Establish IPSec VPN with FortiGate

FortiWAN supports IPSec VPNs established with a FortiGate unit. However, such a deployment is limited by the specification of FortiWAN's IPSec implementation (see "About FortiWAN IPSec VPN"). For example, IPSec Transport mode, IKEv2, certificate authentication, IKE phase 1 aggressive mode, NAT traversal, dynamic peer IP addresses, and some algorithms are not supported. An example of setting up a simple IPSec VPN (Tunnel mode) between a FortiWAN and a FortiGate is given below.

In this example, the common parameters for establishing IPSec SAs between the two units are as follows:

- Authentication Method: Pre-shared Key
- Phase 1 Mode: Main (ID protection)
- Dead Peer Detection: disable
- Phase 1 Encryption: DES
- Phase 1 Authentication: MD5
- Phase 1 DH Group: 5
- Phase 1 Keylife: 1200 Secs
- Phase 2 Encryption: DES
- Phase 2 Authentication: MD5
- Perfect Forward Secrecy (PFS): enable
- Phase 2 DH Group: 5
- Phase 2 Keylife: 120 Secs

These values are chosen only to keep the example minimal and to match FortiWAN's limited algorithm set. DES and MD5 are both cryptographically weak, the pre-shared key "12345" used below is trivially guessable, and replay detection is turned off on the FortiGate side. For anything beyond a lab, pick the strongest encryption and hash proposal both units support, use a long random pre-shared key, and keep replay detection enabled. Whatever you choose, the phase 1 and phase 2 proposals, DH groups, PFS setting and key lifetimes must be identical on both units, or IKE negotiation will fail.

Configurations on FortiWAN

To set up the IPSec VPN, the Network Setting, Auto Routing, NAT and IPSec configurations are required on FortiWAN (see "Define routing policies for an IPSec VPN").

Network Setting

WAN settings

Go to System > Network Setting > WAN Setting, and create a WAN link configuration:

WAN Link 1
WAN Type Routing Mode
WAN Port Port1
IPv4 Localhost IP
IPv4 Netmask
IPv4 Default Gateway

For the details of WAN link setting, see “Configurations for a WAN link in Routing Mode”, “Configurations for a WAN link in Bridge Mode: One Static IP” and “Configurations for a WAN link in Bridge Mode: Multiple Static IP”.

LAN private subnets

Go to System > Network Setting > LAN Private Subnet, and create a LAN subnet configuration:

IP(s) on Localhost
LAN Port Port3

For the details of LAN private subnet setting, see “LAN Private Subnet”.

Auto Routing

Go to Service > Auto Routing, and create a policy and two IPv4 filters, one for IKE negotiations and one for IPSec communication.

Policy:

Label   IPSec_WAN1 (any name you like)
T (Threshold)   Enable or not
Algorithm   Fixed
Parameter   Only 1 is checked

IPv4 Filter

Two IPv4 filters: one for IKE negotiations, and another for general IPSec communication.

Filter 1 (IKE negotiations)

When   All-Time
Input Port   Any Port
Source   Localhost
Service   Any or IKE(500)
Routing Policy   IPSec_WAN1

Filter 2 (IPSec communication)

When   All-Time
Input Port   Any Port (or the LAN port, PortX)
Source
Service   Any
Routing Policy   IPSec_WAN1

For the details of Auto Routing, see “Auto Routing”.

NAT
Go to Service > NAT, and create a NAT rule:

When All-Time
Service Any
Translated No NAT

For the details of NAT, see “NAT”.

IPSec

Go to Service > IPSec, and create a Tunnel Mode IPSec VPN:

Phase 1
Name IPSec_FGT_P1
Local IP
Remote IP
Authentication Method Pre-shared Key: 12345
Internet Key Exchange v1
Mode Main (ID protection)
Dead Peer Detection Disable
Encryption DES
Authentication MD5
DH Group 5
Keylife 1200 Secs
Phase 2
Name IPSec_FGT_P2
Encryption DES
Authentication MD5
PFS Group 5
Keylife 120 Secs
Quick Mode  
Port Any
Port Any
Protocol Any

This completes the IPSec VPN setup on the FortiWAN side; the configuration on the FortiGate side is introduced next. For the details of the IPSec parameters, see "IPSec VPN in the Web UI".

Configurations on FortiGate

To set up the IPSec VPN, the Network, Router and VPN configurations are required on FortiGate. For further information on FortiGate configuration, see the FortiOS Handbook on the Fortinet document site.

Network

Go to System > Network > Interface. Configure the wan1 physical interface with a static IP address:

Interface Name wan1
Type Physical Interface
Addressing mode Manual
IP/Network Mask

VPN

Go to VPN > IPsec > Tunnels and click Create New.

Name   IPSec_to_FWN_P1

Select "Custom VPN Tunnel (No Template)" and click Next to configure the settings as follows:

Network

IP Version IPv4
Remote Gateway Static IP Address
IP Address
Interface WAN1
Mode Config Disable
NAT Traversal Disable
Dead Peer Detection Disable
Method Pre-shared key
Pre-shared key 12345
Version V1
Mode Main (ID protection)
Phase 1 Proposal
Encryption DES
Authentication MD5
Diffie-Hellman Group 5
Key Lifetime (seconds) 1200
Local ID   Keep it blank
Type (XAUTH)   Disable
Phase 2 Selectors
Name IPSec_to_FWN_P2
Local Address Subnet:
Remote Address Subnet:
Phase 2 Proposal
Encryption DES
Authentication MD5
Enable Replay Detection disable
Enable Perfect Forward Secrecy (PFS) enable
Diffie-Hellman Group 5
Local Port   All (checked)
Remote Port   All (checked)
Protocol   All (checked)
Autokey Keep Alive   disable
Auto-negotiate   disable
Key Lifetime   Seconds
Seconds   120

Router

Go to Router > Static > Static Routes, and click Create New to create two routes, one via wan1 and one via the IPSec tunnel interface IPSec_to_FWN_P1:

Route 1 (WAN link)

Destination IP/Mask
Device   wan1
Gateway

Route 2 (IPSec tunnel)

Destination IP/Mask
Device   IPSec_to_FWN_P1
Gateway   N/A
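The FortiGate steps above can also be entered from the CLI, which is easier to diff against the FortiWAN settings when a tunnel refuses to come up. The following is an added example written for this page, not configuration taken from the FortiOS Handbook or from Fortinet. It assumes RFC 5737 documentation addresses: FortiGate wan1 192.0.2.10/24 with gateway 192.0.2.1, FortiWAN WAN address 198.51.100.10, FortiGate LAN 10.1.0.0/24 behind an interface named "internal", and FortiWAN LAN 10.2.0.0/24. It also adds the two firewall policies that an interface-mode tunnel needs before any traffic will pass; the page's GUI walkthrough omits them.

```fortios
# Added example (not from the page). Addresses, subnets and the "internal"
# interface name are assumptions; the tunnel parameters mirror the page.

# Network: static address on the physical WAN interface
config system interface
    edit "wan1"
        set mode static
        set ip 192.0.2.10 255.255.255.0
    next
end

# VPN phase 1: IKEv1 main mode, PSK, DES/MD5, DH group 5, 1200 s, no DPD/NAT-T.
# "12345" matches the page's example only; use a long random secret in production.
config vpn ipsec phase1-interface
    edit "IPSec_to_FWN_P1"
        set interface "wan1"
        set ike-version 1
        set mode main
        set remote-gw 198.51.100.10
        set proposal des-md5
        set dhgrp 5
        set keylife 1200
        set dpd disable
        set nattraversal disable
        set mode-cfg disable
        set xauthtype disable
        set psksecret 12345
    next
end

# VPN phase 2: DES/MD5, PFS with DH group 5, 120 s lifetime, all ports/protocols.
# Replay detection is disabled to match the page; enable it outside a lab.
config vpn ipsec phase2-interface
    edit "IPSec_to_FWN_P2"
        set phase1name "IPSec_to_FWN_P1"
        set proposal des-md5
        set pfs enable
        set dhgrp 5
        set replay disable
        set keepalive disable
        set auto-negotiate disable
        set keylife-type seconds
        set keylifeseconds 120
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

# Router: default route via wan1, and the FortiWAN LAN via the tunnel interface
# (no gateway address is needed for a route over an IPsec interface).
config router static
    edit 1
        set gateway 192.0.2.1
        set device "wan1"
    next
    edit 2
        set dst 10.2.0.0 255.255.255.0
        set device "IPSec_to_FWN_P1"
    next
end

# Firewall policies in both directions (not in the page's steps, but required
# for traffic to be forwarded through an interface-mode IPsec tunnel).
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "IPSec_to_FWN_P1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "IPSec_to_FWN_P1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After pasting this in, generate traffic from the FortiGate LAN toward 10.2.0.0/24 and check `diagnose vpn ike gateway list` for an established phase 1 and `diagnose vpn tunnel list` for a phase 2 SA with the expected selectors. If phase 1 never completes, the first things to compare with the FortiWAN side are the proposal string, the DH group and the pre-shared key, since a mismatch in any of them fails the negotiation without a useful error in the GUI.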


