The Cisco ASA has had this function for many years under EasyVPN.
Here's a basic view:
The light-blue firewall is connecting to the firewall on the left. Both of these are FortiGates, but in reality it could have been a FGT to any other dynamic dialup peer.
Here's the dark-blue firewall cfg.
We have a user defined and a local user group named remote-fgts:
FWF # show user group remote-fgts
config user group
    edit "remote-fgts"
        set member "remote-fgt"
    next
end

FWF # show user local remote-fgt
config user local
    edit "remote-fgt"
        set type password
        set passwd-time 2019-08-11 18:01:01
        set passwd ENC bK70ALGrYzvTd/7+Das6DdQZpGUaUuq9+wZQGVb6P8A5xfQbrcBKPBlyGs4WrQ3NfGCUMPZsB4adzXg706DgkN3OYryXHub2eb1uvHO62m5M7F7n6AyKUmUPILCeFVyXNsMb1QShc5OqRx9oH2xNoUodDHeZWr6ca6cu1RZ84XM1/O/hxDm+DK1mMkSdFeaYD8x70g==
    next
end
The remote firewall (the one on the right of the screenshot) must use the same username/password in its own configuration.
Note: always double-check the username and password for correctness if you see an authentication error, and especially when using an external authenticator.
The cmd diag vpn ike gateway will show you the gateway details and the user that authenticated.
As you can see, username "remote-fgt" authenticated. We can also double-check the phase2 details.
To secure the dialup firewalls it is best to set localid and peerid on both peers. In the example below we define an FQDN-type ID, set to ipsecremotes, as the localid on one side and as the remote peerid on the other, so a peer that presents the wrong ID is rejected before user authentication is even attempted.
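A worked configuration of both peers, added here as an illustration and not taken from the post: it ties the local user group remote-fgts and the FQDN ID ipsecremotes from the post into the phase1 of a dynamic dialup tunnel with XAuth. The interface and phase1 names, the remote peer's FQDN remote-site-1, and the placeholder secrets are assumptions, and exact keywords can differ between FortiOS releases.

```fortios
# Hub (dark-blue) FortiGate: dynamic dialup phase1 that only accepts a peer
# presenting the expected FQDN ID and then authenticates it as a user in
# the local group "remote-fgts" (XAuth). Interface name is assumed.
config vpn ipsec phase1-interface
    edit "dialup-fgts"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive              # aggressive mode carries the FQDN ID
        set peertype one
        set peerid "remote-site-1"       # remote's localid (assumed value)
        set localid "ipsecremotes"       # ID the hub presents (from the post)
        set localid-type fqdn
        set xauthtype auto
        set authusrgrp "remote-fgts"     # local user group from the post
        set psksecret <pre-shared-key>   # placeholder
    next
end
config vpn ipsec phase2-interface
    edit "dialup-fgts-p2"
        set phase1name "dialup-fgts"
        set src-subnet 0.0.0.0 0.0.0.0   # let the dialup peer propose selectors
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Remote (light-blue) FortiGate: XAuth client that presents the local user
# "remote-fgt" and checks the hub's ID before sending credentials.
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set remote-gw <hub-public-ip>    # placeholder
        set peertype one
        set peerid "ipsecremotes"        # must match the hub's localid
        set localid "remote-site-1"      # assumed FQDN for this site
        set localid-type fqdn
        set xauthtype client
        set authusr "remote-fgt"         # user from the hub's local user DB
        set authpasswd <remote-fgt-password>   # placeholder
        set psksecret <pre-shared-key>   # placeholder
    next
end
```

With peertype one, every dialup peer on this phase1 must present the same peerid; give each remote site its own phase1 (or its own ID/user pair) if you need to tell them apart in diag vpn ike gateway.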
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com