name "ike_route_vpn"
        set proposal aes256-sha256
        # pfs takes enable or disable; dhgrp is only used when pfs is enabled
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-addr-type name
        set src-name "local_networks"
        set dst-addr-type name
        set dst-name "remote_networks"
    next
end
config system interface
    edit "ike_route_vpn"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.255
        set remote-ip 10.10.10.2 255.255.255.255
        set interface "wan1"
    next
end
config router bgp
    set as <LOCAL_AS_NUMBER>
    set router-id <ROUTER_ID>
    config neighbor
        # the peer is the tunnel remote-ip set on the interface above
        edit "10.10.10.2"
            set remote-as <REMOTE_AS_NUMBER>
            set interface "ike_route_vpn"
        next
    end
    config network
        # advertise the local subnets to the peer; without this nothing is announced
        edit 1
            set prefix 10.1.1.0 255.255.255.0
        next
        edit 2
            set prefix 10.1.2.0 255.255.255.0
        next
    end
end
config firewall policy
    # policies are unidirectional: one for traffic into the tunnel, one for traffic from it
    edit 1
        set name "VPN-Traffic-Outbound"
        set srcintf "lan"
        set dstintf "ike_route_vpn"
        set srcaddr "local_networks"
        set dstaddr "remote_networks"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "VPN-Traffic-Inbound"
        set srcintf "ike_route_vpn"
        set dstintf "lan"
        set srcaddr "remote_networks"
        set dstaddr "local_networks"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
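Every block in these templates opens with config or edit and must be closed by its matching end or next; a fused "nextend" or a missing "end" in a pasted script silently pushes everything after it into the wrong block. The following Python is an added example, not code from the original post or from Fortinet: a pre-paste check that walks a FortiOS CLI script and reports unbalanced blocks and unknown keywords. The set of accepted per-line keywords is an assumption covering the commands used on this page.

```python
# Added example (not from the original post): a pre-paste nesting check for
# FortiOS CLI scripts such as the templates above.
KNOWN = {"set", "unset", "append", "clear", "select", "purge", "delete", "rename", "move"}

def check_fortios_nesting(script):
    """Return a list of problems found (an empty list means the script is balanced)."""
    stack, problems = [], []
    for n, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                           # blank or comment line
        word = line.split()[0]
        if word == "config":
            stack.append(("config", n))
        elif word == "edit":
            if not stack or stack[-1][0] != "config":
                problems.append(f"line {n}: 'edit' outside a config block")
            stack.append(("edit", n))
        elif word == "next":
            if stack and stack[-1][0] == "edit":
                stack.pop()
            else:
                problems.append(f"line {n}: 'next' with no open edit")
        elif word == "end":
            if stack and stack[-1][0] == "config":
                stack.pop()
            else:
                problems.append(f"line {n}: 'end' with no open config block")
        elif word not in KNOWN:
            problems.append(f"line {n}: unknown keyword {word!r}")
    for kind, n in stack:                      # anything still open was never closed
        problems.append(f"line {n}: '{kind}' opened here is never closed")
    return problems
```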
Policy Based IKEv1 VPN Template
Possible encryption and hash combinations: the same proposal values as listed under the static-routing template above.
Configuration Template:
config firewall address
    edit "local_net1"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "local_net2"
        set subnet 10.1.2.0 255.255.255.0
    next
    edit "remote_net1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote_net2"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "local_networks"
        set member "local_net1" "local_net2"
    next
    edit "remote_networks"
        set member "remote_net1" "remote_net2"
    next
end
# A policy-based IKEv1 tunnel uses the phase1 and phase2 objects (no -interface suffix)
# and no tunnel interface. Manual-key tunnels use fixed SPIs and keys instead of IKE and
# are a separate mode, so they are not part of this template.
config vpn ipsec phase1
    edit "ike_policy_vpn"
        set interface "wan1"
        set ike-version 1
        set dpd disable
        set nattraversal enable
        set dhgrp 14
        set keylife 28800
        set proposal aes256-sha256
        set remote-gw <REMOTE_GATEWAY_IP>
        set psksecret <PRE_SHARED_KEY>
    next
end
config vpn ipsec phase2
    edit "ike_policy_vpn"
        set phase1name "ike_policy_vpn"
        set proposal aes256-sha256
        # pfs takes enable or disable; dhgrp is only used when pfs is enabled
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-addr-type name
        set src-name "local_networks"
        set dst-addr-type name
        set dst-name "remote_networks"
    next
end
config firewall policy
    # one IPsec policy from the internal interface to the interface the tunnel
    # terminates on; inbound and outbound enable cover both traffic directions
    edit 1
        set name "VPN-Traffic"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "local_networks"
        set dstaddr "remote_networks"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set vpntunnel "ike_policy_vpn"
        set inbound enable
        set outbound enable
    next
end