FortiWAN Planning your VPN

For IPSec communication packets

By default, every packet is processed by NAT once Auto Routing has assigned it a WAN link. IPSec VPN communication fails, however, if the source IP address of the packets is translated, because the translated address no longer matches the Phase 2 Quick Mode selectors. To disable NAT for these packets:

1. Go to Service > NAT
  1. From the WAN drop-down menu, select the WAN link used as the local interface of the IPsec VPN tunnel.
  2. Add a rule to NAT Rules that disables NAT translation for the packets matching the definition of the Quick Mode selector:

NAT Rule    | Local endpoint (Site A)     | Remote endpoint (Site B)
When        | All-Time                    | All-Time
Source      | 192.168.10.0/255.255.255.0  | 192.168.100.0/255.255.255.0
Destination | 192.168.100.0/255.255.255.0 | 192.168.10.0/255.255.255.0
Service     | Any                         | Any
Translated  | No NAT                      | No NAT

Make sure the NAT rule and the Phase 2 Quick Mode selector are identical in Source, Destination and Service on each unit; any difference leaves some packets subject to NAT and therefore outside the selector. For the details of NAT, see “NAT”.
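The failure mode described above (source NAT rewrites the inner source address, so the packet no longer matches the Quick Mode selector) and the consistency rule (No-NAT rule equals the Phase 2 selector on Source, Destination and Service) can both be checked before a tunnel is brought up. The following Python script is an added example, not FortiWAN code: it models the page's two-site configuration with the standard `ipaddress` module, simulates what happens to a packet with and without the No-NAT rule, and reports selector mismatches. The `Selector` class, the `NO_NAT` and `PHASE2` dictionaries and the function names are all constructed for this example; only the addresses come from the page.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Selector:
    """A traffic selector as used by both the NAT rule and the Phase 2 Quick Mode
    definition: source network, destination network and service (protocol)."""
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Network
    service: str = "Any"


def net(text: str) -> ipaddress.IPv4Network:
    """Parse FortiWAN-style 'address/dotted-mask' as well as CIDR notation."""
    return ipaddress.ip_network(text, strict=False)


# Constructed from the page's Phase 2 table (one selector per site).
PHASE2 = {
    "A": Selector(net("192.168.10.0/255.255.255.0"), net("192.168.100.0/255.255.255.0")),
    "B": Selector(net("192.168.100.0/255.255.255.0"), net("192.168.10.0/255.255.255.0")),
}

# Constructed from the page's NAT table: the 'No NAT' rules defined per site.
NO_NAT = {
    "A": [Selector(net("192.168.10.0/24"), net("192.168.100.0/24"))],
    "B": [Selector(net("192.168.100.0/24"), net("192.168.10.0/24"))],
}


def selectors_match(a: Selector, b: Selector) -> bool:
    """The page's rule: Source, Destination and Service must all be equal."""
    return (a.source == b.source and a.destination == b.destination
            and a.service.lower() == b.service.lower())


def check_site(site: str, phase2: Selector, no_nat_rules: list[Selector]) -> list[str]:
    """Return a list of problems for one unit; an empty list means it is consistent."""
    problems = []
    if not any(selectors_match(phase2, rule) for rule in no_nat_rules):
        problems.append(f"site {site}: no 'No NAT' rule equals the Phase 2 selector "
                        f"on Source/Destination/Service")
    return problems


def check_mirrored(p2_a: Selector, p2_b: Selector) -> list[str]:
    """Both ends must describe the same traffic from opposite directions."""
    if p2_a.source != p2_b.destination or p2_a.destination != p2_b.source:
        return ["Phase 2 selectors are not mirrored between the two sites"]
    return []


def simulate(src_ip: str, dst_ip: str, wan_ip: str,
             no_nat_rules: list[Selector], phase2: Selector) -> dict:
    """Model the page's behaviour: source NAT to the WAN IP unless a No-NAT rule
    matches, then test whether the egress packet still fits the Phase 2 selector."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    exempt = any(src in r.source and dst in r.destination for r in no_nat_rules)
    egress_src = src if exempt else ipaddress.ip_address(wan_ip)
    return {
        "nat_applied": not exempt,
        "egress_source": str(egress_src),
        "matches_phase2": egress_src in phase2.source and dst in phase2.destination,
    }


if __name__ == "__main__":
    for site in ("A", "B"):
        print(site, check_site(site, PHASE2[site], NO_NAT[site]) or "ok")
    print(check_mirrored(PHASE2["A"], PHASE2["B"]) or "selectors mirrored")
    # A LAN host at Site A talking to Site B, with and without the No-NAT rule.
    print(simulate("192.168.10.5", "192.168.100.7", "10.10.10.10", NO_NAT["A"], PHASE2["A"]))
    print(simulate("192.168.10.5", "192.168.100.7", "10.10.10.10", [], PHASE2["A"]))
```

Run the script as-is to see the two simulations side by side: with the No-NAT rule the packet leaves with its private source address and matches the selector; without it the source becomes the WAN IP 10.10.10.10 and the selector no longer matches, which is exactly the condition the page says breaks the VPN. Changing the Service of a No-NAT rule (for example to "TCP") while Phase 2 keeps "Any" makes `check_site` report the mismatch.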

Define IPSec parameters

Go to Service > IPSec

Add Phase 1 configurations for the IPSec tunnel mode VPN between site A’s WAN 1 (10.10.10.10) and site B’s WAN 1 (20.20.20.20). The other parameters are not listed here.

Phase 1   | Local endpoint (Site A) | Remote endpoint (Site B)
Name      | WAN1_WAN1_Phase1        | WAN1_WAN1_Phase1
Local IP  | 10.10.10.10             | 20.20.20.20
Remote IP | 20.20.20.20             | 10.10.10.10

Add Phase 2 configurations for the IPSec tunnel mode VPN between site A’s WAN 1 (10.10.10.10) and site B’s WAN 1 (20.20.20.20). The other parameters are not listed here.

Phase 2          | Local endpoint (Site A)     | Remote endpoint (Site B)
Name             | WAN1_WAN1_Phase2            | WAN1_WAN1_Phase2
Quick Mode       |                             |
Source           | 192.168.10.0/255.255.255.0  | 192.168.100.0/255.255.255.0
Source Port      | Any                         | Any
Destination      | 192.168.100.0/255.255.255.0 | 192.168.10.0/255.255.255.0
Destination Port | Any                         | Any
Protocol         | Any                         | Any

For the details of IPSec configuration, see “IPSec VPN in the Web UI”.

Procedures to set up an IPSec Tunnel-mode VPN

To set up an IPSec Tunnel-mode VPN, we suggest following the steps below:

  1. Configure Network Settings on both units.
  2. Define correspondent Auto Routing and NAT policies on both units.
  3. Configure the settings of IPSec Tunnel mode Phase 1 and Phase 2 on both units.

Define Auto Routing and Tunnel Routing policies for a Tunnel Routing over IPSec Transport mode VPN

As described previously, IPSec Transport mode provides secure data transmission without IP tunneling (IP encapsulation). However, IPSec Transport mode can protect FortiWAN’s Tunnel Routing (TR), which yields a VPN that is more secure than plain TR and, for load balancing and fault tolerance, more efficient than the “IPsec Tunnel mode VPN”. Tunnel Routing distributes the encapsulated (GRE) packets over multiple tunnels (pairs of a local WAN port and a remote WAN port). With IPSec SAs established on these TR tunnels, the GRE packets are protected (encrypted/decrypted) by the corresponding SA as they pass through a TR tunnel (the local and remote WAN ports). To associate Tunnel Routing with IPSec, a Transport-mode IPSec SA is required for each of Tunnel Routing’s GRE tunnels.

Example topology for the following policies

IPSec Transport mode protects the communications between the private networks behind two FortiWAN units through two TR tunnels. For this example topology, we need the following configurations of Network Setting, Auto Routing, IPSec and Tunnel Routing:

Network Setting

Network Setting on the local side:

WAN settings: Go to System > Network Setting > WAN Setting

WAN Setting          | Local endpoint (Site A) | Local endpoint (Site A) | Remote endpoint (Site B) | Remote endpoint (Site B)
WAN Link             | 1                       | 2                       | 1                        | 2
WAN Type             | Routing Mode            | Routing Mode            | Routing Mode             | Routing Mode
WAN Port             | Port1                   | Port2                   | Port1                    | Port2
IPv4 Localhost IP    | 10.10.10.10             | 11.11.11.11             | 20.20.20.20              | 21.21.21.21
IPv4 Netmask         | 255.255.255.0           | 255.255.255.0           | 255.255.255.0            | 255.255.255.0
IPv4 Default Gateway | 10.10.10.254            | 11.11.11.254            | 20.20.20.254             | 21.21.21.254

For the details of WAN link setting, see “Configurations for a WAN link in Routing Mode”, “Configurations for a WAN link in Bridge Mode: One Static IP” and “Configurations for a WAN link in Bridge Mode: Multiple Static IP”.

LAN private subnets: Go to System > Network Setting > LAN Private Subnet

LAN Private Subnet | Local endpoint (Site A) | Remote endpoint (Site B)
IP(s) on Localhost | 192.168.10.254          | 192.168.100.254
Netmask            | 255.255.255.0           | 255.255.255.0
LAN Port           | Port3                   | Port3

For the details of LAN private subnet setting, see “LAN Private Subnet”.
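The Tunnel Routing over Transport mode design above requires one Transport-mode SA per TR tunnel, where each tunnel is a pair of a local WAN port and a remote WAN port. The following Python script is an added example, not FortiWAN code: it takes the WAN settings from the Network Setting table, lints each WAN link (the default gateway must lie in the Localhost IP's subnet), derives the (local IP, remote IP) pairs that the Transport-mode SAs must cover, and reports any tunnel that has no SA. The page says there are two TR tunnels but does not list them, so the pairing WAN 1 to WAN 1 and WAN 2 to WAN 2 in `TR_TUNNELS` is an assumption, as are all function names.

```python
import ipaddress

# Constructed from the page's WAN Setting table: site -> WAN link number -> settings.
WAN = {
    "A": {1: {"ip": "10.10.10.10", "mask": "255.255.255.0", "gw": "10.10.10.254"},
          2: {"ip": "11.11.11.11", "mask": "255.255.255.0", "gw": "11.11.11.254"}},
    "B": {1: {"ip": "20.20.20.20", "mask": "255.255.255.0", "gw": "20.20.20.254"},
          2: {"ip": "21.21.21.21", "mask": "255.255.255.0", "gw": "21.21.21.254"}},
}

# ASSUMED tunnel definition (local WAN link, remote WAN link) for the page's "two TR tunnels";
# the page does not state which WAN ports are paired.
TR_TUNNELS = [(1, 1), (2, 2)]


def check_wan_links(wan: dict) -> list[str]:
    """Lint each WAN link: the default gateway must be inside the link's own subnet,
    otherwise the unit cannot reach it and the tunnel never comes up."""
    problems = []
    for site, links in wan.items():
        for number, cfg in links.items():
            iface = ipaddress.ip_interface(f"{cfg['ip']}/{cfg['mask']}")
            if ipaddress.ip_address(cfg["gw"]) not in iface.network:
                problems.append(f"site {site} WAN {number}: gateway {cfg['gw']} "
                                f"is not in {iface.network}")
    return problems


def required_transport_sas(wan: dict, tunnels: list[tuple[int, int]]) -> list[tuple[str, str]]:
    """One Transport-mode SA per TR tunnel, expressed as (local IP, remote IP)
    from Site A's point of view. Outer GRE addresses are exactly these WAN IPs,
    since Transport mode adds no IP encapsulation of its own."""
    return sorted((wan["A"][local]["ip"], wan["B"][remote]["ip"]) for local, remote in tunnels)


def mirror_for_remote(sas: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """The same SAs as Site B must configure them: local and remote swapped."""
    return sorted((remote, local) for local, remote in sas)


def missing_sas(required: list[tuple[str, str]],
                configured: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """TR tunnels whose GRE traffic would leave unprotected because no SA covers them."""
    present = set(configured)
    return [sa for sa in required if sa not in present]


if __name__ == "__main__":
    print("WAN link problems:", check_wan_links(WAN) or "none")
    needed = required_transport_sas(WAN, TR_TUNNELS)
    print("Site A Transport-mode SAs:", needed)
    print("Site B Transport-mode SAs:", mirror_for_remote(needed))
    # Constructed: an operator configured only the WAN 1 pair at Site A.
    print("uncovered tunnels:", missing_sas(needed, [("10.10.10.10", "20.20.20.20")]))
```

The useful output is the last line: a TR tunnel that is configured but has no matching Transport-mode SA will still carry GRE packets, just without encryption, so `missing_sas` is the check to run whenever a tunnel is added to Tunnel Routing.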
