Chapter 11 IPsec VPN for FortiOS 5.0 : Hardware offloading and acceleration : IPsec offloading configuration examples : Accelerated policy-based VPN configuration
  
Accelerated policy-based VPN configuration
To configure FortiGate_1
1. Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
2. Configure Phase 1 settings (name FGT_1_IPsec, Remote Gateway: Static IP Address 3.3.3.2, the VPN IP address of FortiGate_2), then select Advanced and set the following:
Ensure that the Enable IPsec Interface Mode check box is not selected. A policy-based VPN requires interface mode to be disabled on both peers.
In Local Gateway IP, select Specify and enter the VPN IP address 3.3.3.1, which is the IP address of FortiGate_1’s FortiGate-ASM-FB4 module on port 2.
3. Select OK.
4. Select Create Phase 2 and configure Phase 2 settings, including the following:
Select Enable replay detection.
From the CLI, set enc-offload-antireplay to enable under config system npu. This offloads the anti-replay check on encrypted traffic to the module; if replay detection is selected but enc-offload-antireplay is left disabled, the anti-replay check keeps the tunnel’s traffic on the CPU and encryption is not accelerated.
5. Go to Policy > Policy > Policy.
6. Configure an IPsec VPN policy (Action: IPSEC, VPN Tunnel: FGT_1_IPsec, with both inbound and outbound traffic allowed) that applies the Phase 1 tunnel you configured in step 2 to traffic between FortiGate-ASM-FB4 module port 1 (source interface, the protected network) and port 2 (destination interface, the VPN gateway).
7. Go to Router > Static > Static Routes.
For low-end FortiGate units, go to System > Network > Routing.
8. Configure a static route that sends traffic destined for FortiGate_2’s protected network (2.2.2.0/24) to FortiGate_2’s VPN gateway, 3.3.3.2, through the FortiGate-ASM-FB4 module’s port 2 (device). The gateway is the remote peer’s VPN IP address, not FortiGate_1’s own.
To add the static route from the CLI:
config router static
    edit 0
        set device "AMC-SW1/2"
        set dst 2.2.2.0 255.255.255.0
        set gateway 3.3.3.2
    next
end
To configure FortiGate_2
1. Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
2. Configure Phase 1 settings (name FGT_2_IPsec, Remote Gateway: Static IP Address 3.3.3.1, the VPN IP address of FortiGate_1), then select Advanced and set the following:
Ensure that the Enable IPsec Interface Mode check box is not selected. This is a policy-based VPN, so interface mode must be disabled here exactly as on FortiGate_1; enabling it on one peer only leaves the tunnel unable to match FortiGate_1’s configuration.
In Local Gateway IP, select Specify and enter the VPN IP address 3.3.3.2, which is the IP address of FortiGate_2’s FortiGate-ASM-FB4 module on port 2.
3. Select OK.
4. Select Create Phase 2 and configure Phase 2 settings, including the following:
Select Enable replay detection.
From the CLI, set enc-offload-antireplay to enable under config system npu, as on FortiGate_1, so that the anti-replay check is offloaded to the module rather than keeping the tunnel’s traffic on the CPU.
5. Go to Policy > Policy > Policy.
6. Configure an IPsec VPN policy (Action: IPSEC, VPN Tunnel: FGT_2_IPsec, with both inbound and outbound traffic allowed) that applies the Phase 1 tunnel you configured in step 2 to traffic between FortiGate-ASM-FB4 module port 1 (source interface, the protected network) and port 2 (destination interface, the VPN gateway).
7. Go to Router > Static > Static Routes.
For low-end FortiGate units, go to System > Network > Routing.
8. Configure a static route that sends traffic destined for FortiGate_1’s protected network (1.1.1.0/24) to FortiGate_1’s VPN gateway, 3.3.3.1, through the FortiGate-ASM-FB4 module’s port 2 (device). As on FortiGate_1, the gateway is the remote peer’s VPN IP address.
To add the static route from the CLI:
config router static
    edit 0
        set device "AMC-SW1/2"
        set dst 1.1.1.0 255.255.255.0
        set gateway 3.3.3.1
    next
end
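The complete CLI equivalent of the two GUI procedures above, added here as an example; it is not taken from the original page. It assumes that the module’s port 1 is named AMC-SW1/1 (the page names only port 2, AMC-SW1/2), that FortiGate_1’s protected network is 1.1.1.0/24 and FortiGate_2’s is 2.2.2.0/24 (taken from the static routes above), and that the address object names, Phase 2 names, the aes128-sha1 proposal and the pre-shared key are placeholders. Replace <pre-shared-key> with the same secret on both units.

```text
# ---- FortiGate_1: VPN IP 3.3.3.1 on AMC-SW1/2, protected network 1.1.1.0/24 on AMC-SW1/1 ----
# Offload the anti-replay check; dec-offload-antireplay (decrypt side) is not named on this page.
config system npu
    set enc-offload-antireplay enable
    set dec-offload-antireplay enable
end
# Address objects (names assumed); they become the Phase 2 quick-mode selectors.
config firewall address
    edit "FGT_1_protected"
        set subnet 1.1.1.0 255.255.255.0
    next
    edit "FGT_2_protected"
        set subnet 2.2.2.0 255.255.255.0
    next
end
# Policy-based Phase 1 lives under "config vpn ipsec phase1", not phase1-interface.
config vpn ipsec phase1
    edit "FGT_1_IPsec"
        set interface "AMC-SW1/2"
        set local-gw 3.3.3.1
        set remote-gw 3.3.3.2
        set proposal aes128-sha1
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2
    edit "FGT_1_IPsec_P2"
        set phase1name "FGT_1_IPsec"
        set proposal aes128-sha1
        set replay enable
    next
end
# IPsec policy from the protected network (port 1) to the VPN interface (port 2).
config firewall policy
    edit 0
        set srcintf "AMC-SW1/1"
        set dstintf "AMC-SW1/2"
        set srcaddr "FGT_1_protected"
        set dstaddr "FGT_2_protected"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "FGT_1_IPsec"
    next
end
# Route the remote protected network to FortiGate_2's VPN gateway out of port 2.
config router static
    edit 0
        set device "AMC-SW1/2"
        set dst 2.2.2.0 255.255.255.0
        set gateway 3.3.3.2
    next
end

# ---- FortiGate_2: VPN IP 3.3.3.2 on AMC-SW1/2, protected network 2.2.2.0/24 on AMC-SW1/1 ----
# "config system npu" and "config firewall address" are identical to FortiGate_1.
config vpn ipsec phase1
    edit "FGT_2_IPsec"
        set interface "AMC-SW1/2"
        set local-gw 3.3.3.2
        set remote-gw 3.3.3.1
        set proposal aes128-sha1
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2
    edit "FGT_2_IPsec_P2"
        set phase1name "FGT_2_IPsec"
        set proposal aes128-sha1
        set replay enable
    next
end
config firewall policy
    edit 0
        set srcintf "AMC-SW1/1"
        set dstintf "AMC-SW1/2"
        set srcaddr "FGT_2_protected"
        set dstaddr "FGT_1_protected"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set inbound enable
        set outbound enable
        set vpntunnel "FGT_2_IPsec"
    next
end
config router static
    edit 0
        set device "AMC-SW1/2"
        set dst 1.1.1.0 255.255.255.0
        set gateway 3.3.3.1
    next
end
```

The two configurations are mirror images: local-gw and remote-gw, the policy’s source and destination addresses, and the static route’s destination and gateway are swapped, while the interface mode (disabled), the npu offload settings and the replay detection setting are identical. Any asymmetry in those shared settings is the first thing to check when the tunnel negotiates but traffic is not accelerated.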
To test the VPN
1. Activate the IPsec tunnel by sending traffic between the two protected networks (for example, a ping from a host on 1.1.1.0/24 to a host on 2.2.2.0/24). A policy-based tunnel is only brought up when traffic matches the IPsec policy.
2. To verify tunnel activation, go to VPN > Monitor > IPsec Monitor; the tunnel should be listed with a status of Up.
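CLI checks that complement the IPsec Monitor, added here as an example rather than taken from the page. Run them on either unit after sending traffic between the protected networks; the addresses are those used throughout this example.

```text
# IKE (Phase 1) SA: expect one gateway entry for 3.3.3.1 <-> 3.3.3.2 in an established state.
diagnose vpn ike gateway list
# IPsec (Phase 2) SAs: expect inbound and outbound SPIs for the tunnel. The npu_flag field
# in this output reports whether the SA has been offloaded to the module; 00 means software only.
diagnose vpn tunnel list
# Confirm the static route to the peer's protected network points at its VPN gateway via AMC-SW1/2.
get router info routing-table all
```

If the IKE SA is established but the tunnel list shows no SPIs, the policy did not match the test traffic; if SPIs are present but npu_flag stays at 00, re-check that interface mode is disabled and that enc-offload-antireplay is enabled on both units.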