Monday, April 18, 2016

FortiGate: How to create an IPsec tunnel on a FortiGate firewall?

Go to VPN > IPsec > Auto Key (IKE)

Create Phase 1:

Name: local2remote
Remote Gateway: public IP of the remote peer's external interface
Local Interface: the WAN interface the tunnel is terminated on
Mode: Main (ID Protection)
Authentication Method: RSA Signature
Certificate Name: Fortinet_Factory
Peer Options: Accept any Peer ID
Advanced: IPsec interface mode should be selected with all other defaults

Create Phase 2:

Name: local2remote2
Phase 1: local2remote

Assign address to your tunnel interfaces

Go to System > Network > Interface

  • Expand the port your tunnel is created on
  • Select local2remote and edit
  • Assign IP and Remote IP: this can be any pair of addresses not already used on your network, e.g. 172.2.2.1 and 172.2.2.2

Now create address objects for both the local and the remote subnet

Go to Firewall > Address > Address

Create New:

Name: remote_subnet
Type: Subnet/IP range
Subnet/IP: 10.10.20.0
Interface: Any

Create New:

Name: local_subnet
Type: Subnet/IP range
Subnet/IP: 10.10.10.0
Interface: Any

Create Firewall Policies to allow VPN traffic

Go to Firewall > Policy > Policy

Create New: Inbound Tunnel

Source Interface: local2remote
Source Address: All
Destination Interface/Zone: Internal(LAN)
Destination Address: local_subnet
Schedule: Always
Service: Any
Action: Accept

Create New: Outbound Tunnel

Source Interface: Internal(LAN)
Source Address: All
Destination Interface/Zone: local2remote
Destination Address: remote_subnet
Schedule: Always
Service: Any
Action: Accept

The last step is to create policy routes so that only the LAN traffic bound for the remote subnet is sent through the tunnel

Go to Router > Static > Policy Route

Create New: Send all traffic from LAN to Wan for internet access

Incoming Interface: Internal(LAN)
Source Address/Mask: 0.0.0.0/0.0.0.0
Destination Address/Mask: 0.0.0.0/0.0.0.0
Force Traffic to:
Outgoing Interface: Wan

Create New: Send traffic from LAN to Tunnel for internal resources

Incoming Interface: Internal(LAN)
Source Address/Mask: 0.0.0.0/0.0.0.0
Destination Address/Mask: remote_subnet
Force Traffic to:
Outgoing Interface: local2remote (the IPsec tunnel interface)

NOTE: When creating policy routes, make sure the route for traffic destined to the remote end sits above the route for internet traffic, because policy routes are evaluated top to bottom and the first match wins. The same applies to firewall policies.

Now repeat these steps on the remote firewall (swapping the local and remote values) and bring up the IPsec tunnel:

Go to VPN > IPsec > Monitor

Click Bring Up
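The same configuration as a FortiOS CLI session, added here as an example rather than taken from the original post or from the wiki it references. It assumes interface names `wan1` and `internal`, a placeholder peer address `203.0.113.2` (documentation range), a /24 mask for both subnets (the post gives no mask), and the `remote-ip` syntax of newer FortiOS releases (older releases take it without a mask). Lines starting with `#` are explanatory comments, not commands.

```fortios
# Phase 1: IKEv1 main mode, certificate authentication, accept any peer ID
config vpn ipsec phase1-interface
    edit "local2remote"
        set interface "wan1"            # assumed WAN interface name
        set ike-version 1
        set mode main
        set authmethod signature
        set certificate "Fortinet_Factory"
        set peertype any
        set remote-gw 203.0.113.2       # placeholder: remote peer's public IP
    next
end

# Phase 2: defaults as in the post (selectors 0.0.0.0/0 on both sides).
# Tighter option, not on the page: set src-subnet / dst-subnet to the
# two LAN subnets so only that traffic is ever accepted into the SA.
config vpn ipsec phase2-interface
    edit "local2remote2"
        set phase1name "local2remote"
    next
end

# Tunnel interface addressing (remote side uses the reversed pair)
config system interface
    edit "local2remote"
        set ip 172.2.2.1 255.255.255.255
        set remote-ip 172.2.2.2 255.255.255.255
    next
end

# Address objects; /24 masks are an assumption
config firewall address
    edit "remote_subnet"
        set subnet 10.10.20.0 255.255.255.0
    next
    edit "local_subnet"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# Firewall policies; "edit 0" takes the next free policy ID
config firewall policy
    edit 0
        set name "Inbound Tunnel"
        set srcintf "local2remote"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "local_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Outbound Tunnel"
        set srcintf "internal"
        set dstintf "local2remote"
        set srcaddr "all"
        set dstaddr "remote_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Policy routes: the tunnel route (ID 1) must come before the catch-all
# internet route (ID 2). If they end up in the wrong order, reorder with
# "move 2 before 1" inside "config router policy".
config router policy
    edit 1
        set input-device "internal"
        set src "0.0.0.0/0.0.0.0"
        set dst "10.10.20.0/255.255.255.0"
        set output-device "local2remote"
    next
    edit 2
        set input-device "internal"
        set src "0.0.0.0/0.0.0.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "wan1"
    next
end

# Bring the tunnel up and verify (CLI equivalent of VPN > IPsec > Monitor)
diagnose vpn tunnel up local2remote2 local2remote
diagnose vpn ike gateway list
get vpn ipsec tunnel summary
diagnose firewall proute list
```

`diagnose vpn ike gateway list` confirms Phase 1 negotiated with the expected certificate, `get vpn ipsec tunnel summary` shows the Phase 2 SA and its traffic counters, and `diagnose firewall proute list` prints the policy routes in evaluation order, which is the quickest way to confirm the ordering the NOTE above requires.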


Reference: http://corafamily.net/wiki5/tiki-index.php?page=Creating+ipsec+tunnel+with+Fortigate
