Description

This article describes how to configure an IPSec VPN on a FortiGate unit to work with the VPN feature of a YAMAHA RTX1200 router.
A Japanese translation is included as a PDF attachment at the end of this article.
Components
  • All FortiGate units running FortiOS 3.0 MR7
  • YAMAHA RTX1200 revision 10.01.07
Steps or Commands

Configure FortiGate VPN Phase 1

To configure using the Web-based Manager:

  1. Go to VPN>IPSec>Auto-Key and select Phase 1.
  2. Enter the following:
    Name: toRTX1200
    Remote Gateway: Static IP address
    IP address: Remote RTX1200 IP address. For example, 100.0.0.2
    Local Interface: Select the interface that connects to the Internet. For example, WAN1.
    Mode: Aggressive
    Authentication Method: Preshared Key
    Pre-shared Key: Enter the same preshared key as configured on the RTX1200.
    Peer Option: Accept any peer ID
  3. Select Advanced and enter the following:
    Enable IPSec Interface Mode: Enable
    P1 Proposal: 3DES SHA1
    DH Group: DH 2
    Local ID: FortiGate WAN1 IP Address
    Nat-traversal: Enable
    Dead Peer Detection: Enable
  4. Select OK.

Configure FortiGate VPN Phase 2

To configure using the Web-based Manager:

  1. Go to VPN>IPSec>Auto-Key and select Phase 2.
  2. Enter the following:
    Name: A name for the VPN Phase 2 configuration: ToRTX1200_2.
    Phase 1: Phase 1 configuration name: toRTX1200.
    Key Life (Seconds): 1800
  3. Select Advanced and enter the following:
    P2 Proposal: 1 - 3DES SHA1
    Enable Replay Detection: Enable
    DH Group: 2
    Auto keep alive: Enable
    Quick Mode Selector: Source Address: 0.0.0.0/0.0.0.0
    Destination Address: 20.0.0.0/24
  4. Select OK.

Configure FortiGate Firewall Policy

The firewall policy allows hosts behind the RTX1200 to initiate communication with hosts on the network behind the FortiGate unit.

To configure using the Web-based Manager:

  1. Go to Firewall>Policy and select Create New.
  2. Enter the following:
    Source Interface/Zone: The interface connected to the remote network: toRTX1200
    Source Address: The firewall address of the remote network: ANY
    Destination Interface/Zone: The interface that connects to the local network: WAN1
    Destination Address: The firewall address of the local network: ANY
    Schedule: Always
    Service: ANY
    Action: Accept
  3. Select OK.

Configure FortiGate Static route

Create a static route for the private network of the RTX1200.

To configure using the Web-based Manager:

  1. Go to Router>Static and select Create New.
  2. Enter the following:
    Destination IP/Mask: 20.0.0.0/255.255.255.0
    Device (tunnel name): toRTX1200
    Distance: 10
  3. Select OK.

Configure the RTX1200 router

To configure Phase 1, Phase 2 and the Options of the RTX1200 router:

  1. Log on to the RTX1200 router web-based utility.
  2. Go to Administrator>Router>IPsec.
  3. Create a new tunnel and enter the following:
    Tunnel Name: ToFGT
    Pre-Shared Key: Enter the same preshared key as configured on the FortiGate.
    Remote Gateway: FortiGate WAN1 IP Address. For example: 100.0.0.1
    My Address: RTX1200 WAN IP Address. For example: 100.0.0.2
    Phase 1:
      NAT Traversal: Enabled
      Authentication Algorithm: SHA1
      Encryption Algorithm: 3DES-CBC
      Key Life: 28800
      Key Group: Modp1024
    Phase 2:
      Authentication Algorithm: SHA1
      Encryption Algorithm: 3DES-CBC
      Key Life: 1800
      My ID: 20.0.0.0/24
      Key Group: Modp1024
    Options:
      IKE keepalive: On
      DPD: Enable
  4. Click Apply.

Confirm with a simple test (ping communication)

Ping from a local PC (20.0.0.2) on the RTX1200 private network to a public IP address (for example 4.2.2.2) through the VPN tunnel.

  1. Log on to the FortiGate device and run the diagnose command.
  2. Type: diagnose sniffer packet any "icmp" 4
  3. Ping the public server from the PC.

toRTX1200 in 20.0.0.2 -> 4.2.2.2: icmp: echo request
wan1 out 100.0.0.1 -> 4.2.2.2: icmp: echo request
wan1 in 4.2.2.2 -> 100.0.0.1: icmp: echo reply
toRTX1200 out 4.2.2.2 -> 20.0.0.2: icmp: echo reply
#100.0.0.1 is default gateway IP address for the FGT WAN1 interface.
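As an added illustration (not part of the original article), the following Python checker parses sniffer lines in the format shown above and reports the first of the four expected stages that is missing, so a failed test points at the piece of the configuration to revisit. The interface names and addresses are the article's; tolerating a leading timestamp is an assumption about real sniffer output, which prints one.

```python
import re
from collections import namedtuple

# One line of `diagnose sniffer packet <iface> "<filter>" 4` output. Verbosity 4
# prints interface and direction; the optional leading timestamp is an
# assumption about real output, which the article's excerpt omits.
SNIFF_LINE = re.compile(
    r"^(?:[\d.]+\s+)?(?P<iface>\S+)\s+(?P<dir>in|out)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):\s+icmp:\s+echo\s+(?P<kind>request|reply)$")

Packet = namedtuple("Packet", "iface dir src dst kind")

def parse_sniffer(text):
    """Parse sniffer output into Packet tuples, skipping blank and '#' lines."""
    pkts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SNIFF_LINE.match(line)
        if m:
            pkts.append(Packet(*m.group("iface", "dir", "src", "dst", "kind")))
    return pkts

def check_tunnel_ping(text, tunnel_if, wan_if, wan_ip, lan_host, target):
    """Return (ok, diagnosis). The four stages are the lines of the article's
    trace; the first one absent from the capture names what to check."""
    seen = set(parse_sniffer(text))
    stages = [
        (Packet(tunnel_if, "in", lan_host, target, "request"),
         "no echo request on %s: check the RTX1200 phase 2 selector and tunnel state" % tunnel_if),
        (Packet(wan_if, "out", wan_ip, target, "request"),
         "request not forwarded to %s: check the %s->%s firewall policy and NAT" % (wan_if, tunnel_if, wan_if)),
        (Packet(wan_if, "in", target, wan_ip, "reply"),
         "no reply on %s: the target or the upstream path is not answering" % wan_if),
        (Packet(tunnel_if, "out", target, lan_host, "reply"),
         "reply not sent into %s: check the static route for the RTX1200 subnet" % tunnel_if),
    ]
    for expected, diagnosis in stages:
        if expected not in seen:
            return False, diagnosis
    return True, "ping traversed the tunnel in both directions"

# The four-line trace from the article, used here as sample input.
ARTICLE_TRACE = """\
toRTX1200 in 20.0.0.2 -> 4.2.2.2: icmp: echo request
wan1 out 100.0.0.1 -> 4.2.2.2: icmp: echo request
wan1 in 4.2.2.2 -> 100.0.0.1: icmp: echo reply
toRTX1200 out 4.2.2.2 -> 20.0.0.2: icmp: echo reply
"""

if __name__ == "__main__":
    print(check_tunnel_ping(ARTICLE_TRACE, "toRTX1200", "wan1", "100.0.0.1", "20.0.0.2", "4.2.2.2"))
```

Paste the output of the sniffer command in place of ARTICLE_TRACE to diagnose a real capture.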


Related Articles

List of articles about Fortigate IPSec VPN interoperability