Saturday, May 27, 2017

IPsec VPN F5 to Fortigate Firewall

In this blog we will look at how to craft an IPsec VPN from an F5 to a Fortigate. The configuration is simple to deploy and even simpler to troubleshoot.

On the FGT you will craft a route-based VPN and specify the src/dst subnets like any other route-based VPN solution.

Ensure the proposal matches on the FGT and F5 sides of things; also don't forget the route for the destination network at the F5 and the target local subnet.


config router static
    edit 666
        set dst <destination-network> <netmask>
        set device "f5"
    next
end

Now on the F5 side of things we need to do the following:

  • set up a layer 3 forwarding VIP
  • define the phase 1 parameters (remote gateway, proposal, DH groups, PSK, etc.)
  • define an IPsec policy name with the proposal
  • and a traffic selector

Here are these steps:

PHASE 1 aka IKE parameters for the IKE SA


TRAFFIC SELECTOR FOR ENCRYPTION of the Security Associations

NOTE !!!: The local/remote subnets in the F5 traffic selector need to match the Fortigate dst/src subnets exactly, same network address and same mask, or phase 2 will not come up.
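The mismatch check described in that note, as an added example that is not part of the original post and not F5 or Fortinet code. The subnet values are constructed samples; the FGT phase 2 keys (src-subnet/dst-subnet) are written in FortiOS style and the F5 keys (source-address/destination-address) are assumed names for the two halves of the traffic selector. The check accepts both CIDR and FortiOS "network mask" notation and tells an overlapping-but-not-identical selector (a /24 on one side, a /25 or a host on the other) apart from one that is simply wrong.

```python
import ipaddress

# Constructed sample values (not from the post): the FGT phase 2 selectors and
# the F5 traffic selector that is supposed to mirror them.
FGT_PHASE2 = {"src-subnet": "10.10.10.0/24", "dst-subnet": "192.168.50.0/24"}
F5_TRAFFIC_SELECTOR = {"source-address": "192.168.50.0/24",
                       "destination-address": "10.10.10.0/24"}


def _net(value):
    """Parse '10.0.0.0/24' or FortiOS-style '10.0.0.0 255.255.255.0' into a network.

    strict=False tolerates a host address with a mask (10.0.0.1/24 -> 10.0.0.0/24),
    which is a common way selectors end up not identical on the two sides."""
    return ipaddress.ip_network(value.strip().replace(" ", "/"), strict=False)


def check_selectors(fgt_phase2, f5_selector):
    """Compare both sides' selectors; return a list of mismatch descriptions (empty means OK).

    The tunnel is mirrored: the FGT src-subnet is the F5 destination-address and the
    FGT dst-subnet is the F5 source-address. Phase 2 only completes when each pair is
    identical: same network address and same prefix length."""
    pairs = [
        ("FGT src-subnet", fgt_phase2["src-subnet"],
         "F5 destination-address", f5_selector["destination-address"]),
        ("FGT dst-subnet", fgt_phase2["dst-subnet"],
         "F5 source-address", f5_selector["source-address"]),
    ]
    problems = []
    for fgt_name, fgt_val, f5_name, f5_val in pairs:
        a, b = _net(fgt_val), _net(f5_val)
        if a == b:
            continue
        if a.overlaps(b):
            # Overlapping but not identical is the classic phase 2 selector mismatch:
            # the peers agree on the network but not on the mask.
            problems.append(f"{fgt_name} {a} and {f5_name} {b} overlap but are not identical")
        else:
            problems.append(f"{fgt_name} {a} and {f5_name} {b} do not match at all")
    return problems


if __name__ == "__main__":
    for problem in check_selectors(FGT_PHASE2, F5_TRAFFIC_SELECTOR) or ["selectors match"]:
        print(problem)
```

Run it against the values from both devices before looking at the logs; an empty result rules the selectors out as the cause and leaves proposal and PSK as the remaining phase 1/phase 2 suspects.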

Layer3 forwarding VIP

And finally, use the local racoon.log for diagnostics on the F5 appliance.

SPIs come in pairs, one per direction: the FGT outbound SA will be the F5 inbound SA and vice versa.

You can use the WebGUI IPsec diagnostics for details and for displaying these SAs, but racoon.log provides better diagnostic detail, with tunnel creation times, errors and warnings.
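A small summariser for those log lines, as an added example that is not part of the original post and not F5 code. The sample lines are constructed in racoon's usual message format (ISAKMP-SA established, IPsec-SA established/expired with the decimal and hex SPI, and the "failed to get sainfo" error that a selector mismatch produces); the exact wording on a given appliance version is an assumption, so adjust the regexes to what your racoon.log actually prints. The function keys each ESP SA by SPI and labels it inbound or outbound relative to the local address, which is the pairing the previous paragraph describes: the F5's inbound SA is the FGT's outbound SA.

```python
import re

# Constructed racoon-style log sample (not a capture from the post's appliance).
SAMPLE_LOG = """\
2017-05-27 10:00:01: INFO: ISAKMP-SA established 198.51.100.1[500]-203.0.113.1[500] spi:0123456789abcdef:fedcba9876543210
2017-05-27 10:00:02: ERROR: failed to get sainfo.
2017-05-27 10:00:02: ERROR: failed to pre-process ph2 packet [Check Phase 2 settings, networks]
2017-05-27 10:00:31: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.1[500]->198.51.100.1[500] spi=123456789(0x75bcd15)
2017-05-27 10:00:31: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1[500]->203.0.113.1[500] spi=987654321(0x3ade68b1)
2017-05-27 11:00:31: INFO: IPsec-SA expired: ESP/Tunnel 203.0.113.1[500]->198.51.100.1[500] spi=123456789(0x75bcd15)
"""

# "<date> <time>: <LEVEL>: <message>" as racoon writes it.
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+): (?P<level>[A-Z]+): (?P<msg>.*)$")
ISAKMP_RE = re.compile(r"ISAKMP-SA established (?P<a>[\d.]+)\[\d+\]-(?P<b>[\d.]+)\[\d+\]")
IPSEC_SA_RE = re.compile(
    r"IPsec-SA (?P<event>established|expired|deleted): ESP/\w+ "
    r"(?P<src>[\d.]+)\[\d+\]->(?P<dst>[\d.]+)\[\d+\] spi=(?P<spi>\d+)\((?P<hex>0x[0-9a-f]+)\)")


def parse_racoon_log(text, local_ip):
    """Summarise racoon.log: phase 1 SAs, live ESP SAs per direction, and errors/warnings.

    local_ip is the F5's own tunnel endpoint; an ESP SA whose destination is local_ip
    is the F5's inbound SA (the peer's outbound one), the reverse is outbound."""
    summary = {"isakmp": [], "inbound": {}, "outbound": {}, "errors": []}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, level, msg = m.group("ts", "level", "msg")
        if level in ("ERROR", "WARNING"):
            summary["errors"].append((ts, msg))
            continue
        p1 = ISAKMP_RE.search(msg)
        if p1:
            summary["isakmp"].append((ts, p1.group("a"), p1.group("b")))
            continue
        p2 = IPSEC_SA_RE.search(msg)
        if not p2:
            continue
        side = "inbound" if p2.group("dst") == local_ip else "outbound"
        spi = int(p2.group("spi"))
        if p2.group("event") == "established":
            summary[side][spi] = {"hex": p2.group("hex"), "since": ts,
                                  "peer": p2.group("src") if side == "inbound" else p2.group("dst")}
        else:
            # expired/deleted: the SA is gone, drop it from the live set
            summary[side].pop(spi, None)
    return summary


if __name__ == "__main__":
    result = parse_racoon_log(SAMPLE_LOG, "198.51.100.1")
    print("phase1 SAs :", result["isakmp"])
    print("inbound SPIs :", {hex(k): v for k, v in result["inbound"].items()})
    print("outbound SPIs:", {hex(k): v for k, v in result["outbound"].items()})
    for ts, msg in result["errors"]:
        print("problem :", ts, msg)
```

On the sample the inbound SA has expired while the outbound one is still live, which is exactly the one-sided state worth spotting when traffic flows in only one direction; the two ERROR lines before it are the selector mismatch signature, so fix the subnets first and only then re-read the SA lines.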

Ken Felix

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
        /  \
