Fortigate IKEv2 IPsec VPN CLI Templates

Created By: Chase Woodard
IKEv2 (Internet Key Exchange version 2) is the latest protocol for establishing IPsec VPN tunnels, offering improved performance, reliability and security over IKEv1. This blog post provides a comprehensive guide to configuring IKEv2 VPN tunnels on FortiGate firewalls, including templates for various scenarios.

To configure an IKEv2 VPN tunnel on a FortiGate firewall, you need the following information:

Phase 1 Configuration

  • Encryption: The encryption algorithm (e.g. AES-256, AES-192, AES-128, 3DES)
  • Integrity: The hash algorithm used for integrity protection and as the IKEv2 PRF (e.g. SHA-384, SHA-256, SHA-1, MD5)
  • DH Group: The Diffie-Hellman group (e.g. 14, 19, 20, 21) for key exchange
  • Lifetime: The lifetime of the IKE SA in seconds or kilobytes
  • Pre-Shared Key (PSK): The shared secret key for authentication
  • Authentication Methods: IKEv2 supports several authentication methods, including Pre-Shared Key (PSK), EAP (Extensible Authentication Protocol) with a RADIUS server, and certificate-based authentication. In practice, Pre-Shared Key is still used the majority of the time.

Phase 2 Configuration

  • Encryption: The encryption algorithm for data encryption
  • Integrity: The hash algorithm for data authentication (integrity) of the Child SA
  • PFS (Perfect Forward Secrecy): Enable or disable PFS for additional key exchange
  • Lifetime: The lifetime of the Child SA in seconds or kilobytes
  • Encryption Domain: The local and remote subnets included in the VPN tunnel
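The parameter list above is what a request form collects, but it is also exactly what should be validated before a tunnel is built: the request templates in this post still offer 3DES, MD5, SHA-1 and DH groups 1/2/5, and a template that silently accepts them produces a weak tunnel. The following is an added example, not code from the original post, that checks a set of phase 1 / phase 2 parameters and renders the route-based FortiOS CLI for them. The AES/SHA proposal names are the FortiOS combinations listed later on this page; the 3DES/MD5 legacy names and the weak/strong classification are this script's own assumptions, and the PSK is deliberately left as a placeholder so the secret never lives in a script.

```python
"""Validate and render IKEv2 phase 1 / phase 2 parameters for a FortiGate tunnel.

Added example; this is not code from the original post. The proposal names
(aes128/192/256 with sha1/256/384/512) are the FortiOS combinations the post
lists; the legacy 3DES/MD5 names and the weak/strong classification below are
this script's own assumptions, following common IPsec hardening guidance.
"""
from dataclasses import dataclass

# Cipher/hash proposal names listed on the page as accepted by FortiOS.
VALID_PROPOSALS = {
    f"{enc}-{h}"
    for enc in ("aes128", "aes192", "aes256")
    for h in ("sha1", "sha256", "sha384", "sha512")
}
# Legacy names FortiOS still accepts (assumption); flagged rather than rejected.
LEGACY_PROPOSALS = {f"3des-{h}" for h in ("md5", "sha1", "sha256")} | {
    f"{enc}-md5" for enc in ("aes128", "aes192", "aes256")
}
WEAK_PARTS = {"3des", "md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}


@dataclass
class TunnelParams:
    name: str
    interface: str
    remote_gw: str
    phase1_proposal: str
    phase2_proposal: str
    dh_group: int
    pfs: bool
    ike_lifetime: int = 28800      # IKE SA lifetime, seconds
    child_lifetime: int = 3600     # Child SA lifetime, seconds


def audit(p: TunnelParams) -> list[str]:
    """Return human-readable findings; an empty list means the parameters are clean."""
    findings = []
    for phase, prop in (("phase1", p.phase1_proposal), ("phase2", p.phase2_proposal)):
        if prop not in VALID_PROPOSALS | LEGACY_PROPOSALS:
            findings.append(f"{phase}: '{prop}' is not a FortiOS proposal name")
            continue
        weak = [part for part in prop.split("-") if part in WEAK_PARTS]
        if weak:
            findings.append(f"{phase}: proposal {prop} uses legacy {'/'.join(weak)}")
    if p.dh_group in WEAK_DH_GROUPS:
        findings.append(f"DH group {p.dh_group} is too small for new deployments")
    if not p.pfs:
        findings.append("PFS disabled: child SA keys are derived from the IKE SA only")
    return findings


def render(p: TunnelParams) -> str:
    """Emit the route-based phase1-interface/phase2-interface CLI for these parameters.

    The PSK is never embedded; the placeholder is filled in on the device."""
    pfs = "enable" if p.pfs else "disable"
    lines = [
        "config vpn ipsec phase1-interface",
        f'edit "{p.name}"',
        f'set interface "{p.interface}"',
        "set ike-version 2",
        f"set keylife {p.ike_lifetime}",
        f"set proposal {p.phase1_proposal}",
        f"set dhgrp {p.dh_group}",
        f"set remote-gw {p.remote_gw}",
        "set authmethod psk",
        "set psksecret <PRE_SHARED_KEY>",
        "next",
        "end",
        "config vpn ipsec phase2-interface",
        f'edit "{p.name}"',
        f'set phase1name "{p.name}"',
        f"set proposal {p.phase2_proposal}",
        f"set dhgrp {p.dh_group}",
        f"set pfs {pfs}",
        f"set keylifeseconds {p.child_lifetime}",
        "next",
        "end",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample request; 203.0.113.10 is a documentation address.
    req = TunnelParams("ike_route_vpn", "wan1", "203.0.113.10",
                       "aes256-sha256", "aes256-sha256", dh_group=14, pfs=True)
    for f in audit(req):
        print("WARNING:", f)
    print(render(req))
```

Run it with the customer's answers filled into `TunnelParams`; anything `audit()` returns is worth pushing back on before the tunnel is built, and a proposal name that is not in either set (for example a typo) is rejected outright rather than rendered into a config that the FortiGate will refuse.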

Route-Based vs Policy-Based Site to Site VPN

Similar to IKEv1, FortiGate supports both route-based and policy-based VPN configurations for IKEv2:

Route-Based VPN

  • Uses static routes or dynamic routing protocols to direct traffic into the VPN tunnel interface
  • More scalable for complex topologies like hub-and-spoke
  • Supports exchanging dynamic routing info over the tunnel
  • Requires firewall policies for the virtual tunnel interface

Policy-Based VPN

  • Uses security policies to define which traffic goes through the VPN tunnel
  • Easier to configure for simple point-to-point VPNs
  • Does not directly exchange routing information
  • Limited by the number of policies supported

Other key differences:

  • Route-based VPNs support NAT on the virtual tunnel interface; policy-based VPNs cannot use NAT
  • Policy-based is easier to configure for simple point-to-point VPNs
  • Route-based is more scalable for complex topologies like hub-and-spoke

Route-based is generally recommended for greater flexibility and scalability.

So in summary, policy-based uses separate security policies per tunnel, while route-based uses routing to direct traffic into the VPN tunnel interface.

IKEv2 Customer Request VPN Template

Hello <customer>,

Please provide the necessary information below to complete this site-to-site VPN tunnel request:

Phase 1:
------------------
Encryption: (e.g., AES-256, AES-192, AES-128, 3DES)
Hash: (e.g., SHA-256, SHA-1, MD5)
Authentication: (Pre-Shared Key or RSA Signature)
Lifetime: (e.g., 28800 seconds, 86400 kilobytes)
DH Group: (e.g., 14, 5, 2, 1)

Phase 2:
------------------
Encryption: (e.g., AES-256, AES-192, AES-128, 3DES)
Hash: (e.g., SHA-256, SHA-1, MD5)
PFS: (Enable [DH Group 14, 5, 2] or Disable)
Lifetime: (e.g., 3600 seconds, 4608000 kilobytes)

Encryption Domain:
------------------
Local Networks: (e.g., 10.1.1.0/24, 192.168.1.0/24)
Remote Networks: (e.g., 10.2.2.0/24, 172.16.0.0/16)

Please provide the requested information, and I'll be happy to assist you further with configuring the IKEv2 VPN tunnel on your FortiGate firewall.

Route Based IKEv2 VPN Template using Static Routing

Possible encryption & hash combinations:

  • aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512
  • aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512
  • aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512

Configuration Template:

config firewall address
edit "local_net1"
set subnet 10.1.1.0 255.255.255.0
next
edit "local_net2"
set subnet 10.1.2.0 255.255.255.0
next
edit "remote_net1"
set subnet 192.168.1.0 255.255.255.0
next
edit "remote_net2"
set subnet 192.168.2.0 255.255.255.0
next
end

config firewall addrgrp
edit "local_networks"
set member "local_net1" "local_net2"
next
edit "remote_networks"
set member "remote_net1" "remote_net2"
next
end

config vpn ipsec phase1-interface
edit "ike_route_vpn"
set interface "wan1"
set ike-version 2
set keylife 28800
# proposal must be one of the cipher-hash names listed above
set proposal aes256-sha256
set dhgrp 14
set remote-gw <REMOTE_GATEWAY_IP>
set authmethod psk
# FortiOS stores the pre-shared key under psksecret
set psksecret <PRE_SHARED_KEY>
next
end

config vpn ipsec phase2-interface
edit "ike_route_vpn"
set phase1name "ike_route_vpn"
set proposal aes256-sha256
set dhgrp 14
set pfs <[enable/disable]>
set keylifeseconds 3600
set src-addr-type name
set src-name "local_networks"
set dst-addr-type name
set dst-name "remote_networks"
next
end

config system interface
edit "ike_route_vpn"
set vdom "root"
set ip 10.10.10.1 255.255.255.255
set remote-ip 10.10.10.2 255.255.255.255
set interface "wan1"
next
end

config router static
edit 1
set device "ike_route_vpn"
set dst <REMOTE_NETWORK> <REMOTE_NETMASK>
next
end

config firewall policy
edit 1
set name "VPN-Traffic"
set srcintf "lan"
set dstintf "ike_route_vpn"
set srcaddr "local_networks"
set dstaddr "remote_networks"
set action accept
set schedule "always"
set service "ALL"
next
# return policy so traffic initiated from the remote side is also permitted
edit 2
set name "VPN-Traffic-Inbound"
set srcintf "ike_route_vpn"
set dstintf "lan"
set srcaddr "remote_networks"
set dstaddr "local_networks"
set action accept
set schedule "always"
set service "ALL"
next
end

The key differences from the IKEv1 template are:

  1. set ike-version 2 in the phase1 config
  2. authmethod psk and psksecret <key> for pre-shared key auth
  3. Encryption/hash proposals use the combined cipher-hash names listed above (e.g. aes256-sha256); the prfsha suffix applies only to AEAD proposals such as aes256gcm-prfsha256
  4. No dpd or nattraversal settings needed
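Once tunnels like the one above are deployed, the same points (ike-version 2, proposal strength, DH group, a PSK placeholder that was never replaced) are what a periodic review of the running config should check. The following is an added example, not code from the original post, that parses the flat `config / edit / set` structure of a FortiOS export and reports per tunnel. The config text is a constructed sample using documentation addresses and placeholder secrets, and the weak-algorithm and DH-group lists are this script's own assumptions.

```python
"""Audit FortiOS IKEv2 tunnel definitions from a 'show vpn ipsec ...' export.

Added example; not code from the original post. The config text below is a
constructed sample (documentation addresses, placeholder secrets), and the
weak-algorithm and DH-group lists are this script's own assumptions.
"""

WEAK_PARTS = {"3des", "des", "md5", "sha1"}
WEAK_DH_GROUPS = {"1", "2", "5"}

SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "hq_to_branch"
        set interface "wan1"
        set ike-version 2
        set keylife 28800
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        set authmethod psk
        set psksecret <PRE_SHARED_KEY>
    next
    edit "legacy_partner"
        set interface "wan1"
        set ike-version 1
        set proposal aes128-sha1 3des-md5
        set dhgrp 2
        set remote-gw 198.51.100.20
        set psksecret ENC placeholder-ciphertext
    next
end
config vpn ipsec phase2-interface
    edit "hq_to_branch"
        set phase1name "hq_to_branch"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
    next
    edit "legacy_partner"
        set phase1name "legacy_partner"
        set proposal aes128-sha1
        set pfs disable
    next
end
"""


def parse_sections(text: str) -> dict:
    """Parse flat 'config ... / edit ... / set ...' blocks into nested dicts.

    Returns {section: {entry: {key: value}}}. Nested 'config' blocks (as in
    'config router bgp') are not needed here and are not handled."""
    sections: dict = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
        elif line.startswith("edit ") and section is not None:
            entry = line[len("edit "):].strip('"')
            sections[section][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[section][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return sections


def weak_proposals(phase: str, proposal: str) -> list[str]:
    """One finding per proposal token that contains a legacy cipher or hash."""
    out = []
    for token in proposal.split():
        weak = [part for part in token.split("-") if part in WEAK_PARTS]
        if weak:
            out.append(f"{phase}: proposal {token} uses legacy {'/'.join(weak)}")
    return out


def audit_config(text: str) -> dict:
    """Return {tunnel name: [findings]} for every phase1-interface entry."""
    cfg = parse_sections(text)
    phase1 = cfg.get("vpn ipsec phase1-interface", {})
    phase2 = cfg.get("vpn ipsec phase2-interface", {})
    report = {}
    for name, p1 in phase1.items():
        findings = []
        if p1.get("ike-version") != "2":
            findings.append("phase1: ike-version is not 2")
        findings += weak_proposals("phase1", p1.get("proposal", ""))
        if set(p1.get("dhgrp", "").split()) & WEAK_DH_GROUPS:
            findings.append(f"phase1: dhgrp {p1['dhgrp']} includes a weak group")
        if p1.get("psksecret", "").startswith("<"):
            findings.append("phase1: psksecret is still a template placeholder")
        # Phase 2 entries reference their phase 1 by name; audit each one.
        for p2name, p2 in phase2.items():
            if p2.get("phase1name") != name:
                continue
            findings += weak_proposals(f"phase2 {p2name}", p2.get("proposal", ""))
            if p2.get("pfs", "enable") == "disable":
                findings.append(f"phase2 {p2name}: pfs disabled")
        report[name] = findings
    return report


if __name__ == "__main__":
    for tunnel, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{tunnel}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

On the sample, `hq_to_branch` comes back with the single finding that its PSK placeholder was never replaced, while `legacy_partner` is flagged for IKEv1, two legacy proposals, DH group 2, a legacy phase 2 proposal and PFS being off. Feed it the output of `show vpn ipsec phase1-interface` and `show vpn ipsec phase2-interface` concatenated to run it against a real unit.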

Route Based IKEv2 VPN Template using BGP Routing

Possible encryption & hash combinations:

  • aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512
  • aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512
  • aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512

Configuration Template:

config firewall address
edit "local_net1"
set subnet 10.1.1.0 255.255.255.0
next
edit "local_net2"
set subnet 10.1.2.0 255.255.255.0
next
edit "remote_net1"
set subnet 192.168.1.0 255.255.255.0
next
edit "remote_net2"
set subnet 192.168.2.0 255.255.255.0
next
end

config firewall addrgrp
edit "local_networks"
set member "local_net1" "local_net2"
next
edit "remote_networks"
set member "remote_net1" "remote_net2"
next
end

config vpn ipsec phase1-interface
edit "ike_route_vpn"
set interface "wan1"
set ike-version 2
set keylife 28800
# proposal must be one of the cipher-hash names listed above
set proposal aes256-sha256
set dhgrp 14
set remote-gw <REMOTE_GATEWAY_IP>
set authmethod psk
# FortiOS stores the pre-shared key under psksecret
set psksecret <PRE_SHARED_KEY>
next
end

config vpn ipsec phase2-interface
edit "ike_route_vpn"
set phase1name "ike_route_vpn"
set proposal aes256-sha256
set dhgrp 14
set pfs <[enable/disable]>
set keylifeseconds 3600
set src-addr-type name
set src-name "local_networks"
set dst-addr-type name
set dst-name "remote_networks"
next
end

config system interface
edit "ike_route_vpn"
set vdom "root"
set ip 10.10.10.1 255.255.255.255
set remote-ip 10.10.10.2 255.255.255.255
set interface "wan1"
next
end

config router bgp
set as 65412
set router-id 10.10.10.1
config neighbor
# BGP neighbors are keyed by the peer IP (the tunnel remote-ip), not the interface name
edit "10.10.10.2"
set remote-as 65413
set interface "ike_route_vpn"
next
end
config network
edit 1
set prefix 10.1.1.0 255.255.255.0
next
edit 2
set prefix 10.1.2.0 255.255.255.0
next
end
end

config firewall policy
edit 1
set name "VPN-Traffic"
set srcintf "lan"
set dstintf "ike_route_vpn"
set srcaddr "local_networks"
set dstaddr "remote_networks"
set action accept
set schedule "always"
set service "ALL"
next
# return policy so traffic initiated from the remote side is also permitted
edit 2
set name "VPN-Traffic-Inbound"
set srcintf "ike_route_vpn"
set dstintf "lan"
set srcaddr "remote_networks"
set dstaddr "local_networks"
set action accept
set schedule "always"
set service "ALL"
next
end

Policy Based IKEv2 VPN Template

Possible encryption & hash combinations:

  • aes128-sha1, aes128-sha256, aes128-sha384, aes128-sha512
  • aes192-sha1, aes192-sha256, aes192-sha384, aes192-sha512
  • aes256-sha1, aes256-sha256, aes256-sha384, aes256-sha512

Configuration Template:

## Address Objects [insert all needed local & remote networks or hosts]
config firewall address
edit "local_net1"
set subnet 10.1.1.0 255.255.255.0
next
edit "local_net2"
set subnet 10.1.2.0 255.255.255.0
next
edit "remote_net1"
set subnet 192.168.1.0 255.255.255.0
next
edit "remote_net2"
set subnet 192.168.2.0 255.255.255.0
next
end

## Address Groups [nest objects under one address group each side]
config firewall addrgrp
edit "local_networks"
set member "local_net1" "local_net2"
next
edit "remote_networks"
set member "remote_net1" "remote_net2"
next
end

## IKEv2 Phase 1 Configuration [insert phase 1 parameters as needed]
## Policy-based tunnels use "phase1"/"phase2", not the "-interface" variants
config vpn ipsec phase1
edit "ike_policy_vpn"
set interface "wan1"
set ike-version 2
set dpd disable
set nattraversal enable
set keylife 28800
set proposal aes256-sha256
set dhgrp 14
set remote-gw <REMOTE_GATEWAY_IP>
set authmethod psk
set psksecret <PRE_SHARED_KEY>
next
end

## IKEv2 Phase 2 Configuration [insert phase 2 parameters as needed]
config vpn ipsec phase2
edit "ike_policy_vpn"
set phase1name "ike_policy_vpn"
set proposal aes256-sha256
set dhgrp 14
set pfs enable
set keylifeseconds 3600
set src-addr-type name
set src-name "local_networks"
set dst-addr-type name
set dst-name "remote_networks"
next
end

## Firewall Policy [one IPsec policy; inbound/outbound control each direction]
config firewall policy
edit 1
set name "VPN-Traffic"
set srcintf "lan"
set dstintf "wan1"
set srcaddr "local_networks"
set dstaddr "remote_networks"
set action ipsec
set schedule "always"
set service "ALL"
# bind the policy to the phase 1 definition above
set vpntunnel "ike_policy_vpn"
set inbound enable
set outbound enable
next
end
