Continuing this theme, this time it’s a site-to-site VPN between two FortiGates (FTGs).
https://xrcd2.blogspot.com/2025/07/fortigate-site-to-site-vpn-lab.html
https://xrcd2.blogspot.com/2023/02/ospf-over-ipsec-for-paloalto-and.html
CLI config example (lab only). Note that both phase 1 and phase 2 below use the `des-md5 des-sha1` proposals and DH group 5, which are deprecated and should be replaced with current AES/SHA-2 proposals and DH group 14 or higher outside a lab; the pre-shared key is also shown in clear text here.
(1)
FortiGate-BH (VPN-TO-HQ) # show
config vpn ipsec phase1-interface
edit "VPN-TO-HQ"
set interface "port1"
set local-gw 68.10.1.1
set peertype any
set net-device disable
set proposal des-md5 des-sha1
set dhgrp 14 5
set encapsulation gre
set remote-gw 210.10.1.1
set psksecret FortiPWD168
next
end
FortiGate-BH (VPN-TO-HQ) # show
config vpn ipsec phase2-interface
edit "VPN-TO-HQ"
set phase1name "VPN-TO-HQ"
set proposal des-md5 des-sha1
set dhgrp 14 5
set auto-negotiate enable
set encapsulation transport-mode
set protocol 47
next
end
FortiGate-BH (VPN-TO-HQ) # show
config system interface
edit "VPN-TO-HQ"
set vdom "root"
set ip 192.168.1.2 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 192.168.1.1 255.255.255.252
set snmp-index 15
set interface "port1"
next
end
FortiGate-HQ (VPN-TO-BH) # show
config vpn ipsec phase1-interface
edit "VPN-TO-BH"
set interface "port1"
set local-gw 210.10.1.1
set peertype any
set net-device disable
set proposal des-md5 des-sha1
set dhgrp 14 5
set encapsulation gre
set remote-gw 68.10.1.1
set psksecret FortiPWD168
next
end
FortiGate-HQ (VPN-TO-BH) # show
config vpn ipsec phase2-interface
edit "VPN-TO-BH"
set phase1name "VPN-TO-BH"
set proposal des-md5 des-sha1
set dhgrp 14 5
set auto-negotiate enable
set encapsulation transport-mode
set protocol 47
next
end
FortiGate-HQ (VPN-TO-BH) # show
config system interface
edit "VPN-TO-BH"
set vdom "root"
set ip 192.168.1.1 255.255.255.255
set allowaccess ping
set type tunnel
set remote-ip 192.168.1.2 255.255.255.252
set snmp-index 15
set interface "port1"
next
end
========================================