Skip to main content
alif
Staff
alif
Staff
April 29, 2009

Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)

  • April 29, 2009
  • 0 replies
  • 230056 views

Description

 

This article explains the configuration of site to site VPN  where both sites have a static public IP on the WAN interface. 
 
It covers both wizard and manual configuration.


Scope

 

FortiGate v6.2 or higher. 

Solution


The following are the IP address information for both FortiGates.

Device
 FortiGate - I
 FortiGate - II
Wan IP 172.25.176.62 172.25.177.46
LAN IP 192.168.65.0/24 192.168.13.0/24

 

FortiGate: I Configuration.
To create an IPsec VPN tunnel on the FortiGate device, select VPN -> IPSec Wizard and input the tunnel name.

Select the Template Type as Site to Site, the 'Remote Device Type' as FortiGate, and select NAT Configuration as No NAT between sites.
 
 
Select 'Next' to move to the Authentication part.
In the Authentication step, set IP Address to the WAN IP address of the remote FortiGate (in the example, 172.25.177.46).
 
After the WAN IP address is entered, the wizard automatically assigns an interface as the Outgoing Interface.
If a different interface should be used, this needs to be selected from the drop-down menu.
Set a secure Pre-shared Key (PSK). The remote peer can also be authenticated via a certificate, as explained here.
 
 
In the Policy & Routing step, set Local Interface to LAN.
The wizard adds the local subnet automatically.
Set Remote Subnets to the Branch network’s subnet (in the example, 192.168.13.0/24).
Set Internet Access to None.
 
 
A summary page shows the configuration created by the wizard, including interfaces, firewall addresses, routes, and policies.
The wizard automatically configures the phase2 selectors, firewall address groups, firewall addresses, static routes, blackhole routes and firewall policies.
 
 
To view the VPN interface created by the wizard, go to Network -> Interfaces.
 
 
To view the firewall addresses created by the wizard, go to Policy & Objects - > Addresses.
 
 
To view the routes created by the wizard, go to Network -> Static Routes.
 
Note:
In cases where static routes were not automatically generated when the VPN wizard was not used, it is recommended to manually add a static route to the remote subnet(s) pointing to the tunnel interface and add a blackhole route to prevent VPN traffic from egressing the default route (typically to the public internet) when the VPN tunnel flaps.
 
 
  
To view the policies created by the wizard, go to Policy & Objects -> IPv4 Policy.
 
  
FortiGate: II Configuration.

To create a new IPsec VPN tunnel, connect to FGT-II, go to VPN > IPsec Wizard, and create a new tunnel.
In the VPN Setup step, set Template Type to Site to Site, set Remote Device Type to FortiGate, and set NAT Configuration to No NAT between sites.
 
 
 
In the Authentication step, set IP Address to the WAN IP address of FGT-I (in the example, 172.25.176.62).
After the IP address is entered, the wizard automatically assigns an interface as the Outgoing Interface.
If a different interface needs to be used, select it from the drop-down menu.
 
Set the same secure Pre-shared Key (PSK) that was used for the VPN on FortiGate-I.
 
 
 
Note:
Make sure the remote public IP is reachable via the interface (in the example wan1).
 
Command to verify :
 
get router info routing-table details x.x.x.x         <----- x.x.x.x is the public of the remote site.
 
wan1routing.PNG
 
In the Policy & Routing step, set Local Interface to LAN. The wizard adds the local subnet automatically. Set Remote Subnets to the HQ network’s subnet (in the example, 192.168.65.0/24).
 
Set Internet Access to 'None'.
 
 
A summary page shows the configuration created by the wizard, including interfaces, firewall addresses, routes, and policies.
 
 
To bring the VPN tunnel up, go to Monitor -> IPsec Monitor. Select 'Status' and select Bring Up.
 
 
There is an option to enable auto-negotiation so that phase2 selectors will always stay up which is explained in the attached article.
 
From FortiOS 7.6.x the GUI layout has changed:
 
FortiGate: Configuration:
Navigate to 'VPN Tunnels' from the Firewall GUI
 
Screenshot 2025-02-22 121859.jpg
Select IPsec tunnel from the template and choose 'Site to Site'.
 
2.jpg

 

Select 'Begin' at the bottom of the GUI 
 
3.jpg

 

Select the appropriate option in this section for 'Authentication Method', 'IKE' version, 'Transport', 'NAT Traversal', etc.

The 'Transport' option is new at v7.6.x and it is available for IKE version 2.

 

Move to the next section to configure the Remote Gateway and Remote Subnet.

 

4.jpg

 

Select 'next' and move to the next section.

 

5.jpg

 

In this section, the 'Outgoing interface', 'Local interface', and 'Local subnets that can access VPN' is configured. Select 'Next'.

 

6.jpg

 

After Review the configuration template can be submitted.

 

7.jpg

 

The Configuration is complete and once the remote side configuration is done correctly the tunnel is expected to come up and actively pass encrypted traffic.

 

Verification:
To verify if the LAN subnets can reach each other over the VPN tunnel, initiate an ICMP echo from the end device pinging the other end.

 

Or

 

Initiate a pingtest on the FortiGate.

 

execute ping-option source x.x.x.x        <-- The source IP should be owned by the FortiGate.

execute ping x.x.x.x          <-- Destination IP address of the end device on the remote site.


Troubleshooting:
If the tunnel UP is not visible, raise a support ticket. It will be helpful to collect the following debug output:

Debug commands:

 

diagnose debug disable
diagnose debug reset

diagnose vpn tunnel list
diagnose vpn ike log filter clear
diagnose vpn ike log-filter dst-addr4  x.x.x.x    <----- Where x.x.x.x is the WAN IP of the remote site.
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

 

Debugs for v7.4.x and v7.6.x firmware version:

 

diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter clear
diagnose vpn ike log filter rem-addr4 x.x.x.x  {x.x.x.x}    <----- Where x.x.x.x is the WAN IP of the remote site.
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable

 

To Stop the debugs logs:

 

diagnose debug disable
diagnose debug reset

 

Open another CLI and run the packet capture commands below.

 

Packet capture:

 

diagnose sniffer packet any "host <x.x.x.x> and (port 500 or port 4500)" 4 0 a      <----- Where x.x.x.x is the WAN IP of the remote site.

 

Once the commands are executed, try to bring the tunnel UP from the GUI (VPN -> IPsec Monitor -> Bring UP or with the command):

 

diagnose vpn tunnel up “vpn_tunnel_name        <----- Where 'vpn_tunnel_name' is the phase1 name of the respective VPN tunnel.


Once the debugs are collected, stop the debug with the command:

 

diagnose debug disable
diagnose debug reset

 

Attach the complete output to the ticket along with the config files of both the FortiGates.

 

 

Related documents:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/281288/site-to-site-ipsec-vpn-with-two-fortigate-devices

Technical Tip: Set the FortiGate unit to bring up IPSec VPN tunnels automatically (Enable Auto-negotitation)

Technical Note: Use of Black hole route in site to site IPsec VPN scenarios

Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity

Troubleshooting Tip: IPsec VPNs tunnels

Technical Tip: Setting multiple DNS server for IPSec dial-up VPN

Technical Tip: NAT-traversal comparison between site-to-site and dial-up” dynamic” tunnels

Technical Tip: FortiGate Hub with multiple IPSec Dial-up phase1 using IKEv2 and PSK authentication

Technical Tip : How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP.

Technical Tip: IPSec dial-up full tunnel with FortiClient

Technical Tip: Differences between Aggressive and Main mode in IPSec VPN configurations

Technical Note: Dynamic routing (BGP) over IPsec tunnel

Technical Tip: OSPF with IPSec VPN for network redundancy

Technical Tip: Dynamic dial-up VPN with OSPF

Technical Tip: Fortinet Auto Discovery VPN (ADVPN)

Technical Tip: 'set net-device' new route-based IPsec logic

Technical Tip: Simple OCVPN deployment

Technical Tip: SD-WAN integration with OCVPN

Technical Tip: Configure IPsec VPN with SD-WAN

Technical Tip: SD-WAN with DDNS type IPsec

Technical Tip: SD-WAN primary and backup ipsec tunnel Scenario

Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode

Technical Note : Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPSec phase1 on a Fortigate

Technical Tip: How to configure IPsec VPN Tunnel using IKE v2

Technical Tip: Hard timeout for Dialup IPSEC VPN Tunnel

 

Note:

V5.0 up to V6.4 are out of engineering support. These commands might be different on higher versions.

Consider upgrading the firmware level on the device to a supported version (v7.0 up to v7.6). The firmware path and compatibility, depending on the hardware, can be checked here: Upgrade tool 

    Terms & ConditionsAccessibility statement