Hi everyone, first time posting here, as I just started with my Firewall journey and bought Fortinet 40F Fortiguard.
Basically I'm a noob, didn't work too much with Firewalls but I'm learning and trying.
I have two sites.
1st site: Fortinet
2nd site: Watchguard
I need to connect those two sites.
NO Public Static IPs:
1st site: Fortinet is using its built-in DDNS
2nd site: I created DDNS with free public DDNS provider
What I did:
1. Went to "IPsec Tunnels" and created new "Custom" tunnel
2. Remote Gateway was set to be a Dynamic DNS. I figured out, after reading documentation, that this is DDNS for the other site so I typed it in
3. Interface that I'm using is wan1. wan1 is basically, as the name says, my go out to the internet port
4. The rest for "Network" in Edit VPN tunnel is left on default
Regarding authentication I just set a Pre-Shared key and typed a simple password.
On IKE Version I chose 2.
Phase 1 Proposal:
- I left only AES256 for Encryption and SHA256 for Authentication. I removed any other encryption and authentication choices. Diffie-Hellman group is 14
Phase 2 Selectors:
- I basically just typed in my local IP for Fortinet on "Local Address" and I typed in local Watchguard IP on "Remote address" with their subnets which are /24.
So basically, after I was done with this, I went to Policy & Objects > Firewall Policy
I added two Policies - first one:
name: VPN remote site
Incoming interface: internal - this is my lan
Outgoing interface: I chose the tunnel interface that I created on the IPSec tunnel option.
Source: 4 all
Destination: I created an address. I went to Network/Addresses and added an address or a subnet with IP and its Netmask and I named it accordingly.
Service: ALL
Action: Accept
NAT: I switched it off
Everything else is left on default and I clicked OK.
Then, on the same menu - Firewall Policy I just clicked on newly created policy and "Created reverse policy".
After that I went to "Network > Static Routes>Create New"
Destination: Subnet, I just typed in subnet of the remote Watchguard
Interface: I chose that Tunnel Interface that was created on "IP Sec Tunnel" in the first steps.
So this should be it for Fortiguard, right? Hopefully I didn't make any mistakes. Or maybe I did, or maybe there is some practice that I am not aware of.
After that I logged in to Watchguard Firebox, and I may have some noobish problems but:
VPN > Branch Office VPN and on "Gateways" I clicked "Add". Added a name to my Gateway and on
Credential Method I selected "Use Pre-Shared Key" and typed in the same key as I did on Fortiguard.
On "Phase 1 Settings" I selected IKEv2 version and left everything else on default.
I went back and clicked "add" on "Gateway Endpoint" > Local Gateway
External interface: External
Interface IP Address: Primary interface IPv4 Address
Specify the gateway ID for tunnel authentication > By Domain Name and I typed in domain name or DDNS of the local gateway aka Watchguard. I don't know if this is correct, but to me, it's logical that Local Gateway ID is local gateway for Watchguard.
On "Remote Gateway" I selected Dynamic IP address for "Specify the remote gateway IP address for a tunnel"
and I selected "By Domain Name" on "Specify the remote gateway ID for tunnel authentication" and I typed in Fortiguard DDNS that I created when I bought Fortiguard. Everything else was left on default.
After that I went on creating Tunnel in "Branch Office VPN"
Added, named it, and on "Addresses" I added Local IP (Watchguard) and Remote IP (Fortiguard) and for the type I chose Network IPv4.
Direction: bidirectional
For Phase 2 Settings:
I enabled Perfect Forward Secrecy and chose Diffie-Hellman Group 14
On IPSec Proposals I chose ESP-AES256-SHA256, as I did on my fortiguard: AES256 and SHA256.
Clicked save, and the rest of the settings are on default.
What now? What are my next steps? Do I have to add some policy in Watchguard or what, because I think that some policies are already added after creating BoVPN? I tried to be as detailed as possible.
Any answer is highly appreciated.
Hello,
You may find the links below useful:
In case the tunnel cannot be brought up, I would recommend collecting ike debug traces while the issue is triggered:
diag deb app ike -1
diag deb en
Hi abarushka and thank you for your fast reply!
As far as I can see, I think I did all these steps.
This configuration is a little bit different from mine because I don't plan on using 3DES because as far as I know it's not secure anymore.
Also, I am pretty sure that there are more steps, for example adding Firewall Policies in Fortinet...in Watchguard as well.
Thanks for your answer anyway, it is highly appreciated!
Hello Goran,
You may choose any cipher as long as both units support it.
I would like to confirm that a firewall policy is also required. Unfortunately I cannot find a Fortinet KB which describes the process step by step (FortiGate and WatchGuard sides).
However, if you face an issue, I would recommend collecting ike debug traces while the issue is triggered:
diag deb app ike -1
diag deb en
Creating a site-to-site VPN between a Fortinet device (e.g. FortiGate) and a WatchGuard device can be a straightforward process if you follow the correct configuration settings on both devices. Site-to-site VPNs allow two different networks in different locations to communicate securely over the internet. Here is how you can establish a site-to-site VPN between Fortinet and WatchGuard:
Create a VPN Tunnel: Log in to the FortiGate and navigate to VPN > IPsec Wizard.
Configure the Remote Gateway:
Configure Phase 1:
Configure Phase 2:
Establish Security Policy:
Save Configuration: Save the settings and apply the configuration.
There are two caveats:
If a S2S VPN on the Fortigate side has a DDNS FQDN as remote gateway and you disable the automatic establishing of the VPN on this side (phase1 auto negotiation), the FGT's IPSec will no longer update the remote gateway, causing the VPN to go down and stay down once the other side changes its IP.
That is a known bug I already reported to Fortinet but it is still not fixed.
If you have a router between FGT and Internet or between Watchguard and Internet which is NOT in bridge mode (i.e. acts as a simple modem and you have a WAN IP on your FGT/Watchguard WAN interface), you have to configure that router to forward 500/UDP (for IPSec) and 4500/UDP (for NAT-Traversal) to the Fortigate or the Watchguard to be able to connect an IPSec VPN.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams