Example FortiGate IPSec VPN Gateway-to-Gateway Configuration
The following example demonstrates how to set up a basic gateway-to-gateway IPSec VPN that uses preshared keys to authenticate the two VPN peers.
Example gateway-to-gateway configuration
To define the phase 1 parameters
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 1, enter the following information, and select OK:
Name: Type a name to identify the VPN tunnel (for example, FG1toFG2_Tunnel).
Remote Gateway: Static IP Address
IP Address: 172.16.30.1
Local Interface: Port 2
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key. The same key must be configured on FortiGate_2; use a long random value rather than a word or short phrase, because a guessable key is the only thing protecting this tunnel.
Peer Options: Accept any peer ID
Advanced:
    Enable IPSec Interface Mode: Enable to create a route-based VPN. Disable to create a policy-based VPN.
This example shows both policy and route-based VPNs. |
To define the phase 2 parameters
1 Go to VPN > IPSEC > Auto Key.
2 Select Create Phase 2, enter the following information and select OK:
Name: Enter a name for the phase 2 configuration (for example, FG1toFG2_phase2).
Phase 1: Select the Phase 1 configuration that you defined previously (for example, FG1toFG2_Tunnel).
To define the IP address of the network behind FortiGate_1
1 Go to Firewall > Address.
2 Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, Finance_Network).
Subnet/IP Range: Enter the IP address of the private network behind FortiGate_1 (for example, 192.168.12.0/24).
To specify the address of the network behind FortiGate_2
1 Go to Firewall > Address.
2 Select Create New, enter the following information, and select OK:
Address Name: Enter an address name (for example, HR_Network).
Subnet/IP Range: Enter the IP address of the private network behind FortiGate_2 (for example, 192.168.22.0/24).
To define the firewall policy for a policy-based VPN
1 Go to Firewall > Policy.
2 Select Create New, enter the following information, and select OK:
Source Interface/Zone: Port 1
Source Address Name: Finance_Network
Destination Interface/Zone: Port 2
Destination Address Name: HR_Network
Schedule: As required.
Service: As required.
Action: IPSEC
VPN Tunnel: FG1toFG2_Tunnel
Allow Inbound: Enable
Allow Outbound: Enable
Inbound NAT: Disable
3 Place the policy in the policy list above any other policies having similar source and destination addresses.
To define firewall policies for a route-based VPN
1 Go to Firewall > Policy.
2 Select Create New, enter the following information, and select OK:
Source Interface/Zone: Port 1
Source Address Name: Finance_Network
Destination Interface/Zone: FG1toFG2_Tunnel
Destination Address Name: HR_Network
Schedule: As required.
Service: As required.
Action: ACCEPT
NAT: Disable
3 Select Create New, enter the following information, and select OK:
Source Interface/Zone: FG1toFG2_Tunnel
Source Address Name: HR_Network
Destination Interface/Zone: Port 1
Destination Address Name: Finance_Network
Schedule: As required.
Service: As required.
Action: ACCEPT
NAT: Disable
4 Place the policies in the policy list above any other policies having similar source and destination addresses.
To configure the route for a route-based VPN
1 Go to Router > Static.
2 Select Create New, enter the following information, and then select OK:
Destination IP / Mask: 192.168.22.0/24
Device: FG1toFG2_Tunnel
Gateway: Leave as default: 0.0.0.0.
Distance: Leave this at its default.
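The same FortiGate_1 configuration expressed in the FortiOS CLI, as an added example that is not part of the original page. It assumes port1 is the LAN interface and port2 faces the peer (matching the GUI steps above), uses AES-256 with SHA-256 and DH group 14 as an assumed proposal (the page does not specify one), and uses a placeholder for the pre-shared key. Main mode and accepting any peer ID are the FortiOS defaults, so they are not set explicitly. Apply either the route-based or the policy-based variant, never both; the address objects are common to the two.

```fortios
# Added example (not from the original page): FortiGate_1 side of the
# gateway-to-gateway tunnel. Assumptions: port1 = LAN, port2 = peer-facing,
# proposal/DH group chosen by us, PSK placeholder to be replaced with a
# long random secret that is also configured on FortiGate_2.

# Address objects used by both variants
config firewall address
    edit "Finance_Network"
        set subnet 192.168.12.0 255.255.255.0
    next
    edit "HR_Network"
        set subnet 192.168.22.0 255.255.255.0
    next
end

# ---- Variant A: route-based VPN (Enable IPSec Interface Mode enabled) ----
config vpn ipsec phase1-interface
    edit "FG1toFG2_Tunnel"
        set interface "port2"
        set remote-gw 172.16.30.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE_WITH_LONG_RANDOM_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "FG1toFG2_phase2"
        set phase1name "FG1toFG2_Tunnel"
        set proposal aes256-sha256
        set src-subnet 192.168.12.0 255.255.255.0
        set dst-subnet 192.168.22.0 255.255.255.0
    next
end
# One ACCEPT policy per direction, both referencing the tunnel interface
config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "FG1toFG2_Tunnel"
        set srcaddr "Finance_Network"
        set dstaddr "HR_Network"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "FG1toFG2_Tunnel"
        set dstintf "port1"
        set srcaddr "HR_Network"
        set dstaddr "Finance_Network"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Static route that steers HR_Network traffic into the tunnel interface
config router static
    edit 0
        set dst 192.168.22.0 255.255.255.0
        set device "FG1toFG2_Tunnel"
    next
end

# ---- Variant B: policy-based VPN (Enable IPSec Interface Mode disabled) ----
config vpn ipsec phase1
    edit "FG1toFG2_Tunnel"
        set interface "port2"
        set remote-gw 172.16.30.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE_WITH_LONG_RANDOM_PSK"
    next
end
config vpn ipsec phase2
    edit "FG1toFG2_phase2"
        set phase1name "FG1toFG2_Tunnel"
        set proposal aes256-sha256
        set src-subnet 192.168.12.0 255.255.255.0
        set dst-subnet 192.168.22.0 255.255.255.0
    next
end
# A single IPSEC policy carries both directions; no static route is needed
config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "Finance_Network"
        set dstaddr "HR_Network"
        set action ipsec
        set schedule "always"
        set service "ALL"
        set vpntunnel "FG1toFG2_Tunnel"
        set inbound enable
        set outbound enable
        set natinbound disable
    next
end
```

FortiGate_2 needs the mirror image: its remote-gw is the address of FortiGate_1's port2, its phase 2 selectors swap src-subnet and dst-subnet, its policies and static route point at Finance_Network instead of HR_Network, and the pre-shared key and proposals must match exactly. After traffic is sent across the tunnel, `diagnose vpn ike gateway list` shows the phase 1 negotiation state and `diagnose vpn tunnel list` shows the installed phase 2 SAs; a phase 1 that never establishes usually means mismatched PSK or proposals, while a phase 1 that is up with no phase 2 SAs usually means the selectors do not mirror each other.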
