Branch 1

The document configures two IPsec VPN tunnels using IKEv2 between interfaces port1 and port2 and remote gateways. It configures BGP neighbors over the tunnels. It also configures SD-WAN zones, health checks, services and firewall policies for the VPN and overlay network.

Uploaded by

aripang
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
35 views4 pages

Branch 1

The document configures two IPsec VPN tunnels using IKEv2 between interfaces port1 and port2 and remote gateways. It configures BGP neighbors over the tunnels. It also configures SD-WAN zones, health checks, services and firewall policies for the VPN and overlay network.

Uploaded by

aripang
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 4

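# IKEv2 phase 1 for the two spoke overlays: "inet-111" on port1 and "mpls-121"
# on port2 (the names suggest an Internet and an MPLS underlay). Both are ADVPN
# spokes (auto-discovery-receiver) that take their tunnel address from the hub
# via mode-cfg and leave routing to BGP (add-route disable). network-id tags
# each overlay (1 and 5) for the hub.
config vpn ipsec phase1-interface
edit "inet-111"
set interface "port1"
set ike-version 2
set keylife 28800
# peertype any: no IKE-ID check on the responder; the peer is pinned only by
# remote-gw, so the PSK is the sole authentication factor.
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256 aes256gcm-prfsha384
# NOTE(review): no dhgrp is pinned here, so the firmware default applies;
# confirm it matches the hub and contains no weak groups.
set add-route disable
# Dead-peer detection only while idle; the tunnel is torn down after 5 idle
# minutes and re-established on demand.
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 5
set auto-discovery-receiver enable
set network-overlay enable
set network-id 1
set remote-gw 192.168.101.1
# SECURITY: the original listing shipped with the trivial PSK "fortinet",
# reused by both tunnels. Use a long random secret that is unique per spoke
# and per tunnel. Certificate authentication (authmethod signature) is the
# stronger choice for ADVPN but needs a PKI this listing does not show.
set psksecret <strong-unique-psk-inet-111>
set dpd-retrycount 2
set dpd-retryinterval 10
next
edit "mpls-121"
set interface "port2"
set ike-version 2
set keylife 28800
# Same caveat as above: peer pinned by remote-gw only, PSK is the only
# authentication factor.
set peertype any
set net-device enable
set mode-cfg enable
set proposal aes256-sha256 aes256gcm-prfsha384
# NOTE(review): dhgrp not pinned; see the note on "inet-111".
set add-route disable
set dpd on-idle
set idle-timeout enable
set idle-timeoutinterval 5
set auto-discovery-receiver enable
set network-overlay enable
set network-id 5
set remote-gw 172.16.0.1
# SECURITY: distinct from the inet-111 secret; never reuse "fortinet" or any
# other shared default.
set psksecret <strong-unique-psk-mpls-121>
set dpd-retrycount 2
set dpd-retryinterval 10
next
end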
# Phase 2 (child SA) for each overlay. No src/dst-subnet selectors are set, so
# the firmware default applies — presumably any-to-any, which is what a routed
# overlay needs since BGP (not the selectors) decides what crosses the tunnel;
# confirm against the hub. keepalive keeps the SA up without waiting for
# traffic; keys are rotated every 30 minutes.
# NOTE(review): PFS / phase-2 dhgrp are not pinned here either; the firmware
# default applies — verify it is acceptable and matches the hub.
config vpn ipsec phase2-interface
edit "inet-111_p2"
set phase1name "inet-111"
set proposal aes256-sha256 aes256gcm
set keepalive enable
set keylifeseconds 1800
next
edit "mpls-121_p2"
set phase1name "mpls-121"
set proposal aes256-sha256 aes256gcm
set keepalive enable
set keylifeseconds 1800
next
end
# Tunnel interfaces created by the phase 1 entries above. Only ICMP echo is
# permitted to the interface itself (needed for the SD-WAN health check and
# troubleshooting); no management services (HTTPS/SSH/SNMP) are exposed on
# the overlay — keep it that way.
config system interface
edit "inet-111"
set allowaccess ping
next
edit "mpls-121"
set allowaccess ping
next
end
# iBGP (AS 65001 on both ends) over the two tunnel interfaces. Multipath and
# additional-path receive let the spoke hold up to four paths per prefix from
# the hub, and the 5 s / 15 s timers plus link-down-failover make a dead
# tunnel drop out of routing quickly. The branch LAN 10.0.1.0/24 is the only
# prefix originated here.
# NOTE(review): neither neighbor applies an inbound or outbound prefix filter
# or route-map, so the spoke accepts whatever the hub advertises and would
# re-advertise anything it learns; add prefix-list-in/out once the expected
# prefix set is known. The sessions are protected only by the IPsec tunnel
# they run inside (no BGP password) — acceptable if that is the intent.
config router bgp
set as 65001
set ibgp-multipath enable
set additional-path enable
set additional-path-select 4
set keepalive-timer 5
set holdtime-timer 15
config neighbor
# Hub-side tunnel address for the inet overlay (assigned via mode-cfg,
# presumably — confirm on the hub).
edit "10.255.1.254"
set advertisement-interval 1
set link-down-failover enable
# soft-reconfiguration stores received routes unmodified so policy changes
# can be applied without a session reset.
set soft-reconfiguration enable
set interface "inet-111"
set remote-as 65001
set connect-timer 1
set additional-path receive
next
# Hub-side tunnel address for the MPLS overlay.
edit "10.255.5.254"
set advertisement-interval 1
set link-down-failover enable
set soft-reconfiguration enable
set interface "mpls-121"
set remote-as 65001
set connect-timer 1
set additional-path receive
next
end
config network
edit 0
set prefix 10.0.1.0 255.255.255.0
next
end
end
# The three RFC 1918 ranges in full. Used (via RFC_1918_ALL) as the source and
# destination of both the SD-WAN service and the overlay firewall policies, so
# any private address on either side matches — deliberately broad for bring-up.
config firewall address
edit "RFC_1918_10"
set subnet 10.0.0.0 255.0.0.0
next
edit "RFC_1918_172_16"
set subnet 172.16.0.0 255.240.0.0
next
edit "RFC_1918_192_168"
set subnet 192.168.0.0 255.255.0.0
next
end
# Convenience group covering all private address space; referenced by the
# SD-WAN service "Branch_Traffic" and the "ADVPN In"/"ADVPN Out" policies.
config firewall addrgrp
edit "RFC_1918_ALL"
set member "RFC_1918_10" "RFC_1918_172_16" "RFC_1918_192_168"
next
end
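# SD-WAN: both tunnels sit in one zone ("Overlays") at equal priority, a single
# health check probes the hub through each member, and the "Branch_Traffic"
# service steers private-to-private traffic to whichever member meets the SLA.
# The members are given explicit sequence numbers (1 and 2) because the
# health check and the service refer to them by number; with "edit 0" the
# numbers are auto-assigned and silently change if any other member already
# exists on the box.
config system sdwan
set status enable
config zone
edit "Overlays"
next
end
config members
edit 1
set interface "inet-111"
set zone "Overlays"
set priority 10
next
edit 2
set interface "mpls-121"
set zone "Overlays"
set priority 10
next
end
config health-check
edit "Hub_HC"
# Probe target reachable only through the overlay (hub-side address,
# presumably a loopback — confirm on the hub).
set server "10.255.127.254"
set sla-fail-log-period 10
set sla-pass-log-period 10
set members 1 2
config sla
edit 1
# SLA 1: 200 ms latency, 20 ms jitter, 2 % loss.
set latency-threshold 200
set jitter-threshold 20
set packetloss-threshold 2
next
end
next
end
config service
edit 0
set name "Branch_Traffic"
# mode sla: prefer the highest-priority member that currently meets SLA 1
# of Hub_HC; hold-down-time 20 s damps flapping back to a recovered member.
set mode sla
set dst "RFC_1918_ALL"
set src "RFC_1918_ALL"
set hold-down-time 20
config sla
edit "Hub_HC"
set id 1
next
end
set priority-members 1 2
next
end
end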
# Firewall policies are required for the VPN to stand up. They are intentionally
# permissive (all RFC 1918 addresses, all services); lock them down as
# appropriate for this branch.
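# Overlay policies. Both accept any private-to-private traffic on any service
# so that ADVPN and BGP can come up; narrow srcintf/dstintf, addresses and
# services once the branch's real flows are known. Logging is enabled on
# both: the original listing had "logtraffic disable", which left no record
# of anything crossing a catch-all policy and blinds incident response.
config firewall policy
edit 0
set name "ADVPN Out"
# NOTE(review): "any" also matches the underlay ports; restrict to the
# branch LAN interface(s) once their names are known.
set srcintf "any"
set dstintf "Overlays"
set srcaddr "RFC_1918_ALL"
set dstaddr "RFC_1918_ALL"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
edit 0
set name "ADVPN In"
set srcintf "Overlays"
# NOTE(review): "any" lets overlay traffic reach every interface, including
# the underlay ports; restrict to the branch LAN interface(s).
set dstintf "any"
set srcaddr "RFC_1918_ALL"
set dstaddr "RFC_1918_ALL"
set action accept
set schedule "always"
set service "ALL"
set logtraffic all
next
end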
