Saturday, May 27, 2017

IPsec VPN from F5 to FortiGate Firewall

In this blog we will look at how to build an IPsec VPN between an F5 BIG-IP and a FortiGate. The configuration is simple to deploy and even simpler to troubleshoot.



On the FGT you will build a route-based VPN (a phase1-interface with a phase2-interface) and specify the source/destination subnets in phase 2, like any other route-based VPN solution.






Ensure the phase 1 and phase 2 proposals match on the FGT and F5 sides, and don't forget the FGT static route for the network behind the F5, pointing at the tunnel interface, together with the matching local subnet on each side.


e.g. (f5 is the name of the phase1-interface, i.e. the tunnel interface, and 10.52.132.250/32 is the host behind the F5):

config router static
    edit 666
        set dst 10.52.132.250/32
        set device "f5"
    next
end
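As an added example that is not from the original post, here is the complete FGT side in FortiOS CLI, consistent with the route above. Everything except that route is assumed: the FGT's WAN interface is wan1, its LAN interface is internal with 192.0.2.0/24 behind it, the F5's tunnel address is 198.51.100.1, the FGT's own public address is 203.0.113.2, and the proposal is AES-256/SHA-256 with DH group 14. The PSK is a placeholder; the phase1-interface name f5 becomes the tunnel interface the static route points at.

```text
# Added example, not the original post's config. Addresses, interface names
# and the PSK are assumptions; replace them with your own.
config vpn ipsec phase1-interface
    edit "f5"
        set interface "wan1"
        set ike-version 1
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 86400
        set remote-gw 198.51.100.1
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-PSK"
    next
end
# Phase 2 selectors: src-subnet is the FGT's side, dst-subnet is the F5's side.
# The F5 traffic selector must be the mirror image of these two lines.
config vpn ipsec phase2-interface
    edit "f5-p2"
        set phase1name "f5"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 192.0.2.0 255.255.255.0
        set dst-subnet 10.52.132.250 255.255.255.255
    next
end
# Route the F5-side host into the tunnel interface (same as the route above).
config router static
    edit 666
        set dst 10.52.132.250 255.255.255.255
        set device "f5"
    next
end
# A route-based tunnel still needs firewall policies in both directions,
# otherwise the FGT silently drops tunnel traffic. Scope them to the two
# subnets rather than "all".
config firewall address
    edit "lan-192.0.2.0"
        set subnet 192.0.2.0 255.255.255.0
    next
    edit "f5-host-10.52.132.250"
        set subnet 10.52.132.250 255.255.255.255
    next
end
config firewall policy
    edit 10
        set name "lan-to-f5"
        set srcintf "internal"
        set dstintf "f5"
        set srcaddr "lan-192.0.2.0"
        set dstaddr "f5-host-10.52.132.250"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set name "f5-to-lan"
        set srcintf "f5"
        set dstintf "internal"
        set srcaddr "f5-host-10.52.132.250"
        set dstaddr "lan-192.0.2.0"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Lines beginning with # are comments for the reader. On the FGT, diagnose vpn tunnel list shows whether phase 2 came up and which SPIs were negotiated.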


Now on the F5 side of things we need to do the following:


  • set up a layer 3 forwarding VIP (and a route to the remote network)
  • define the phase 1 parameters in an IKE peer (remote gateway, proposal, DH group, pre-shared key, etc.)
  • define an IPsec policy carrying the phase 2 proposal
  • and a traffic selector that ties the local/remote subnets to that policy



Here are the steps:

PHASE1, aka the IKE parameters for the IKE SA (the IKE peer)





IPSEC-POLICY





TRAFFIC SELECTOR, which defines the traffic the Security Associations will encrypt






NOTE !!!  The local/remote subnets in the F5 traffic selector must mirror the FortiGate phase 2 src/dst subnets exactly: the F5 source address is the FGT dst-subnet and the F5 destination address is the FGT src-subnet. A /24 on one side and a /32 on the other is enough to keep phase 2 from coming up.


Layer3 forwarding VIP
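The four F5 steps above as tmsh commands, added here as an example that is not from the original post (the original showed screenshots). It assumes the BIG-IP has a self IP 198.51.100.1 on its external VLAN with upstream gateway 198.51.100.254, the FortiGate peer is 203.0.113.2 with 192.0.2.0/24 behind it, the local host is 10.52.132.250/32 (from the FGT route earlier), and the same AES-256/SHA-256/DH group 14 proposal and PSK as on the FGT. Object names are made up; lines starting with # are comments for the reader and are not tmsh.

```text
# Added example, not the original post's config. Addresses, names and the PSK
# are assumptions. Type at the tmsh prompt, or prefix each command with "tmsh".

# Step 1: layer 3 forwarding VIP so the BIG-IP will route traffic from the
# local host to the remote subnet, plus the route that sends it out the
# external VLAN (the traffic selector protects it on the way out).
create ltm virtual vs-ipsec-fwd {
    destination 192.0.2.0:any
    mask 255.255.255.0
    source 10.52.132.250/32
    ip-forward
    profiles add { fastL4 { } }
    translate-address disabled
    translate-port disabled
}
create net route rt-to-fgt-lan { network 192.0.2.0/24 gw 198.51.100.254 }

# Step 2: phase 1 (IKE peer). modp2048 is DH group 14; lifetime is in minutes,
# so 1440 matches the FGT keylife of 86400 seconds.
create net ipsec ike-peer fgt-peer {
    version add { v1 }
    mode main
    my-id-type address
    peers-id-type address
    remote-address 203.0.113.2
    phase1-auth-method pre-shared-key
    preshared-key REPLACE-WITH-THE-SAME-PSK-AS-THE-FGT
    phase1-encrypt-algorithm aes256
    phase1-hash-algorithm sha256
    phase1-perfect-forward-secrecy modp2048
    lifetime 1440
    dpd-delay 30
    verify-cert false
}

# Step 3: IPsec policy (phase 2 proposal). ike-phase2-lifetime is in minutes,
# so 60 matches the FGT keylifeseconds of 3600.
create net ipsec ipsec-policy fgt-policy {
    mode tunnel
    protocol esp
    ike-phase2-encrypt-algorithm aes256
    ike-phase2-auth-algorithm sha256
    ike-phase2-perfect-forward-secrecy modp2048
    ike-phase2-lifetime 60
    tunnel-local-address 198.51.100.1
    tunnel-remote-address 203.0.113.2
}

# Step 4: traffic selector. source-address is the FGT's dst-subnet and
# destination-address is the FGT's src-subnet: the mirror image, exactly.
create net ipsec traffic-selector fgt-ts {
    source-address 10.52.132.250/32
    destination-address 192.0.2.0/24
    direction both
    action protect
    ipsec-policy fgt-policy
}

save sys config
```

Once traffic flows, show net ipsec ipsec-sa lists the negotiated SAs with their SPIs from the BIG-IP's point of view.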




And finally, use the local /var/log/racoon.log on the F5 appliance for diagnostics (racoon is the IKE daemon on BIG-IP).





Each direction of the tunnel has its own SA and SPI, and each side labels them from its own point of view: the FGT outbound SA is the F5 inbound SA and vice versa, so the SPI the FortiGate shows as out is the one the F5 shows as in.



You can use the WebGUI IPsec diagnostics for the same details, but racoon.log gives better diagnostic detail, with tunnel creation times, errors and warnings.
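To show what a practitioner pulls out of racoon.log, here is an added example (not part of the original post) that summarises a log: how long phase 1 took, which errors racoon raised, and which ESP SPI is inbound versus outbound from the BIG-IP's point of view. The log lines are constructed to follow the racoon/ipsec-tools message formats; the addresses, timestamps and SPI values are made up, and the function names are my own. On a real box point the functions at /var/log/racoon.log.

```shell
#!/bin/sh
# Added example, not from the original post. Parses a racoon.log and reports
# phase 1 time, errors and SA direction. Sample log below is constructed.

SAMPLE_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
2017-05-27 10:14:58: INFO: respond new phase 1 negotiation: 198.51.100.1[500]<=>203.0.113.2[500]
2017-05-27 10:14:58: INFO: begin Identity Protection mode.
2017-05-27 10:14:59: ERROR: no suitable proposal found.
2017-05-27 10:14:59: ERROR: failed to get valid proposal.
2017-05-27 10:14:59: ERROR: failed to pre-process ph1 packet (side: 1, status: 1).
2017-05-27 10:15:20: INFO: respond new phase 1 negotiation: 198.51.100.1[500]<=>203.0.113.2[500]
2017-05-27 10:15:20: INFO: begin Identity Protection mode.
2017-05-27 10:15:21: INFO: ISAKMP-SA established 198.51.100.1[500]-203.0.113.2[500] spi:0123456789abcdef:fedcba9876543210
2017-05-27 10:15:21: INFO: respond new phase 2 negotiation: 198.51.100.1[500]<=>203.0.113.2[500]
2017-05-27 10:15:22: INFO: IPsec-SA established: ESP/Tunnel 203.0.113.2[500]->198.51.100.1[500] spi=264929436(0xfca6c9c)
2017-05-27 10:15:22: INFO: IPsec-SA established: ESP/Tunnel 198.51.100.1[500]->203.0.113.2[500] spi=3127631589(0xba6b26e5)
EOF

# Number of ERROR lines. A proposal mismatch shows up as
# "no suitable proposal found" before the peer retries.
racoon_error_count() {
    grep -c ': ERROR: ' "$1" || true
}

# Distinct ERROR messages, so a repeating mismatch is reported once.
racoon_error_messages() {
    grep ': ERROR: ' "$1" | sed 's/^.*: ERROR: //' | sort -u
}

# Seconds from the last "respond new phase 1" to "ISAKMP-SA established".
# Prints nothing if phase 1 never completed.
racoon_ph1_seconds() {
    awk '
        function secs(t,  a) { split(t, a, ":"); return a[1]*3600 + a[2]*60 + a[3] }
        /respond new phase 1 negotiation/ { start = secs($2); seen = 1 }
        /ISAKMP-SA established/ && seen   { print secs($2) - start; exit }
    ' "$1"
}

# One line per ESP SA: "inbound <spi>" or "outbound <spi>", judged from the
# src->dst pair racoon prints, relative to this box's tunnel address ($2).
# The SPI reported inbound here is the one the FortiGate lists as outbound.
racoon_spis() {
    awk -v me="$2" '
        /IPsec-SA established/ {
            n = split($0, w, " ")
            for (i = 1; i <= n; i++) {
                if (w[i] ~ /->/)    dir = w[i]
                if (w[i] ~ /^spi=/) spi = w[i]
            }
            split(dir, ends, "->")
            sub(/\[.*/, "", ends[1]); sub(/\[.*/, "", ends[2])
            side = (ends[2] == me) ? "inbound" : "outbound"
            sub(/^spi=[0-9]+\(/, "", spi); sub(/\)$/, "", spi)   # keep hex form
            print side, spi
        }
    ' "$1"
}

# Human-readable summary: racoon_summary /var/log/racoon.log <local tunnel address>
racoon_summary() {
    printf 'errors: %s\n' "$(racoon_error_count "$1")"
    racoon_error_messages "$1" | sed 's/^/  /'
    printf 'phase1 seconds: %s\n' "$(racoon_ph1_seconds "$1")"
    racoon_spis "$1" "$2"
}

racoon_summary "$SAMPLE_FILE" 198.51.100.1
```

In the sample the first attempt dies on "no suitable proposal found" (the classic mismatched phase 1 proposal), the retry completes phase 1 in one second, and the two ESP SAs come out labelled inbound and outbound relative to 198.51.100.1, which is the mapping you need when comparing against diagnose vpn tunnel list on the FortiGate.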








Ken Felix



NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \
