Fortinet

Firmware upgrade from the CLI

execute restore image tftp <filename> nas-2.i.cfns.net

VTI Tunnel

Configuration for a dynamic client behind a NAT

NOTE: The tunnel will not come up unless there is a firewall policy that allows traffic from the tunnel interface to some destination.

Server Side

# Server-side IKEv2 phase 1 for the VTI tunnel. The server sits on a fixed
# address; the peer is found by its DDNS hostname (type ddns / remotegw-ddns).
config vpn ipsec phase1-interface
    edit "VTI-1"
        set type ddns
        set interface "wan1"
        set ike-version 2
        # keylife is in seconds: 43200 = 12 hours
        set keylife 43200
        # "any" accepts whatever peer ID the client presents; with a PSK that
        # means any party holding the secret can bring the tunnel up.
        # NOTE(review): confirm this is intended, otherwise restrict the peer ID
        set peertype any
        set net-device disable
        # AES-256 encryption with SHA-256 integrity
        set proposal aes256-sha256
        # IKE identity sent to the peer
        set localid "<ip address>"
        # DH group 21 (521-bit ECP)
        set dhgrp 21
        # NAT traversal is off although the client is described as being behind
        # a NAT - presumably that NAT passes ESP unchanged; if the tunnel does
        # not come up this is the first setting to revisit
        set nattraversal disable
        set remotegw-ddns "<fqdn>"
        # pre-shared key shared with the client; use a long random value
        set psksecret <password>
        set comments "Server Side VTI"
    next
end

# Server-side phase 2 (IPsec SA) bound to the phase 1 above.
config vpn ipsec phase2-interface
    edit "VTI-1"
        set phase1name "VTI-1"
        # same AES-256 / SHA-256 pairing as phase 1
        set proposal aes256-sha256
        # No perfect forward secrecy: phase 2 keys derive from the phase 1
        # exchange only. Enabling pfs (with a dhgrp) costs little and limits
        # what a recovered phase 1 key exposes - worth revisiting.
        set pfs disable
        # presumably brings the SA up without waiting for traffic - confirm
        set auto-negotiate enable
        set comments "Server Side"
    next
end

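# Tunnel interface for VTI-1 (server side). `config system interface` takes
# no argument - the object is selected by the `edit` line - so the stray
# "VTI-1" that was on the config line is dropped, matching the client block.
config system interface
    edit "VTI-1"
        set vdom "root"
        # /32 on both ends: point-to-point addressing across the VTI
        set ip <local ip> 255.255.255.255
        # ssh here exposes management of this unit to the tunnel peer;
        # keep it only if that is intended, otherwise leave just ping
        set allowaccess ping ssh
        set type tunnel
        set remote-ip <remote ip> 255.255.255.255
        set interface "wan1"
    next
end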

Client Side

# Client-side IKEv2 phase 1. The client has a dynamic address and dials the
# server's fixed address (remote-gw); it identifies itself by FQDN.
config vpn ipsec phase1-interface
    edit "VTI-1"
        set interface "wan1"
        set ike-version 2
        # keylife is in seconds: 43200 = 12 hours
        set keylife 43200
        set peertype any
        set net-device disable
        # AES-256 encryption with SHA-256 integrity
        set proposal aes256-sha256
        # IKE identity presented to the server - presumably the same hostname
        # the server looks up via remotegw-ddns; verify they match
        set localid "<fqdn>"
        # dead peer detection probes are sent only when the tunnel is idle
        set dpd on-idle
        # DH group 21 (521-bit ECP)
        set dhgrp 21
        # see the server side: NAT-T is off even though this end is behind NAT
        set nattraversal disable
        # server's public address
        set remote-gw 66.37.4.14
        # must match the server's psksecret
        set psksecret <password>
        # seconds between DPD retries
        set dpd-retryinterval 10
    next
end

# Client-side phase 2 (IPsec SA) bound to the phase 1 above.
config vpn ipsec phase2-interface
    edit "VTI-1"
        set phase1name "VTI-1"
        # same AES-256 / SHA-256 pairing as phase 1
        set proposal aes256-sha256
        # no perfect forward secrecy - must match the server-side setting;
        # if pfs is enabled there, enable it here too with the same dhgrp
        set pfs disable
        set comments "Client Side"
    next
end

# Tunnel interface for VTI-1 (client side); mirror image of the server's.
config system interface
    edit "VTI-1"
        set vdom "root"
        # /32 on both ends: point-to-point addressing across the VTI
        set ip <local ip> 255.255.255.255
        # ssh here exposes management of this unit to the tunnel peer;
        # keep it only if that is intended, otherwise leave just ping
        set allowaccess ping ssh
        set type tunnel        
        set remote-ip <remote ip> 255.255.255.255
        set interface "wan1"
    next
end

Diagnostics

Bypass the NPU fast path for sniffing:
# Take the given port(s) off the NPU fast path - presumably so offloaded
# sessions become visible to the packet sniffer; confirm on your platform
diagnose npu <xxx> fastpath-sniffer enable <port(s)_number>

# IKE debugging: clear any stale filter, narrow it to the peer's address,
# then turn on full IKE debug. Level -1 is verbose and stays on until you
# run `diagnose debug disable` and `diagnose debug reset` - do that when done.
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 ....
diagnose vpn ike log-filter src-addr4 ....
diagnose debug application ike -1
diagnose debug enable