Skip to main content
KWigle
KWigle
New Member
July 10, 2015
Solved

Newbie trying basic stuff

  • July 10, 2015
  • 6 replies
  • 10020 views

I am a relative newbie to Fortinet that has a small amount of Fortinet experience but now I need to learn more.  I am fairly conversant with Cisco stuff.

Object - to eventually have two tunnels using certificates going to different networks.

Plan:

1. To set up a direct connection without anything, just wire to wire

2. Demonstrate one ipsec tunnel using passwords/passphrase

3. Demonstrate two tunnels using passwords/passphrase Tear down the above

4. Demonstrate one tunnel using a certificate

5. Demonstrate second tunnel using passwords/passphrase

Tear down password tunnel above

6.Demonstrate a 2nd tunnel using a certificate

 

Endstate possibilities: 2 tunnels using one each certificate/password

and 2 tunnels using only certificates

 

So what I'm playing with: laptop(192) -> Fortinet(.1) -> Fortinet(.2) -> laptop(172)

 

Direct connection: laptop -> Fortinet -> Fortinet -> laptop

from either laptop I can ping the local and remote Fortinet but not the remote laptop

 

Probably a firewall rule but I'm not getting this basic thing to work.

 

Any hints would be appreciated....

 

Kevin

    Best answer by ede_pfau

    hi,

     

    and welcome to the forums.

     

    What have you done so far? Can you post the policies (preferably from the CLI/console window)?

     

    For a basic connection from one LAN to another you need:

    - a route which tells the (leftmost) FGT where to send the traffic for the remote network

    - a policy allowing such traffic

     

    In your case you need this on both sides.

    Of course, the subnets which you want to connect should not use the same address range.

     

    For further analysis we need the output of

    - get router info routing-table all

    - get firewall policy

     

    and info on the subnets involved.

    6 replies

    ede_pfau
    SuperUser
    ede_pfauAnswer
    SuperUser
    July 10, 2015

    hi,

     

    and welcome to the forums.

     

    What have you done so far? Can you post the policies (preferably from the CLI/console window)?

     

    For a basic connection from one LAN to another you need:

    - a route which tells the (leftmost) FGT where to send the traffic for the remote network

    - a policy allowing such traffic

     

    In your case you need this on both sides.

    Of course, the subnets which you want to connect should not use the same address range.

     

    For further analysis we need the output of

    - get router info routing-table all

    - get firewall policy

     

    and info on the subnets involved.

    KWigle
    KWigleAuthor
    New Member
    July 10, 2015

    So I can now ping between the laptops.

     

    Now for the first ipsec tunnel.

     

    Kevin

    Dr_Pepper
    Dr_Pepper
    New Member
    December 12, 2015

    KWigle wrote:

    So I can now ping between the laptops. [...]

     

    How did you solve the problem?

    It sounds like I'm facing the same issue right now..

    KWigle
    KWigleAuthor
    New Member
    December 18, 2015

    at that point several months ago, I set up static routing on both Fortis.......

    Then Firewall objects defined.

    Then Policies defined to allow connection.

    At that point I don't think I had any tunnel up yet.

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    July 10, 2015

    Please supply the info I've asked for if you want help, our crystal balls are foggy today.

    For the VPN, use the Wizard. At first, use a very simple PSK and no fancy encryption algorithm: AES128 + SHA1 would be a standard.

    KWigle
    KWigleAuthor
    New Member
    July 10, 2015

    Please be a bit patient.  My corporate firewalls are murder.

    I made my last entry before I even saw your first reply.

    I will get the info and I appreciate your help.

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    July 10, 2015

    Alright, sorry, didn't mean to press you. We (the forums) are here all day and night.

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    July 10, 2015

    OK, subnet definitions and static route are OK, traffic is flowing.

     

    Do you need pointers setting up the s2s VPN?

    The VPN wizard is new to v5.2. Which version of FortiOS are you using?

    KWigle
    KWigleAuthor
    New Member
    July 10, 2015

    looks like v5.0, build 0208 (GA Patch 3)

     

    These are 2 80 cm, new out of the box but they were purchased over a year ago ........

    ede_pfau
    SuperUser
    ede_pfau
    SuperUser
    July 10, 2015

    One good advice: upgrade firmware to the latest v5.0, which is 5.0.12 before continuing. You really don't want to suffer from the early firmware bugs.

    With that little configuration you can upload the target firmware version in one step. Worstcase you'd lose the config, retyping will be much quicker than going all the immediate upgrade steps that usually are mandatory (see Release Notes).

    Allwyn_Mascarenhas
    Allwyn_Mascarenhas
    New Member
    September 22, 2015

    ede_pfau wrote:

    One good advice: upgrade firmware to the latest v5.0, which is 5.0.12 before continuing. You really don't want to suffer from the early firmware bugs.

    With that little configuration you can upload the target firmware version in one step. Worstcase you'd lose the config, retyping will be much quicker than going all the immediate upgrade steps that usually are mandatory (see Release Notes).

    a small doubt i have. Flash formatting the device and jumping straight to the latest FW on a new device is perfectly alright right? Or could there be any issues?

    Terms & ConditionsAccessibility statement