Description

This article describes how to set up an IPsec VPN between a FortiGate and a Cisco Meraki.

Scope

FortiGate.

Solution

Prerequisites:

• FortiGate (with basic configuration).
• Cisco Meraki (with basic configuration).
• Internet connection on both ends.
• 209.10.10.1 is FortiGate side WANIP and 209.10.10.2 is Meraki side WAN IP

Configuration on HO side (FortiGate):

config vpn ipsec phase1-interface
    edit "HO_GW"
           set interface "wan"
           set ike-version 2
           set peertype any
           set net-device disable
           set proposal aes256-sha256
           set dhgrp 2
           set remote-gw 209.10.10.2
           set psksecret "admin123"
           set keylife 1800
      next
end

config vpn ipsec phase2-interface
    edit "HO_Phase2"
        set phase1name "HO_GW"
        set pfs enable
        set dhgrp 2
        set keylife-type seconds
        set keylifeseconds 3600
        set proposal aes256-sha256
    next

end

Note:

• The required firewall policy and route need to be configured on the FortiGate Side.
• For more than one subnet under Phase 2 (both local and remote), it is recommended to configure each of them on a separate Phase 2: Technical Tip: IPsec VPN between FortiGate and other Vendor with multiple subnets

BranchOffice Router (Meraki):

Go to Security & SD-WAN -> Site-to-site VPN.

Select Automatic for the NAT-T.

Since the remote peer is FortiGate, under Non-Meraki Peers, select Add a peer.

Setup the VPN config as below:

Phase 1 encryption/authentication part:

Phase 2 encryption/authentication part:

Define the remote peer subnet: