FortiGate IPsec VPN

Piotr Kaluzny

Head Instructor

Dec 30, 2024

In today’s interconnected world, ensuring secure communication between networks is paramount. FortiGate, a leading network security appliance by Fortinet, offers robust IPsec VPN capabilities to facilitate encrypted data transmission across public networks.

Let’s start by discussing different IPsec VPN implementations available on FortiGate firewalls.

IPsec VPN Implementations

FortiGate supports two primary IPsec VPN configurations: Policy-based and Route-based:

  • Policy-based VPN – this method integrates the VPN configuration directly into firewall policies (rules). Traffic matching a policy’s criteria is encrypted (the policy uses the “IPsec” action) and leaves through a regular firewall interface, with the VPN tunnel itself not represented as an interface. While straightforward for simple deployments, policy-based VPNs can become cumbersome in complex network environments because they do not scale well. This solution is similar to the traditional crypto-map-based approach commonly used on Cisco products.
  • Route-based VPN – also known as interface-based VPN, this approach relies on a dedicated virtual interface that represents the VPN tunnel. Traffic to be encrypted is directed to that virtual (VPN) interface by routing-table entries, which offers greater flexibility and scalability, especially in intricate network topologies. Route-based VPNs are generally recommended for most modern deployments because of their versatility. A firewall policy is still required to allow the VPN traffic through, but it uses the normal “ACCEPT” action, and VPN traffic is easily classified by matching on the virtual interface. This solution is similar to the VTI (Virtual Tunnel Interface) feature offered by certain Cisco products.

IPsec VPN Configuration

There are three ways to configure an IPsec VPN tunnel on FortiGate – the CLI, or one of two GUI methods: the VPN Wizard and a Custom IPsec Tunnel.

Using the VPN Wizard (VPN -> VPN Wizard) simplifies the configuration (we can choose a template for Site-to-Site, Hub and Spoke or Remote Access), since it all comes down to defining the peer’s IP address, the VPN subnets, the IKE version and the authentication method.

Creating a Custom Tunnel (VPN -> VPN Tunnels) opens access to all of the VPN options we can potentially tune, but it is more time-consuming.

As usual, the CLI is the least obvious choice, especially for someone who has never worked with IPsec VPNs or does not fully understand the technology. The CLI IPsec VPN syntax starts with:

config vpn ipsec

Additional considerations:

  • For Policy-based VPNs, create firewall policies that define which traffic should be encrypted and sent through the VPN. Use the regular firewall interfaces (e.g. inside <-> outside) and apply the “IPsec” action.
  • For Route-based VPNs, set up static or dynamic routing to direct the protected traffic through the virtual IPsec interface. Refer to the virtual VPN interface in the policy (e.g. inside <-> virtual_interface) and apply the “ACCEPT” action.
  • Adjust the tunnel settings as needed (cryptographic algorithms, PFS, IKE version, etc.).

Relevant Training

Check out our FortiGate Technologies video series to learn more about VPNs and their implementation on FortiGate firewalls.

By leveraging FortiGate’s IPsec VPN capabilities, you can establish secure, reliable connections between disparate networks, ensuring data integrity and confidentiality across your organization’s infrastructure.
