Creating a Fortigate VPN | Network & Security Blog                           http://www.ipspace.eu/fortinet/creating-a-fortigate-vpn/




          Creating a Fortigate VPN
          Posted by Daniel on May 28, 2012 in Fortigate, Fortinet | 15 comments




          Hello,



          In this post I will show you how to create a policy-based Fortigate VPN. I will be using FortiOS
          version 4.0 MR3.

          For the VPN tunnel we used the following topology:







          Creating Fortigate VPN Steps:
          I. Go to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.




          II. Enter the following information in Phase1




          Name: Fortigate_VPN1 - This is the name that identifies the VPN tunnel. Remember it, as you will
          need it again when configuring Phase2.

          Remote Gateway: Enter the static IP of the VPN remote peer. In our example it is 2.2.2.2.

          Local Interface: Select the interface that has outside Internet access. In our case we picked
          WAN1. Note: This interface cannot be a loopback interface.

          Mode: Main Mode

          Authentication: Pre-shared Key -> pick a shared key with more than 6 characters.

          Click Advanced:

          Select the P1 Proposals (we picked):
          Encryption: 3DES
          Authentication: MD5
          DH Group: 2
          Keylife: 28800
          Local ID: <none>
          XAUTH: Disabled
          NAT Traversal: Disabled
          Dead Peer Detection: Disabled. Note: please keep in mind to set this to disabled in case you are
          peering with another VPN vendor. I have found out that this can break the VPN tunnel.

          Click OK.

          The VPN Phase1 has now been created successfully.



          III. Now we need to create VPN Phase2. Below are the steps:




          Name: Select a name that suits you. We picked Phase2_Fortigate_VPN1.

          Phase1: Select the name of the Phase1 you created earlier. We picked Fortigate_VPN1.

          Encryption: 3DES

          Authentication: MD5

          Quick Mode Selector: This defines the IP ranges that you want to pass through the VPN.

          As in the picture, we picked:

          The Source Address: 10.10.10.0/24, the network behind our Fortigate_1 VPN appliance.

          The Destination Address: 10.20.20.0/24, the network behind our Fortigate_2 VPN appliance.



          IV. Define VPN Source Selectors

          1. Create a firewall address: go to Firewall Objects > Addresses > Address and select Create
          New.

          Enter the following information and press OK:

          Address Name: Sales_Network

          Subnet/IP Range: 10.10.10.0/24

          2. Create another firewall address (for the network behind Fortigate 2): go to Firewall Objects >
          Addresses > Address and select Create New.

          Enter the following information and press OK:

          Address Name: Remote_Sales_Network

          Subnet/IP Range: 10.20.20.0/24



          V. Create a Firewall Policy on the Fortigate:

          a. Go to Policy > Policy

          b. Select Create New

          c. Enter the following information and press OK

          Source Interface/Zone: Select Internal

          Source Address Name: Select Sales_Network

          Destination Interface/Zone: Select WAN1

          Destination Address Name: Remote_Sales_Network

          Action: IPSEC

          VPN Tunnel: Fortigate_VPN1

          Select ONLY the following options: Allow Inbound and Allow Outbound



          Everything should be up and running now.

          Please let me know if you have any questions.




          15 Comments



             1.
                  Santosh Kumar Nayak / June 2, 2012

                  Can you please help me in blocking Google+ in Fortinet Firewall? I have already blocked Social
                  Networking but it doesn't get blocked by the Firewall.







                         Daniel / June 2, 2012

                         Santhosh,

                         You can create a new URL filter, or add to an existing one the plus.google.com URL and
                         mark it as blocked. Also please be careful that when applying the Web Filter, you also
                         mark the inspection for HTTPS (as Google Plus could be using SSL).

                         Hope it helps.





                                 Santosh Kumar Nayak / June 13, 2012

                                 Hi!!!!

                                 I tried that also, it didn't work. It works only if I set HTTPS (Deep Scan). But in this case
                                 all my websites are asking for certificates, even in Outlook also. Is there any other
                                 way?





                                          Daniel / June 15, 2012

                                          So you added plus.google.com as a blocked URL and it didn't work?

                                          Please try something like this in the url filter:
                                          url: .*dropbox.com.*
                                          type: regex
                                          action: blocked
                                          enable: yes (ticked)

                                          I did not try this, but it should work. Please let me know the outcome.





                                                  Santosh Kumar Nayak / June 18, 2012

                                                  Hi!

                                                  It works for other sites. But for Google Plus it doesn't block.
                                                  If I give deep scanning then it blocks as Social Networking category. But
                                                  for most of the sites it is getting certificate issues.
                                                  Is there any other solution?




             2.
                  Daniel / June 11, 2012

                  Hi!
                  Very nice description. You described the settings for one Fortigate. Is it right that I have to set
                  up the remote sales network Fortigate the same way as the sales network Fortigate unit?

                  Thank you in advance!





                          Daniel / June 13, 2012

                          Well, now I can answer my question myself: YES!




             3.
                  Manuel Guzman / December 19, 2012

                  Good morning, I have an IPsec site-to-site between a Fortigate 100D and a Cisco SA520. I can
                  access from the network that is behind the Cisco to the one that is behind the Fortigate, but I
                  can't access from the one behind the Fortigate to the one behind the Cisco. Any ideas or
                  recommendations?
                  Thank you




             4.
                  Shabeer / February 10, 2013

                  I want to connect between two offices, using dyndns.

                  In head office we already have 5 VPNs. I am new in office.

                  Can you kindly show me what kind of configuration I can have to connect between 10.0.0.0/24
                  and 10.0.6.0/24 using dyndns?







                          kaleem / March 2, 2013

                          Dear Shabeer,

                          I am also looking for the same. If you got any material, then please share it with me at
                          kaleemullahbilal@gmail.com




             5.
                  James Greene / February 20, 2013

                  I am trying to set up a VPN tunnel to a Cisco ASA 5520. I get the following error:

                  NO-PROPOSAL-CHOSEN from your side.

                  Any help would be greatly appreciated.





                          admin / February 20, 2013

                          Hello,

                          That means that the Fortigate or the ASA side does not have the same encryption or source
                          selector configured.
                          The Phase2 is not matching between the ASA and the Fortigate.

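A small pre-flight check for the condition described in this reply, added here as an example (not part of the thread or of FortiOS): it compares the Phase1/Phase2 settings of two peers and reports the proposal, DH group and selector mismatches that lead to NO-PROPOSAL-CHOSEN. The peer settings are constructed from the post's values; the PEER_BROKEN entry is hypothetical.

```python
"""Pre-flight check for mismatched IPsec peers.

Added example (not part of the post or of FortiOS): given the Phase1/Phase2
settings of both peers, report the mismatches that typically produce
NO-PROPOSAL-CHOSEN. The sample values below are constructed to mirror
the post (3des-md5, DH group 2, 10.10.10.0/24 <-> 10.20.20.0/24).
"""
import ipaddress


def check_peers(local, remote):
    """Return a list of mismatch descriptions; an empty list means the
    two sides agree on proposals, DH group and mirrored selectors."""
    problems = []
    # Phase1 and Phase2 each need at least one proposal both sides offer.
    for phase in ("phase1", "phase2"):
        common = set(local[phase]["proposal"]) & set(remote[phase]["proposal"])
        if not common:
            problems.append(f"{phase} proposal: no common entry "
                            f"({local[phase]['proposal']} vs "
                            f"{remote[phase]['proposal']})")
    # Main-mode Phase1 negotiates a single DH group; it must match.
    if local["phase1"]["dhgrp"] != remote["phase1"]["dhgrp"]:
        problems.append("phase1 dhgrp differs")
    # Phase2 selectors must be mirror images: my src is the peer's dst.
    lsrc = ipaddress.ip_network(local["phase2"]["src"])
    ldst = ipaddress.ip_network(local["phase2"]["dst"])
    rsrc = ipaddress.ip_network(remote["phase2"]["src"])
    rdst = ipaddress.ip_network(remote["phase2"]["dst"])
    if lsrc != rdst or ldst != rsrc:
        problems.append(f"phase2 selectors not mirrored: local {lsrc}->{ldst}, "
                        f"remote {rsrc}->{rdst}")
    return problems


# Constructed sample: Fortigate_1 as configured in the post.
FORTIGATE_1 = {
    "phase1": {"proposal": ["3des-md5"], "dhgrp": 2},
    "phase2": {"proposal": ["3des-md5"],
               "src": "10.10.10.0/24", "dst": "10.20.20.0/24"},
}
# Matching peer: same proposals, selectors swapped.
FORTIGATE_2_OK = {
    "phase1": {"proposal": ["3des-md5"], "dhgrp": 2},
    "phase2": {"proposal": ["3des-md5"],
               "src": "10.20.20.0/24", "dst": "10.10.10.0/24"},
}
# Hypothetical peer whose Phase2 offers only AES-SHA1 and whose selectors
# were typed in the local direction: the shape of the ASA case above.
PEER_BROKEN = {
    "phase1": {"proposal": ["3des-md5", "aes128-sha1"], "dhgrp": 2},
    "phase2": {"proposal": ["aes128-sha1"],
               "src": "10.10.10.0/24", "dst": "10.20.20.0/24"},
}

if __name__ == "__main__":
    for name, peer in (("ok", FORTIGATE_2_OK), ("broken", PEER_BROKEN)):
        print(name, check_peers(FORTIGATE_1, peer) or "no mismatch")
```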



             6.
                  Rene Bosshard / February 22, 2013

                  Very good and short post.

                  I made it from a Fortigate 60B to a Zywall. I have a VPN tunnel, but I cannot ping or access
                  the servers behind.

                  What is Wrong?





                          admin / March 1, 2013

                          I need the configuration of both firewalls to see this.



             7.
                  Daniel / July 8, 2012

                  Which IE browser are you using? IE9 works fine.


