FortiGate
wcruvinel (Staff)
Article Id 278756

Description

This article describes how to establish a Site-to-Site VPN between a FortiGate and a SonicWall using DDNS names as the peer identifiers.

Setting up a Site-to-Site VPN between different firewall brands can pose some challenges. This article provides a procedure to establish the connection between a FortiGate and a SonicWall firewall using DDNS.

By using a Site-to-Site VPN between FortiGate and SonicWall with DDNS, organizations can maintain a dynamic, secure, and stable connection regardless of public IP address changes, providing uninterrupted and secure communication.

Scope

FortiGate.

Solution

Prerequisites:

  • Administrative access to the FortiGate and SonicWall firewall interfaces.
  • FortiOS version 6.x or later.
  • SonicWall version 6.x or later.
  • Basic knowledge of networking and firewall configuration.
  • Active DDNS accounts for both devices.

 

Configuration Steps:

  1. FortiGate Configuration:

DDNS Setup:

Make sure the DNS is functioning as expected. Then, set up the DDNS by using FortiDDNS.

When doing so, select a 'Unique Location' name that corresponds to the WAN interface, which will act as the peer for the SonicWall.

For reference, consult the following link: How to configure Dynamic DNS on FortiGate.

 

Navigate to VPN -> IPSec Tunnels and create a new tunnel. For the 'Remote Gateway', choose 'Dynamic DNS', enter the SonicWall's DDNS name, and select the external interface (WAN) that will be used to communicate with the SonicWall:

forti4.png

For this section, select 'Aggressive Mode' and, under 'Peer Options', set 'Accept Types' to 'Specific peer ID'.

Then, in the 'Peer ID' field, enter the SonicWall's DDNS name:

forti5.png

Select the Phase 1 (P1) proposals, ensuring that all selections correspond to the proposals on the SonicWall.

In the 'Local ID' field, enter the FortiGate's DDNS name.

By default, the localid-type is set to 'auto'. In some cases, the localid-type must be set explicitly to 'fqdn' for the tunnel to establish. To change the localid-type, enter the following configuration in the CLI:

    config vpn ipsec phase1-interface
        edit <IPsec name>
            set localid-type fqdn
        next
    end

forti10.png

Configure the 'Local Address' and 'Remote Address' to specify the traffic of interest between the local and remote sites, and ensure the selected networks match those defined on the SonicWall:

forti7.png

Select the Phase 2 (P2) proposals and ensure that all selections match the corresponding proposals on the SonicWall.

Enable 'Auto-Negotiate'; this is required for the tunnel to function correctly:

forti8.png
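The FortiGate side of the procedure above, collected into the equivalent CLI configuration. This is an added example and not part of the original article: the tunnel name, WAN interface name, DDNS hostnames, subnets, proposals and the pre-shared key are constructed placeholders to be replaced with the values of the actual deployment.

```fortios
# Added example (not from the article): FortiGate phase 1 and phase 2 for a
# DDNS-to-DDNS tunnel to a SonicWall. All names, hostnames and subnets below
# are constructed placeholders.
config vpn ipsec phase1-interface
    edit "to-sonicwall"
        set type ddns                                # remote gateway is a DDNS name, not an IP
        set interface "wan1"                         # WAN interface registered with FortiDDNS
        set ike-version 1
        set mode aggressive                          # needed when peers are identified by FQDN
        set remotegw-ddns "sonicwall.ddns.example"   # SonicWall's DDNS name
        set peertype one                             # 'Accept Types: Specific peer ID'
        set peerid "sonicwall.ddns.example"          # must equal the SonicWall 'Local IKE ID'
        set localid "fortigate.ddns.example"         # must equal the SonicWall 'Peer IKE ID'
        set localid-type fqdn                        # explicit, instead of the default 'auto'
        set proposal aes256-sha256                   # P1 proposal; must match the SonicWall
        set dhgrp 14                                 # P1 DH group; must match the SonicWall
        set psksecret "REPLACE_WITH_LONG_RANDOM_PSK" # aggressive mode sends the ID hash in
                                                     # the clear, so use a long random PSK
    next
end
config vpn ipsec phase2-interface
    edit "to-sonicwall-p2"
        set phase1name "to-sonicwall"
        set proposal aes256-sha256                   # P2 proposal; must match the SonicWall
        set dhgrp 14                                 # PFS group; must match the SonicWall
        set auto-negotiate enable                    # mandatory, as the procedure states
        set src-subnet 192.168.10.0 255.255.255.0    # FortiGate 'Local Address' (placeholder)
        set dst-subnet 192.168.20.0 255.255.255.0    # SonicWall 'Remote Address' (placeholder)
    next
end
```

The article covers only the tunnel itself; a static route for the remote subnet via the tunnel interface and firewall policies in both directions are still required before traffic passes.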

 

  2. SonicWall Configuration:

DDNS Setup:

Make sure the DNS is functioning as expected. Then, set up DDNS to assign a domain name to the SonicWall's external interface (WAN), which will act as the peer for the FortiGate.

For further information, refer to the following SonicWall article: How to configure dynamic DNS for a particular interface.

VPN Setup Using Wizard:

It is recommended to use the setup wizard for this configuration.

 

Navigate to the 'Wizards' section:

sonic2.png

Select 'VPN Guide':

sonic3.png

Select the 'Site-to-Site' option:

sonic5.png

Fill out the form by choosing a 'Policy Name'. Enable the 'I know my Remote Peer IP Address (or FQDN)' option and enter the FortiGate's DDNS name in the 'Remote Peer IP Address (or FQDN)' field. Then select 'Next':

sonic6.png

In the 'Network Selection' tab, choose the appropriate 'Local' and 'Destination Networks'.

If the 'Destination Networks' have not been set up yet, they can be created by selecting the 'Create New Address Object' option from the dropdown menu.

sonic21.PNG

Enter a name, choose the appropriate 'Zone Assignment' and 'Type', then input the destination network and netmask, and select 'Save':

sonic8.png

In the next step, after selecting the desired Local and Destination Networks, select 'Next':

sonic9.png

At this stage, select the appropriate proposals. Ensure they match the proposals previously configured on the FortiGate:

sonic10.png

Once configured, select 'Apply':

sonic11.png

Under the IPSec VPN section, select 'Rules and Settings' and then edit the tunnel:

sonic12.png

At this point, change both the Local and Peer IKE IDs from 'IPv4 Address' to 'Domain Name'.

Then, enter the SonicWall's DDNS name for the 'Local IKE ID' and the FortiGate's DDNS name for the 'Peer IKE ID':

sonic15.png

Once completed, thoroughly review all configurations by navigating through each tab and verifying the information provided.

Ensure that all settings align with what has been previously configured:

sonic16.png

Select the appropriate 'Local Network' and 'Destination Network' to specify the traffic of interest between the local and remote sites.

Ensure the selected networks match those defined on the FortiGate:

sonic17.png

With everything set up correctly, the remaining step is to test the configuration by initiating the tunnel and transmitting data between the FortiGate and SonicWall networks.

 

 

Verification and Testing:

  • FortiGate: Go to Monitor -> IPSec Monitor. The VPN should appear and show as active.
  • Send traffic from one end and confirm that it traverses the tunnel and is received on the other end.
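The FortiGate CLI checks that correspond to the verification steps above, including what to look for at each stage. This is an added example and not part of the article; the tunnel name 'to-sonicwall', the DDNS hostname and the addresses are constructed placeholders, and the IKE log-filter syntax differs between FortiOS 6.x and 7.x as noted in the comments.

```fortios
# Added example (not from the article). Names and addresses are placeholders.

# 1. Confirm the SonicWall's DDNS name resolves from the FortiGate before
#    troubleshooting the tunnel itself; a stale DDNS record is a common cause.
execute ping sonicwall.ddns.example

# 2. Phase 1 state for this peer only: look for 'status: established' and check
#    that the local and remote IDs shown are the two DDNS names.
diagnose vpn ike gateway list name to-sonicwall

# 3. Phase 2 SAs: a non-zero SA count and src/dst selectors matching the
#    Local/Remote Address configured on both firewalls.
diagnose vpn tunnel list name to-sonicwall

# 4. Send test traffic sourced from the local LAN address so that it matches
#    the phase 2 selectors (traffic from the WAN address would not).
execute ping-options source 192.168.10.1
execute ping 192.168.20.1

# 5. If the tunnel does not come up, capture IKE negotiation for this peer only.
diagnose vpn ike log filter name to-sonicwall
#   FortiOS 6.x uses: diagnose vpn ike log-filter name to-sonicwall
diagnose debug application ike -1
diagnose debug enable
# ... reproduce the failure, then stop the capture:
diagnose debug disable
diagnose debug reset
```

Mismatched proposals or IDs show up in the step 5 output as the peer rejecting the proposal or the ID check failing, which points to the FortiGate or SonicWall setting that needs correcting.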