Article Description | This article describes how to configure an IPsec VPN on a FortiGate unit to work with the VPN feature of a YAMAHA RTX1200 router. A Japanese translation is included as a PDF attachment at the end of this article.
Components | - All FortiGate units running FortiOS 3.0 MR7
- YAMAHA RTX1200 revision 10.01.07
Steps or Commands |

Configure FortiGate VPN Phase 1

To configure using the Web-based Manager:
- Go to VPN > IPSec > Auto-Key and select Phase 1.
- Enter the following:
Name | toRTX1200
Remote Gateway | Static IP address
IP address | Remote RTX1200 IP address. For example, 100.0.0.2
Local Interface | Select the interface that connects to the Internet. For example, WAN1.
Mode | Aggressive
Authentication Method | Preshared Key
Pre-shared Key | Enter the same preshared key as configured on the RTX1200.
Peer Option | Accept any peer ID
- Select Advanced and enter the following:
Enable IPSec Interface Mode | Enable
P1 Proposal | 3DES SHA1
DH Group | DH 2
Local ID | FortiGate WAN1 IP address
NAT-traversal | Enable
Dead Peer Detection | Enable
- Select OK.
Configure FortiGate VPN Phase 2

To configure using the Web-based Manager:
- Go to VPN > IPSec > Auto-Key and select Phase 2.
- Enter the following:
Name | A name for the VPN Phase 2 configuration: ToRTX1200_2
Phase 1 | Phase 1 configuration name: toRTX1200
Key Life (Seconds) | 1800
- Select Advanced and enter the following:
P2 Proposal | 1 - 3DES SHA1
Enable Replay Detection | Enable
DH Group | 2
Auto keep alive | Enable
Quick Mode Selector | Source Address: 0.0.0.0/0.0.0.0; Destination Address: 20.0.0.0/24
- Select OK.
Configure FortiGate Firewall Policy

The firewall policy allows hosts behind the RTX1200 to initiate communication with hosts on the network behind the FortiGate unit. To configure using the Web-based Manager:
- Go to Firewall > Policy and select Create New.
- Enter the following:
Source Interface/Zone | The interface connected to the remote network: toRTX1200
Source Address | The firewall address of the remote network: ANY
Destination Interface/Zone | The interface that connects to the local network: WAN1
Destination Address | The firewall address of the local network: ANY
Schedule | Always
Service | ANY
Action | Accept
- Select OK.
Configure FortiGate Static Route

Create a static route for the private network behind the RTX1200 so that traffic for it is sent into the tunnel interface. To configure using the Web-based Manager:
- Go to Router > Static and select Create New.
- Enter the following:
Destination IP/Mask | 20.0.0.0/255.255.255.0
Device (tunnel name) | toRTX1200
Distance | 10
- Select OK.
Configure the RTX1200 Router

To configure the RTX1200 router Phase 1, Phase 2 and Options:
- Log on to the RTX1200 router web-based utility.
- Go to Administrator > Router > IPsec.
- Create a new tunnel and enter the following:
Tunnel Name | ToFGT
Pre-Shared Key | Enter the same preshared key as configured on the FortiGate.
Remote Gateway | FortiGate WAN1 IP address. For example: 100.0.0.1
My Address | RTX1200 WAN IP address. For example: 100.0.0.2
Phase 1:
NAT Traversal | Enabled
Authentication Algorithm | SHA1
Encryption Algorithm | 3DES-CBC
Key Life | 28800
Key Group | Modp1024
Phase 2:
Authentication Algorithm | SHA1
Encryption Algorithm | 3DES-CBC
Key Life | 1800
My ID | 20.0.0.0/24
Key Group | Modp1024
Options:
IKE keepalive | On
DPD | Enable
- Click Apply.
Confirm with a Simple Test (ping)

Ping from a local PC (20.0.0.2) on the RTX1200 private network to a public IP address (for example 4.2.2.2) through the VPN tunnel.
- Log on to the FortiGate unit and run the sniffer:
  diagnose sniffer packet any "icmp" 4
- Ping the public server. The echo request should arrive on the tunnel interface and leave on WAN1, and the reply should take the reverse path:
toRTX1200 in 20.0.0.2 -> 4.2.2.2: icmp: echo request
wan1 out 100.0.0.1 -> 4.2.2.2: icmp: echo request
wan1 in 4.2.2.2 -> 100.0.0.1: icmp: echo reply
toRTX1200 out 4.2.2.2 -> 20.0.0.2: icmp: echo reply
# 100.0.0.1 is the IP address of the FGT WAN1 interface.
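As an added check (not part of the original article), the following Python parses the sniffer output above and verifies both that the request and reply traverse the expected interfaces and that every address seen on the tunnel lies inside the Phase 2 selector, the usual culprit when the FortiGate Quick Mode Selector and the RTX1200 My ID setting do not match. The interface names and the 20.0.0.0/24 network are the article's example values; the sample output is constructed.

```python
import ipaddress
import re

# Constructed sample of `diagnose sniffer packet any "icmp" 4` output,
# identical to the four lines the article shows for a healthy tunnel.
SNIFFER_OUTPUT = """\
toRTX1200 in 20.0.0.2 -> 4.2.2.2: icmp: echo request
wan1 out 100.0.0.1 -> 4.2.2.2: icmp: echo request
wan1 in 4.2.2.2 -> 100.0.0.1: icmp: echo reply
toRTX1200 out 4.2.2.2 -> 20.0.0.2: icmp: echo reply
"""

# Verbosity-4 line layout: "<iface> <in|out> <src> -> <dst>: <proto>: <detail>"
LINE_RE = re.compile(r"^(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>[\d.]+)"
                     r"\s+->\s+(?P<dst>[\d.]+):\s*(?P<rest>.*)$")

def parse_sniffer(text):
    """Return one dict per packet line; non-matching lines are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(m.groupdict())
    return packets

def check_tunnel_flow(packets, tunnel_if, wan_if, remote_net):
    """Return a list of problems with the ping path; empty means healthy.
    tunnel_if  - FortiGate IPsec interface (toRTX1200)
    wan_if     - Internet-facing interface (wan1)
    remote_net - Phase 2 destination / RTX1200 "My ID" selector (20.0.0.0/24)
    """
    net = ipaddress.ip_network(remote_net)
    problems = []
    # Anything on the tunnel whose remote-side address is outside the quick
    # mode selector would not have been accepted by Phase 2 on either peer.
    for p in packets:
        if p["iface"] == tunnel_if:
            remote = p["src"] if p["dir"] == "in" else p["dst"]
            if ipaddress.ip_address(remote) not in net:
                problems.append("%s on %s is outside selector %s"
                                % (remote, tunnel_if, remote_net))
    # Request: tunnel in -> wan out.  Reply: wan in -> tunnel out.
    seen = {(p["iface"], p["dir"], p["rest"]) for p in packets}
    for step in [(tunnel_if, "in", "icmp: echo request"),
                 (wan_if, "out", "icmp: echo request"),
                 (wan_if, "in", "icmp: echo reply"),
                 (tunnel_if, "out", "icmp: echo reply")]:
        if step not in seen:
            problems.append("missing step: %s %s (%s)" % step)
    return problems
```

Run it against the pasted output of a real session; any "outside selector" line points at the Quick Mode Selector or My ID setting rather than at routing or the firewall policy.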
Related Articles
List of articles about Fortigate IPSec VPN interoperability