Anne
New Member
August 6, 2013
Question

IPSec LAN to LAN tunnel

Hi there,

We have got a Fortigate 111C running v5.0, build0179 (GA Patch 2). I have to set up a LAN to LAN tunnel between this Fortigate unit and a Cisco ASA. I have done this in the past on version 4.3. This is my first time for version 5.0.

What I have done so far is:

1) Defined Phase1 (name TunPh1) -- Correct
2) Defined Phase2 (name TunPh2) -- Correct

I am trying to set up a policy based tunnel, so when I go to Policy --> Create New and select Policy Type as "VPN" and then select Policy Sub Type as "IPSec", I select all other options correctly until I reach the "VPN Tunnel" option. I select "Use Existing". When I click on the drop down button next to VPN Tunnel, I cannot see the tunnel I created. Nothing happens when I click on "Click to set". What am I doing wrong?

If I select policy type as "Firewall" and Policy SubType as "Address" and select Incoming Interface as "Internal" and select Outgoing Interface as "wan1", under Action, I do not see an option for "IPSec". So how does the Firewall know that this traffic is the vpn traffic?

Why is it getting so complicated? It was so easy to set this up in version 4.3.

Please help.

Thanks
Anne

    4 replies

    Dipen
    New Member
    August 6, 2013
    This is happening because you have configured IPSEC VPN in "Interface Mode", which is recommended in case of Fortigate to Fortigate VPNs. In this case the Fortigate will create a Virtual Subinterface under the WAN Interface. Choose to create a Firewall Policy --> Select source interface as "Virtual Subinterface" for outgoing traffic and vice versa ----> Choose action simply as Accept.

    The other mode is Tunnel Mode... where you have to choose Policy Type as VPN and action as "IPSEC". Only in Tunnel Mode can you select the "Tunnel".

    Requesting expert members to suggest, in case of Cisco <--> Fortigate VPNs, whether we should select "Interface Mode" or "Tunnel Mode".
    ede_pfau
    SuperUser
    August 6, 2013
    I would definitely stay with IPsec 'Interface Mode'. I guess it's per default now in FOS 5, though I've seen that as a default in 4.3 also. Like Dipen posted, you will get a new virtual tunnel interface which you can use like any other interface (port) on your FGT. For traffic to pass through the tunnel, you need at least a regular policy 'internal' -> 'tunnel', action ACCEPT. And additionally a static route, specifying the remote subnet being behind the 'tunnel' interface (no gateway spec needed).

    There have been successful VPN tunnels (even) to Cisco ASAs in the past, on the forums. I hope you'll find a thread with 1:1 instructions. But I wouldn't expect any difficulties if you leave out DH groups initially etc.
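Added example, not code from any post in this thread: the interface-mode recipe ede_pfau describes (phase 1 as an interface, a plain ACCEPT policy each way, and a static route pointing at the tunnel interface) written out as FortiOS 5.0 CLI. TunPh1, TunPh2, internal and wan1 are the names used in the thread; the peer address 203.0.113.10, the subnets 192.168.1.0/24 and 10.0.0.0/24, the proposal and the key placeholder are assumed and have to match whatever the ASA side is configured with.

```fortios
# Added example; peer, subnets, proposal and key are assumed placeholders. Phase 1 in interface mode creates the virtual tunnel interface "TunPh1" under wan1.
config vpn ipsec phase1-interface
    edit "TunPh1"
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes256-sha1
        set psksecret "REPLACE-WITH-SHARED-KEY"
    next
end
config vpn ipsec phase2-interface
    edit "TunPh2"
        set phase1name "TunPh1"
        set proposal aes256-sha1
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
end
config firewall address
    edit "local_lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "remote_lan"
        set subnet 10.0.0.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "TunPh1"
        set srcaddr "local_lan"
        set dstaddr "remote_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "TunPh1"
        set dstintf "internal"
        set srcaddr "remote_lan"
        set dstaddr "local_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Remote subnet is reached via the tunnel interface itself; no gateway address is set.
config router static
    edit 0
        set dst 10.0.0.0 255.255.255.0
        set device "TunPh1"
    next
end
```

Because the tunnel is an ordinary interface here, it is selected in the policy's interface fields rather than through a VPN/IPSec policy type, which is why the "IPSec" action from 4.3 tunnel-mode setups does not appear.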
    Dipen
    New Member
    August 6, 2013
    http://kb.fortinet.com/kb/microsites/microsite.do?cmd=displayKC&externalId=13574

    The above article might help... but it is again in "Tunnel Mode" and not "Interface Mode". Now Interface mode is default and recommended... but the above article can help with respect to DPD, PFS etc. settings.
    Anne
    Author
    New Member
    August 6, 2013
    Thank you Dipen and ede_pfau. It was very useful. It was not that complicated in version 4.3.

    Thanks again,
    Anne