Created on 04-26-2023 05:05 AM Edited on 04-26-2023 05:18 AM
Description: This article describes how to set up an IPsec VPN between two FortiGates using the VPN Setup wizard, both with the default profile and with a custom profile.
Scope: FortiGate VM.
Solution:
FortiGateVM to FortiGateVM – with the default profile.
This is a brief introduction to setting up an IPsec VPN connection between two FortiGates using the default profile. This profile differs from the custom profile by providing a guided setup with limited customization; address objects, static routes, and firewall policies are created automatically, which makes for a quick and easy VPN setup.
Create your VPN-Tunnel.
Configure the VPN between two FortiGates using the default Remote Device Type for a Site to Site VPN. Select a Name and the NAT configuration.
Enter the Remote IP address and the outgoing Interface as well as a Pre-shared key.
Select the local interface and the local subnets to be connected, as well as the remote subnet.
Press Create and the VPN should be set up automatically.
Static routes, remote address groups as well as Firewall rules are created automatically.
Policy & Objects -> Addresses.
Policy & Objects -> Firewall Policy.
Monitor the VPN-Tunnel.
To check the VPN tunnel health, it is necessary to add a new Dashboard-Widget called IPsec.
Now, it is possible to check Phase 1 and Phase 2 status.
Then test the connection with a simple ping. Phase 2 should be brought up automatically, provided Phase 1 has been brought up properly.
FortiGateVM to FortiGateVM – with a custom profile.
This profile provides an extensive set of customization options for Phase 1 and Phase 2 encryption, NAT traversal, and others. In particular, address objects, static routes, and firewall policies must be created manually.
Create the VPN-Tunnel.
Configure the VPN between two FortiGates using the Custom template. Select a Name.
VPN -> IPsec Wizard.
Enter the Remote Gateway's IP address and the outgoing interface.
Enter the agreed Pre-shared Key as well as IKE-Version.
For Phase 1 select the agreed Encryption and Authentication as well as the Diffie-Hellman Group and the Key Lifetime.
For Phase 2 enter the Local and Remote Address space.
In the Advanced options, select again the agreed Encryption and Authentication method as well as the Diffie-Hellman Group and the Key Lifetime.
In the next step, add new Address Objects under Policy & Objects -> Addresses -> Create New -> Address: one for the local subnet and one for the remote subnet.
Address Groups can also be created if they are to be used in the Firewall Policies instead of the individual subnet objects.
Add a static route for the remote subnet pointing to the VPN-Tunnel Interface.
Add another static route for the same remote subnet, this time pointing to the Blackhole interface with a higher distance than the tunnel route, so that traffic for the remote subnet is dropped rather than sent out the default route if the tunnel goes down.
The last step is to add Firewall Policies to allow the VPN traffic to pass through.
First, one for traffic from the port of your local subnet going to the VPN Tunnel interface. No NAT is required.
Then, one for traffic coming from the VPN Tunnel interface going to the port of your destination subnet. No NAT is required.
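The same custom-profile setup expressed as FortiOS CLI, added here as an example and not taken from the article. The tunnel name, interface names, subnets and the remote gateway address are constructed values, and the address objects site-a-lan and site-b-lan are assumed to already exist from the address step above.

```fortios
# Constructed values: site A LAN 10.1.0.0/24 on port2, WAN on port1; site B LAN 10.2.0.0/24 behind 203.0.113.2
config vpn ipsec phase1-interface
    edit "to-site-b"
        set interface "port1"
        set ike-version 2
        set remote-gw 203.0.113.2
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 86400
        set psksecret <pre-shared-key-placeholder>
    next
end
config vpn ipsec phase2-interface
    edit "to-site-b"
        set phase1name "to-site-b"
        # Proposal, DH group and key lifetime must match the peer exactly
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
config router static
    # Route the remote subnet into the tunnel interface
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "to-site-b"
    next
    # Blackhole at distance 254: when the tunnel is down it still beats the default route, so site B traffic is dropped, not leaked
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
config firewall policy
    edit 0
        set name "lan-to-vpn"
        set srcintf "port2"
        set dstintf "to-site-b"
        set srcaddr "site-a-lan"
        set dstaddr "site-b-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

The return policy (VPN Tunnel to LAN) mirrors this one with srcintf/dstintf and srcaddr/dstaddr swapped; the peer FortiGate gets the same blocks with the subnets and remote-gw reversed.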
Monitor the VPN-Tunnel.
To check the VPN tunnel health, it is necessary to add a new Dashboard-Widget called IPsec.
Now, it is possible to check Phase 1 and Phase 2 status.
Then test the connection with a simple ping. Phase 2 should be brought up automatically, provided Phase 1 has been brought up properly.