Description
This article discusses a site-to-site VPN between a FortiGate and a SonicWall that uses DDNS names, rather than fixed IP addresses, to identify the peers. Setting up a site-to-site VPN between different firewall vendors can be challenging, particularly when neither side has a static public IP.
This article provides a procedure to establish a connection between a FortiGate and a SonicWall firewall using DDNS. Because each peer is addressed and identified by its DDNS name, the tunnel can be re-established after either side's public IP address changes, providing uninterrupted and secure communication between the two sites.
Scope
FortiGate. |
Solution
Prerequisites:
Configuration Steps.
DDNS Setup (FortiGate): Make sure DNS resolution is working as expected. Then set up DDNS using FortiGuard DDNS (FortiDDNS). When doing so, choose a 'Unique Location' name and bind it to the WAN interface that will act as the peer for the SonicWall; the resulting FQDN is the FortiGate's DDNS name used throughout the rest of this configuration. For reference, consult the following link: How to configure Dynamic DNS on FortiGate.
Navigate to VPN -> IPsec Tunnels and create a new tunnel. For the remote gateway choose 'Dynamic DNS', input the SonicWall's DDNS name, and select the external interface (WAN) that will be used to communicate with the SonicWall:
For this section, select 'Aggressive Mode'; with IKEv1 and a pre-shared key, this is what allows the peers to be identified by FQDN rather than by IP address. Under 'Peer Options', for 'Accept Types', choose 'Specific peer ID' and enter the SonicWall's DDNS name in the 'Peer ID' field, so that only a peer presenting that identity is accepted. Note that aggressive mode sends the identities in the clear and allows an eavesdropper to attempt offline guessing of the pre-shared key, so use a long, random key:
Select the Phase 1 (P1) proposals, ensuring that all selections correspond to the proposals on the SonicWall. In the 'Local ID' field, enter the FortiGate's DDNS name.
By default, the localid-type is set to 'auto'. In some cases the tunnel will not establish until the localid-type is explicitly set to 'fqdn', so that the FortiGate sends its identity with the FQDN ID type that the SonicWall's 'Domain Name' IKE ID expects. To change the localid-type, run the following in the CLI:
config vpn ipsec phase1-interface
    edit <IPsec name>
        set localid-type fqdn
    next
end
Configure the 'Local Address' and 'Remote Address' to specify the traffic of interest between the local and remote sites and ensure the selected networks match those defined on the SonicWall:
Select the Phase 2 (P2) proposals and ensure that all selections match the corresponding proposals on the SonicWall. Enabling Auto-Negotiate is mandatory: it makes the FortiGate negotiate the Phase 2 SA as soon as Phase 1 is up and renegotiate it before it expires, instead of waiting for interesting traffic:
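The FortiGate half of the procedure above, expressed as FortiOS CLI. This is an added example, not configuration from the article: the interface names (wan1, internal), the DDNS names (fortigate-site.fortiddns.com for the FortiGate, sonicwall-site.example.net for the SonicWall), the LAN subnets, and the aes256-sha256 / DH group 14 proposals are all assumptions and must be adjusted to match the SonicWall side.

```fortios
# Added example (not from the article). Interface names, DDNS names, subnets
# and proposals are assumptions; adjust them to your environment.

# 1) FortiGuard DDNS bound to the WAN interface that faces the SonicWall
config system ddns
    edit 1
        set ddns-server FortiGuardDDNS
        set ddns-domain "fortigate-site.fortiddns.com"
        set monitor-interface "wan1"
    next
end

# 2) Phase 1: IKEv1 aggressive mode, both peers identified by FQDN
config vpn ipsec phase1-interface
    edit "to-sonicwall"
        set type ddns
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        # our own identity, sent with the FQDN ID type the SonicWall expects
        set localid "fortigate-site.fortiddns.com"
        set localid-type fqdn
        # accept only a peer that presents the SonicWall's DDNS name as its ID
        set peertype one
        set peerid "sonicwall-site.example.net"
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw-ddns "sonicwall-site.example.net"
        # aggressive mode exposes the PSK to offline guessing: use a long random secret
        set psksecret "REPLACE-WITH-LONG-RANDOM-PRE-SHARED-KEY"
    next
end

# 3) Phase 2: selectors mirror the SonicWall's Local/Destination networks;
#    auto-negotiate brings the SA up and keeps it up without waiting for traffic
config vpn ipsec phase2-interface
    edit "to-sonicwall-p2"
        set phase1name "to-sonicwall"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

# 4) Route the remote LAN into the tunnel interface and allow traffic both ways
config firewall address
    edit "fgt-lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "sonicwall-lan"
        set subnet 192.168.20.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "to-sonicwall"
    next
end
config firewall policy
    edit 0
        set name "lan-to-sonicwall"
        set srcintf "internal"
        set dstintf "to-sonicwall"
        set srcaddr "fgt-lan"
        set dstaddr "sonicwall-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "sonicwall-to-lan"
        set srcintf "to-sonicwall"
        set dstintf "internal"
        set srcaddr "sonicwall-lan"
        set dstaddr "fgt-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The two IDs are deliberately crossed: the FortiGate's localid is what the SonicWall will configure as its Peer IKE ID, and the FortiGate's peerid is the SonicWall's Local IKE ID. The pre-shared key, proposals, and the two subnets must be identical on both sides; 'edit 0' lets FortiOS assign the next free ID for the route and policies.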
DDNS Setup (SonicWall): Make sure DNS resolution is working as expected. Then set up DDNS to assign a domain name to the SonicWall's external interface (WAN), which will act as the peer for the FortiGate. For further information, refer to the following SonicWall article: How to configure dynamic DNS for a particular interface.
On the SonicWall, it is recommended to use the setup wizard for this configuration.
Navigate to the 'Wizards' section:
Select 'VPN Guide':
Select the 'Site-to-Site' option:
Fill out the form by selecting a name for the 'Policy Name'. Activate the 'I know my Remote Peer IP Address (or FQDN)' option and input the FortiGate's DDNS name into the 'Remote Peer IP Address (or FQDN)' field. Afterward, select 'Next':
In the 'Network Selection' tab, choose the appropriate 'Local' and 'Destination Networks'. If the 'Destination Networks' have not been set up yet, it is possible to create them by selecting the 'Create New Address Object' option from the dropdown menu.
Enter a name, choose the appropriate 'Zone Assignment' and 'Type', then input the destination network and netmask, and select 'Save':
In the next step, after selecting the desired Local and Destination Networks, select 'Next':
At this stage, select the appropriate proposals. Ensure they match the configurations previously set on the FortiGate:
Once configured, select 'Apply':
Under the IPSec VPN section, select 'Rules and Settings' and then edit the tunnel:
At this point, modify both the Local and Peer IKE IDs from 'IPv4 Address' to 'Domain Name'. Then enter the SonicWall's DDNS name for the 'Local IKE ID' and the FortiGate's DDNS name for the 'Peer IKE ID'. These must mirror the FortiGate side exactly: the SonicWall's Local IKE ID is the FortiGate's Peer ID, and the SonicWall's Peer IKE ID is the FortiGate's Local ID:
Once completed, thoroughly review all configurations by navigating through each tab and verifying the information provided. Ensure that all settings align with what has been previously configured:
Select the appropriate 'Local Network' and 'Destination Network' to specify the traffic of interest between the local and remote sites. Ensure the selected networks match those defined on the FortiGate:
With everything set up correctly, the remaining step is to test the configuration by initiating the tunnel and transmitting data between the FortiGate and SonicWall networks.
Verification and Testing:
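A FortiGate-side verification sequence for the tunnel built above. This is an added example, not part of the article: the tunnel name to-sonicwall, the SonicWall DDNS name sonicwall-site.example.net, and the LAN addresses 192.168.10.1 / 192.168.20.1 are assumptions. The log filter command is 'diagnose vpn ike log filter' on current FortiOS releases and 'diagnose vpn ike log-filter' on older ones.

```fortios
# Added example (not from the article). Tunnel name, peer DDNS name and
# LAN addresses are assumptions.

# 1) DDNS resolution from the FortiGate itself: the peer name must resolve
execute ping sonicwall-site.example.net

# 2) IKE and IPsec SA state for this tunnel; both should report established SAs
diagnose vpn ike gateway list name to-sonicwall
diagnose vpn tunnel list name to-sonicwall
get vpn ipsec tunnel summary

# 3) Negotiation trace restricted to this tunnel (older FortiOS: 'log-filter')
diagnose vpn ike log filter name to-sonicwall
diagnose debug application ike -1
diagnose debug enable
# tear the IKE SA down while the trace runs; auto-negotiate re-establishes it.
# An ID or proposal mismatch shows up here as the peer rejecting the identity
# or the proposal during the aggressive-mode exchange.
diagnose vpn ike gateway clear name to-sonicwall
diagnose debug disable
diagnose debug reset

# 4) End-to-end traffic sourced from the FortiGate's LAN address so it
#    matches the Phase 2 selectors and the firewall policy
execute ping-options source 192.168.10.1
execute ping 192.168.20.1
```

Run the ping in step 4 from a host on each LAN as well; a tunnel that shows established SAs but passes no traffic usually means the selectors, the static route, or the firewall policies do not match the subnets configured on the SonicWall.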
Copyright 2024 Fortinet, Inc. All Rights Reserved.