The lab environment consists of one FortiGate and one OPNsense device, both installed as virtual appliances on top of Hyper-V. More details on how to install FortiGate VM on Hyper-V can be found at this link: Technical Tip: Install FortiGate-VM on Hyper-V and apply Permanent Trial License. Steps on how to set up OPNsense on top of Hyper-V can be found in the vendor knowledge base; this article does not cover that topic.

Below are the configurations that should be checked before setting up the IPsec tunnel.

Set up OPNsense:

- Interface configuration (Interfaces):
  - LAN port with static IP address 172.16.1.20.
  - WAN port with DHCP configuration (a static configuration is similar to the LAN port).
- Routes and default route: System -> Gateways -> Configuration.
- Firewall rules to allow IPsec traffic through the WAN port: create new rules under Firewall -> Rules -> WAN to allow IPsec traffic.
- Phase 1: interface configuration under VPN -> IPsec -> Tunnel Settings; press '+' under the Phase 1 section.
  - General information for the phase1-interface: Connection method: default. Key Exchange version: V2. Internet Protocol: IPv4. Interface: WAN. Remote gateway: 192.168.179.54. Description: Connection to FortiGate WAN IP.
  - Phase 1 proposal (Authentication): Authentication method: Mutual PSK. My identifier: My IP address. Peer identifier: Peer IP address. Pre-Shared Key: the pre-shared key.
  - Phase 1 proposal (Algorithms): Encryption algorithm: AES. Hash algorithm: SHA512. DH key group: 14 (2048 bit). Lifetime: 28800 sec.
  - Advanced options: Rekey, NAT-T, and DPD can be configured under this section. For this test, DPD and NAT Traversal are enabled.
- Phase 2: interface configuration under VPN -> IPsec -> Tunnel Settings; press '+' in front of the Phase 1 entry that was just created.
  - General settings: Mode: Tunnel IPv4. Description: LocalTraffic-to-FortigateInternalSubnet.
  - Local Network: Type: LAN Subnet.
  - Remote Network: Type: Network. Address: 10.10.10.0/24.
  - Phase 2 proposal (SA/Key Exchange).

The final view should be like this:
- Create firewall addresses (aliases) for the local and remote subnets so they can be referenced in firewall rules: Firewall -> Aliases. Name: FortiGateLan. Type: Network(s). Content: 10.10.10.0/24.
- Firewall rules to allow traffic from the local network to the remote network, and the return traffic as well: Firewall -> Rules -> IPsec. Create two rules, one for inbound and one for outbound traffic.
Set up FortiGate IPsec.

Phase 1 interface (CLI):

    config vpn ipsec phase1-interface
        edit "ToOpnsense"
            set interface "port1"
            set peertype any
            set net-device disable
            set proposal aes256-sha256
            set comments "VPN: ToOpnsense (Created by VPN wizard)"
            set dhgrp 14
            set wizard-type static-fortigate
            set remote-gw 192.168.178.96
            set psksecret ENC ******
        next
    end

GUI setup:

Phase 2 interface (CLI):

    config vpn ipsec phase2-interface
        edit "TrafficSelectors"
            set phase1name "ToOpnsense"
            set proposal aes256-sha512
            set dhgrp 14
            set src-subnet 10.10.10.0 255.255.255.0
            set dst-subnet 172.16.1.0 255.255.255.0
        next
    end
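The two ends of the tunnel have to mirror each other: the same encryption, hash and DH group in each phase, and traffic selectors that are reversed (the FortiGate's source subnet is the OPNsense remote network). The following checker is an added example written for this article, not Fortinet's or OPNsense's code. It parses FortiGate `config / edit / set` CLI text into dictionaries and compares it with the values entered in the OPNsense GUI, returning a list of mismatches. The addresses, subnets and phase 2 values are the article's; the sample is constructed so that the phase 1 proposal is `aes256-sha512`, matching the OPNsense Phase 1 hash, because the phase 1 CLI shown above (`aes256-sha256`) would be reported as a proposal mismatch against an OPNsense Phase 1 set to SHA512. Function and dictionary names are this example's own.

```python
"""Added example (not from the article): cross-check both ends of the tunnel.

parse_fortigate() turns FortiGate 'config / edit / set' CLI text into dicts;
check_tunnel() compares it with the OPNsense GUI values so a proposal, DH group
or traffic-selector mismatch is found before digging through IKE logs.
All sample values are constructed; names are this example's own.
"""
import ipaddress
import re

# Constructed FortiGate CLI sample; the phase1 proposal is aes256-sha512
# here so that the baseline agrees with the OPNsense side.
FORTIGATE_CLI = """
config vpn ipsec phase1-interface
    edit "ToOpnsense"
        set interface "port1"
        set proposal aes256-sha512
        set dhgrp 14
        set remote-gw 192.168.178.96
    next
end
config vpn ipsec phase2-interface
    edit "TrafficSelectors"
        set phase1name "ToOpnsense"
        set proposal aes256-sha512
        set dhgrp 14
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 172.16.1.0 255.255.255.0
    next
end
"""

# Constructed mirror of the OPNsense GUI fields (VPN -> IPsec -> Tunnel Settings).
OPNSENSE_GUI = {
    "phase1": {"encryption": "AES", "key_length": 256, "hash": "SHA512", "dh_group": 14},
    "phase2": {"encryption": "AES", "key_length": 256, "hash": "SHA512", "pfs_group": 14,
               "local_network": "172.16.1.0/24", "remote_network": "10.10.10.0/24"},
}


def parse_fortigate(cli_text):
    """Return {table: {entry: {key: value}}} from 'config ... edit ... set ... next / end'."""
    tables, table, entry = {}, None, None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = line[len("config "):]
            tables.setdefault(table, {})
        elif line.startswith("edit ") and table is not None:
            entry = line[len("edit "):].strip('"')
            tables[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            tables[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables


def fortigate_proposals(value):
    """Expand 'aes256-sha512 aes128-sha256' into {(cipher, bits, hash), ...}."""
    out = set()
    for item in value.split():
        m = re.fullmatch(r"(3des|[a-z]+)(\d+)?-(\w+)", item)
        if m:
            out.add((m.group(1).upper(), int(m.group(2)) if m.group(2) else None, m.group(3).upper()))
    return out


def subnet_to_cidr(value):
    """'10.10.10.0 255.255.255.0' (FortiGate form) -> '10.10.10.0/24' (OPNsense form)."""
    net, mask = value.split()
    return str(ipaddress.ip_network(f"{net}/{mask}", strict=False))


def check_tunnel(cli_text, opn):
    """Return a list of mismatch descriptions; an empty list means both ends agree."""
    fg = parse_fortigate(cli_text)
    p1_name, p1 = next(iter(fg["vpn ipsec phase1-interface"].items()))
    p2 = next(iter(fg["vpn ipsec phase2-interface"].values()))
    o1, o2 = opn["phase1"], opn["phase2"]
    problems = []
    for label, fg_entry, opn_side, group_key in (("phase1", p1, o1, "dh_group"),
                                                ("phase2", p2, o2, "pfs_group")):
        want = (opn_side["encryption"], opn_side["key_length"], opn_side["hash"])
        if want not in fortigate_proposals(fg_entry["proposal"]):
            problems.append(f"{label} proposal: FortiGate offers '{fg_entry['proposal']}', OPNsense uses {want}")
        if int(fg_entry["dhgrp"]) != opn_side[group_key]:
            problems.append(f"{label} DH group: FortiGate {fg_entry['dhgrp']} vs OPNsense {opn_side[group_key]}")
    if p2["phase1name"] != p1_name:
        problems.append(f"phase2 is bound to '{p2['phase1name']}', not to '{p1_name}'")
    # Traffic selectors are mirrored: FortiGate's source subnet is OPNsense's remote network.
    if subnet_to_cidr(p2["src-subnet"]) != o2["remote_network"]:
        problems.append("phase2 src-subnet does not match the OPNsense remote network")
    if subnet_to_cidr(p2["dst-subnet"]) != o2["local_network"]:
        problems.append("phase2 dst-subnet does not match the OPNsense local network")
    return problems
```

Run `check_tunnel(FORTIGATE_CLI, OPNSENSE_GUI)` after pasting the real `show vpn ipsec phase1-interface` and `phase2-interface` output into `FORTIGATE_CLI` and the GUI values into `OPNSENSE_GUI`; an empty list means the parameters agree. The checker covers only the IKE and IPsec parameters; the WAN firewall rules from the OPNsense steps (IKE on UDP 500, NAT-T on UDP 4500, and ESP) and the pre-shared key still have to be verified by hand.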
Note that if private IP ranges are used for testing purposes, OPNsense will block them unless 'Block private networks' under Interfaces -> WAN is disabled.

Related document: IPsec VPN tunnels - Fortinet Community