Technical Note
Trademarks
Products mentioned in this document are trademarks or registered trademarks of their respective
holders.
Table of Contents
Network topology
Infrastructure requirements
Setup Firewall-Address on FortiGate_1
    Define the IP/Netmask or FQDN
Setup Firewall-Address on FortiGate_2
    Define the IP/Netmask or FQDN
Configuring IPSEC VPN on FortiGate_1
    Define the phase 1 parameters
    Define the phase 2 parameters
Configuring IPSEC VPN on FortiGate_2
    Define the phase 1 parameters
    Define the phase 2 parameters
Define Policy and Router on FortiGate_1
Define Policy and Router on FortiGate_2
Finalize Policy and VPN
This technical note features a detailed configuration example that demonstrates how to set up a basic site-to-site IPSec VPN that uses preshared keys to authenticate the two VPN peers. The following sections are included:
• Network topology
• Setup Firewall-Address on FortiGate_1
• Setup Firewall-Address on FortiGate_2
• Configuring FortiGate_1
• Configuring FortiGate_2
• Define Policy and Router on FortiGate_1
• Define Policy and Router on FortiGate_2
• Finalize
Network topology
In a site-to-site configuration, two FortiGate units create an IPSec tunnel between two separate
private networks. All traffic between the two networks is encrypted and protected by FortiGate
firewall policies. See Figure 1.
Figure 1: Site-to-site topology (the two WAN1 interfaces reach each other across the Internet)

                     Site_1                    Site_2
FortiGate unit       FortiGate_1               FortiGate_2
WAN1 (public IP)     111.111.111.111           222.222.222.222
Dynamic DNS name     us.dyndns.org             tw.dyndns.org
Internal network     US Network                TW Network
                     192.168.11.0/24           192.168.22.0/24
In the examples throughout this technical bulletin, the network devices are assigned IP
addresses as shown in Figure 1.
Infrastructure requirements
• The FortiGate units at both ends of the tunnel must be operating in NAT mode and have public IP addresses, either static or dynamic (with www.dyndns.org as the dynamic DNS service).
Setup Firewall-Address on FortiGate_1
Define the IP/Netmask or FQDN
    Address Name    Type a name for the local network (e.g., US_Network)
    Interface       Internal
2-2 Select (Create New), enter the following information, and select OK:
    Address Name    Type a name for the remote network (e.g., TW_Network)
    Type            FQDN
    FQDN            tw.dyndns.org
    Interface       WAN1(ADSL)
Setup Firewall-Address on FortiGate_2
Define the IP/Netmask or FQDN
    Address Name    Type a name for the local network (e.g., TW_Network)
    Interface       Internal
2-2 Select (Create New), enter the following information, and select OK:
    Address Name    Type a name for the remote network (e.g., US_Network)
    Type            FQDN
    FQDN            us.dyndns.org
    Interface       WAN1(ADSL)
Configuring FortiGate_1
Define the phase 1 parameters
Before you define the phase 1 parameters, you need to:
• Reserve a name for the remote gateway.
• Obtain the IP address of the public interface to the remote peer.
• Reserve a unique value for the preshared key (e.g. passkey1$).
The key must contain at least 6 printable characters and should only be known by
network administrators. For optimum protection against currently known attacks, the
key should consist of a minimum of 16 randomly chosen alphanumeric characters.
    Gateway Name    Type a name for the remote gateway (e.g., ToFortiGate2).
2-2 Select (Advanced…), enter the following information, and select OK:
    DH Group              5
    Keylife               28800
    XAUTH                 Disable
    Keepalive Frequency   10
Define the phase 2 parameters
    Phase 1    Select the gateway that you defined previously (e.g., ToFortiGate2).
2-2 Select (Advanced…), enter the following information, and select OK:
Configuring FortiGate_2
Define the phase 1 parameters
Before you define the phase 1 parameters, you need to:
• Reserve a name for the remote gateway.
• Obtain the IP address of the public interface to the remote peer.
• Reserve a unique value for the preshared key (e.g. passkey1$).
The key must contain at least 6 printable characters and should only be known by
network administrators. For optimum protection against currently known
attacks, the key should consist of a minimum of 16 randomly chosen
alphanumeric characters.
    Gateway Name    Type a name for the remote gateway (e.g., ToFortiGate1).
2-2 Select (Advanced…), enter the following information, and select OK:
    DH Group              5
    Keylife               28800
    XAUTH                 Disable
    Keepalive Frequency   10
Define the phase 2 parameters
    Phase 1    Select the gateway that you defined previously (e.g., ToFortiGate1).
2-2 Select (Advanced…), enter the following information, and select OK:
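The preshared-key rules stated in the phase 1 prerequisites for FortiGate_1 and FortiGate_2 (at least 6 printable characters; a minimum of 16 randomly chosen alphanumeric characters recommended), expressed as a small checker and generator. This is an added example, not code from the technical note or from Fortinet; the character-diversity heuristic is this example's own assumption.

```python
"""Preshared-key check for the site-to-site IPSec example (added example)."""
from __future__ import annotations

import secrets
import string

MIN_LEN = 6           # hard minimum stated in the note
RECOMMENDED_LEN = 16  # recommended minimum for a randomly chosen key
ALPHANUM = string.ascii_letters + string.digits


def check_psk(key: str) -> tuple[bool, list[str]]:
    """Return (accepted, findings).

    accepted is False only when the hard minimum is violated. findings lists
    every rule the key falls short of, including the recommendation, so a key
    such as the note's example 'passkey1$' is accepted but still flagged.
    """
    findings: list[str] = []
    if len(key) < MIN_LEN or not key.isprintable():
        findings.append("must contain at least 6 printable characters")
        return False, findings
    if len(key) < RECOMMENDED_LEN:
        findings.append("shorter than the recommended 16 characters")
    # Assumed heuristic: a key reusing few distinct characters (e.g. 'aaaa...')
    # was not randomly chosen, which is what the recommendation asks for.
    if len(set(key)) < len(key) // 2:
        findings.append("low character diversity; choose the key at random")
    return True, findings


def generate_psk(length: int = RECOMMENDED_LEN) -> str:
    """Generate an alphanumeric key from the OS CSPRNG that passes check_psk
    with no findings. Both peers must be configured with the same value."""
    if length < RECOMMENDED_LEN:
        raise ValueError("length below the recommended minimum of 16")
    while True:
        key = "".join(secrets.choice(ALPHANUM) for _ in range(length))
        if check_psk(key) == (True, []):
            return key


if __name__ == "__main__":
    print(check_psk("passkey1$"))   # accepted, but shorter than recommended
    print(generate_psk())
```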
Define Policy and Router on FortiGate_1
    Schedule    Always
    Service     ANY
    Action      IPSEC
3 Place the policy in the policy list above any other policies having similar source and destination addresses.
    Schedule    Always
    Service     ANY
    Action      ACCEPT
3 Select (Create New), enter the following information, and select OK:
    Schedule    Always
    Service     ANY
    Action      ACCEPT
4 Place the policy in the policy list above any other policies having similar source and destination addresses.
5 Go to Router > Static.
6 Select (Create New), enter the following information, and select OK:
    Service     2Fortigate2
Define Policy and Router on FortiGate_2
    Schedule    Always
    Service     ANY
    Action      IPSEC
3 Place the policy in the policy list above any other policies having similar source and destination addresses.
    Schedule    Always
    Service     ANY
    Action      ACCEPT
3 Select (Create New), enter the following information, and select OK:
    Schedule    Always
    Service     ANY
    Action      ACCEPT
4 Place the policy in the policy list above any other policies having similar source and destination addresses.
5 Go to Router > Static.
6 Select (Create New), enter the following information, and select OK:
    Service     2Fortigate1
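Steps 3 and 4 on both units require the IPSEC policy to sit above any other policy with similar source and destination addresses, because policies are matched top-down and a broader ACCEPT policy placed first would carry the site-to-site traffic outside the tunnel. The following added example (not code from the note or from Fortinet) audits an ordered policy list for that mistake and reorders it; the policy names and the "internet_out" policy are constructed, and addresses are the networks from Figure 1.

```python
"""Policy-order audit for the IPSEC policies (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Policy:
    name: str
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation
    action: str   # IPSEC, ACCEPT or DENY


def overlaps(a: str, b: str) -> bool:
    return ip_network(a, strict=False).overlaps(ip_network(b, strict=False))


def shadowed_ipsec_policies(policies: list[Policy]) -> list[tuple[str, str]]:
    """Return (ipsec_policy, earlier_policy) pairs where a non-IPSEC policy
    listed earlier matches overlapping source and destination, so the IPSEC
    policy is never reached for that traffic and the tunnel is not used."""
    findings = []
    for i, p in enumerate(policies):
        if p.action != "IPSEC":
            continue
        for earlier in policies[:i]:
            if (earlier.action != "IPSEC"
                    and overlaps(earlier.src, p.src) and overlaps(earlier.dst, p.dst)):
                findings.append((p.name, earlier.name))
    return findings


def fix_order(policies: list[Policy]) -> list[Policy]:
    """Return a copy in which each shadowed IPSEC policy is moved directly
    above the first policy that shadows it (assumes unique policy names)."""
    fixed = list(policies)
    while findings := shadowed_ipsec_policies(fixed):
        ipsec_name, earlier_name = findings[0]
        p = next(x for x in fixed if x.name == ipsec_name)
        fixed.remove(p)
        fixed.insert(next(i for i, x in enumerate(fixed) if x.name == earlier_name), p)
    return fixed


# Constructed sample: FortiGate_1's list with a general Internet-access policy
# placed above the tunnel policy, the ordering step 3 warns against.
SAMPLE = [
    Policy("internet_out", "192.168.11.0/24", "0.0.0.0/0", "ACCEPT"),
    Policy("US_to_TW", "192.168.11.0/24", "192.168.22.0/24", "IPSEC"),
]

if __name__ == "__main__":
    for ipsec, earlier in shadowed_ipsec_policies(SAMPLE):
        print(f"{ipsec} is shadowed by {earlier}; move it above")
    print([p.name for p in fix_order(SAMPLE)])
```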
Finalize Policy and VPN
SOURCE:
http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-ipsec-40-mr3.pdf
http://docs.fortinet.com/cookbook.html