Hi everyone, first time posting here, as I just started with my Firewall journey and bought Fortinet 40F Fortiguard.
Basically I'm a noob, didn't work too much with Firewalls but I'm learning and trying.
I have two sites.
1st site: Fortinet
2nd site: Watchguard
I need to connect those two sites.
NO Public Static IPs:
1st site: Fortinet is using its build in DDNS
2nd site: I created DDNS with free public DDNS provider
What I did:
1. Went to "IPsec Tunnels" and created new "Custom" tunnel
2. Remote Gateway was set to be a Dynamic DNS. I figured out, after reading documentation, that this is DDNS for the other site so I typed it in
3. Interface that I'm using is wan1. wan1 is basically, as the name says, my go out to the internet port
4. The rest for "Network" in Edit VPN tunnel is left on default
Regarding authentication I just set Pre-Shared key with and typed simple password.
On IKE Version I choose 2.
Phase 1 Proposal:
- I left only AES256 for Encryption and SHA256 for Authentication. I removed any other encryption and authentication choices. Diffie-Helman group is 14
Phase 2 Selectors:
- I basically just typed in my local IP for Fortinet on "Local Address" and I typed in local Watchguard IP on "Remote address" with their subnets which are /24.
So basically, after I was done with this, I went to Policy & Objects > Firewall Policy
I added two Policies - first one:
name: VPN remote site
Incoming interface: internal - this is my lan
Outgoing interface: I choose the tunnel interface that I created on IPSec tunnel option.
Source: 4 all
Destination: I created an address. I went to Network/Addresses and addes an address or a subnet with IP and its Netmask and I named it accordingly.
Service: ALL
Action: Accept
NAT: I switched it off
Everything else is left on default and I clicked OK.
Then, on the same menu - Firewall Policy I just clicked on newly created policy and "Created reverse policy".
After that I went to "Network > Static Routes>Create New"
Destination: Subnet, I just typed in subnet of the remote Watchguard
Interface: I choose that Tunnel Interface that was created on "IP Sec Tunnel" in the first steps.
So this should be it for Fortiguard, right? Hopefully I didn't make any mistakes. Or maybe I did, or maybe there is some practice that I am not aware of.
After that I logged in to Watchguard Firebox, and I may have some noobish problems but:
VPN > Branch Office VPN and on "Gateways" I clicked "Add". Added a name to my Gateway and on
Credential Method I selected "Use Pre-Shared Key" and typed in the same key as I did on Fortiguard.
On "Phase 1 Settings" I selected IKEv2 version and left everything else on default.
I went back and clicked "add" on "Gateway Endpoint" > Local Gateway
External interface: External
Interface IP Address: Primary interface IPv4 Address
Specify the gateway ID for tunnel authentication > By Domain Name and I typed in domain name or DDNS of the local gateway aka Watchguard. I don't know if this is correct, but to me, its logical that Local Gateway ID is local gateway for Watchguard.
On "Remote Gateway" I selected Dynamic IP address for "Specify the remote gateway IP address for a tunnel"
and I selected "By Domain Name" on "Specify the remote gateway ID for tunnel authentication" and I typed in Fortiguard DDNS that I created when I bought Fortiguard. Everything else was left on default.
After that I went on creating Tunnel in "Branch Office VPN"
Added, named it, and on "Addresses" I added Local IP (Watchguard) and Remote IP (Fortiguard) and for the type I choose Network IPv4.
Direction: bidirectional
For Phase 2 Settings:
I enabled perfect Forward Secrecy and Choose Diffie-Hellman Group 14
On IPSec Proposals I choose ESP-AES256-SHA256, as I did on my fortiguard AES256 and SHA256.
Clicked save, and the rest of the settings are on default.
What now? What are my next steps? Do I have to add some policy in Watchguard or what, because I think that some policies are already added after creating BoVPN? I tried to be as much as detailed as possible.
Any answer is highly appreciated.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
You may find useful the links below:
In case the tunnel cannot be brought up. I would recommend to collect ike debug traces while the issue is triggered:
diag deb app ike -1
diag deb en
Hi abarushka and thank you for your fast reply!
As far as I can see, I think I did all these steps.
This configuration is a little bit different then mine because I don't plan on using 3DES because as far as I know its not secure anymore.
Also, I am pretty sure that there are more steps, for example adding Firewall Policies in Fortinet...in Watchguard aswell.
Thanks for your answer anyway, it is highly appreciated!
Hello Goran,
You may choose any cipher as long as both units support it.
I would like to confirm that firewall policy is also required. Unfortunately I cannot find Fortinet KB which will describe the process step by step (FortiGate and WatchGuard sides).
However if you face an issue, I would recommend to collect ike debug traces while the issue is triggered:
diag deb app ike -1
diag deb en
Creating a site-to-site VPN between a Fortinet device (e.g. FortiGate) and a WatchGuard device can be a straightforward process if you follow the correct configuration settings on both devices. Site-to-site VPNs allow two different networks in different locations to communicate securely over the internet. Here is how you can establish a site-to-site VPN between Fortinet and WatchGuard:
Create a VPN Tunnel: Log in to the FortiGate and navigate to VPN > IPsec Wizard.
Configure the Remote Gateway:
Configure Phase 1:
Configure Phase 2:
Establish Security Policy:
Save Configuration: Save the settings and apply the configuration.
There is two caveats:
if a S2S VPN on Fortigate Side has a ddns fqdn as remote gateway and you disable the automatic establishing of the vpn on this side (phase1 auto negotiation) the FGT's IPSec will no longer update the remote gw causing the VPN to go down and stay down once the other side changes its ip.
That is a known bug I already reported to Fortinet but still is not fixed.
If you have a router between FGT and Internet or between Watchguard and Internet which is NOT in bridge mode (i.e. acts a simple modem and you have a wan ip on your FGT/Watchguard wan interface) you have to configure that router to forward 500/UDP (for IPSec) and 4500/UDP (for NAT-Traversal) to the Fortigate or the Watchguard to be able to connect an IPSec VPN.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1517 | |
1013 | |
749 | |
443 | |
209 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.