Fortinet


Available in Classic.

This section describes how to configure the customer VPN gateway to create an IPsec VPN tunnel to NAVER Cloud Platform. If the customer VPN gateway is a Fortinet FortiGate (FG series) appliance, follow the steps below.

Note

In the commands below, the local network is the customer network and the remote network is the NAVER Cloud Platform private subnet. The Peer IP is the public IP of the VPN gateway created in NAVER Cloud Platform.

Interface IP setting

The following describes how to set an interface IP.

config system interface
    edit "<define external interface name>"
        set ip <public IP> <subnet mask>
        set allowaccess ping https ssh
    next

    edit "<define internal interface name>"
        set ip <internal private IP> <subnet mask>
        set allowaccess ping https ssh http
    next
end

The external interface faces the Internet, so allowaccess on it is limited to ping, https and ssh; plain http is left off that interface because it would expose the management login in cleartext. Restrict management access further where possible, for example with trusted hosts on the admin accounts.

IKE setting

The tunnel is negotiated with IKE version 1 in two phases: Phase 1 sets up the IKE SA (peer authentication with the pre-shared key and the IKE proposal), and Phase 2 sets up the IPsec SA that carries the traffic. Both must be configured.

Note

The pre-shared key, encryption and hash algorithms, D-H group and lifetimes must be the same as those of the IPsec VPN Gateway created in the NAVER Cloud Platform console. A mismatch in any of them makes Phase 1 or Phase 2 negotiation fail.

Phase 1 (IKE) configuration

The following configures Phase 1. The entry name becomes the name of the route-based tunnel interface that the routing and firewall policy settings below refer to. Stating ike-version 1 explicitly makes it clear which IKE version is negotiated.

config vpn ipsec phase1-interface
    edit "<define VPN tunnel name>"
        set interface "<external interface name>"
        set ike-version 1
        set keylife 28800
        set peertype any
        set proposal aes128-sha1
        set dhgrp 2
        set remote-gw <Peer IP>
        set psksecret <Pre-shared key value>
    next
end
  • D-H Group: 2
  • Encryption algorithm: aes-128
  • Hash Algorithm: sha-1
  • lifetime: 28800

D-H group 2 (1024-bit MODP) and SHA-1 are legacy choices. They are used here because they must match the NAVER Cloud Platform gateway; if the console lets you choose stronger parameters (a larger D-H group, SHA-2), select them there and set the same values on the FortiGate.

Phase 2 (IPsec) configuration

The following configures Phase 2. phase1name must be the Phase 1 entry name, and src-subnet and dst-subnet each take a network address followed by a subnet mask.

config vpn ipsec phase2-interface
    edit "<define VPN tunnel name>"
        set phase1name "<VPN tunnel name you entered in the Phase 1 configuration>"
        set proposal aes128-sha1
        set pfs disable
        set replay disable
        set keylifeseconds 28800
        set src-subnet <internal private network> <subnet mask>
        set dst-subnet <remote network private IP> <subnet mask>
    next
end
  • Protocol: esp
  • Encryption algorithm: aes-128
  • Hash Algorithm: sha-1
  • lifetime: 28800

PFS and anti-replay are disabled in this proposal so that it matches the NAVER Cloud Platform gateway (the tunnel status output further below shows replay: disabled). PFS is negotiated with the peer, so enable it only if the gateway side is configured to match. Anti-replay detection is a local check on received ESP packets rather than a negotiated parameter, so the FortiGate can enable it (set replay enable) without a change on the peer.

Routing setting

Set the external (default) route and the internal route through the tunnel, then set the firewall policy. The following describes how to configure settings.

  • External routing setting

    This is the default route out of the external interface. Its gateway is the upstream router address on the external interface (the next hop given by your ISP), not the Peer IP; the Peer IP is reached through this route.

    config router static
        edit 0
            set gateway <next-hop IP on the external interface>
            set device "<external interface name>"
        next
    end
    
  • Internal routing settings (after VPN tunnel creation)

    The Phase 1 entry creates a tunnel interface with the VPN tunnel name, so this route can only be added after the Phase 1 configuration. It sends traffic for the NAVER Cloud Platform private subnet into the tunnel.

    config router static
        edit 0
            set dst <remote network private IP> <subnet mask>
            set device "<VPN tunnel name>"
        next
    end
    
  • Configuring firewall policy

    In this example the address objects are named after their subnets, and the policies reference the address object names exactly as defined (a srcaddr or dstaddr that does not match an existing address object is rejected). One policy allows traffic from the tunnel to the internal network and the other allows the reverse direction.

    config firewall address
        edit "192.168.100.0/24"
            set subnet 192.168.100.0 255.255.255.0
        next
        edit "10.20.0.0/24"
            set subnet 10.20.0.0 255.255.255.0
        next
    end
    
    config firewall policy
        edit 0
            set srcintf "<VPN tunnel name>"
            set dstintf "<internal interface name>"
            set srcaddr "192.168.100.0/24"
            set dstaddr "10.20.0.0/24"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 0
            set srcintf "<internal interface name>"
            set dstintf "<VPN tunnel name>"
            set srcaddr "10.20.0.0/24"
            set dstaddr "192.168.100.0/24"
            set action accept
            set schedule "always"
            set service "ALL"
        next
    end
    
    • Remote network private IP (NAVER Cloud Platform private subnet): 192.168.100.0/24
    • Internal private IP (customer network): 10.20.0.0/24
    • Subnet mask: 255.255.255.0

    service "ALL" opens every port between the two networks. Once the tunnel works, replace it with the services the tunnel actually has to carry, and enable logging on both policies (set logtraffic all) so that traffic crossing the tunnel is visible in the logs.
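The steps above share several values (tunnel name, proposal, lifetime, subnets, address object names) that must agree with each other. The following script renders the complete FortiOS CLI for the tunnel from one parameter set and checks that every address a policy references is defined. It is an added example, not code from NAVER Cloud Platform or Fortinet: the Tunnel fields, the sample addresses (documentation ranges) and the pre-shared key are assumed values, the interface IPs and the default route are assumed to be configured already, and ike-version 1 is stated explicitly so the negotiated version is unambiguous.

```python
"""Render the FortiGate CLI for the tunnel from one parameter set, so the values that
must agree across Phase 1, Phase 2, routing and firewall policy cannot drift apart.
Added example for this page, not NAVER Cloud Platform's or Fortinet's code."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Tunnel:
    name: str           # VPN tunnel name; also the name of the route-based tunnel interface
    wan_if: str         # external interface, e.g. "wan1"
    lan_if: str         # internal interface, e.g. "internal"
    peer_ip: str        # NAVER Cloud Platform VPN gateway public IP (the Peer IP)
    psk: str            # pre-shared key entered in the NAVER Cloud Platform console
    local_subnet: str   # customer network, CIDR
    remote_subnet: str  # NAVER Cloud Platform private subnet, CIDR
    proposal: str = "aes128-sha1"   # must match the console; used for Phase 1 and Phase 2
    dh_group: int = 2
    lifetime: int = 28800
    services: tuple = ("ALL",)      # narrow to the ports the tunnel must carry

def render_config(t: Tunnel) -> str:
    """FortiOS CLI script for the tunnel. Address objects are named after their CIDR
    and the policies reference exactly those names."""
    local = ipaddress.ip_network(t.local_subnet, strict=False)
    remote = ipaddress.ip_network(t.remote_subnet, strict=False)
    services = " ".join(f'"{s}"' for s in t.services)
    cfg = f"""\
config vpn ipsec phase1-interface
    edit "{t.name}"
        set interface "{t.wan_if}"
        set ike-version 1
        set keylife {t.lifetime}
        set peertype any
        set proposal {t.proposal}
        set dhgrp {t.dh_group}
        set remote-gw {t.peer_ip}
        set psksecret {t.psk}
    next
end
config vpn ipsec phase2-interface
    edit "{t.name}"
        set phase1name "{t.name}"
        set proposal {t.proposal}
        set pfs disable
        set replay disable
        set keylifeseconds {t.lifetime}
        set src-subnet {local.network_address} {local.netmask}
        set dst-subnet {remote.network_address} {remote.netmask}
    next
end
config router static
    edit 0
        set dst {remote.network_address} {remote.netmask}
        set device "{t.name}"
    next
end
config firewall address
    edit "{remote}"
        set subnet {remote.network_address} {remote.netmask}
    next
    edit "{local}"
        set subnet {local.network_address} {local.netmask}
    next
end
config firewall policy
"""
    for src_if, dst_if, src, dst in ((t.name, t.lan_if, remote, local),
                                     (t.lan_if, t.name, local, remote)):
        cfg += f"""\
    edit 0
        set srcintf "{src_if}"
        set dstintf "{dst_if}"
        set srcaddr "{src}"
        set dstaddr "{dst}"
        set action accept
        set schedule "always"
        set service {services}
    next
"""
    return cfg + "end\n"

def check_references(cfg: str) -> list:
    """Policy srcaddr/dstaddr names that no 'config firewall address' entry defines."""
    defined, missing, section = set(), [], None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line
        elif section == "config firewall address" and line.startswith("edit "):
            defined.add(line[5:].strip('"'))
        elif section == "config firewall policy" and line.startswith(("set srcaddr ", "set dstaddr ")):
            name = line.split(" ", 2)[2].strip('"')
            if name not in defined:
                missing.append(name)
    return missing

# Constructed sample values using documentation address ranges.
SAMPLE = Tunnel(name="ncp-vpn", wan_if="wan1", lan_if="internal", peer_ip="198.51.100.20",
                psk="change-this-psk", local_subnet="10.20.0.0/24", remote_subnet="192.168.100.0/24")
```

Call render_config(SAMPLE) to get a script that can be pasted into the FortiGate CLI, and check_references() on the result before pasting; it returns the names of address objects that a policy references but the address section does not define, which is the error that leaves a policy unsaved.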

Check IKE tunnel

After finishing all the steps, check the tunnel status. The following shows an example of how to check. In the Phase 1 output, the IKE SA and IPsec SA lines must each show at least one established SA, version: 1 confirms IKEv1, and the proposal and lifetime must match the configuration; in the Phase 2 output, mode: ike-v1 and the two selectors (src and dst) must match the subnets configured above. Note that get vpn ike gateway prints the live IKE key (the key: line), so do not paste this output into tickets or chat.

  • Phase 1 (IKE SA)
    hostname# get vpn ike gateway
    
    vd: root/0
    name: <VPN tunnel name>
    version: 1
    interface: wan1 5
    addr: <local network public IP>:500 -> <remote network public IP>:500
    created: 82s ago
    IKE SA  created: 1/1  established: 1/1  time: 0/0/0 ms
    IPsec SA  created: 1/1  established: 1/1  time: 0/0/0 ms
    
      id/spi: 74 96afabb40e5f226b/5bdcb3e03a940caf
      direction: initiator
      status: established 82-82s ago = 0ms
      proposal: aes-128-sha1
      key: 86c774a5b2e6deb9-a54dbbccef6c8c54
      lifetime/rekey: 28800/28417
      DPD sent/recv: 00000000/00000000
    
  • Phase 2 (IPsec SA)
    hostname# get vpn ipsec tunnel details
    
    gateway
      name: <VPN tunnel name>
      type: route-based
      local-gateway: <local network public IP>:0 (static)
      remote-gateway: <remote network public IP>:0 (static)
      mode: ike-v1
      interface: 'wan1' (5)
      rx  packets: 252  bytes: 30240  errors: 0
      tx  packets: 252  bytes: 15120  errors: 0
      dpd: on-demand/negotiated  idle: 20000ms  retry: 3  count: 0
      selectors
        name: <VPN tunnel name>
        auto-negotiate: disable
        mode: tunnel
        src: 0:10.20.0.0/255.255.255.0:0
        dst: 0:192.168.100.0/255.255.255.0:0
        SA
          lifetime/rekey: 28800/28402
          mtu: 1438
          tx-esp-seq: fd
          replay: disabled
          inbound
            spi: c14a02a6
            enc:  aes-cb  d196d60e927236afd6a54bdabf9de0c9
            auth:   sha1  315284852a4b4a331a3b7d2c6baa8f8cc9b91442
          outbound
            spi: 31e9297d
            enc:  aes-cb  72b17243e79a44583319efb28e3936f9
            auth:   sha1  4c4c858a74f2d16c2d7d77a4bf70e6f0b237bfd1
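To check the two status outputs mechanically, for instance from a monitoring job that collects them over SSH, the following added example parses them and compares the negotiated values with what was configured. It is not NAVER Cloud Platform's or Fortinet's code: the sample outputs are constructed after the layout shown above using documentation addresses (the key lines are left out), and EXPECTED holds assumed values taken from the configuration on this page.

```python
"""Compare the FortiGate status output for the tunnel with the configured values.
Added example for this page, not NAVER Cloud Platform's or Fortinet's code. The
sample outputs are constructed after the page's layout (key material left out)."""
import re

# Assumed values from the configuration on this page (documentation address ranges).
EXPECTED = {
    "version": 1,
    "peer": "198.51.100.20",
    "proposal": "aes-128-sha1",
    "lifetime": 28800,
    "src": "10.20.0.0/255.255.255.0",
    "dst": "192.168.100.0/255.255.255.0",
    "replay": "disabled",
}

IKE_GATEWAY_OUTPUT = """\
vd: root/0
name: ncp-vpn
version: 1
interface: wan1 5
addr: 203.0.113.10:500 -> 198.51.100.20:500
created: 82s ago
IKE SA  created: 1/1  established: 1/1  time: 0/0/0 ms
IPsec SA  created: 1/1  established: 1/1  time: 0/0/0 ms

  direction: initiator
  status: established 82-82s ago = 0ms
  proposal: aes-128-sha1
  lifetime/rekey: 28800/28417
"""

IPSEC_TUNNEL_OUTPUT = """\
gateway
  name: ncp-vpn
  type: route-based
  local-gateway: 203.0.113.10:0 (static)
  remote-gateway: 198.51.100.20:0 (static)
  mode: ike-v1
  rx  packets: 252  bytes: 30240  errors: 0
  tx  packets: 252  bytes: 15120  errors: 0
  selectors
    name: ncp-vpn
    mode: tunnel
    src: 0:10.20.0.0/255.255.255.0:0
    dst: 0:192.168.100.0/255.255.255.0:0
    SA
      lifetime/rekey: 28800/28402
      mtu: 1438
      replay: disabled
      inbound
        spi: c14a02a6
"""

def _field(text: str, pattern: str):
    """First capture group of a line-anchored regex, or None if the line is absent."""
    m = re.search(pattern, text, re.M)
    return m.group(1) if m else None

def check_ike_gateway(text: str, expect: dict) -> list:
    """Problems found in 'get vpn ike gateway' output; an empty list means Phase 1 is healthy."""
    problems = []
    for sa in ("IKE SA", "IPsec SA"):
        est = _field(text, rf"^{sa}\s+created: \d+/\d+\s+established: (\d+)/\d+")
        if est is None or int(est) < 1:
            problems.append(f"{sa} not established")
    if _field(text, r"^version:\s*(\d+)") != str(expect["version"]):
        problems.append("IKE version mismatch")
    if _field(text, r"^addr:\s*\S+ -> (\S+):\d+") != expect["peer"]:
        problems.append("peer address mismatch")
    if _field(text, r"^[ \t]*proposal:\s*(\S+)") != expect["proposal"]:
        problems.append("Phase 1 proposal mismatch")
    if _field(text, r"^[ \t]*lifetime/rekey:\s*(\d+)/") != str(expect["lifetime"]):
        problems.append("Phase 1 lifetime mismatch")
    return problems

def check_ipsec_tunnel(text: str, expect: dict) -> list:
    """Problems found in 'get vpn ipsec tunnel details' output; empty means Phase 2 is healthy."""
    problems = []
    if _field(text, r"^[ \t]*mode:\s*(ike-v\d)") != f"ike-v{expect['version']}":
        problems.append("tunnel IKE mode mismatch")
    if _field(text, r"^[ \t]*src:\s*\d+:(\S+):\d+") != expect["src"]:
        problems.append("local selector mismatch")
    if _field(text, r"^[ \t]*dst:\s*\d+:(\S+):\d+") != expect["dst"]:
        problems.append("remote selector mismatch")
    if _field(text, r"^[ \t]*lifetime/rekey:\s*(\d+)/") != str(expect["lifetime"]):
        problems.append("Phase 2 lifetime mismatch")
    if _field(text, r"^[ \t]*replay:\s*(\S+)") != expect["replay"]:
        problems.append("replay setting mismatch")
    for direction in ("rx", "tx"):
        errors = _field(text, rf"^[ \t]*{direction}\s+packets:.*errors:\s*(\d+)")
        if errors is None or int(errors) != 0:
            problems.append(f"{direction} errors reported")
    return problems
```

Both functions return a list of findings, so an empty result from check_ike_gateway() and check_ipsec_tunnel() on the captured output means the tunnel is up with the expected parameters; anything else names the first thing to look at (an SA that never established, a proposal or lifetime that differs from the console, a selector that does not match the configured subnets, or ESP errors on the tunnel).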