Solution
- Go to: VPN -> IPsec Tunnels, and select 'Create New' -> IPsec Tunnel.


Note:
The wizard offers pre-built templates to speed up the process, but the Custom option is used here so that each step of the IPsec tunnel creation is visible:

- Set the tunnel name (After creation, the tunnel name cannot be modified).

The process is straightforward: Phase 1 and Phase 2 are both configured on a single screen.
Note:
This is only a sample; the tunnel configuration (proposals, key lifetimes, selectors) must be adjusted to the requirements of the network, and the same values must then be used on the Palo Alto side.

 


- Create the static route pointing to the Palo Alto LAN:

- Create the firewall policy allowing outbound and inbound traffic:

Note:
Once all parameters are configured on the FortiGate, the matching Phase 1 and Phase 2 parameters must also be configured on the Palo Alto firewall.
On Palo Alto, the IPsec tunnel is built from several objects on different screens.
- For the Phase 1 Proposal, access the 'IKE Crypto Profile':
Make sure the key lifetime matches the FortiGate Phase 1 key life (43200 seconds in this example).

- Then, configure the IKE gateway:

- On 'Advanced Options', set the Phase 1 Proposal on 'Ike Crypto Profile':

- For the Phase 2 Proposal, access the 'IPSec Crypto Profile':
Make sure the key lifetime matches the FortiGate Phase 2 key life.

- Create a tunnel interface on the following path: Network -> Interfaces -> Tunnel.
It is necessary to set an ID for the tunnel.

- Then create the IPSec tunnel on the following path: Network -> IPSec Tunnels.
Select the tunnel interface with the ID just created, in this case 'tunnel.1', and select the Phase 2 Proposal under 'IPSec Crypto Profile':

- Set the Phase 2 selectors under 'Proxy IDs'. Each local/remote subnet pair configured in a FortiGate Phase 2 needs a matching Proxy ID here, with local and remote swapped:

- Create the static route pointing to the FortiGate LAN on Network -> Virtual Router -> Default -> Static Route.

- Create the Security Policy allowing outbound and inbound traffic on Policies -> Security.

- Validating the IPSec tunnel on FortiGate:

- Validating the IPSec tunnel on Palo Alto:


- On the FortiGate, to check the 'IPSec Monitor', go to Dashboard -> Network -> IPSec.
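The following is an added example, not part of the original article, showing the FortiGate CLI commands that correspond to the IPsec Monitor check above and that are used to see why a tunnel is not coming up. The tunnel name 'to-PaloAlto', the Phase 2 name 'to-PaloAlto-net1' and the peer address y.y.y.y are assumptions for the example (y.y.y.y is the Palo Alto public IP from the scenarios below).

```fortios
# Summary of all tunnels and their state (up/down, selectors, traffic counters)
get vpn ipsec tunnel summary

# Phase 1 (IKE SA) details: local and remote IDs, IKE version, proposal, lifetime
diagnose vpn ike gateway list name to-PaloAlto

# Phase 2 (IPsec SA) details: SPIs, selectors (proxy IDs), key lifetimes
diagnose vpn tunnel list name to-PaloAlto

# Negotiation debug, limited to the Palo Alto peer.
# The filter syntax depends on the FortiOS version: newer releases use
# 'diagnose vpn ike log filter rem-addr4', older ones 'diagnose vpn ike log-filter dst-addr4'.
diagnose vpn ike log filter rem-addr4 y.y.y.y
diagnose debug application ike -1
diagnose debug enable

# Force the Phase 2 to negotiate while the debug is running
diagnose vpn tunnel up to-PaloAlto-net1 to-PaloAlto

# Always turn the debug off afterwards
diagnose debug disable
diagnose debug reset
```

In the IKE debug, a 'no proposal chosen' or 'invalid ID' message points at mismatched proposals or at the Local/Peer Identification issues described in the notes below; a Phase 1 that comes up while Phase 2 fails usually means the Proxy IDs on the Palo Alto do not match the FortiGate selectors. The corresponding checks on the Palo Alto are 'show vpn ike-sa' and 'show vpn ipsec-sa' from the CLI, or the IKE Info/IPSec Info links on the Network -> IPSec Tunnels page.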

Special notes within the IKE Gateway General Configuration:
- In certain scenarios, when establishing an IPsec tunnel between FortiGate and Palo Alto, even with non-cloud firewalls, it may be necessary to configure the Local Identification with the Palo Alto IP and the Peer Identification with the FortiGate IP.
Example Scenario I: FortiGate wan1 (Public IP x.x.x.x) ===== [Internet] ===== (Public IP y.y.y.y) Palo Alto.
- Sometimes the FortiGate is behind an ISP router and wan1 has a private IP (for example 192.168.100.10), typically when the ISP router cannot be set to Bridge Mode. In this scenario, the Peer Identification that the Palo Alto observes in its IPsec logs is the FortiGate's private IP 192.168.100.10, so this IP must be configured as the Peer Identification. This applies even if the tunnel interface has an IP assigned to it.
Example Scenario II: FortiGate wan1 (192.168.100.10) ===== ISP Router (Public IP x.x.x.x) ===== [Internet] ===== (Public IP y.y.y.y) Palo Alto.
- In Palo Alto Virtual Machine deployments, for instance in an Azure cloud environment, it is often mandatory for the Local Identification and Peer Identification within the IKE Gateway to be configured with an IP address. Otherwise, the IPsec Phase 1 negotiation will fail.
- In some cases, it has been observed that it is also necessary to change the localid type on the FortiGate so that it sends an IP address as its IKE identity instead of the default (auto):
config vpn ipsec phase1-interface
    edit <phase1_name>
        set localid-type address
        set localid <IP address>
    next
end
Note:
- In the FortiGate Phase 2 settings, if the named address used as a selector is an address group, the tunnel will not come up.
- For a FortiGate to a third-party device, the standard configuration is 'Subnet'.
- Configure the FortiGate Phase 2 Local Address and Remote Address as 'Subnet'.
- If there are multiple subnets, add a separate Phase 2 entry for each subnet pair (and a matching Proxy ID on the Palo Alto).