Adding source and destination subnets to IPsec VPN phase 2 configurations
If your FortiGate-7000 configuration includes IPsec VPNs, enhance your IPsec VPN Phase 2 configurations as described in this section before or after upgrading. If your FortiGate-7000 configuration does not include IPsec VPNs, you can proceed with a normal firmware upgrade.
Because the FortiGate-7000 only allows routes with 16-bit to 32-bit prefixes (/16 to /32), you must add one or more destination subnets to each IPsec VPN phase 2 configuration on FortiGate-7000 v5.4.5 using the following command:
config vpn ipsec phase2-interface
    edit <phase2-name>
        set phase1name <phase1-name>
        set src-subnet <IP> <netmask>
        set dst-subnet <IP> <netmask>
    next
end
Where:
src-subnet is the subnet protected by the FortiGate that you are configuring, from which users connect to the destination subnet. Configuring the source subnet is optional but recommended.
dst-subnet is the destination subnet behind the remote IPsec VPN endpoint. Configuring the destination subnet is required.
You can add the source and destination subnets either before or after upgrading to v5.4.5, because these settings are compatible with both v5.4.3 and v5.4.5. However, if you wait until after the upgrade, your IPsec VPNs may not work correctly until the subnets have been added, so adding them before the upgrade avoids an outage.
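To find the phase 2 entries that still need attention before an upgrade, it helps to audit a configuration backup rather than walk through the CLI by hand. The following script is an added example, not Fortinet's own tooling: it parses the "config vpn ipsec phase2-interface" section of a FortiOS backup, reports entries with no dst-subnet (required) or no src-subnet (recommended), and also flags destination subnets whose prefix is shorter than /16, on the assumption that the page's "16-bit to 32-bit routes" means prefix lengths /16 through /32. The configuration text embedded in the script is constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a FortiOS configuration backup (not a real device dump).
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to_fgt2"
        set interface "port1"
        set remote-gw 203.0.113.2
    next
end
config vpn ipsec phase2-interface
    edit "to_fgt2"
        set phase1name "to_fgt2"
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet 172.16.2.0 255.255.255.0
    next
    edit "to_branch"
        set phase1name "to_branch"
    next
    edit "to_dc"
        set phase1name "to_dc"
        set dst-subnet 10.0.0.0 255.0.0.0
    next
end
"""

# Assumption: "16-bit to 32-bit routes" means prefix lengths /16 through /32.
MIN_PREFIX = 16


def parse_phase2(config_text):
    """Return {phase2_name: {setting: value}} for the phase2-interface section."""
    entries = {}
    in_section = False
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config vpn ipsec phase2-interface":
            in_section = True
            continue
        if not in_section:
            continue
        if line == "end":          # end of the phase2-interface section
            break
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
            entries[current] = {}
            continue
        if line == "next":
            current = None
            continue
        m = re.match(r"set (\S+) (.*)", line)
        if m and current is not None:
            entries[current][m.group(1)] = m.group(2)
    return entries


def subnet_prefix_len(value):
    """Convert a FortiOS 'IP netmask' value such as '10.0.0.0 255.0.0.0' to a prefix length (8)."""
    ip, mask = value.split()
    return ipaddress.IPv4Network(f"{ip}/{mask}", strict=False).prefixlen


def audit_phase2(config_text, min_prefix=MIN_PREFIX):
    """Return a list of (phase2_name, problem) tuples; an empty list means nothing to fix."""
    problems = []
    for name, settings in parse_phase2(config_text).items():
        if "dst-subnet" not in settings:
            problems.append((name, "missing dst-subnet (required)"))
        else:
            plen = subnet_prefix_len(settings["dst-subnet"])
            if plen < min_prefix:
                problems.append((name, f"dst-subnet /{plen} shorter than /{min_prefix}"))
        if "src-subnet" not in settings:
            problems.append((name, "missing src-subnet (recommended)"))
    return problems


if __name__ == "__main__":
    for name, problem in audit_phase2(SAMPLE_CONFIG):
        print(f'phase2 "{name}": {problem}')
```

Run it against a backup exported with "execute backup config" (substitute the file contents for SAMPLE_CONFIG); any entry it lists is one the upgrade will leave non-functional until the subnets are set. The /16 check is a guard against a destination subnet that the FortiGate-7000 would not accept as a route, based on the page's statement about allowed route sizes; adjust MIN_PREFIX if your platform documentation states a different limit.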
Example basic IPsec VPN Phase 2 configuration
In a simple configuration such as the one below, with an IPsec VPN between two remote subnets, you can just add the two subnets to the phase 2 configuration.
Enter the following command to add the source and destination subnets to the FortiGate-7000 IPsec VPN Phase 2 configuration:
config vpn ipsec phase2-interface
    edit "to_fgt2"
        set phase1name "to_fgt2"
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet <IP> <netmask>
    next
end