Gab_FTNT
Staff
Article Id 274508
Description This article describes how to configure a site-to-site IPsec tunnel between a FortiGate and a SonicWALL from the GUI.
Settings can change based on firmware and hardware.
Scope FortiGate
Solution

Capture22.PNG

This IPsec tunnel is built using a FortiGate 81F running version 7.2.5 and a SonicWall TZ350 running SonicOS Enhanced 6.5.4.0-17n.

Configuration on the FortiGate side:

  1. Go to VPN -> IPsec Tunnels and select 'Create New IPsec Tunnel':


Picture2.png

 

Enter the chosen tunnel name, then select Next.

 

  2. Enter the remote IP address of the SonicWALL and the chosen pre-shared key:


Picture3.png

 

  3. Select the local interface to be reached through the tunnel, then specify the local subnet and the remote subnet. Multiple subnets can also be entered:


Picture4.png

 

  4. Review the configuration and select Next:


Picture5.png

  5. FortiGate creates an address object, the required policies, and a static route automatically.

Go to VPN -> IPsec Tunnels, edit the tunnel and select Convert to Custom.


Picture6.png

 

This is required in order to adjust the settings.

 

  6. In this example, the following settings are used:
  • IKEv1 with Main Mode (ID Protection):


Picture7.png

 

  • Phase 1 encryption AES128 and SHA1 with DH Group 2 and a key lifetime of 86400.

 

Picture8.png

 

  • XAUTH disabled:

Picture9.png

 

  • Phase 2 encryption AES128 and SHA1 with DH Group 2 and a key lifetime of 86400.

 

Picture10.png
Configuration on the SonicWALL side:

In this example, the older GUI is used to create the VPN tunnel.
To switch from the new GUI to the old one, select the icon shown below at the bottom left of the page:

Picture11.png

 

  1. Go to VPN -> Settings and select Add to add a new VPN policy.


Picture12.png

 

  2. Enter the chosen tunnel name, the IPsec primary gateway (the FortiGate IP), and the pre-shared key.


Picture13.png

 

  3. Navigate to the Network tab to configure the Phase 2 selectors.

Under Choose Local Network (SonicWALL side), create a new address object (do not use the pre-existing ones).


Picture14.png
Under Choose Destination Network (FortiGate side), create a new address object.


Picture15.png
The Network tab should now look like the following:


Picture16.png

 

  4. Navigate to Proposals and set the encryption to match the settings selected on the FortiGate.

To match the FortiGate, the IKE exchange has to be changed to Main Mode, the life time to 86400, and Perfect Forward Secrecy enabled with DH Group 2.


Picture17.png

  5. Create the required firewall policies to allow the traffic.

Go to Firewall -> Access Rules -> Add.


From VPN to X0:


Picture18.png

From X0 to VPN:


Picture19.png

 

  6. The tunnel should now be up and running. If it is not, on the FortiGate go to Dashboard -> Network, select IPsec, select the tunnel, and select Bring Up Phase 2.


Picture20.png

Verification

 

  • Make sure the tunnel is up by checking the status on both sides.


FortiGate:

Picture21.png

SonicWALL:

 

Picture22.png

 

  • Try to ping a host on the other side's subnet from the FortiGate and from the SonicWALL.

On the FortiGate side, open the CLI and ping the other side's gateway.
Since Phase 2 only allows the local subnet 192.168.1.0/24, I had to specify the source using:


exec ping-options source 192.168.1.1


Picture23.png

On the SonicWALL side, go to System -> Diagnostics and select the Ping diagnostic tool.


Picture24.png

 

Note:

When a SonicWALL unit has multiple subnets configured, multiple Phase 2 selectors must be created on the FortiGate, rather than multiple subnets in a single Phase 2 selector. This is because the FortiGate uses the same SPI value to bring up Phase 2 for all of the subnets, while the SonicWALL expects a different SPI value for each of its configured subnets. Using multiple Phase 2 selectors on the FortiGate creates a different SPI value for each subnet.
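
What the note amounts to in the FortiOS CLI, as an added example rather than configuration from the article: one phase2-interface entry per SonicWALL subnet, all hanging off the same Phase 1, followed by the diagnostic commands that show whether each selector negotiated its own SA. The Phase 1 name "ToSonicWALL", the SonicWALL subnets 192.168.2.0/24 and 192.168.3.0/24 and the selector names are assumed placeholders; 192.168.1.0/24 is the FortiGate LAN the article uses.

```fortios
# Added example: one Phase 2 selector per SonicWALL subnet.
# Assumptions: Phase 1 "ToSonicWALL" already exists with the settings
# described in the article; SonicWALL LANs are 192.168.2.0/24 and
# 192.168.3.0/24 (placeholders); FortiGate LAN is 192.168.1.0/24.
# Do NOT put both remote subnets into a single selector (for example via
# an address group as dst-name): that negotiates one SA, and the
# SonicWALL will only bring up traffic for one of its subnets.
config vpn ipsec phase2-interface
    edit "ToSonicWALL_net2"
        set phase1name "ToSonicWALL"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 2
        set keylifeseconds 86400
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
    edit "ToSonicWALL_net3"
        set phase1name "ToSonicWALL"
        set proposal aes128-sha1
        set pfs enable
        set dhgrp 2
        set keylifeseconds 86400
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.3.0 255.255.255.0
    next
end
# The static route for the second subnet is not created automatically
# once the tunnel is Custom; add it by hand.
config router static
    edit 0
        set dst 192.168.3.0 255.255.255.0
        set device "ToSonicWALL"
    next
end
# Verification: each selector (proxyid) must have its own SA and SPI pair.
# One IKE gateway, two proxyids with separate "SA: ... spi=" lines is the
# expected result; a selector without an SA has not completed Phase 2.
diagnose vpn ike gateway list
diagnose vpn tunnel list name ToSonicWALL
get vpn ipsec tunnel summary
```

In the GUI the same thing is done by editing the Custom tunnel and adding a second entry under Phase 2 Selectors with the next remote subnet. Each additional selector also needs its own address object and either a policy that references it or a widened destination in the existing policies, otherwise the SA comes up but the FortiGate still drops the traffic.
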

 

If any problem occurs, feel free to contact Fortinet Support.