VPNs on Fortinet Fortigate

 

Yesterday I had to troubleshoot a bunch of VPNs on a Fortigate. It was a migration from ASA to Fortigate. I have a license for FortiConverter but it screwed up the ‘nat’ statements and created a ‘policy’ for each of them. I used it to import the object but the rest I did by hand. Here goes it:

Lets start with the basic components for a VPN on a Fortigate:

1. A Tunnel interface attached to the ‘outside’ interface.
2. A Static Route pointing to the remote networks (in Phase II) using the ‘Tunnel Interface’
3. IKE Phase I object
4. IPSec Phase II object containing the Proxy IDs.

Although you are able to do this via the GUI, I recommend using the command line for Phase II with multiple networks.
—————————————————————————
Here is the scenario:

Local Side
Peer IP: 1.1.1.1
Local Networks: 10.1.1.0/24, 10.3.0.0/24, 10.10.0.0/24, 192.168.1.0/24

Remote Side
Peer IP 2.2.2.2
Remote Networks: 172.16.1.0/24, 172.16.2.0/24, 172.17.1.0/24

Phase I
Pre-shared key
DH Group 5
Encryption Algorithm: AES 256
Hashing SHA1
NAT-T Enabled

Phase II
ESP (Encapsulation Security Payload)
Encryption Algorithm: AES 256
Hashing SHA1
PFS Enabled
Phase 2
—————————————————————————

Here are the CLI commands for creating the ‘tunnel-interface’

config system interface
edit “Tunnel-to-NYC”
set vdom “root”
set distance 5
set dhcp-relay-service disable
set ip 0.0.0.0 0.0.0.0
set type tunnel
set tcp-mss 0
set inbandwidth 0
set outbandwidth 0
set description ”
set alias ”
set interface “outside”
next

Some of the options were removed for brevity.

Next we are going to add the static routers

config router static
edit 0
set status enable
set dst 172.16.10 255.255.255.0
set distance 10
set weight 0
set priority 0
set device “NYC-VPN”
set comment “VPN-to-NYC”
set blackhole disable
set dynamic-gateway disable
set virtual-wan-link disable
next

edit 0
set status enable
set dst 172.16.2.0 255.255.255.0
set distance 10
set weight 0
set priority 0
set device “NYC-VPN”
set comment “VPN-to-NYC”
set blackhole disable
set dynamic-gateway disable
set virtual-wan-link disable
next

edit 0
set status enable
set dst 172.17.1.0 255.255.255.0
set distance 10
set weight 0
set priority 0
set device “NYC-VPN”
set comment “VPN-to-NYC”
set blackhole disable
set dynamic-gateway disable
set virtual-wan-link disable
next

Now that we have the static routes in, we will move on to the Phase I configuration

config vpn ipsec phase1-interface
edit “NYC-VPN”
set type static
set interface “outside”
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set keylife 86400
set authmethod psk
set mode main
set peertype any
set mode-cfg disable
set proposal aes256-sha1
set exchange-interface-ip disable
set localid ”
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set dpd on-demand
set forticlient-enforcement disable
set comments “VPN-NYC”
set npu-offload enable
set dhgrp 5
set mesh-selector-type disable
set nattraversal enable
set remote-gw 2.2.2.2
set monitor ”
set add-gw-route disable
set psksecret
set keepalive 10
set auto-negotiate enable
set dpd-retrycount 3
set dpd-retryinterval 20
next

I will get back to the section ‘set mesh-selector-type disable’

Here is where it gets tricky on the Fortigate. Where as in the ASA you can create an ‘object’ or ‘object-group’ Fortinet is not great in giving you the info that you can use the same type of object.

Option I

config vpn encryption phase2-interface
edit “NYC-PHASEII-01”
set phase1name “NYC-VPN”
set proposal aes256-sha1
set pfs enable
set dhgrp 2
set replay enable
set keepalive disable
set auto-negotiate disable
set auto-discovery-sender phase1
set auto-discovery-forwarder phase1
set keylife-type seconds
set encapsulation tunnel-mode
set comments “VPN-to-NYC”
set protocol 0
set src-addr-type subnet
set src-port 0
set dst-addr-type subnet
set dst-port 0
set keylifeseconds 43200
set src-subnet 10.1.1.0 255.255.255.0
set dst-subnet 172.16.1.0 255.255.255.0
Next

With this option, you will need to create a separate ‘phase2-interfaces’ for each combination. That is,
10.1.1.0/24 to 172.16.1.0/24 and 172.16.2.0/24 and 172.17.1.0/24. Then you need to do the same thing for 10.3.0.0/24, 10.10.0.0/24 as well as 192.168.1.0/24. As you can see for large networks that you are unable to summarize, it is going to be a while.

Option II
You can create ‘Address’ objects and use those instead, however when you go into the IPsec Monitor, it will show you one Phase II SA instead of a breakdown of the multiple SAs. This is troublesome when you are identifying VPN issues. To get around this limitation, you need to set the phase 1 option

set mesh-selector-type disabled
to
set mesh-selector-type subnet

This will show you the separate SAs. You will need to create some address object first.

edit “LOCAL-1″
set type ipmask
set comment ”
set visibility enable
set associated-interface ”
set color 0
set allow-routing disable
set subnet 10.1.1.0 255.255.255.0
next

edit “LOCAL-2″
set type ipmask
set comment ”
set visibility enable
set associated-interface ”
set color 0
set allow-routing disable
set subnet 10.3.0.0 255.255.255.0
next

edit “LOCAL-3″
set type ipmask
set comment ”
set visibility enable
set associated-interface ”
set color 0
set allow-routing disable
set subnet 10.10.0.0 255.255.255.0
next

edit “LOCAL-4″
set type ipmask
set comment ”
set visibility enable
set associated-interface ”
set color 0
set allow-routing disable
set subnet 192.168.1.0 255.255.255.0
next

edit “NYC-LOCAL”
set member “LOCAL-1” “LOCAL-2” “LOCAL-3” “LOCAL-4″
set comment ”
set visibility enable
set color 0

 

You will need to do the same for the remote side. Then you will need to change the Phase II section.

set src-subnet 10.1.1.0 255.255.255.0
set dst-subnet 172.16.1.0 255.255.255.0
to

set src-name “NYC-LOCAL”
set dst-name “NYC-REMOTE”

Now you need to create a policy for the traffic.
The following policy permits traffic from Local to Remote

config firewall policy
edit 0
set name “VPN<—MIA-to-NYC”
set srcintf “port2”
set dstintf “NYC-VPN”
set srcaddr “NYC-LOCAL”
set dstaddr “NYC-REMOTE”
set rtp-nat disable
set learning-mode disable
set action accept
set status enable
set schedule “always”
set schedule-timeout disable
set service “ALL”
set utm-status disable
set logtraffic utm
set logtraffic-start disable
set capture-packet disable
set auto-asic-offload enable
set wanopt disable
set webcache disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set wccp disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments
set block-notification disable
set replacemsg-override-group ”
set srcaddr-negate disable
set dstaddr-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set ssl-mirror disable
set scan-botnet-connections disable
set dsri disable
set delay-tcp-npu-sessoin disable
set traffic-shaper ”
set traffic-shaper-reverse ”
set per-ip-shaper ”
set nat disable
set match-vip disable
next

config firewall policy

The following policy permits traffic from Remote to Local

edit 0
set name “VPN—>NYC-to-MIA”
set srcintf “NYC-VPN”
set dstintf “port2”
set srcaddr “NYC-REMOTE”
set dstaddr “NYC-LOCAL”
set rtp-nat disable
set learning-mode disable
set action accept
set status enable
set schedule “always”
set schedule-timeout disable
set service “ALL”
set utm-status disable
set logtraffic utm
set logtraffic-start disable
set capture-packet disable
set auto-asic-offload enable
set wanopt disable
set webcache disable
set session-ttl 0
set vlan-cos-fwd 255
set vlan-cos-rev 255
set wccp disable
set disclaimer disable
set natip 0.0.0.0 0.0.0.0
set diffserv-forward disable
set diffserv-reverse disable
set tcp-mss-sender 0
set tcp-mss-receiver 0
set comments
set block-notification disable
set replacemsg-override-group ”
set srcaddr-negate disable
set dstaddr-negate disable
set service-negate disable
set timeout-send-rst disable
set captive-portal-exempt disable
set ssl-mirror disable
set scan-botnet-connections disable
set dsri disable
set delay-tcp-npu-sessoin disable
set traffic-shaper ”
set traffic-shaper-reverse ”
set per-ip-shaper ”
set nat disable
set match-vip disable
next

You may need to move the policies around as needed.

Some useful command for debugging

diag debug en
diag debug flow filter add <ipaddress>
diag debug flow filter proto 1 —–> proto 1 to file the ICMP or ping traffic
diag debug flow show console en
diag debug flow trace start 100
diag debug en

diag vpn ike log filter name <phase1-name>
diag debug app ike -1
1- only major errors will be shown
2- configuration changes
4- connection attempts
8- phase 1 and 2 negotiation messages
16- NAT-T messages
32- DPD messages
The most common values for the bit-mask are -1 and 63.
diag debug en