Gateway-to-gateway configurations

Configuring Phase 1 and Phase 2 for both peers

This procedure applies to both peers. Repeat the procedure on each FortiGate unit, using the correct IP address for each. You may wish to vary the Phase 1 names but this is optional. Otherwise all steps are the same for each peer.

The Phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate FortiGate_2 and establish a secure connection. For the purposes of this example, a preshared key will be used to authenticate FortiGate_2. The same preshared key must be specified at both FortiGate units.

Before you define the Phase 1 parameters, you need to:

  • Reserve a name for the remote gateway.
  • Obtain the IP address of the public interface to the remote peer.
  • Reserve a unique value for the preshared key.

The key must contain at least 6 printable characters and best practices dictate that it only be known by network administrators. For optimum protection against currently known attacks, the key must have a minimum of 16 randomly chosen alphanumeric characters.

At the local FortiGate unit, define the Phase 1 configuration needed to establish a secure connection with the remote peer. See IPsec VPN in the web-based manager on page 1611.

To create Phase 1 to establish a secure connection with the remote peer

1. Go to VPN > IPsec Tunnels and create a new custom tunnel or edit an existing tunnel.

2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

3. Enter the following information, and select OK.

Name: Enter peer_1. A name to identify the VPN tunnel. This name appears in Phase 2 configurations, security policies and the VPN monitor.

Remote Gateway: Select Static IP Address.

IP Address: Enter 172.20.0.2 when configuring FortiGate_1. Enter 172.18.0.2 when configuring FortiGate_2. This is the IP address of the remote peer's public interface.

Local Interface: Select wan1.

The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the Phase 2 parameters, you need to reserve a name for the tunnel. See IPsec VPN in the web-based manager on page 1611.

To configure Phase 2 settings

1. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).

2. Enter a Name of peer_1_p2.

3. Select peer_1 from the Phase 1 drop-down menu.
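The Phase 1 and Phase 2 steps above expressed in the FortiOS CLI, as an added example that is not part of the handbook text. It uses the names and addresses the procedure gives (peer_1, peer_1_p2, wan1, 172.20.0.2 and 172.18.0.2). The proposal and DH group are assumed values, the psksecret is a placeholder you must replace with a key meeting the 16-random-alphanumeric-character guidance, and the Phase 2 selectors assume the page's "21.101.0/24" and "31.101.0/24" mean 21.101.0.0/24 and 31.101.0.0/24. Every assumed value must be identical on both peers.

```fortios
# Added example: CLI equivalent of the Phase 1 / Phase 2 GUI steps, entered on FortiGate_1.
# On FortiGate_2 enter the same commands, but with remote-gw 172.18.0.2 and the
# src-subnet / dst-subnet values swapped.
# Proposal and DH group are assumed values; they must match on both peers.

config vpn ipsec phase1-interface
    edit "peer_1"
        # Public interface used to reach the remote peer
        set interface "wan1"
        set ike-version 1
        # Remote peer's public address: 172.20.0.2 on FortiGate_1, 172.18.0.2 on FortiGate_2
        set remote-gw 172.20.0.2
        set peertype any
        # Assumed proposal and DH group; choose the same on both peers
        set proposal aes256-sha256
        set dhgrp 14
        # Preshared key: at least 16 randomly chosen alphanumeric characters,
        # known only to the administrators, identical on both peers (placeholder below)
        set psksecret REPLACE_WITH_16_PLUS_RANDOM_ALNUM_CHARS
    next
end

config vpn ipsec phase2-interface
    edit "peer_1_p2"
        # Bind this Phase 2 to the Phase 1 defined above
        set phase1name "peer_1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        # Selectors narrowed to the two private networks (assumed expansion of the
        # page's 21.101.0/24 and 31.101.0/24); the GUI default is 0.0.0.0/0.
        # On FortiGate_2 swap the two subnets.
        set src-subnet 21.101.0.0 255.255.255.0
        set dst-subnet 31.101.0.0 255.255.255.0
    next
end
```

Once both peers are configured, `diagnose vpn ike gateway list` shows whether the Phase 1 SA came up and `diagnose vpn tunnel list` shows the Phase 2 SAs; a Phase 1 that never establishes on either side is most often a preshared key or proposal mismatch between the two units.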

 

Creating security policies

Security policies control all IP traffic passing between a source address and a destination address.

An IPsec security policy is needed to allow the transmission of encrypted packets, specify the permitted direction of VPN traffic, and select the VPN tunnel that will be subject to the policy. A single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel.

Before you define security policies, you must first specify the IP source and destination addresses. In a gateway-to-gateway configuration:

  • The IP source address corresponds to the private network behind the local FortiGate unit.
  • The IP destination address refers to the private network behind the remote VPN peer.

 

When you are creating security policies, choose one of either route-based or policy-based methods and follow it for both VPN peers. DO NOT configure both route-based and policy-based policies on the same FortiGate unit for the same VPN tunnel.

 

The configuration of FortiGate_2 is similar to that of FortiGate_1. You must:

  • Define the Phase 1 parameters that FortiGate_2 needs to authenticate FortiGate_1 and establish a secure connection.
  • Define the Phase 2 parameters that FortiGate_2 needs to create a VPN tunnel with FortiGate_1.
  • Create the security policy and define the scope of permitted services between the IP source and destination addresses.

 

When creating security policies it is good practice to include a comment describing what the policy does. The remaining steps depend on the method you chose.

For a route-based VPN:

  • Creating firewall addresses
  • Creating route-based VPN security policies
  • Configuring a default route for VPN interface

For a policy-based VPN:

  • Creating firewall addresses
  • Creating policy-based VPN security policy

Creating firewall addresses

Define names for the addresses or address ranges of the private networks that the VPN links. These addresses are used in the security policies that permit communication between the networks.

 

To define the IP address of the network behind FortiGate_1

1. Go to Policy & Objects > Addresses and select Create New.

2. Enter the Name of Finance_network.

3. Select a Type of Subnet.

4. Enter the Subnet of 21.101.0/24.

5. Select OK.

 

To specify the address of the network behind FortiGate_2

1. Go to Policy & Objects > Addresses and select Create New.

2. Enter the Name of HR_network.

3. Select a Type of Subnet.

4. Enter the Subnet/IP Range of 31.101.0/24.

5. Select OK.
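The two address objects above, followed by the route-based policy pair and the static route that the later handbook sections describe, expressed in the FortiOS CLI for FortiGate_1. This is an added example, not the handbook's own text: the LAN interface name "internal", the choice of `service "ALL"` and the expansion of the page's "21.101.0/24" and "31.101.0/24" to 21.101.0.0/24 and 31.101.0.0/24 are assumptions. It shows the route-based method only; do not combine it with policy-based (action ipsec) policies for the same tunnel.

```fortios
# Added example: address objects, route-based policies and the tunnel route on FortiGate_1.
# On FortiGate_2 swap Finance_network and HR_network in the policies and route the
# Finance subnet to the tunnel interface instead.
# "internal" is an assumed LAN interface name; subnets are assumed from the page's notation.

config firewall address
    edit "Finance_network"
        set subnet 21.101.0.0 255.255.255.0
    next
    edit "HR_network"
        set subnet 31.101.0.0 255.255.255.0
    next
end

# Route-based VPN: the tunnel appears as the interface "peer_1", so one accept
# policy per direction is needed. Comments document what each policy is for.
# "ALL" is a starting point only; narrow the service list to what the sites need.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "peer_1"
        set srcaddr "Finance_network"
        set dstaddr "HR_network"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "Finance -> HR over peer_1 (route-based VPN)"
    next
    edit 0
        set srcintf "peer_1"
        set dstintf "internal"
        set srcaddr "HR_network"
        set dstaddr "Finance_network"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "HR -> Finance over peer_1 (route-based VPN)"
    next
end

# Static route: traffic for HR_network is sent into the tunnel interface
config router static
    edit 0
        set dst 31.101.0.0 255.255.255.0
        set device "peer_1"
    next
end
```

Because the policies reference the tunnel interface and the route points at it, traffic for the remote subnet is only ever forwarded encrypted; without the route it would leave via the default route on wan1 in the clear. `get router info routing-table all` confirms the route is installed once the tunnel is up.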



This entry was posted in FortiOS 5.4 Handbook.
