Category Archives: FortiOS

Site-to-site IPv6 over IPv4 VPN example

In this example, IPv6-addressed private networks communicate securely over IPv4 public infrastructure.

 

Example IPv6-over-IPv4 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the IPv4 public network and port 3 connects to the IPv6 LAN.

config system interface
    edit port2
        set ip 10.0.0.1/24
    next
    edit port3
        config ipv6
            set ip6-address fec0::0001:209:0fff:fe83:25f3/64
        end
    next
end

 

Configure FortiGate A IPsec settings

The Phase 1 configuration uses IPv4 addressing.

config vpn ipsec phase1-interface
    edit toB
        set interface port2
        set remote-gw 10.0.1.1
        set dpd [disable | on-idle | on-demand]
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

The Phase 2 configuration uses IPv6 selectors. By default, Phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.

 

config vpn ipsec phase2-interface
    edit toB2
        set phase1name toB
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

 

Configure FortiGate A security policies

IPv6 security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. Define the address all6 using the firewall address6 command as ::/0.

 

config firewall policy6
    edit 1
        set srcintf port3
        set dstintf toB
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toB
        set dstintf port3
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
end

 

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv6 static route. A default route sends all IPv4 traffic, including the IPv4 IPsec packets, out on port2.

config router static6
    edit 1
        set device toB
        set dst fec0:0000:0000:0004::/64
    next
end

config router static
    edit 1
        set device port2
        set dst 0.0.0.0/0
        set gateway 10.0.0.254
    next
end

 

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the IPv4 public IP address of FortiGate A. The IPsec Phase 2 configuration has IPv6 selectors.

IPv6 security policies enable traffic to pass between the private network and the IPsec interface. An IPv6 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv4 static route ensures that all IPv4 packets are routed to the public network.

 

config system interface
    edit port2
        set ip 10.0.1.1/24
    next
    edit port3
        config ipv6
            set ip6-address fec0::0004:209:0fff:fe83:2569/64
        end
    next
end

config vpn ipsec phase1-interface
    edit toA
        set interface port2
        set remote-gw 10.0.0.1
        set dpd [disable | on-idle | on-demand]
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

config vpn ipsec phase2-interface
    edit toA2
        set phase1name toA
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

config firewall policy6
    edit 1
        set srcintf port3
        set dstintf toA
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toA
        set dstintf port3
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
end

The IPv6 route on FortiGate B must name the /64 that FortiGate A's port3 actually sits on (fec0:0000:0000:0001::/64 for the port3 address shown above); a route to the wrong prefix leaves the tunnel up but carries no traffic.

config router static6
    edit 1
        set device toA
        set dst fec0:0000:0000:0001::/64
    next
end

config router static
    edit 1
        set device port2
        set gateway 10.0.1.254
    next
end

 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Site-to-site IPv4 over IPv6 VPN example

In this example, two private networks with IPv4 addressing communicate securely over IPv6 infrastructure.

 

Example IPv4-over-IPv6 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the IPv6 public network and port 3 connects to the IPv4 LAN.

config system interface
    edit port2
        config ipv6
            set ip6-address fec0::0001:209:0fff:fe83:25f2/64
        end
    next
    edit port3
        set ip 192.168.2.1/24
    next
end

 

Configure FortiGate A IPsec settings

The Phase 1 configuration is the same as in the IPv6 over IPv6 example: the gateways have IPv6 addresses, so ip-version is set to 6 and remote-gw6 names the remote gateway.

config vpn ipsec phase1-interface
    edit toB
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7
        set dpd [disable | on-idle | on-demand]
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

 

The Phase 2 configuration is the same as you would use for an IPv4 VPN. By default, Phase 2 selectors are set to accept all subnet addresses for source and destination.

 

config vpn ipsec phase2-interface
    edit toB2
        set phase1name toB
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
    next
end

 

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. These are IPv4 security policies.

config firewall policy
    edit 1
        set srcintf port3
        set dstintf toB
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toB
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
end

 

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv4 static route. A default route sends all IPv6 traffic, including the IPv6 IPsec packets, out on port2.

 

config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
end

config router static
    edit 1
        set device toB
        set dst 192.168.3.0/24
    next
end

 

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IPv6 address of FortiGate A. The IPsec Phase 2 configuration has IPv4 selectors.

IPv4 security policies enable traffic to pass between the private network and the IPsec interface. An IPv4 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv6 static route ensures that all IPv6 packets are routed to the public network.

 

config system interface
    edit port2
        config ipv6
            set ip6-address fec0::0003:209:0fff:fe83:25c7/64
        end
    next
    edit port3
        set ip 192.168.3.1/24
    next
end

config vpn ipsec phase1-interface
    edit toA
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2
        set dpd [disable | on-idle | on-demand]
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

config vpn ipsec phase2-interface
    edit toA2
        set phase1name toA
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
    next
end

config firewall policy
    edit 1
        set srcintf port3
        set dstintf toA
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toA
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
end

config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
end

config router static
    edit 1
        set device toA
        set dst 192.168.2.0/24
    next
end


Configuring IPv6 IPsec VPNs

Configuration of an IPv6 IPsec VPN follows the same sequence as for an IPv4 route-based VPN: Phase 1 settings, Phase 2 settings, security policies and routing.

By default, IPv6 configuration options do not appear in the web-based manager. You need to enable the feature first.

To enable IPv6

1. Go to System > Feature Select.

2. Enable IPv6.

3. Select Apply.

 

Phase 1 configuration

In the web-based manager, you define the Phase 1 as IPv6 in the Advanced settings. Enable the IPv6 Version check box. You can then enter an IPv6 address for the remote gateway.

In the CLI, you define an IPsec Phase 1 configuration as IPv6 by setting ip-version to 6. Its default value is 4. Then, the local-gw and remote-gw keywords are hidden and the corresponding local-gw6 and remote-gw6 keywords are available. The values for local-gw6 and remote-gw6 must be IPv6 addresses. The proposals used in the examples on this page (3des-md5, 3des-sha1) are illustrative only: 3DES and MD5 are deprecated, so a production tunnel should use an AES and SHA-2 proposal such as aes256-sha256 in both Phase 1 and Phase 2, configured identically at both ends. For example:

config vpn ipsec phase1-interface
    edit tunnel6
        set ip-version 6
        set remote-gw6 0:123:4567::1234
        set interface port3
        set proposal 3des-md5
    next
end

 

Phase 2 configuration

To create an IPv6 IPsec Phase 2 configuration in the web-based manager, you need to define IPv6 selectors in the Advanced settings. Change the default “0.0.0.0/0” address for Source address and Destination address to the IPv6 value “::/0”. If needed, enter specific IPv6 addresses, address ranges, or subnet addresses in these fields.

In the CLI, set src-addr-type and dst-addr-type to ip6, range6 or subnet6 to specify IPv6 selectors. By default the selector addresses are the all-zero wildcard for the chosen type (::/0 for the subnet6 address type, for example), so the tunnel accepts any IPv6 source and destination unless you narrow them. The simplest IPv6 Phase 2 configuration looks like this:

config vpn ipsec phase2-interface
    edit tunnel6_p2
        set phase1name tunnel6
        set proposal 3des-md5
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

 

The management of static selector rules is performed by the IKE daemon, which allows named selectors to be reloaded if any named address or address groups are changed, without requiring the FortiGate unit to be rebooted before applying changes.

 

Security policies

To complete the VPN configuration, you need a security policy in each direction to permit traffic between the protected network’s port and the IPsec interface. You need IPv6 policies unless the VPN is IPv4 over IPv6.

 

Routing

Appropriate routing is needed for both the IPsec packets and the encapsulated traffic within them. You need a route, which could be the default route, to the remote VPN gateway via the appropriate interface. You also need a route to the remote protected network via the IPsec interface.

 

To create a static route in the web-based manager

1. Go to Network > Static Routes.

2. Select the drop-down arrow on the Create New button and select IPv6 Route.

3. Enter the information and select OK.

In the CLI, use the router static6 command. For example, where the remote network is fec0:0000:0000:0004::/64 and the IPsec interface is toB:

config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
    edit 2
        set device toB
        set dst fec0:0000:0000:0004::/64
    next
end

 

If the VPN is IPv4 over IPv6, the route to the remote protected network is an IPv4 route (config router static), while the route to the remote gateway is an IPv6 route. If the VPN is IPv6 over IPv4, the route to the remote VPN gateway is an IPv4 route and the route to the remote protected network is an IPv6 route (config router static6). Putting a route in the table for the wrong address family is a common reason for a tunnel that comes up but passes no traffic.
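The two ends of a tunnel usually drift apart on exactly the items listed above: the remote gateway does not match the peer's WAN address, the route to the peer's protected network names the wrong prefix, the pre-shared keys differ, or the proposals do not overlap (or are deprecated). The following Python script is an added example, not Fortinet code and not part of the original page. It parses the FortiOS CLI syntax used in these examples (config, edit, set, next, end, including a nested config ipv6 block inside an interface entry) and cross-checks the two ends. The configuration text it checks is constructed here from a template that mirrors the IPv6 over IPv4 example on this page (IPv4 gateways, IPv6 LANs, port2 as WAN and port3 as LAN, the same sample addresses), with FortiGate B's IPv6 static route deliberately pointing at fec0::/64 instead of FortiGate A's fec0:0:0:1::/64 so the route check has something to report, and with the 3DES/MD5 proposals of the examples so the weak-proposal check fires as well.

```python
"""Added example (not Fortinet code): parse the FortiOS CLI syntax used in
these examples and cross-check the two ends of a site-to-site IPsec tunnel."""
import ipaddress

WEAK = {"des", "3des", "md5", "null"}  # deprecated proposal components


def parse_fortios(text):
    """Return {table: {entry: {key: [values]}}} from config/edit/set/next/end
    text. A block nested inside an entry (config ipv6) is flattened to keys
    such as 'ipv6.ip6-address'. Only the syntax subset on this page is handled."""
    tables, stack = {}, []  # stack items are [table name, current edit name]
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), None])
        elif tok[0] == "edit":
            stack[-1][1] = tok[1]
        elif tok[0] == "set":
            table, entry = stack[0]
            key = ".".join([t for t, _ in stack[1:]] + [tok[1]])
            tables.setdefault(table, {}).setdefault(entry, {})[key] = tok[2:]
        elif tok[0] == "next":
            stack[-1][1] = None
        elif tok[0] == "end":
            stack.pop()
    return tables


def site_facts(name, cfg, wan="port2", lan="port3"):
    """Collect what must agree between peers: WAN and LAN addresses, tunnel
    interface name, remote gateway, PSK, Phase 1 proposals and static routes."""
    def iface(port):
        e = cfg["system interface"][port]
        v = e.get("ipv6.ip6-address") or e["ip"]  # 'a.b.c.d/n' or 'a.b.c.d m.m.m.m'
        return ipaddress.ip_interface(v[0] if len(v) == 1 else f"{v[0]}/{v[1]}")
    tunnel, p1 = next(iter(cfg["vpn ipsec phase1-interface"].items()))
    routes = set()  # (device, network) for both address families
    for table, default in (("router static", "0.0.0.0/0"), ("router static6", "::/0")):
        for e in cfg.get(table, {}).values():
            net = ipaddress.ip_network(e.get("dst", [default])[0], strict=False)
            routes.add((e["device"][0], net))
    return {"name": name, "wan": iface(wan), "lan": iface(lan), "tunnel": tunnel,
            "remote_gw": ipaddress.ip_address((p1.get("remote-gw6") or p1["remote-gw"])[0]),
            "psk": p1["psksecret"][0], "proposals": set(p1["proposal"]), "routes": routes}


def check_pair(a, b):
    """Return the list of mismatches; an empty list means the ends agree."""
    problems = []
    for me, peer in ((a, b), (b, a)):
        if me["remote_gw"] != peer["wan"].ip:
            problems.append(f"{me['name']}: remote-gw {me['remote_gw']} is not "
                            f"{peer['name']}'s WAN address {peer['wan'].ip}")
        if (me["tunnel"], peer["lan"].network) not in me["routes"]:
            problems.append(f"{me['name']}: no route to {peer['lan'].network} "
                            f"via {me['tunnel']}")
        weak = sorted(p for p in me["proposals"] if set(p.split("-")) & WEAK)
        if weak:
            problems.append(f"{me['name']}: weak proposal(s) {weak}")
    if a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ")
    if not a["proposals"] & b["proposals"]:
        problems.append("no common Phase 1 proposal")
    return problems


# Constructed sample: a template mirroring the IPv6 over IPv4 example on this
# page (IPv4 gateways on port2, IPv6 LANs on port3), rendered once per end.
TEMPLATE = """
config system interface
    edit port2
        set ip {wan}
    next
    edit port3
        config ipv6
            set ip6-address {lan}
        end
    next
end
config vpn ipsec phase1-interface
    edit {tunnel}
        set interface port2
        set remote-gw {peer}
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end
config router static6
    edit 1
        set device {tunnel}
        set dst {route}
    next
end
"""
FGT_A = TEMPLATE.format(wan="10.0.0.1/24", lan="fec0::1:209:fff:fe83:25f3/64",
                        tunnel="toB", peer="10.0.1.1", route="fec0:0:0:4::/64")
# Deliberate error: B routes fec0::/64 into the tunnel, but A's LAN is fec0:0:0:1::/64
FGT_B = TEMPLATE.format(wan="10.0.1.1/24", lan="fec0::4:209:fff:fe83:2569/64",
                        tunnel="toA", peer="10.0.0.1", route="fec0:0:0:0::/64")


def demo():
    """Cross-check the two constructed configs and return the problems found."""
    return check_pair(site_facts("FortiGate A", parse_fortios(FGT_A)),
                      site_facts("FortiGate B", parse_fortios(FGT_B)))
```

Calling demo() on the constructed pair returns three findings: weak proposals on each unit and the missing route on FortiGate B to fec0:0:0:1::/64 via toA; once B's route is corrected only the two proposal findings remain. check_pair returns a list rather than printing so it can gate a deployment script before a configuration pair is pushed. The parser deliberately covers only the CLI subset shown on this page; quoted values containing spaces, unset commands and firewall policies are not handled.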

 

Site-to-site IPv6 over IPv6 VPN example

In this example, computers on IPv6-addressed private networks communicate securely over public IPv6 infrastructure.

By default, IPv6 configuration options do not appear in the web-based manager. You need to enable the feature first.

To enable IPv6

1. Go to System > Feature Select.

2. Enable IPv6.

3. Select Apply.

 

Example IPv6-over-IPv6 VPN topology

 

Configure FortiGate A interfaces

Port 2 connects to the public network and port 3 connects to the local network.

config system interface
    edit port2
        config ipv6
            set ip6-address fec0::0001:209:0fff:fe83:25f2/64
        end
    next
    edit port3
        config ipv6
            set ip6-address fec0::0000:209:0fff:fe83:25f3/64
        end
    next
end

 

Configure FortiGate A IPsec settings

The Phase 1 configuration creates a virtual IPsec interface on port 2 and sets the remote gateway to the public IPv6 address of FortiGate B. This configuration is the same as for an IPv4 route-based VPN, except that ip-version is set to 6 and the remote-gw6 keyword is used to specify an IPv6 remote gateway address.

 

config vpn ipsec phase1-interface
    edit toB
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7
        set dpd [disable | on-idle | on-demand]
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

By default, Phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.

 

config vpn ipsec phase2-interface
    edit toB2
        set phase1name toB
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

 

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. The address all6 must be defined using the firewall address6 command as ::/0.

 

config firewall policy6
    edit 1
        set srcintf port3
        set dstintf toB
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toB
        set dstintf port3
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
end

 

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB. A default route sends all IPv6 traffic out on port2.

config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
    edit 2
        set device toB
        set dst fec0:0000:0000:0004::/64
    next
end

 

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IPv6 address of FortiGate A. Security policies enable traffic to pass between the private network and the IPsec interface. Routing ensures traffic for the private network behind FortiGate A goes through the VPN and that all other IPv6 packets, including the IPsec packets themselves, are routed to the public network.

 

config system interface
    edit port2
        config ipv6
            set ip6-address fec0::0003:209:0fff:fe83:25c7/64
        end
    next
    edit port3
        config ipv6
            set ip6-address fec0::0004:209:0fff:fe83:2569/64
        end
    next
end

config vpn ipsec phase1-interface
    edit toA
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2
        set dpd [disable | on-idle | on-demand]
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

config vpn ipsec phase2-interface
    edit toA2
        set phase1name toA
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

config firewall policy6
    edit 1
        set srcintf port3
        set dstintf toA
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toA
        set dstintf port3
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
end

config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
    edit 2
        set device toA
        set dst fec0:0000:0000:0000::/64
    next
end


IPv6 IPsec VPNs

This chapter describes how to configure your FortiGate unit’s IPv6 IPsec VPN functionality.

 

By default, IPv6 configuration options do not appear in the web-based manager. You need to enable the feature first.

To enable IPv6

1. Go to System > Feature Select.

2. Enable IPv6.

3. Select Apply.

 

The following topics are included in this section:

  • Overview of IPv6 IPsec support
  • Configuring IPv6 IPsec VPNs
  • Site-to-site IPv6 over IPv6 VPN example
  • Site-to-site IPv4 over IPv6 VPN example
  • Site-to-site IPv6 over IPv4 VPN example

 

Overview of IPv6 IPsec support

FortiOS supports route-based IPv6 IPsec, but not policy-based. This section describes how IPv6 IPsec support differs from IPv4 IPsec support. FortiOS 4.0 MR3 is IPv6 Ready Logo Program Phase 2 certified.

Where both the gateways and the protected networks use IPv6 addresses, sometimes called IPv6 over IPv6, you can create either an auto-keyed or manually-keyed VPN. You can combine IPv6 and IPv4 addressing in an auto-keyed VPN in the following ways:

IPv4 over IPv6          The VPN gateways have IPv6 addresses. The protected networks have IPv4 addresses. The Phase 2 configurations at either end use IPv4 selectors.

IPv6 over IPv4          The VPN gateways have IPv4 addresses. The protected networks use IPv6 addresses. The Phase 2 configurations at either end use IPv6 selectors.

Compared with IPv4 IPsec VPN functionality, there are some limitations:

  • Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
  • Selectors cannot be firewall address names. Only IP address, address range and subnet are supported.
  • Redundant IPv6 tunnels are not supported.

 

Certificates

On a VPN with IPv6 Phase 1 configuration, you can authenticate using VPN certificates in which the common name (cn) is an IPv6 address. The cn-type keyword of the user peer command has an option, ipv6, to support this.


Transparent mode VPNs

This section describes transparent VPN configurations, in which two FortiGate units create a VPN tunnel between two separate private networks transparently.

The following topics are included in this section:

  • Configuration overview
  • Configure the VPN peers

Configuration overview

In transparent mode, all interfaces of the FortiGate unit except the management interface (which by default is assigned IP address 10.10.10.1/255.255.255.0) are invisible at the network layer. Typically, when a FortiGate unit runs in transparent mode, different network segments are connected to the FortiGate interfaces. The figure below shows the management station on the same subnet. The management station can connect to the FortiGate unit directly through the web-based manager.

 

Management station on internal network

An edge router typically provides a public connection to the Internet and one interface of the FortiGate unit is connected to the router. If the FortiGate unit is managed from an external address (see the figure below), the router must translate (NAT) a routable address to direct management traffic to the FortiGate management interface.

 

Management station on external network

In a transparent VPN configuration, two FortiGate units create a VPN tunnel between two separate private networks transparently. All traffic between the two networks is encrypted and protected by FortiGate security policies.

Both FortiGate units may be running in transparent mode, or one could be running in transparent mode and the other running in NAT mode. If the remote peer is running in NAT mode, it must have a static public IP address.

VPNs between two FortiGate units running in transparent mode do not support inbound/outbound NAT (supported through CLI commands) within the tunnel. In addition, a FortiGate unit running in transparent mode cannot be used in a hub-and-spoke configuration.

Encrypted packets from the remote VPN peer are addressed to the management interface of the local FortiGate unit. If the local FortiGate unit can reach the VPN peer locally, a static route to the VPN peer must be added to the routing table on the local FortiGate unit. If the VPN peer connects through the Internet, encrypted packets from the local FortiGate unit must be routed to the edge router instead. For information about how to add a static route to the FortiGate routing table, see the Advanced Routing Guide.

In the example configuration shown above, Network Address Translation (NAT) is enabled on the router. When an encrypted packet from the remote VPN peer arrives at the router through the Internet, the router performs inbound NAT and forwards the packet to the FortiGate unit. Refer to the software supplier’s documentation to configure the router.

If you want to configure a VPN between two FortiGate units running in transparent mode, each unit must have an independent connection to a router that acts as a gateway to the Internet, and the two units must be on separate networks with different address spaces. When the two networks linked by the VPN tunnel have different address spaces (see the figure below), at least one router must separate the two FortiGate units, unless the packets can be redirected using ICMP (as shown in the figure after it).

 

Link between two FortiGate units in transparent mode

In the figure below, interface C behind the router is the default gateway for both FortiGate units. Packets that cannot be delivered on Network_1 are routed to interface C by default. Similarly, packets that cannot be delivered on Network_2 are routed to interface C. In this case, the router must be configured to redirect packets destined for Network_1 to interface A and redirect packets destined for Network_2 to interface B.

 

ICMP redirecting packets to two FortiGate units in transparent mode

If there are additional routers behind the FortiGate unit (see the figure below) and the destination IP address of an inbound packet is on a network behind one of those routers, the FortiGate routing table must include routes to those networks. For example, in the following figure, the FortiGate unit must be configured with static routes to interfaces A and B in order to forward packets to Network_1 and Network_2 respectively.

 

Destinations on remote networks behind internal routers

 

Transparent VPN infrastructure requirements

  • The local FortiGate unit must be operating in transparent mode.
  • The management IP address of the local FortiGate unit specifies the local VPN gateway. The management IP address is considered a static IP address for the local VPN peer.
  • If the local FortiGate unit is managed through the Internet, or if the VPN peer connects through the Internet, the edge router must be configured to perform inbound NAT and forward management traffic and/or encrypted packets to the FortiGate unit.
  • If the remote peer is operating in NAT mode, it must have a static public IP address.

 

A FortiGate unit operating in transparent mode requires the following basic configuration to operate as a node on the IP network:

  • The unit must have sufficient routing information to reach the management station.
  • For any traffic to reach external destinations, a default static route to an edge router that forwards packets to the Internet must be present in the FortiGate routing table.
  • When all of the destinations are located on the external network, the FortiGate unit may route packets using a single default static route. If the network topology is more complex, one or more static routes in addition to the default static route may be required in the FortiGate routing table.

 

Only policy-based VPN configurations are possible in transparent mode.

 

Before you begin

An IPsec VPN definition links a gateway with a tunnel and an IPsec policy. If your network topology includes more than one virtual domain, you must choose components that were created in the same virtual domain. Therefore, before you define a transparent VPN configuration, choose an appropriate virtual domain in which to create the required interfaces, security policies, and VPN components. For more information, see the Virtual Domains guide.

 

 

Configure the VPN peers

1. The local VPN peer needs to operate in transparent mode.

To determine if your FortiGate unit is in transparent mode, go to the Dashboard > System Information widget. Select [change]. Select transparent for the Operation Mode. Two new fields will appear to enter the Management IP/Netmask, and the Default Gateway.

In transparent mode, the FortiGate unit is invisible to the network. All of its interfaces are on the same subnet and share the same IP address. You only have to configure a management IP address so that you can make configuration changes.

The remote VPN peer may operate in NAT mode or transparent mode.

2. At the local FortiGate unit, define the Phase 1 parameters needed to establish a secure connection with the remote peer. See Phase 1 parameters on page 1624. Select Advanced and enter these settings in particular:

Remote Gateway                       Select Static IP Address.

IP Address                                 Type the IP address of the public interface to the remote peer. If the remote peer is a FortiGate unit running in transparent mode, type the IP address of the remote management interface.

Advanced                                   Select Nat-traversal, and type a value into the Keepalive Frequency field. These settings protect the headers of encrypted packets from being altered by external NAT devices and ensure that NAT address mappings do not change while the VPN tunnel is open. For more information, see Phase 1 parameters on page 1624.

3. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. See Phase 2 parameters on page 1642. Select the set of Phase 1 parameters that you defined for the remote peer. The name of the remote peer can be selected from the Static IP Address list.

4. Define the source and destination addresses of the IP packets that are to be transported through the VPN tunnel.

See Defining VPN security policies on page 1648. Enter these settings in particular:

  • For the originating address (source address), enter the IP address and netmask of the private network behind the local peer, that is, the subnet of the management interface (for example, 10.10.10.0/24). This address needs to be a range so that traffic from your whole network can use the tunnel. Optionally select any for this address.
  • For the remote address (destination address), enter the IP address and netmask of the private network behind the remote peer (for example, 192.168.10.0/24). If the remote peer is a FortiGate unit running in transparent mode, enter the IP address of the remote management interface instead.

5. Define an IPsec security policy to permit communications between the source and destination addresses. See

Defining VPN security policies on page 1648. Enter these settings in particular:

Incoming Interface                   Select the local interface to the internal (private) network.

Source Address                        Select the source address that you defined in Step 4.

Outgoing Interface                   Select the interface to the edge router. When you configure the IPsec security policy on a remote peer that operates in NAT mode, you select the public interface to the external (public) network instead.

Destination Address                 Select the destination address that you defined in Step 4.

VPN Tunnel                                Select Use Existing and select the name of the Phase 2 tunnel configuration that you created in Step 3 from the drop-down list.

Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

6. Place the policy in the policy list above any other policies having similar source and destination addresses.

7. Define another IPsec security policy to permit communications between the source and destination addresses in the opposite direction. This security policy and the previous one form a bi-directional policy pair. See Defining VPN security policies on page 1648. Enter these settings in particular:

Incoming Interface                   Select the interface to the edge router. When you configure the IPsec security policy on a remote peer that operates in NAT mode, you select the public interface to the external (public) network instead.

Source Address                        Select the destination address that you defined in Step 4.

Outgoing Interface                   Select the local interface to the internal (private) network.

Destination Address                 Select the source address that you defined in Step 4.

VPN Tunnel                                Select Use Existing and select the name of the Phase 2 tunnel configuration that you created in Step 3 from the drop-down list.

Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

8. Repeat this procedure at the remote FortiGate unit to create bidirectional security policies. Use the local interface and address information local to the remote FortiGate unit.

For more information on transparent mode, see the System Administration Guide.


Partially-redundant route-based VPN example

This example demonstrates how to set up a partially redundant IPsec VPN between a local FortiGate unit and a remote VPN peer that receives a dynamic IP address from an ISP before it connects to the FortiGate unit. For more information about FortiGate dialup-client configurations, see FortiGate dialup-client configurations on page 1716.

When a FortiGate unit has more than one interface to the Internet (see FortiGate_1), you can configure redundant routes. If the primary connection fails, the FortiGate unit can establish a VPN using the redundant connection.

In this case, FortiGate_2 has only one connection to the Internet. If the link to the ISP were to go down, the connection to FortiGate_1 would be lost, and the tunnel would be taken down. The tunnel is said to be partially redundant because FortiGate_2 does not support a redundant connection.

In the configuration example:

  • Both FortiGate units operate in NAT mode.
  • Two separate interfaces to the Internet (192.168.10.2 and 172.16.20.2) are available on FortiGate_1. Each interface has a static public IP address.
  • FortiGate_2 has a single connection to the Internet and obtains a dynamic public IP address (for example, 172.16.30.1) when it connects to the Internet.
  • FortiGate_2 forwards IP packets from the SOHO network (10.31.101.0/24) to the corporate network (10.21.101.0/24) behind FortiGate_1 through a partially redundant IPsec VPN. Encrypted packets from FortiGate_2 are addressed to the public interface of FortiGate_1. Encrypted packets from FortiGate_1 are addressed to the public IP address of FortiGate_2.

 

There are two possible paths for communication between the two units. In this example, these paths, listed in descending priority, are:

  • FortiGate_1 WAN 1 to FortiGate_2 WAN 1
  • FortiGate_1 WAN 2 to FortiGate_2 WAN 1

For each path, VPN configuration, security policies and routing are defined. By specifying a different routing distance for each path, the paths are prioritized. A VPN tunnel is established on each path, but only the highest priority one is used. If the highest priority path goes down, the traffic is automatically routed over the next highest priority path. You could use dynamic routing, but to keep this example simple, static routing is used.

 

Example partially redundant route-based configuration

 

Configuring FortiGate_1

When configuring FortiGate_1, you must:

  • Configure the interfaces involved in the VPN.
  • Define the Phase 1 configuration for each of the two possible paths, creating a virtual IPsec interface for each one.
  • Define the Phase 2 configuration for each of the two possible paths.
  • Configure incoming and outgoing security policies between the internal interface and each of the virtual IPsec interfaces.

To configure the network interfaces

1. Go to Network > Interfaces.

2. Select the Internal interface and select Edit. Enter the following information and select OK:

Addressing mode                     Manual

IP/Netmask                                 10.21.101.2/255.255.255.0

3. Select the WAN1 interface and select Edit. Enter the following information and select OK:

Addressing mode                     Manual

IP/Netmask                                 192.168.10.2/255.255.255.0

4. Select the WAN2 interface and select Edit. Enter the following information and select OK:

Addressing mode                     Manual

IP/Netmask                                 172.16.20.2/255.255.255.0

 

To configure the IPsec interfaces (Phase 1 configurations)

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.

2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

3. Enter the following information, and select OK:

Name                                           Site_1_A

Remote Gateway                       Dialup User

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

4. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_1_B

Remote Gateway                       Dialup User

Local Interface                          WAN2

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

 

To define the Phase 2 configurations for the two VPNs

1. Open the Phase 2 Selectors panel.

2. Enter the following information and select OK:

Name                                           Route_A

Phase 1                                       Site_1_A

3. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_B

Phase 1                                       Site_1_B

 

To configure routes

1. Go to Network > Static Routes.

2. Select Create New, enter the following default gateway information and select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         WAN1

Gateway                                     192.168.10.1

Distance (Advanced)                10

 

To configure security policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_A

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

3. Select Create New.

4. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_B

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

 

Configuring FortiGate_2

The configuration for FortiGate_2 is similar to that of FortiGate_1. You must:

  • Configure the interface involved in the VPN.
  • Define the Phase 1 configuration for the primary and redundant paths, creating a virtual IPsec interface for each one.
  • Define the Phase 2 configurations for the primary and redundant paths, defining the internal network as the source address so that FortiGate_1 can automatically configure routing.
  • Configure the routes for the two IPsec interfaces, assigning the appropriate priorities.
  • Configure security policies between the internal interface and each of the virtual IPsec interfaces.

 

To configure the network interfaces

1. Go to Network > Interfaces.

2. Select the Internal interface and select Edit. Enter the following information and select OK:

Addressing mode                     Manual

IP/Netmask                                 10.31.101.2/255.255.255.0

3. Select the WAN1 interface and select Edit. Set the Addressing mode to DHCP.

 

To configure the two IPsec interfaces (Phase 1 configurations)

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.

2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

3. Enter the following information, and select OK:

Name                                           Site_2_A

Remote Gateway                       Static IP Address

IP Address                                 192.168.10.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

4. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_2_B

Remote Gateway                       Static IP Address

IP Address                                 172.16.20.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

 

To define the Phase 2 configurations for the two VPNs

1. Open the Phase 2 Selectors panel.

2. Enter the following information and select OK:

Name                                           Route_A

Phase 1                                       Site_2_A

Advanced

Source Address                        10.31.101.0/24

3. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_B

Phase 1                                       Site_2_B

Advanced

Source Address                        10.31.101.0/24

 

To configure routes

1. Go to Network > Static Routes.

2. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_A

Distance (Advanced)                1

3. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_B

Distance (Advanced)                2

 

To configure security policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_A

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

3. Select Create New.

4. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_B

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

 

Creating a backup IPsec interface

You can configure a route-based VPN that acts as a backup facility to another VPN. It is used only while your main VPN is out of service. This is desirable when the redundant VPN uses a more expensive facility.

You can configure a backup IPsec interface only in the CLI. The backup feature works only on interfaces with static addresses that have dead peer detection enabled. The monitor option creates a backup VPN for the specified Phase 1 configuration.

In the following example, backup_vpn is a backup for main_vpn.

 

config vpn ipsec phase1-interface
    edit main_vpn
        set dpd on
        set interface port1
        set nattraversal enable
        set psksecret "hard-to-guess"
        set remote-gw 192.168.10.8
        set type static
    next
    edit backup_vpn
        set dpd on
        set interface port2
        set monitor main_vpn
        set nattraversal enable
        set psksecret "hard-to-guess"
        set remote-gw 192.168.10.8
        set type static
    end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Redundant route-based VPN configuration example

This example demonstrates a fully redundant site-to-site VPN configuration using route-based VPNs. At each site, the FortiGate unit has two interfaces connected to the Internet through different ISPs. This means that there are four possible paths for communication between the two units. In this example, these paths, listed in descending priority, are:

  • FortiGate_1 WAN 1 to FortiGate_2 WAN 1
  • FortiGate_1 WAN 1 to FortiGate_2 WAN 2
  • FortiGate_1 WAN 2 to FortiGate_2 WAN 1
  • FortiGate_1 WAN 2 to FortiGate_2 WAN 2

 

Example redundant route-based VPN configuration

For each path, VPN configuration, security policies and routing are defined. By specifying a different routing distance for each path, the paths are prioritized. A VPN tunnel is established on each path, but only the highest priority one is used. If the highest priority path goes down, the traffic is automatically routed over the next highest priority path. You could use dynamic routing, but to keep this example simple, static routing is used.
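The distance-based path selection described in this paragraph (and in the identical paragraph of the partially redundant example above) can be modelled directly. The following Python is an added example written for this page; it is not FortiOS code or handbook content. It takes the five static routes configured on FortiGate_1 in this example and assumes a simplified routing model: longest prefix match first, then the lowest distance among routes whose egress interface is up (a route-based tunnel whose Phase 1 is declared dead by DPD is treated as a down interface). The blackhole route helper and its distance of 5 are an assumption added here, not part of the handbook example.

```python
"""Model of static-route failover for the redundant route-based VPN example.

Added example, not from the FortiOS handbook. Assumes a simplified model:
longest prefix match, then lowest administrative distance among routes whose
device is up. The blackhole route is an assumption added here.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class StaticRoute:
    """One entry from Network > Static Routes."""
    dst: IPv4Network
    device: str                 # physical interface or virtual IPsec interface
    distance: int               # administrative distance; lower is preferred
    gateway: Optional[str] = None
    blackhole: bool = False     # discard matching traffic (assumed addition)


BLACKHOLE = "blackhole"

# The routes from the FortiGate_1 "To configure routes" steps of this example.
FORTIGATE_1_ROUTES: List[StaticRoute] = [
    StaticRoute(IPv4Network("0.0.0.0/0"), "WAN1", 10, gateway="192.168.10.1"),
    StaticRoute(IPv4Network("10.31.101.0/24"), "Site_1_A", 1),
    StaticRoute(IPv4Network("10.31.101.0/24"), "Site_1_B", 2),
    StaticRoute(IPv4Network("10.31.101.0/24"), "Site_1_C", 3),
    StaticRoute(IPv4Network("10.31.101.0/24"), "Site_1_D", 4),
]

ALL_UP = frozenset({"WAN1", "WAN2", "Site_1_A", "Site_1_B", "Site_1_C", "Site_1_D"})


def select_route(routes: Iterable[StaticRoute], dst_ip: str,
                 up_interfaces: Iterable[str]) -> Optional[StaticRoute]:
    """Return the route the forwarding table would use for dst_ip, or None."""
    dst = IPv4Address(dst_ip)
    up = set(up_interfaces)
    candidates = [r for r in routes
                  if dst in r.dst and (r.blackhole or r.device in up)]
    if not candidates:
        return None
    # Longest prefix wins; among equal prefixes the lowest distance is installed.
    return min(candidates, key=lambda r: (-r.dst.prefixlen, r.distance))


def egress_for(routes: Iterable[StaticRoute], dst_ip: str,
               up_interfaces: Iterable[str]) -> Optional[str]:
    """Name of the egress device for dst_ip ('blackhole' if discarded)."""
    r = select_route(routes, dst_ip, up_interfaces)
    if r is None:
        return None
    return BLACKHOLE if r.blackhole else r.device


def failover_sequence(routes: Iterable[StaticRoute], dst_ip: str,
                      failures: Iterable[str],
                      up_interfaces: Iterable[str] = ALL_UP) -> List[Optional[str]]:
    """Take the listed interfaces down one at a time and record the egress after each."""
    up = set(up_interfaces)
    seq = [egress_for(routes, dst_ip, up)]
    for iface in failures:
        up.discard(iface)
        seq.append(egress_for(routes, dst_ip, up))
    return seq


def with_blackhole(routes: Iterable[StaticRoute], network: str,
                   distance: int) -> List[StaticRoute]:
    """Copy of routes plus a blackhole for `network` at `distance` (assumed addition)."""
    return list(routes) + [StaticRoute(IPv4Network(network), BLACKHOLE,
                                       distance, blackhole=True)]


if __name__ == "__main__":
    tunnels = ["Site_1_A", "Site_1_B", "Site_1_C", "Site_1_D"]
    print("as configured:", failover_sequence(FORTIGATE_1_ROUTES, "10.31.101.7", tunnels))
    hardened = with_blackhole(FORTIGATE_1_ROUTES, "10.31.101.0/24", 5)
    print("with blackhole:", failover_sequence(hardened, "10.31.101.7", tunnels))
```

Taking the four tunnel interfaces down in order moves traffic for 10.31.101.0/24 from Site_1_A to Site_1_B, Site_1_C and Site_1_D exactly as the paragraph describes, and because selection is purely distance-based, traffic returns to Site_1_A as soon as that tunnel is up again. The model also shows what happens once all four tunnels are down: the only remaining match is the distance 10 default route, so packets for the remote private network would be forwarded unencrypted to the WAN1 gateway. A blackhole route for the remote network at a distance above the tunnel routes (5 in the model) keeps those packets on the box until a tunnel comes back; that route is an addition to the example, not something the handbook configures.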

 

Configuring FortiGate_1

When configuring FortiGate_1, you must:

  • Configure the interfaces involved in the VPN.
  • Define the Phase 1 configuration for each of the four possible paths, creating a virtual IPsec interface for each one.
  • Define the Phase 2 configuration for each of the four possible paths.
  • Configure routes for the four IPsec interfaces, assigning the appropriate priorities.
  • Configure incoming and outgoing security policies between the internal interface and each of the virtual IPsec interfaces.

 

To configure the network interfaces

1. Go to Network > Interfaces.

2. Select the Internal interface and select Edit.

3. Enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 10.21.101.0/255.255.255.0

4. Select the WAN1 interface and select Edit, enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 192.168.10.2/255.255.255.0

5. Select the WAN2 interface and select Edit, enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 172.16.20.2/255.255.255.0

 

To configure the IPsec interfaces (Phase 1 configurations)

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.

2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

3. Enter the following information, and select OK:

Name                                           Site_1_A

Remote Gateway                       Static IP Address

IP Address                                 192.168.20.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

4. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_1_B

Remote Gateway                       Static IP Address

IP Address                                 172.16.30.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

5. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_1_C

Remote Gateway                       Static IP Address

IP Address                                 192.168.20.2

Local Interface                          WAN2

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

6. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_1_D

Remote Gateway                       Static IP Address

IP Address                                 172.16.30.2

Local Interface                          WAN2

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

 

To define the Phase 2 configurations for the four VPNs

1. Open the Phase 2 Selectors panel.

2. Enter the following information and select OK:

Name                                           Route_A

Phase 1                                       Site_1_A

3. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_B

Phase 1                                       Site_1_B

4. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_C

Phase 1                                       Site_1_C

5. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_D

Phase 1                                       Site_1_D

 

To configure routes

1. Go to Network > Static Routes.

2. Select Create New, enter the following default gateway information and then select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         WAN1

Gateway                                     192.168.10.1

Distance (Advanced)                10

3. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.31.101.0/255.255.255.0

Device                                        Site_1_A

Distance (Advanced)                1

4. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.31.101.0/255.255.255.0

Device                                        Site_1_B

Distance (Advanced)                2

5. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.31.101.0/255.255.255.0

Device                                        Site_1_C

Distance (Advanced)                3

6. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.31.101.0/255.255.255.0

Device                                        Site_1_D

Distance (Advanced)                4

 

To configure security policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information, and then select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_A

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

3. Select Create New.

4. Enter the following information, and select OK:

Incoming Interface                   Site_1_A

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

5. Select Create New.

6. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_B

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

7. Select Create New.

8. Enter the following information, and select OK:

Incoming Interface                   Site_1_B

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

9. Select Create New.

10. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_C

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

11. Select Create New.

12. Enter the following information, and select OK:

Incoming Interface                   Site_1_C

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

13. Select Create New.

14. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_1_D

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

15. Select Create New.

16. Enter the following information, and select OK:

Incoming Interface                   Site_1_D

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

 

Configuring FortiGate_2

The configuration for FortiGate_2 is very similar to that of FortiGate_1. You must:

  • Configure the interfaces involved in the VPN.
  • Define the Phase 1 configuration for each of the four possible paths, creating a virtual IPsec interface for each one.
  • Define the Phase 2 configuration for each of the four possible paths.
  • Configure routes for the four IPsec interfaces, assigning the appropriate priorities.
  • Configure incoming and outgoing security policies between the internal interface and each of the virtual IPsec interfaces.

 

To configure the network interfaces

1. Go to Network > Interfaces.

2. Select the Internal interface and then select Edit. Enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 10.31.101.0/255.255.255.0

3. Select the WAN1 interface and then select Edit. Enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 192.168.20.2/255.255.255.0

4. Select the WAN2 interface and then select Edit. Enter the following information and then select OK:

Addressing mode                     Manual

IP/Netmask                                 172.16.30.2/255.255.255.0

 

To configure the IPsec interfaces (Phase 1 configurations)

1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.

2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).

3. Enter the following information, and select OK:

Name                                           Site_2_A

Remote Gateway                       Static IP Address

IP Address                                 192.168.10.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

4. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_2_B

Remote Gateway                       Static IP Address

IP Address                                 172.16.20.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

5. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_2_C

Remote Gateway                       Static IP Address

IP Address                                 192.168.10.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

6. Create a new tunnel and enter the following Phase 1 information:

Name                                           Site_2_D

Remote Gateway                       Static IP Address

IP Address                                 172.16.20.2

Local Interface                          WAN1

Mode                                           Main

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key.

Peer Options                             Any peer ID

Advanced

Dead Peer Detection                 Select

 

To define the Phase 2 configurations for the four VPNs

1. On the first VPN route, open the Phase 2 Selectors panel.

2. Enter the following information and select OK:

Name                                           Route_A

Phase 1                                       Site_2_A

3. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_B

Phase 1                                       Site_2_B

4. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_C

Phase 1                                       Site_2_C

5. Enter the following Phase 2 information for the subsequent route:

Name                                           Route_D

Phase 1                                       Site_2_D

 

To configure routes

1. Go to Network > Static Routes.

2. Select Create New, enter the following default gateway information and then select OK:

Destination IP/Mask                 0.0.0.0/0.0.0.0

Device                                         WAN1

Gateway                                     192.168.10.1

Distance (Advanced)                10

3. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_A

Distance (Advanced)                1

4. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_B

Distance (Advanced)                2

5. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_C

Distance (Advanced)                3

6. Select Create New, enter the following information and then select OK:

Destination IP/Mask                 10.21.101.0/255.255.255.0

Device                                        Site_2_D

Distance (Advanced)                4

 

To configure security policies

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_A

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

3. Select Create New.

4. Enter the following information, and select OK:

Incoming Interface                   Site_2_A

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

5. Select Create New.

6. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_B

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

7. Select Create New.

8. Enter the following information, and select OK:

Incoming Interface                   Site_2_B

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

9. Select Create New.

10. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_C

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

11. Select Create New.

12. Enter the following information, and select OK:

Incoming Interface                   Site_2_C

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

13. Select Create New.

14. Enter the following information, and select OK:

Incoming Interface                   Internal

Source Address                        All

Outgoing Interface                   Site_2_D

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

15. Select Create New.

16. Enter the following information, and select OK:

Incoming Interface                   Site_2_D

Source Address                        All

Outgoing Interface                   Internal

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT


Configure the VPN peers – route-based VPN

VPN peers are configured using Interface Mode for redundant tunnels. Configure each VPN peer as follows:

1. Ensure that the interfaces used in the VPN have static IP addresses.

2. Create a Phase 1 configuration for each of the paths between the peers.

3. Enable dead peer detection so that one of the other paths is activated if this path fails.

4. Enter these settings in particular, and any other VPN settings as required:

Path 1

Remote Gateway                       Select Static IP Address.

IP Address                                 Type the IP address of the primary interface of the remote peer.

Local Interface                          Select the primary public interface of this peer.

Dead Peer Detection                 Enable

 

Path 2

Remote Gateway                       Select Static IP Address.

IP Address                                 Type the IP address of the secondary interface of the remote peer.

Local Interface                          Select the primary public interface of this peer.

Dead Peer Detection                 Enable

 

Path 3

Remote Gateway                       Select Static IP Address.

IP Address                                 Type the IP address of the primary interface of the remote peer.

Local Interface                          Select the secondary public interface of this peer.

Dead Peer Detection                 Enable

 

Path 4

Remote Gateway                       Select Static IP Address.

IP Address                                 Type the IP address of the secondary interface of the remote peer.

Local Interface                          Select the secondary public interface of this peer.

Dead Peer Detection                 Enable

For more information, see Phase 1 parameters on page 1624.

5. Create a Phase 2 definition for each path. See Phase 2 parameters on page 1642. Select the Phase 1 configuration (virtual IPsec interface) that you defined for this path. You can select the name from the Static IP Address part of the list.

6. Create a route for each path to the other peer. If there are two ports on each peer, there are four possible paths between the peer devices.

Destination IP/Mask                 The IP address and netmask of the private network behind the remote peer.

Device                                         One of the virtual IPsec interfaces on the local peer.

Distance                                     For each path, enter a different value to prioritize the paths.

7. Define the security policy for the local primary interface. See Defining VPN security policies on page 1648. You need to create two policies for each path to enable communication in both directions. Enter these settings in particular:

Incoming Interface                   Select the local interface to the internal (private) network.

Source Address                        All

Outgoing Interface                   Select one of the virtual IPsec interfaces you created in Step 2.

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

8. Select Create New, leave the Policy Type as Firewall and leave the Policy Subtype as Address, and enter these settings:

Incoming Interface                   Select one of the virtual IPsec interfaces you created in Step 2.

Source Address                        All

Outgoing Interface                   Select the local interface to the internal (private) network.

Destination Address                 All

Schedule                                    Always

Service                                       Any

Action                                         ACCEPT

9. Place the policy in the policy list above any other policies having similar source and destination addresses.

10. Repeat this procedure at the remote FortiGate unit.
