Troubleshooting - Fortinet FortiGate-7060E Handbook

IPsec VPN
To configure the remote FortiGate as a dialup IPsec VPN client
The dialup IPsec VPN client should advertise its local subnet(s) using the phase 2 src-subnet option.
Dialup client configuration:
config vpn ipsec phase1-interface
    edit "to-fgt7k"
        set interface "v0020"
        set peertype any
        set remote-gw 1.2.0.1
        set psksecret <password>
end
config vpn ipsec phase2-interface
    edit "to-fgt7k"
        set phase1name "to-fgt7k"
        set src-subnet 4.2.6.0 255.255.255.0
        set dst-subnet 4.2.0.0 255.255.0.0
    next
    edit "to-fgt7k-2"
        set phase1name "to-fgt7k"
        set src-subnet 4.2.7.0 255.255.255.0
        set dst-subnet 4.2.0.0 255.255.0.0
end

Troubleshooting

Use the following commands to verify that IPsec VPN sessions are up and running.
Use the diagnose load-balance status command from the primary FIM interface module to determine
the primary FPM processor module. For FortiGate-7000 HA, run this command from the primary FortiGate-7000.
The third line of the command output shows which FPM is operating as the primary FPM.
diagnose load-balance status
FIM01: FIM04E3E16000074
  Master FPM Blade: slot-4
     Slot  3: FPM20E3E17900113
       Status:Working   Function:Active
       Link:      Base: Up          Fabric: Up
       Heartbeat: Management: Good   Data: Good
       Status Message:"Running"
     Slot  4: FPM20E3E16800033
       Status:Working   Function:Active
       Link:      Base: Up          Fabric: Up
       Heartbeat: Management: Good   Data: Good
       Status Message:"Running"

Note on the dialup client configuration: If there are multiple local subnets, create a phase 2 for each one. Each phase 2 only advertises one local subnet to the dialup IPsec VPN server. If more than one local subnet is added to the phase 2, only the first one is advertised to the server.

FortiGate-7000
Fortinet Technologies Inc.
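The following is an added example, not part of the handbook or of FortiOS: a Python check that reads saved diagnose load-balance status output, reports the primary FPM slot, and lists any FPM field that differs from the values in the handbook's output. The function names parse_status and find_problems are hypothetical, the sample text is constructed, and treating the handbook's values as the healthy ones is an assumption.

```python
import re

# Constructed sample: the handbook's output with slot 3 Fabric changed to Down.
SAMPLE = """\
FIM01: FIM04E3E16000074
  Master FPM Blade: slot-4
     Slot  3: FPM20E3E17900113
       Status:Working   Function:Active
       Link:      Base: Up          Fabric: Down
       Heartbeat: Management: Good   Data: Good
       Status Message:"Running"
     Slot  4: FPM20E3E16800033
       Status:Working   Function:Active
       Link:      Base: Up          Fabric: Up
       Heartbeat: Management: Good   Data: Good
       Status Message:"Running"
"""

# Assumption: the values printed in the handbook's output are the healthy ones.
EXPECTED = {"Status": "Working", "Function": "Active", "Base": "Up",
            "Fabric": "Up", "Management": "Good", "Data": "Good"}
SLOT_RE = re.compile(r"Slot\s+(\d+):\s*(\S+)")
FIELD_RE = re.compile(r"\b(%s):\s*(\w+)" % "|".join(EXPECTED))
PRIMARY_RE = re.compile(r"Master FPM Blade:\s*slot-(\d+)")


def parse_status(text):
    """Return (primary_slot, {slot: {"serial": ..., field: value}}).

    Splits on slot headers, so column layout and line wrapping do not matter.
    """
    m = PRIMARY_RE.search(text)
    primary = int(m.group(1)) if m else None
    slots = {}
    parts = SLOT_RE.split(text)  # [pre, num, serial, body, num, serial, body, ...]
    for i in range(1, len(parts), 3):
        num, serial, body = parts[i:i + 3]
        slots[int(num)] = {"serial": serial, **dict(FIELD_RE.findall(body))}
    return primary, slots


def find_problems(text):
    """List findings as strings; an empty list means every FPM looks healthy."""
    primary, slots = parse_status(text)
    problems = [] if primary in slots else [f"primary FPM slot {primary} not listed"]
    for num, info in sorted(slots.items()):
        for field, want in EXPECTED.items():
            got = info.get(field, "missing")
            if got != want:
                problems.append(f"slot {num}: {field} is {got}, expected {want}")
    return problems
```

Run find_problems on captured CLI output before checking IPsec sessions, so that a degraded FPM link is ruled out first.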
