Technical Tip: How to set up IPsec VPN between FortiGate and Cisco Meraki
Description
This article describes how to set up an IPsec VPN between a FortiGate and a Cisco Meraki.
Scope
FortiGate.
Solution
Prerequisites:
- FortiGate (with basic configuration).
- Cisco Meraki (with basic configuration).
- Internet connection on both ends.
- 209.10.10.1 is the FortiGate side WAN IP and 209.10.10.2 is the Meraki side WAN IP.
Configuration on HO side (FortiGate):
config vpn ipsec phase1-interface
    edit "HO_GW"
        set interface "wan"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 2
        set remote-gw 209.10.10.2
        set psksecret "admin123"
        set keylife 1800
    next
end
config vpn ipsec phase2-interface
    edit "HO_Phase2"
        set phase1name "HO_GW"
        set pfs enable
        set dhgrp 2
        set keylife-type seconds
        set keylifeseconds 3600
        set proposal aes256-sha256
    next
end
Note:
- The required firewall policies and static route must also be configured on the FortiGate side; without them the tunnel can come up but no traffic will be forwarded through it.
- For more than one subnet under Phase 2 (both local and remote), it is recommended to configure each of them on a separate Phase 2: Technical Tip: IPsec VPN between FortiGate and other Vendor with multiple subnets
Branch Office Router (Meraki):
Go to Security & SD-WAN -> Site-to-site VPN.

Select Automatic for the NAT-T.

Since the remote peer is FortiGate, under Non-Meraki Peers, select Add a peer.

Set up the VPN config as below:

Note: If the FortiGate device is behind NAT, the Cisco Meraki device may require the "Remote ID" section to point to the private IP set on the FortiGate WAN interface. For more details refer to: IPsec VPN Peers
Phase 1 encryption/authentication part:

Phase 2 encryption/authentication part:

Define the remote peer subnet:

Troubleshooting:
If the tunnel does not come up, the following debugs on the FortiGate can be helpful:
diagnose debug application ike -1
diagnose debug enable
To stop the debugs:
diagnose debug disable
diagnose debug reset
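As an added example (not part of the original article), the same IKE debug can be limited to this peer and combined with a forced renegotiation and two status checks, so that the output only shows the exchange with 209.10.10.2 and the resulting gateway and tunnel state. The "log filter" syntax differs between FortiOS releases; the form shown is assumed here for recent releases (older builds expose it as "diagnose vpn ike log-filter dst-addr4"), so check the release notes if the command is rejected.

```fortios
diagnose vpn ike log filter rem-addr4 209.10.10.2
diagnose debug application ike -1
diagnose debug enable
diagnose vpn ike gateway clear name HO_GW
diagnose vpn ike gateway list name HO_GW
diagnose vpn tunnel list name HO_GW
diagnose debug disable
diagnose debug reset
diagnose vpn ike log filter clear
```

Clearing the gateway forces a fresh IKE negotiation while the debug is running, so the failure (for example a proposal mismatch or an AUTHENTICATION_FAILED notify as covered in the related articles) appears immediately rather than at the next rekey. The gateway list shows whether Phase 1 is established, and the tunnel list shows the negotiated Phase 2 selectors, which should match the subnets configured on the Meraki.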
Related articles:
Troubleshooting Tip: Error 'received notify type AUTHENTICATION_FAILED' is obtained when the IPsec tunnel is down
Troubleshooting Tip: FortiGate sends 'local id' in FQDN type when negotiating an IPsec tunnel with Cisco (and other 3rd party vendors)
