Site2Site IPSec VPN With Dynamic IP PDF

Site-to-site IPSec VPN by using dynamic IP
example
Technical Note
Site-to-site IPSec VPN by using dynamic IP example Technical Note

Document Version: Version 2
Publication Date: 24 August 2012
Description: This technical note features a detailed configuration example that demonstrates
how to set up a basic site-to-site IPSec VPN that uses preshared keys to
authenticate the two VPN peers.
Product: FortiGate v4.00 MR3
Document Number: 09-28006-0119-20100605
Fortinet Inc. 09-28006-0119-20100605 Page 1 of 15

© Copyright 2012 Fortinet Inc. All rights reserved.
No part of this publication including text, examples, diagrams or illustrations

may be reproduced, transmitted, or translated in any form or by any means,
electronic, mechanical, manual, optical or otherwise, for any purpose, without
prior written permission of Fortinet Inc.
Site-to-site IPSec VPN by using dynamic IP example Technical Note

FortiGate v4.00 MR3
24 August 2012
09-28006-0119-20100605
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective
holders.

Contents
Table of Contents
Network topology ... .................................................................................................................... 4
Infrastructure requirements .................................................................................................4
Setup Firewall-Address on FortiGate_1... .................................................................................. 5
Define the IP/Netmask or FQDN... ......................................................................................... 5
Setup Firewall-Address on FortiGate_2... .................................................................................. 6
Define the IP/Netmask or FQDN... ......................................................................................... 6
Configuring IPSEC VPN on FortiGate_1... ................................................................................ 7
Define the phase 1 parameters... ........................................................................................... 7
Configuring IPSEC VPN on FortiGate_2... ................................................................................ 9
Define Policy and Router on FortiGate_1... ............................................................................... 11
Define Policy and Router on FortiGate_2... ............................................................................... 13
Finalize Policy and VPN... .......................................................................................................... 15

Site-to-site IPSec VPN by using dynamic IP example
This technical note features a detailed configuration example that demonstrates how to set up a basic
site-to-site IPSec VPN that uses preshared keys to
authenticate the two VPN peers. The following sections are included:
• Network topology
• Setup Firewall-Address on FortiGate_1
• Setup Firewall-Address on FortiGate_2
• Configuring FortiGate_1
• Configuring FortiGate_2
• Define Policy and Router on FortiGate_1
• Define Policy and Router on FortiGate_2
• Finalize
Network topology
In a site-to-site configuration, two FortiGate units create an IPSec tunnel between two separate
private networks. All traffic between the two networks is encrypted and protected by FortiGate
firewall policies. See Figure 1.
Figure 1: Example Site-to-site configuration
Site_1 Site_2
FortiGate_1 FortiGate_2
Internet
111.111.111.111 222.222.222.222
us.dyndns.org tw.dyndns.org
(WAN1) (WAN1)
US Network TW Network
192.168.11.0/24 192.168.22.0/24
(Internal) (Internal)
In the examples throughout this technical bulletin, the network devices are assigned IP
addresses as shown in Figure 1.
Infrastructure requirements
• The FortiGate units at both ends of the tunnel must be operating in NAT mode and have public
IP addresses by static or dynamic with www.dyndns.org as service.

Site-to-site IPSec VPN by using dynamic IP Example
Setup Firewall-Address on FortiGate_1

Define the IP/netmask or FQDN
To define the IP/netmask
1 Go to Firewall > Address > Address.
2-1 Select (Create New), enter the following information, and select OK:
Address Name Type a name for the local network (e.g., US_Network)
Type Subnet / IP Range
Subnet / IP Range 192.168.11.0/255.255.255.0
Interface Internal
Address Name Type a name for the local network (e.g., TW_Network)
Subnet / IP Range 192.168.22.0/255.255.255.0
Interface WAN1(ADSL)
To define the FQDN

2 Select (Create New), enter the following information, and select OK:
Type FQDN
FQDN tw.dyndns.org

Setup Firewall-Address on FortiGate_2

Define the IP/netmask or FQDN
To define the IP/netmask
Subnet / IP Range 192.168.22.0/255.255.255.0
Interface Internal
Subnet / IP Range 192.168.11.0/255.255.255.0
To define the FQDN

Type FQDN
FQDN us.dyndns.org

Configuring FortiGate_1
Define the phase 1 parameters
Before you define the phase 1 parameters, you need to:
• Reserve a name for the remote gateway.
• Obtain the IP address of the public interface to the remote peer.
• Reserve a unique value for the preshared key (e.g. passkey1$).
The key must contain at least 6 printable characters and should only be known by
network administrators. For optimum protection against currently known attacks, the
key should consist of a minimum of 16 randomly chosen alphanumeric characters.
To define the phase 1 parameters

1 Go to VPN > IPsec > Auto Key (IKE).
2-1 Select (Create Phase 1), enter the following information, and select OK:
Gateway Name Type a name for the remote gateway (e.g., ToFortiGate2).
Remote Gateway Dynamic DNS
Dynamic DNS tw.dyndns.org
Local Interface WAN1(ADSL)
Mode Main (ID protection)
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key (e.g., passkey$).
Peer Options Accept any peer ID
2-2 Select (Advanced…), enter the following information, and select OK:
Local Gateway IP Main Interface IP
P1 Proposal 1- Encryption: 3DES Authentication: SHA1

2- Encryption: 3DES Authentication: MD5
DH Group 5
Keylife 28800
XAUTH Disable
NAT Traversal Enable
Keepalive Frequency 10
Dead Peer Detection Enable

Configuring FortiGate_1 (continue…)

The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1
configuration and specify the remote end point of the VPN tunnel. Before you define the
phase 2 parameters, you need to reserve a name for the tunnel.
1 Go to VPN > IPSEC > Auto Key (IKE).

2-1 Select (Create Phase 2), enter the following information and select OK:
Name Enter a name for the tunnel (e.g., ToFortigate2-ph2).
Phase 1 Select the gateway that you defined previously (e.g., ToFortigate2).
2-2 Select (Advanced…), enter the following information and select OK:
P2 Proposal 1-Encryption: 3DES Authentication: SHA1

1-Encryption: 3DES Authentication: MD5
[v] Enable replay detection
[v] Enable perfect forward secrecy (PFS)
DH Group: 5
Keylife Seconds 1800
Autokey Keep Alive Enable
Quick Mode Selector Source address: (*)select: 192.168.11.0/24 or US_NETWORK

Source port:0
Destination port: (*)select: 192.168.22.0/24 or TW_NETWORK
Destination port: 0
Protocol: 0

Configuring FortiGate_2
Before you define the phase 1 parameters, you need to:
• Reserve a name for the remote gateway.
• Obtain the IP address of the public interface to the remote peer.
• Reserve a unique value for the preshared key (e.g. passkey1$).
The key must contain at least 6 printable characters and should only be known by
network administrators. For optimum protection against currently known
attacks, the key should consist of a minimum of 16 randomly chosen
alphanumeric characters.

2-1 Select (Create Phase 1), enter the following information, and select OK:
Gateway Name Type a name for the remote gateway (e.g., ToFortiGate1).
Remote Gateway Dynamic DNS
Dynamic DNS us.dyndns.org
Local Interface WAN1(ADSL)
Mode Main (ID protection)
Authentication Method Preshared Key
Pre-shared Key Enter the preshared key (e.g., passkey$).
Peer Options Accept any peer ID
2-2 Select (Advanced…), enter the following information, and select OK:
Local Gateway IP Main Interface IP
P1 Proposal 1- Encryption: 3DES Authentication: SHA1

2- Encryption: 3DES Authentication: MD5
DH Group 5
Keylife 28800
XAUTH Disable
NAT Traversal Enable
Keepalive Frequency 10
Dead Peer Detection Enable

Configuring FortiGate_2 (continue…)

The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1
configuration and specify the remote end point of the VPN tunnel. Before you define the
phase 2 parameters, you need to reserve a name for the tunnel.

2-1 Select (Create Phase 2), enter the following information and select OK:
Name Enter a name for the tunnel (e.g., ToFortigate1-ph2).
Phase 1 Select the gateway that you defined previously (e.g., ToFortigate1).
2-2 Select (Advanced…), enter the following information and select OK:
P2 Proposal 1-Encryption: 3DES Authentication: SHA1

1-Encryption: 3DES Authentication: MD5
[v] Enable replay detection
[v] Enable perfect forward secrecy (PFS)
DH Group: 5
Keylife: Seconds 1800
Autokey Keep Alive Enable
Quick Mode Selector Source address: (*)select: 192.168.22.0/24 or TW_NETWORK

Source port:0
Destination port: (*)select: 192.168.11.0/24 or US_NETWORK
Destination port: 0
Protocol: 0

Define Policy and Router on FortiGate_1

Define the firewall encryption policy
Firewall policies control all IP traffic passing between a source address and a
destination address. A firewall encryption policy is needed to allow the
transmission of encrypted packets, specify the permitted direction of VPN
traffic, and select the VPN tunnel that will be subject to the policy. A single
encryption policy is needed to control both inbound and outbound IP traffic
through a VPN tunnel.
Before you define the policy, you must first specify the IP source and
destination addresses. In a Site-to-site configuration:
• The source IP address corresponds to the private network behind the local FortiGate
unit.
• The destination IP address refers to the private network behind the remote VPN peer.
To define the firewall encryption policy for a policy-based VPN

1 Go to Firewall > Policy > Policy.
Source Interface/Zone Internal
Source Address US_Network or 192.168.11.0/24
Destination Interface/Zone WAN1 (ADSL)
Destination Address TW_Network or 192.168.22.0/24
Schedule Always
Service ANY
Action IPSEC
VPN Tunnel 2Fortigate2
Allow inbound [v]
Allow outbound [v]
Inbound NAT Disable
Outbound NAT Disable
3 Place the policy in the policy list above any other policies having similar source and
destination addresses.

Define Policy and Router on FortiGate_1 (continue…)

To define the firewall encryption policy for a route-based VPN
Destination Interface/Zone 2Fortigate2
Schedule Always
Service ANY
Action ACCEPT
Inbound NAT Disable
Source Interface/Zone 2Fortigate2
Source Address TW_Network or 192.168.22.0/24
Destination Interface/Zone Internal
Destination Address US_Network or 192.168.11.0/24
Schedule Always
Service ANY
Action ACCEPT
Inbound NAT Disable
5 Go to Router > Static.
Destination IP / Mask 192.168.22.0/24
Service 2Fortigate2
Gateway Leave as default: 0.0.0.0
Distance Leave this as its default

Define Policy and Router on FortiGate_2

Define the firewall encryption policy
Firewall policies control all IP traffic passing between a source address and a
destination address. A firewall encryption policy is needed to allow the
transmission of encrypted packets, specify the permitted direction of VPN
traffic, and select the VPN tunnel that will be subject to the policy. A single
encryption policy is needed to control both inbound and outbound IP traffic
through a VPN tunnel.
Before you define the policy, you must first specify the IP source and
destination addresses. In a Site-to-site configuration:
• The source IP address corresponds to the private network behind the local FortiGate
unit.
• The destination IP address refers to the private network behind the remote VPN peer.
To define the firewall encryption policy

Destination Interface/Zone WAN1 (ADSL)
Schedule Always
Service ANY
Action IPSEC
VPN Tunnel 2Fortigate1
Allow inbound [v]
Allow outbound [v]
Inbound NAT Disable
Outbound NAT Disable

Define Policy and Router on FortiGate_2 (continue…)

To define the firewall encryption policy for a route-based VPN
Destination Interface/Zone 2Fortigate1
Schedule Always
Service ANY
Action ACCEPT
Inbound NAT Disable
Source Interface/Zone 2Fortigate1
Destination Interface/Zone Internal
Schedule Always
Service ANY
Action ACCEPT
Inbound NAT Disable
5 Go to Router > Static.
Destination IP / Mask 192.168.11.0/24
Service 2Fortigate1
Gateway Leave as default: 0.0.0.0
Distance Leave this as its default

Finalize
Policy and VPN
To Move up the firewall encryption policy on top

1 Go to Firewall > Policy > select internal -> wan1 policy.
2 Click the Move To and move the policy to the very top.
(If you don’t put it on top, you are unable to ping site’s IP from the other site’s client PC)
To Bring Up the site-to-site VPN
1 Go to VPN > IPSEC > Monitor

Click on Bring Up under Status.
SOURCE:
http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-ipsec-40-mr3.pdf
http://docs.fortinet.com/cookbook.html

Site2Site IPSec VPN With Dynamic IP PDF

Caricato da

Informazioni sul documento

Titolo originale

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Site2Site IPSec VPN With Dynamic IP PDF

Caricato da

Copyright:

Formati disponibili

Site-to-site IPSec VPN by using dynamic IP

Site-to-site IPSec VPN by using dynamic IP example Technical Note

Fortinet Inc. 09-28006-0119-20100605 Page 1 of 15

No part of this publication including text, examples, diagrams or illustrations

Site-to-site IPSec VPN by using dynamic IP example Technical Note

Fortinet Inc. 09-28006-0119-20100605 Page 2 of 15

Fortinet Inc. 09-28006-0119-20100605 Page 3 of 15

Figure 1: Example Site-to-site configuration

Fortinet Inc. 09-28006-0119-20100605 Page 4 of 15

Setup Firewall-Address on FortiGate_1

Type Subnet / IP Range

Subnet / IP Range 192.168.11.0/255.255.255.0

Type Subnet / IP Range

Subnet / IP Range 192.168.22.0/255.255.255.0

To define the FQDN

Fortinet Inc. 09-28006-0119-20100605 Page 5 of 15

Setup Firewall-Address on FortiGate_2

Type Subnet / IP Range

Subnet / IP Range 192.168.22.0/255.255.255.0

Type Subnet / IP Range

Subnet / IP Range 192.168.11.0/255.255.255.0

To define the FQDN

Fortinet Inc. 09-28006-0119-20100605 Page 6 of 15

To define the phase 1 parameters

Remote Gateway Dynamic DNS

Dynamic DNS tw.dyndns.org

Local Interface WAN1(ADSL)

Mode Main (ID protection)

Authentication Method Preshared Key

Pre-shared Key Enter the preshared key (e.g., passkey$).

Peer Options Accept any peer ID

Local Gateway IP Main Interface IP

P1 Proposal 1- Encryption: 3DES Authentication: SHA1

NAT Traversal Enable

Dead Peer Detection Enable

Fortinet Inc. 09-28006-0119-20100605 Page 7 of 15

Configuring FortiGate_1 (continue…)

To define the phase 2 parameters

1 Go to VPN > IPSEC > Auto Key (IKE).

Name Enter a name for the tunnel (e.g., ToFortigate2-ph2).

P2 Proposal 1-Encryption: 3DES Authentication: SHA1

Keylife Seconds 1800

Autokey Keep Alive Enable

Quick Mode Selector Source address: (*)select: 192.168.11.0/24 or US_NETWORK

Fortinet Inc. 09-28006-0119-20100605 Page 8 of 15

To define the phase 1 parameters

Remote Gateway Dynamic DNS

Dynamic DNS us.dyndns.org

Local Interface WAN1(ADSL)

Mode Main (ID protection)

Authentication Method Preshared Key

Pre-shared Key Enter the preshared key (e.g., passkey$).

Peer Options Accept any peer ID

Local Gateway IP Main Interface IP

P1 Proposal 1- Encryption: 3DES Authentication: SHA1

NAT Traversal Enable

Dead Peer Detection Enable

Fortinet Inc. 09-28006-0119-20100605 Page 9 of 15

Configuring FortiGate_2 (continue…)

Define the phase 2 parameters

To define the phase 2 parameters

1 Go to VPN > IPSEC > Auto Key (IKE).

Name Enter a name for the tunnel (e.g., ToFortigate1-ph2).