Connecting branch offices or partners through a secure VPN tunnel is one of the most common FortiGate tasks.
This guide shows how to configure a manual IPsec site-to-site VPN between two FortiGate 40F units running different firmware versions:
| Site | Model | Firmware |
|---|---|---|
| Site B | FortiGate-40F | v7.6.3, build 3510 (GA.F) |
| Site C | FortiGate-40F | v6.4.7, build 8726 (GA) |
Network Plan

| Parameter | Site B | Site C |
|---|---|---|
| WAN IP | 172.16.10.109 | 172.16.10.111 |
| LAN Subnet | 192.168.20.0/24 | 192.168.30.0/24 |
| Tunnel Name | vpn-to-siteC | SiteB |
| Pre-Shared Key | Forti@123 | Forti@123 |

Step 1: Create Phase 1 Interface (IKE Negotiation)

Site B (FortiOS v7.x)

```
config vpn ipsec phase1-interface
    edit "vpn-to-siteC"
        set interface "wan"            # WAN interface carrying IKE
        set ike-version 2              # IKEv2 (default in v7)
        set peertype any
        set net-device disable
        set proposal aes256-sha256     # Encryption / authentication
        set dhgrp 14                   # Diffie-Hellman group
        set transport auto             # New in FortiOS 7.x, auto-selects UDP 500/4500
        set remote-gw 172.16.10.111    # Peer's WAN IP
        set psksecret "Forti@123"      # Shared key
    next
end
```
Site C (FortiOS v6.x)

```
config vpn ipsec phase1-interface
    edit "SiteB"
        set interface "wan"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        # 'set transport' is not available in v6.x
        set remote-gw 172.16.10.109
        set psksecret "Forti@123"
    next
end
```
Explanation:
- Phase 1 defines how the two peers authenticate and exchange encryption keys.
- `ike-version 2` is modern and more stable.
- `dhgrp` must match on both sides.
- `transport` (v7 only) automatically handles NAT-Traversal; in v6 the FortiGate does it by default when needed.
Step 2: Create Phase 2 Interface (Traffic Selectors)

Site B (v7)

```
config vpn ipsec phase2-interface
    edit "Site_C"
        set phase1name "vpn-to-siteC"
        set proposal aes256-sha256
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 192.168.30.0 255.255.255.0
    next
end
```
Site C (v6)

```
config vpn ipsec phase2-interface
    edit "Site_B"
        set phase1name "SiteB"
        set proposal aes256-sha256
        set src-subnet 192.168.30.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end
```
Explanation:
- Phase 2 defines which networks are encrypted inside the tunnel.
- Subnets must mirror each other (local ↔ remote).
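Because almost every "tunnel will not come up" case is a Phase 1 or Phase 2 value that does not agree between the peers, it helps to check both sides' configs mechanically before touching the boxes. The script below is an added example, not code from the original guide or from Fortinet: it parses FortiOS `config / edit / set` blocks and verifies the parameters from Steps 1 and 2 that must agree (Phase 1 `ike-version`, `proposal`, `dhgrp`, `psksecret`; each `remote-gw` equal to the other side's WAN IP; Phase 2 `proposal` equal and `src-subnet`/`dst-subnet` swapped). The embedded configs are the guide's values re-typed as constructed input, with keys that do not need to match omitted.

```python
"""Mirror check for the two FortiGate IPsec configs from Steps 1 and 2.

Added example, not code from the original guide or from Fortinet: a small
parser for FortiOS config/edit/set blocks plus a check of the values that
must agree across peers. Config excerpts are constructed from the guide.
"""
import shlex

SITE_B_CONFIG = """\
config vpn ipsec phase1-interface
    edit "vpn-to-siteC"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set transport auto        # v7 only, not part of the mirror check
        set remote-gw 172.16.10.111
        set psksecret "Forti@123"
    next
end
config vpn ipsec phase2-interface
    edit "Site_C"
        set phase1name "vpn-to-siteC"
        set proposal aes256-sha256
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 192.168.30.0 255.255.255.0
    next
end
"""
SITE_C_CONFIG = """\
config vpn ipsec phase1-interface
    edit "SiteB"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.16.10.109
        set psksecret "Forti@123"
    next
end
config vpn ipsec phase2-interface
    edit "Site_B"
        set phase1name "SiteB"
        set proposal aes256-sha256
        set src-subnet 192.168.30.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end
"""
PHASE1 = "vpn ipsec phase1-interface"
PHASE2 = "vpn ipsec phase2-interface"
PHASE1_MUST_MATCH = ("ike-version", "proposal", "dhgrp", "psksecret")


def parse_fortios(text):
    """Parse config/edit/set blocks into {section: {entry: {key: [values]}}}; '#' comments dropped."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)   # strips quotes and inline '#' comments
        if not tokens:
            continue
        if tokens[0] == "config":
            section = " ".join(tokens[1:])
            cfg.setdefault(section, {})
        elif tokens[0] == "edit" and section is not None:
            entry = tokens[1]
            cfg[section][entry] = {}
        elif tokens[0] == "set" and entry is not None:
            cfg[section][entry][tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            entry = None
        elif tokens[0] == "end":
            section = entry = None
    return cfg


def check_mirror(cfg_a, p1_a, p2_a, wan_a, cfg_b, p1_b, p2_b, wan_b):
    """Return a list of mismatches between peer A and peer B (empty means they mirror)."""
    a1, b1 = cfg_a[PHASE1][p1_a], cfg_b[PHASE1][p1_b]
    a2, b2 = cfg_a[PHASE2][p2_a], cfg_b[PHASE2][p2_b]
    problems = [f"phase1 {k}: {a1.get(k)} vs {b1.get(k)}"
                for k in PHASE1_MUST_MATCH if a1.get(k) != b1.get(k)]
    # Each side's remote-gw must be the other side's WAN address.
    if a1.get("remote-gw") != [wan_b]:
        problems.append(f"{p1_a}: remote-gw {a1.get('remote-gw')} is not peer WAN {wan_b}")
    if b1.get("remote-gw") != [wan_a]:
        problems.append(f"{p1_b}: remote-gw {b1.get('remote-gw')} is not peer WAN {wan_a}")
    if a2.get("proposal") != b2.get("proposal"):
        problems.append(f"phase2 proposal: {a2.get('proposal')} vs {b2.get('proposal')}")
    # Selectors must swap: my src-subnet is the peer's dst-subnet and vice versa.
    if a2.get("src-subnet") != b2.get("dst-subnet") or a2.get("dst-subnet") != b2.get("src-subnet"):
        problems.append("phase2 selectors are not mirrored between the peers")
    return problems


def audit(site_b_text=SITE_B_CONFIG, site_c_text=SITE_C_CONFIG):
    """Run the mirror check with the guide's tunnel names and WAN IPs."""
    return check_mirror(parse_fortios(site_b_text), "vpn-to-siteC", "Site_C", "172.16.10.109",
                        parse_fortios(site_c_text), "SiteB", "Site_B", "172.16.10.111")


if __name__ == "__main__":
    print("\n".join(audit() or ["OK: Phase 1/2 parameters mirror correctly"]))
```

Paste the output of `show vpn ipsec phase1-interface` and `show vpn ipsec phase2-interface` from each unit in place of the embedded strings; the parser ignores keys it does not check, so extra lines such as `set transport auto` on the v7 side are harmless.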
Step 3: Add Firewall Policies

Both sides need two policies:
- LAN → VPN
- VPN → LAN
Site B (v7)

```
config firewall policy
    edit 0
        set name "LAN-to-SiteC"
        set srcintf "lan"
        set dstintf "vpn-to-siteC"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "SiteC-to-LAN"
        set srcintf "vpn-to-siteC"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```
Site C (v6)

```
config firewall policy
    edit 0
        set name "LAN-to-SiteB"
        set srcintf "lan"
        set dstintf "SiteB"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "SiteB-to-LAN"
        set srcintf "SiteB"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```
Explanation:
- NAT must be disabled so that private subnets pass unmodified.
- Policies are stateful; responses automatically return.
Step 4: Add Static Routes

Each site needs a route to the opposite LAN through the VPN interface.
Site B

```
config router static
    edit 0
        set dst 192.168.30.0 255.255.255.0
        set device "vpn-to-siteC"
    next
end
```
Site C

```
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "SiteB"
    next
end
```
Step 5: Bring Up and Verify the Tunnel

Check tunnel summary:
```
get vpn ipsec tunnel summary
```
Detailed info:
```
diagnose vpn tunnel list
```
Force tunnel initiation:
```
diagnose vpn tunnel up name vpn-to-siteC
```
Test reachability (source the ping from the LAN address so the traffic matches the Phase 2 selectors):
```
execute ping-options source 192.168.20.1
execute ping 192.168.30.1
```
Step 6: Debug If Tunnel Fails

```
diagnose debug reset
diagnose vpn ike log-filter clear
diagnose vpn ike log-filter dst-addr4 172.16.10.111
diagnose debug application ike -1
diagnose debug enable
```
Look for:
- no proposal chosen: mismatch in Phase 1/2 encryption.
- AUTHENTICATION_FAILED: wrong pre-shared key.
- invalid id information: subnet mismatch.

Stop debug:
```
diagnose debug disable
```
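A verbose IKE debug can run to thousands of lines, so it is worth having a small triage script that picks out the three signatures from Step 6 and maps them to the cause and the setting to re-check. The script below is an added example, not code from the original guide or from Fortinet. The log excerpt is constructed for this example; the `ike 0:<tunnel>:<n>:` prefix follows the general shape of FortiOS IKE debug lines, but the exact wording of real output varies by version, so the substring patterns are the guide's three cases rather than an exhaustive list.

```python
"""Triage a captured `diagnose debug application ike -1` log against Step 6.

Added example, not from the original guide or from Fortinet: scans each
line for the three failure signatures the guide lists and reports, per
tunnel, which cause each one points to. SAMPLE_LOG is constructed.
"""
import re
from collections import Counter, defaultdict

# (substring to look for, diagnosis, what to re-check): the three cases from Step 6.
SIGNATURES = (
    ("no proposal chosen", "Phase 1/2 proposal mismatch", "compare set proposal / set dhgrp on both peers"),
    ("authentication failed", "wrong pre-shared key", "re-enter set psksecret on both peers"),
    ("invalid id information", "Phase 2 selector mismatch", "src-subnet / dst-subnet must mirror each other"),
)
HINTS = {diagnosis: hint for _, diagnosis, hint in SIGNATURES}
# Tunnel name sits between the first two colons of a FortiOS IKE debug line (assumed format).
TUNNEL_RE = re.compile(r"^ike \d+:(?P<tunnel>[^:]+):")

SAMPLE_LOG = """\
ike 0:vpn-to-siteC:7: initiator: sending IKE_SA_INIT request
ike 0:vpn-to-siteC:7: received notify type NO_PROPOSAL_CHOSEN
ike 0:vpn-to-siteC:7: negotiation failure
ike 0:vpn-to-siteC:8: received notify type AUTHENTICATION_FAILED
ike 0:vpn-to-siteC:9: no proposal chosen
"""


def classify_line(line):
    """Return (tunnel, diagnosis) when the line carries a known failure signature, else None."""
    # Normalise case and IKE notify spelling (AUTHENTICATION_FAILED -> authentication failed).
    text = line.lower().replace("_", " ")
    for signature, diagnosis, _ in SIGNATURES:
        if signature in text:
            m = TUNNEL_RE.match(line)
            return (m.group("tunnel") if m else "unknown", diagnosis)
    return None


def triage(log_text):
    """Count failure signatures per tunnel: {tunnel: Counter({diagnosis: n})}."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            tunnel, diagnosis = hit
            report[tunnel][diagnosis] += 1
    return dict(report)


def most_likely_cause(log_text):
    """Pick the most frequent diagnosis; returns (tunnel, diagnosis, hint) or None when clean."""
    best = None
    for tunnel, counts in triage(log_text).items():
        for diagnosis, n in counts.items():
            if best is None or n > best[0]:
                best = (n, tunnel, diagnosis)
    if best is None:
        return None
    _, tunnel, diagnosis = best
    return (tunnel, diagnosis, HINTS[diagnosis])


if __name__ == "__main__":
    for tunnel, counts in triage(SAMPLE_LOG).items():
        print(tunnel, dict(counts))
    print(most_likely_cause(SAMPLE_LOG))
```

Feed it the text captured between `diagnose debug enable` and `diagnose debug disable`; with the `dst-addr4` log-filter in place the output is already limited to the one peer, and the per-tunnel grouping becomes useful when several tunnels are debugged at once.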
Optional: Stability Enhancements (v7 and v6)

```
config vpn ipsec phase1-interface
    edit "vpn-to-siteC"        # on Site C the entry is "SiteB"
        set dpd on-idle        # Dead Peer Detection while the tunnel is idle
        set keylife 28800      # Phase 1 SA lifetime in seconds
        set keepalive 10       # NAT-T keepalive interval in seconds (integer, not enable/disable)
    next
end
```
Version Differences Quick Reference

| Command | v7.x | v6.x | Description |
|---|---|---|---|
| set transport auto | Yes | No | Controls NAT-T / UDP encapsulation (v7+) |
| set ike-version 2 | Yes | Yes | Enables IKEv2 |
| set net-device disable | Yes | Yes | Use interface-mode VPN |
| set dpd on-idle | Yes | Yes | Dead Peer Detection |
| set psksecret "..." | Yes | Yes | Shared key |
| set proposal aes256-sha256 | Yes | Yes | Cipher / hash pair |
Final Verification Checklist

| Test | Command | Expect |
|---|---|---|
| Tunnel status | get vpn ipsec tunnel summary | up/active |
| Routing table | get router info routing-table all | Remote LAN via VPN |
| Ping test | execute ping 192.168.30.1 | Success |
| Log | diagnose vpn tunnel list | Established = yes |
Summary

With these CLI commands, any engineer, junior or senior, can configure a secure, working site-to-site IPsec VPN between different FortiGate firmware versions.
The key is to mirror Phase 1/2 parameters, ensure no NAT, and verify routing and policies.