Establish IPSec VPN with FortiGate

Establish IPSec VPN with FortiGate

FortiWAN supports the IPSec VPN established with a FortiGate unit. However, the deployment of IPSec VPN established between FortiWAN and FortiGate is limited by the Spec. of FortiWAN’s IPSec (See “About FortiWAN IPSec VPN”). For example, IPSec Transport mode, IKE v2, authentication with certificates, IKE phase 1 aggressive mode, NAT traversal, dynamic IP address, and some algorithms are not supported for this deployment. An example for explaining how to set up a simple IPSec VPN (Tunnel mode) between a FortiWAN and a FortiGate is introduced below:

In this example, the common parameters for establishing IPSec SAs between the two units are as follows:

l Authentication Method: Pre-shared Key l Phase 1 Mode: Main (ID protection) l Dead Peer Detection: disable l Phase 1 Encryption: DES l Phase 1 Authentication: MD5 l Phase 1 DH Group: 5 l Phase 1 Keylife: 1200 Secs l Phase 2 Encryption: DES l Phase 2 Authentication: MD5 l Perfect Forward Secrecy (PFS): enable l Phase 2 DH Group: 5 l Phase 2 Keylife: 120 Secs

Configurations on FortiWAN

To set up the IPSec VPN, configurations of Network Setting, Auto Routing, NAT and IPSec are required on FortiWAN (See “Define routing policies for an IPSec VPN”).

Network Setting

WAN settings

Go to System > Network Setting > WAN Setting, and create a WAN link configuration:

WAN Link 1
WAN Type Routing Mode
WAN Port Port1
IPv4 Localhost IP 10.12.102.42
IPv4 Netmask 255.255.255.0
IPv4 Default Gateway 10.12.102.254

For the details of WAN link setting, see “Configurations for a WAN link in Routing Mode”, “Configurations for a WAN link in Bridge Mode: One Static IP” and “Configurations for a WAN link in Bridge Mode: Multiple Static IP”.

LAN private subnets

Go to System > Network Setting > LAN Private Subnet, and create a LAN subnet configuration:

IP(s) on Localhost 2.2.2.254
Netmask 255.255.255.0
LAN Port Port3

For the details of LAN private subnet setting, see “LAN Private Subnet”.

Auto Routing

Go to Service > Auto Routing, and create a policy and two IPv4 filters for IKE negotiations and IPSec communication.

Policy
Label IPSec_WAN1 (Any name you desire)
T Enable Threshold or not
Algorithm Fixed
Parameter Only 1 is checked
IPv4 Filter

Two IPv4 filters: one for IKE negotiations, and another for general IPSec communication.

When All-Time   All-Time
Input Port Any Port Any Port (or the LAN port, PortX)
Source Localhost 2.2.2.0/255.255.255.0
Destination 10.12.136.180 1.1.1.0/255.255.255.0
Service Any or IKE(500) Any
Routing Policy IPSec_WAN1 IPSec_WAN1
Fail-Over Policy NO-ACTION NO-ACTION

For the details of Auto Routing, see “Auto Routing”.

NAT

Go to Service > NAT, and create a NAT rule:

When All-Time
Source 2.2.2.0/255.255.255.0
Destination 1.1.1.0/255.255.255.0
Service Any
Translated No NAT

For the details of NAT, see “NAT”.

IPSec

Go to Service > IPSec, and create a Tunnel Mode:

Phase 1
Name IPSec_FGT_P1
Local IP 10.12.102.42
Remote IP 10.12.136.180
Authentication Method Pre-shared Key: 12345
Internet Key Exchange v1
Mode Main (ID protection)
Dead Peer Detection Disable
Proposal  
Encryption DES
Authentication MD5
DH Group 5
Keylife 1200 Secs
Phase 2
Name IPSec_FGT_P2
Proposal  
Encryption DES
Authentication MD5
PFS Group 5
Keylife 120 Secs
Quick Mode  
Source 2.2.2.0/255.255.255.0
Port Any
Destination 1.1.1.0/255.255.255.0
Port Any
Protocol Any

So far, it is complete to set up the IPSec VPN on the FortiWAN side, configurations on the FortiGate side are introduced next. For the details of IPSec parameters, see “IPSec VPN in the Web UI”.

Configurations on FortiGate

To set up the IPSec VPN, configurations of Network, Router and VPN are required on FortiGate. For further information of FortiGate configurations, see FortiOS Handbook on Fortinet document site.

Network

Go to System > Network > Interface. Configure the setting for WAN 1 with IP address 10.12.136.180 on a physical interface.

Interface Name wan1
Type Physical Interface
Addressing mode Manual
IP/Network Mask 10.12.136.180/255.255.255.0

VPN

Go to VPN > IPsec > Tunnels and click Create New.

Name IPSec_to_FWN_P1

Select “Custom VPN Tunnel (No Template)” and click Next to configure the settings as follows: Network

IP Version IPv4
Remote Gateway Static IP Address
IP Address 10.12.102.42
Interface WAN1
Mode Config Disable
NAT Traversal Disable
Dead Peer Detection Disable
Authentication
Method Pre-shared key
Pre-shared key 12345
IKE  
Version V1
Mode Main (ID protection)
Phase 1 Proposal
Encryption DES
Authentication MD5
Diffie-Hellman Group 5
Key Lifetime (seconds) 1200
Local ID Keep it blank
XAUTH
Type Disable
Phase 2 Selectors
Name IPSec_to_FWN_P2
Local Address Subnet: 1.1.1.0/255.255.255.0
Remote Address Subnet: 2.2.2.0/255.255.255.0
Phase 2 Proposal
Encryption DES
Authentication MD5
Enable Replay Detection disable
Enable Perfect Forward Secrecy (PFS) enable
Diffie-Hellman Group 5
Local Port All check
Remote Port All check
Protocol All All check
Autokey keep Alive disable
Auto-negotiate disable
Key Lifetime Seconds
Seconds 120

Router

Go to Router > Static > Static Routes, and click Create New to create two rules for WAN1 and the IPSec tunnel – IPSec_to_FWN_P1:

Destination IP/Mask 0.0.0.0/0.0.0.0 2.2.2.0/255.255.255.0
Device wan1 IPSec_to_FWN_P1
Gateway 10.12.136.254 N/A

 

Firewall


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To Buy Your Fortinet Hardware From The Fortinet GURU

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.