Technical Tip: Site-to-Site VPN - FortiGate to SonicWALL
Description
This article describes how to set up a basic site-to-site VPN between a FortiGate running FortiOS 3.0 in NAT mode and a SonicWALL Firewall device.
Fortinet is not a service provider for SonicWALL equipment and is in no way responsible for any setup questions or deficiencies found within said devices. Fortinet support will only be responsible for the technical aspects of FortiGate device problem-solving and troubleshooting.
Scope
FortiGate running FortiOS 3.0 in NAT mode; any SonicWALL device (no specific model).
Solution
FortiGate Device Settings
To configure the Phase1 settings
Go to VPN -> IPSec -> Phase 1.
Select Create New and enter the following:
- Gateway Name: ToSonicWall (this name is referenced by the Phase 2 and the firewall policy below).
- Remote Gateway: Static IP Address.
- IP Address: the SonicWALL's public (WAN) IP address.
- Local Interface: wan1 (or whichever interface faces the Internet).
- Mode: Main
- Authentication Method: Preshared Key
- Preshared Key: the shared secret; the same value must be entered on the SonicWALL.
Select Advanced and enter the following:
- Encryption: 3DES.
- Authentication: SHA1.
- DH Group: 2.
- Keylife: 28800.
- Dead Peer Detection: Disabled.
- Leave all other settings at their defaults.
These Phase 1 values must match the SonicWALL's IKE proposal exactly. 3DES, SHA1 and DH group 2 are used here for broad compatibility; where both devices support it, prefer AES and a stronger DH group.
Select OK.
To configure the Phase 2 settings
Go to VPN -> IPSec -> Phase 2.
Select Create New and enter the following:
- Tunnel Name: SonicWallP2
- Remote Gateway: Select ToSonicWall
Select Advanced and enter the following:
- Encryption: 3DES
- Authentication: SHA1
- Enable replay detection: Unchecked (anti-replay is a security control; re-enable it once the tunnel is established and stable)
- DH group: 2
- Keylife: 28800
- Autokey Keep Alive: Checked
- Quick Mode Selector
- Source address: Internal LAN Subnet
- Destination address: Remote LAN Subnet
Select OK.
To add the addresses
- Go to Firewall -> Address.
- Select Create New to create the FortiGate address.
- Enter a name for the address, for example FortiGate_network.
- Enter the FortiGate LAN subnet (the Internal LAN Subnet used as the Phase 2 source address).
- Select OK.
- Select Create New again to create the SonicWALL address.
- Enter a name for the address, for example SonicWall_network.
- Enter the SonicWALL LAN subnet (the Remote LAN Subnet used as the Phase 2 destination address).
- Select OK.
To create the firewall policy that sends traffic between the FortiGate LAN and the SonicWALL LAN through the tunnel (a single ENCRYPT policy with inbound and outbound allowed covers both directions):
- Go to Firewall -> Policy.
- Select Create New and set the following:
- Source Interface: Internal
- Source Address Name: FortiGate_network (the Internal LAN Subnet)
- Destination Interface: WAN1 (or whichever interface faces the Internet)
- Destination Address Name: SonicWall_network (the Remote LAN Subnet)
- Schedule: always
- Service: ANY
- Action: ENCRYPT
- VPN Tunnel: ToSonicWall
- Select Allow inbound
- Select Allow outbound
Select OK.
Configure the SonicWALL Device
Create a new VPN policy on the SonicWALL and go to the 'General' tab.
Under Security Policy
- Authentication Method: IKE using Preshared Secret
- Name: ToFortiGate
- IPSec Primary Gateway Name or Address: FortiGate public IP address (the address of the FortiGate's wan1 interface)
- IKE Authentication
- Shared Secret: preshared key (the same value entered on the FortiGate)
- Confirm Shared Secret: preshared key
- Leave the other settings at their defaults.
Create two address objects on the SonicWALL: one for the SonicWALL's own LAN and one for the FortiGate's LAN (the subnets the FortiGate configuration calls Remote LAN Subnet and Internal LAN Subnet respectively).
Go to the 'Network' tab.
- Local Networks
- Choose local network from list: the SonicWALL's own LAN subnet (the FortiGate's Remote LAN Subnet)
- Remote Networks
- Choose destination network from list: the FortiGate's LAN subnet (the FortiGate's Internal LAN Subnet)
The networks are mirrored relative to the FortiGate: the SonicWALL's local network must equal the FortiGate's Phase 2 destination address and its remote network the FortiGate's Phase 2 source address, or Phase 2 will not negotiate.
Go to the 'Proposals' tab:
- IKE (Phase 1) Proposal
- Exchange: Main Mode
- DH Group: Group2
- Encryption: 3DES
- Authentication: SHA1
- Life Time(seconds): 28800
- IPSec (Phase 2) Proposal
- Protocol: ESP
- Encryption: 3DES
- Authentication: SHA1
- Enable Perfect Forward Secrecy: Checked
- DH Group: Group2
- Life Time (seconds): 28800
Go to the 'Advanced' tab.
- Enable Keep Alive: Checked
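Once both sides are configured, the tunnel can be checked from the FortiGate CLI. This is an added example, not part of the original article; the diagnose commands are assumed to be available on this FortiOS 3.0 release, and 192.168.1.1 / 192.168.2.1 are constructed sample hosts on the FortiGate and SonicWALL LANs.

```fortios
# Added example: verifying the tunnel from the FortiGate CLI (not Fortinet's text).
# Constructed sample addresses: 192.168.1.1 = FortiGate LAN address,
# 192.168.2.1 = a host behind the SonicWALL.

# 1. IKE (Phase 1) state: the SonicWALL gateway should be listed as established
diagnose vpn ike gateway list

# 2. IPSec (Phase 2) SAs: look for selectors 192.168.1.0/24 <-> 192.168.2.0/24
diagnose vpn tunnel list

# 3. If the tunnel does not come up, trace the IKE negotiation while sending
#    interesting traffic from the FortiGate LAN towards the SonicWALL LAN
diagnose debug application ike -1
diagnose debug enable
execute ping-options source 192.168.1.1
execute ping 192.168.2.1
# A NO-PROPOSAL-CHOSEN notification from the peer means the encryption,
# authentication, DH group or lifetime does not match the SonicWALL proposal.
# Phase 1 established but Phase 2 failing usually means the quick mode
# selectors do not mirror the SonicWALL's Local/Remote networks.
diagnose debug disable
```

Run the ping with a source address on the FortiGate LAN; a ping sourced from the wan1 address does not match the ENCRYPT policy and will not trigger the tunnel.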
