# Fortinet

## Firmware upgrade from CLI

```
execute restore image tftp <filename> 10.29.0.7
```
## Useful commands

| Command | Notes |
|---|---|
## VTI Tunnel

Configuration for a dynamic client behind a NAT.

NOTE: The tunnel will not come up unless there is a policy that allows traffic on the tunnel interface to somewhere.

### Server side
```
config vpn ipsec phase1-interface
    edit "VTI-1"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set keylife 43200
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set localid "<ip address>"
        set dhgrp 21
        set nattraversal disable
        set remotegw-ddns "<fqdn>"
        set psksecret <password>
        set comments "Server Side VTI"
    next
end
config vpn ipsec phase2-interface
    edit "VTI-1"
        set phase1name "VTI-1"
        set proposal aes256-sha256
        set pfs disable
        set auto-negotiate enable
        set comments "Server Side"
    next
end
config system interface
    edit "VTI-1"
        set vdom "root"
        set ip <local ip> 255.255.255.255
        set allowaccess ping ssh
        set type tunnel
        set remote-ip <remote ip> 255.255.255.255
        set interface "wan1"
    next
end
```
### Client side

```
config vpn ipsec phase1-interface
    edit "VTI-1"
        set interface "wan1"
        set ike-version 2
        set keylife 43200
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set localid "<fqdn>"
        set dpd on-idle
        set dhgrp 21
        set nattraversal disable
        set remote-gw 66.37.4.14
        set psksecret <password>
        set dpd-retryinterval 10
    next
end
config vpn ipsec phase2-interface
    edit "VTI-1"
        set phase1name "VTI-1"
        set proposal aes256-sha256
        set pfs disable
        set comments "Client Side"
    next
end
config system interface
    edit "VTI-1"
        set vdom "root"
        set ip <local ip> 255.255.255.255
        set allowaccess ping ssh
        set type tunnel
        set remote-ip <remote ip> 255.255.255.255
        set interface "wan1"
    next
end
```
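The NOTE above says the tunnel stays down until a policy lets traffic onto the tunnel interface. The following is an added example, not part of the original notes, of the minimum that satisfies it on either side: a policy pair plus the static route a route-based VPN needs. The LAN interface name "internal", the local subnet 10.29.0.0/16, the remote subnet 192.168.50.0/24 and the object/policy IDs are assumptions to substitute.

```text
# Added example (not from the original notes). Interface "internal", the
# subnets and the IDs below are assumptions; replace them with your own.
config firewall address
    edit "LAN-LOCAL"
        set subnet 10.29.0.0 255.255.0.0
    next
    edit "VTI-1-REMOTE"
        set subnet 192.168.50.0 255.255.255.0
    next
end
# Scoped to the two subnets rather than "all", and logged, so that the
# tunnel policy does not become a blanket any/any between sites.
config firewall policy
    edit 1901
        set name "LAN-to-VTI-1"
        set srcintf "internal"
        set dstintf "VTI-1"
        set action accept
        set srcaddr "LAN-LOCAL"
        set dstaddr "VTI-1-REMOTE"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 1902
        set name "VTI-1-to-LAN"
        set srcintf "VTI-1"
        set dstintf "internal"
        set action accept
        set srcaddr "VTI-1-REMOTE"
        set dstaddr "LAN-LOCAL"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
# Route-based VPN: traffic only enters the tunnel if a route points at it.
config router static
    edit 1901
        set dst 192.168.50.0 255.255.255.0
        set device "VTI-1"
        set comment "Remote LAN via VTI-1"
    next
end
```

Mirror it on the other side with the subnets swapped; with phase 2 `auto-negotiate` enabled on the server, the route plus the first matching flow is enough to trigger the exchange.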
## Diagnostics

Disable the NPU fast path so offloaded traffic is visible to the sniffer and debug:

```
config system np6xlite
    edit "np6xlite_0"
        set fastpath disable
    next
end
```

Bypass NPU for the sniffer on specific ports:

```
diagnose npu <xxx> fastpath-sniffer enable <port(s)_number>
```

IKE debug:

```
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 ....
diagnose vpn ike log-filter src-addr4 ....
diagnose debug application ike -1
diagnose debug enable
```
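A complete debug session for the VTI-1 tunnel, as an added example (not from the original notes): it adds the re-key trigger, the teardown that stops the debug from flooding the console, and the status checks that confirm the result. `<peer ip>` is a placeholder for the remote gateway address.

```text
# Added example (not from the original notes). <peer ip> is a placeholder.
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 <peer ip>
diagnose debug console timestamp enable
diagnose debug application ike -1
diagnose debug enable
# Drop the existing SA so a fresh negotiation appears in the output.
diagnose vpn ike gateway clear name "VTI-1"
# ... read the exchange, then stop the debug before it floods the console.
diagnose debug disable
diagnose debug reset
# Confirm the result: phase 1 SA state, then phase 2 selectors and counters.
diagnose vpn ike gateway list name "VTI-1"
diagnose vpn tunnel list name "VTI-1"
```

On newer FortiOS releases the filter command is spelled `diagnose vpn ike log filter` (no hyphen); the remaining commands are unchanged.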
## VRF Interface Routing

IN PROGRESS

I don't have routing working as expected and there are some odd behaviors.

Kinda weird. To control routing you need to isolate interfaces in a VRF. To pass traffic back and forth use a VDOM interface, but it's only available in multi-vdom mode. So we flip over, build the interface, and flip back.

The example assumes the isolated WAN interface is in VRF 2.

### VRF 2 / ISP handoff

Stick an AirLink device on the "b" interface in VRF 2. Pick your poison here based on your device: break out an internalX or whatever. Add a default route via that interface to the AirLink's default .31 address.
```
config system interface
    edit "b"
        set vdom "root"
        set vrf 2
        set ip 192.168.13.1 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "ISP-3"
        set lldp-reception enable
        set estimated-upstream-bandwidth 1000
        set estimated-downstream-bandwidth 3000
        set role wan
    next
end
config router static
    edit 10
        set gateway 192.168.13.31
        set distance 100
        set device "b"
        set comment "Default via ISP-3"
    next
end
```
### VDOM interface setup

First you need to enable subnet overlap so the VDOM link interfaces are allowed to talk to each other:

```
config system settings
    set allow-subnet-overlap enable
end
```

Then turn on multi-vdom mode:

```
config system global
    set vdom-mode multi-vdom
end
```

This triggers a restart of the CLI. Now add the vdom link (FortiOS derives the two interface names `link-199-0` and `link-199-1` from the link name) and configure its ends:

```
config system vdom-link
    edit "link-199-"
    next
end
config system interface
    edit "link-199-0"
        set vdom "root"
        set vrf 0
        set ip 10.29.199.1/30
        set allowaccess ping
        set type vdom-link
    next
    edit "link-199-1"
        set vdom "root"
        set vrf 2
        set ip 10.29.199.2/30
        set allowaccess ping
        set type vdom-link
    next
end
```

Turn multi-vdom off again:

```
config system global
    set vdom-mode no-vdom
end
```
### Routing between the VDOM interfaces

Now statically route the AirLink subnet 192.168.13.0/24 via the vdom link into VRF 2, and the 10/8 space back into VRF 0:

```
config router static
    edit 10
        set dst 192.168.13.0 255.255.255.0
        set gateway 10.29.199.2
        set device "link-199-0"
        set comment "VRF0->VRF2"
    next
    edit 11
        set dst 10.0.0.0 255.0.0.0
        set gateway 10.29.199.1
        set device "link-199-1"
        set comment "VRF2 -> VRF0"
    next
    edit 12
        set gateway 10.29.13.31
        set distance 100
        set device "internal6"
        set comment "Default via ISP-3"
    next
end
```
### Firewall rules to allow traffic

Allow all private (IANA reserved) source addresses out to the ISP interface "b":

```
config firewall address
    edit "VRF-2-ALL"
        set subnet 192.168.13.0/24
    next
    edit "IANA-10"
        set comment "IANA Reserved Netblock"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "IANA-172.16"
        set comment "IANA Reserved Netblock"
        set subnet 172.16.0.0 255.240.0.0
    next
    edit "IANA-192.168"
        set comment "IANA Reserved Netblock"
        set subnet 192.168.0.0 255.255.0.0
    next
end
config firewall addrgrp
    edit "IANA-ALL"
        set member "IANA-10" "IANA-172.16" "IANA-192.168"
    next
end
config firewall policy
    edit 1991
        set name "VRF-2-OUT"
        set srcintf "any"
        set dstintf "b"
        set action accept
        set srcaddr "IANA-ALL"
        set dstaddr "VRF-2-ALL"
        set schedule "always"
        set service "ALL"
        set logtraffic disable
    next
    edit 1992
        set status disable
        set name "VRF-2-IN"
        set srcintf "any"
        set dstintf "link-199-0" "link-199-1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
    next
end
```
### BGP routing / whatever

Now you can set up BGP or statically route traffic between the two link interfaces as needed, and policy-route for tiered failover etc.