Goran
New Contributor

For the first time I'm trying to create Site to Site VPN between Fortinet and Watchguard

Hi everyone, first time posting here, as I just started with my Firewall journey and bought Fortinet 40F Fortiguard.

Basically I'm a noob, didn't work too much with Firewalls but I'm learning and trying.

 

I have two sites.
1st site: Fortinet
2nd site: Watchguard

 

I need to connect those two sites.

 

NO Public Static IPs:

1st site: Fortinet is using its built-in DDNS

2nd site: I created DDNS with free public DDNS provider

 

What I did:

1. Went to "IPsec Tunnels" and created new "Custom" tunnel

2. Remote Gateway was set to be a Dynamic DNS. I figured out, after reading documentation, that this is DDNS for the other site so I typed it in

3. Interface that I'm using is wan1. wan1 is basically, as the name says, my go out to the internet port

4. The rest for "Network" in Edit VPN tunnel is left on default

 

Regarding authentication I just set Pre-Shared Key and typed a simple password.

On IKE Version I chose 2.

 

Phase 1 Proposal:

- I left only AES256 for Encryption and SHA256 for Authentication. I removed any other encryption and authentication choices. Diffie-Hellman group is 14

 

Phase 2 Selectors:

- I basically just typed in my local IP for Fortinet on "Local Address" and I typed in local Watchguard IP on "Remote address" with their subnets which are /24.

 

 

So basically, after I was done with this, I went to Policy & Objects > Firewall Policy

 

I added two Policies - first one:

name: VPN remote site

Incoming interface: internal - this is my lan 

Outgoing interface:  I chose the tunnel interface that I created on IPSec tunnel option.

Source:  4 all

Destination:  I created an address. I went to Network/Addresses and added an address or a subnet with IP and its Netmask and I named it accordingly.

Service: ALL

Action: Accept

NAT: I switched it off

Everything else is left on default and I clicked OK.

 

Then, on the same menu - Firewall Policy I just clicked on newly created policy and "Created reverse policy".

 

After that I went to "Network > Static Routes>Create New"

Destination: Subnet, I just typed in subnet of the remote Watchguard 

Interface: I chose that Tunnel Interface that was created on "IP Sec Tunnel" in the first steps.

 

So this should be it for Fortiguard, right? Hopefully I didn't make any mistakes. Or maybe I did, or maybe there is some practice that I am not aware of.

 

After that I logged in to Watchguard Firebox, and I may have some noobish problems but:

 

VPN > Branch Office VPN and on "Gateways" I clicked "Add". Added a name to my Gateway and on

Credential Method I selected "Use Pre-Shared Key" and typed in the same key as I did on Fortiguard.

 

On "Phase 1 Settings" I selected IKEv2 version and left everything else on default.

 

I went back and clicked "add" on "Gateway Endpoint" > Local Gateway

External interface: External

Interface IP Address: Primary interface IPv4 Address

 

Specify the gateway ID for tunnel authentication > By Domain Name and I typed in domain name or DDNS of the local gateway aka Watchguard. I don't know if this is correct, but to me, it's logical that Local Gateway ID is local gateway for Watchguard.

 

On "Remote Gateway" I selected Dynamic IP address for "Specify the remote gateway IP address for a tunnel"

and I selected "By Domain Name" on "Specify the remote gateway ID for tunnel authentication" and I typed in Fortiguard DDNS that I created when I bought Fortiguard. Everything else was left on default.

 

After that I went on creating Tunnel in "Branch Office VPN"

 

Added, named it, and on "Addresses" I added Local IP (Watchguard) and Remote IP (Fortiguard) and for the type I chose Network IPv4.

Direction: bidirectional

 

For Phase 2 Settings:

I enabled Perfect Forward Secrecy and chose Diffie-Hellman Group 14

On IPSec Proposals I chose ESP-AES256-SHA256, as I did on my Fortiguard: AES256 and SHA256.

Clicked save, and the rest of the settings are on default.

 

What now? What are my next steps? Do I have to add some policy in Watchguard or what, because I think that some policies are already added after creating BoVPN? I tried to be as detailed as possible.

 

Any answer is highly appreciated.

abarushka
Staff

Hello,

 

You may find the links below useful:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-VPN-IPsec-Watchguard-to-FortiGate/ta-p/196...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-tunnel-between-FortiGate-and-WatchGu...

 

In case the tunnel cannot be brought up, I would recommend collecting IKE debug traces while the issue is triggered:

 

diag deb app ike -1

diag deb en

Goran

Hi abarushka and thank you for your fast reply!

As far as I can see, I think I did all these steps.

 

This configuration is a little bit different than mine because I don't plan on using 3DES because as far as I know it's not secure anymore.

 

Also, I am pretty sure that there are more steps, for example adding Firewall Policies in Fortinet... in Watchguard as well.

 

Thanks for your answer anyway, it is highly appreciated!

abarushka

Hello Goran,

 

You may choose any cipher as long as both units support it.

 

I would like to confirm that a firewall policy is also required. Unfortunately I cannot find a Fortinet KB article which describes the process step by step (FortiGate and WatchGuard sides).

 

However, if you face an issue, I would recommend collecting IKE debug traces while the issue is triggered:

 

diag deb app ike -1

diag deb en

 

rickydunn
New Contributor

Creating a site-to-site VPN between a Fortinet device (e.g. FortiGate) and a WatchGuard device can be a straightforward process if you follow the correct configuration settings on both devices. Site-to-site VPNs allow two different networks in different locations to communicate securely over the internet. Here is how you can establish a site-to-site VPN between Fortinet and WatchGuard:

Prerequisites

  • Devices: A Fortinet device (e.g. FortiGate) and a WatchGuard device (e.g. Firebox).
  • Public IP Addresses: Both devices must have public IP addresses for VPN connection.
  • Access Rights: Administrative access to both devices for configuration.
  • Firewall Rules: Ensure necessary firewall rules are in place to allow VPN traffic.

Configuration Steps

Fortinet (FortiGate) Configuration:

  1. Create a VPN Tunnel: Log in to the FortiGate and navigate to VPN > IPsec Wizard.

    • Select Site to Site.
    • Provide a name for the VPN tunnel.
    • Select the Custom or Manual option.
  2. Configure the Remote Gateway:

    • Enter the public IP address of the WatchGuard device.
    • Configure the local and remote network IP ranges that will be communicating.
  3. Configure Phase 1:

    • Select the IKE Version (e.g. IKEv1 or IKEv2).
    • Set Encryption and Authentication algorithms.
    • Set Diffie-Hellman group and Key Lifetime.
  4. Configure Phase 2:

    • Select Encapsulation method (e.g. Tunnel).
    • Configure the Encryption and Authentication algorithms.
    • Set PFS Group and Key Lifetime.
  5. Establish Security Policy:

    • Create an IPv4 Policy to allow traffic from the local network to the remote network.
    • Specify the Incoming Interface and Outgoing Interface.
  6. Save Configuration: Save the settings and apply the configuration.

sw2090
Honored Contributor

There are two caveats:

 

if a S2S VPN on Fortigate Side has a ddns fqdn as remote gateway and you disable the automatic establishing of the vpn on this side (phase1 auto negotiation) the FGT's IPSec will no longer update the remote gw causing the VPN to go down and stay down once the other side changes its ip. 

That is a known bug I already reported to Fortinet but still is not fixed.

 

If you have a router between FGT and Internet or between Watchguard and Internet which is NOT in bridge mode (i.e. acts as a simple modem and you have a WAN IP on your FGT/Watchguard WAN interface) you have to configure that router to forward 500/UDP (for IPSec) and 4500/UDP (for NAT-Traversal) to the Fortigate or the Watchguard to be able to connect an IPSec VPN.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
