Technical Note
Site-to-site IPSec VPN by using dynamic IP example

Document Version: Version 2
Publication Date: 24 August 2012
Description: This technical note features a detailed configuration example that demonstrates how to set up a basic site-to-site IPSec VPN that uses preshared keys to authenticate the two VPN peers.
Product: FortiGate v4.00 MR3
Fortinet Inc.
09-28006-0119-20100605
Page 1 of 15
Copyright 2012 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Table of Contents

Network topology ......................................................... 4
Infrastructure requirements ............................................ 4
Setup Firewall-Address on FortiGate_1 .................................. 5
    Define the IP/Netmask or FQDN ...................................... 5
Setup Firewall-Address on FortiGate_2 .................................. 6
    Define the IP/Netmask or FQDN ...................................... 6
Configuring IPSEC VPN on FortiGate_1 ................................... 7
    Define the phase 1 parameters ...................................... 7
    Define the phase 2 parameters ...................................... 8
Configuring IPSEC VPN on FortiGate_2 ................................... 9
    Define the phase 1 parameters ...................................... 9
    Define the phase 2 parameters ...................................... 10
Define Policy and Router on FortiGate_1 ................................ 11
Define Policy and Router on FortiGate_2 ................................ 13
Finalize Policy and VPN ................................................ 15
Network topology
In a site-to-site configuration, two FortiGate units create an IPSec tunnel between two separate private networks. All traffic between the two networks is encrypted and protected by FortiGate firewall policies. See Figure 1.
Figure 1: Example Site-to-site configuration
[Figure 1: Site_1 hosts FortiGate_1, with WAN1 at 111.111.111.111 (us.dyndns.org) and its Internal interface on the US Network, 192.168.11.0/24. Site_2 hosts FortiGate_2, with WAN1 at 222.222.222.222 (tw.dyndns.org) and its Internal interface on the TW Network, 192.168.22.0/24. The two WAN1 interfaces reach each other over the Internet.]
In the examples throughout this technical bulletin, the network devices are assigned IP addresses as shown in Figure 1.
Infrastructure requirements
The FortiGate units at both ends of the tunnel must be operating in NAT mode and must have public IP addresses, either static or dynamic. A unit with a dynamic public address registers it with the www.dyndns.org dynamic DNS service so that the peer can reach it by FQDN.
Setup Firewall-Address on FortiGate_1

Define the IP/Netmask or FQDN

To define the IP/Netmask
1 Go to Firewall > Address > Address.
2-1 Select (Create New), enter the following information, and select OK:
Address Name: Type a name for the local network (e.g., US_Network)
Type: Subnet / IP Range
Subnet / IP Range: 192.168.11.0/255.255.255.0
Interface: Internal
2-2 Select (Create New), enter the following information, and select OK:
Address Name: Type a name for the remote network (e.g., TW_Network)
Type: Subnet / IP Range
Subnet / IP Range: 192.168.22.0/255.255.255.0
Interface: WAN1(ADSL)

To define the FQDN
1 Go to Firewall > Address > Address.
2 Select (Create New), enter the following information, and select OK:
Address Name: Type a name for the remote network (e.g., TW_Network)
Type: FQDN
FQDN: tw.dyndns.org
Interface: WAN1(ADSL)
Setup Firewall-Address on FortiGate_2

Define the IP/Netmask or FQDN

To define the IP/Netmask
1 Go to Firewall > Address > Address.
2-1 Select (Create New), enter the following information, and select OK:
Address Name: Type a name for the local network (e.g., TW_Network)
Type: Subnet / IP Range
Subnet / IP Range: 192.168.22.0/255.255.255.0
Interface: Internal
2-2 Select (Create New), enter the following information, and select OK:
Address Name: Type a name for the remote network (e.g., US_Network)
Type: Subnet / IP Range
Subnet / IP Range: 192.168.11.0/255.255.255.0
Interface: WAN1(ADSL)

To define the FQDN
1 Go to Firewall > Address > Address.
2 Select (Create New), enter the following information, and select OK:
Address Name: Type a name for the remote network (e.g., US_Network)
Type: FQDN
FQDN: us.dyndns.org
Interface: WAN1(ADSL)
Configuring IPSEC VPN on FortiGate_1

Define the phase 1 parameters

Before you define the phase 1 parameters, you need to:
- Reserve a name for the remote gateway.
- Obtain the IP address of the public interface to the remote peer.
- Reserve a unique value for the preshared key (e.g. passkey1$). The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.

To define the phase 1 parameters
1 Go to VPN > IPsec > Auto Key (IKE).
2-1 Select (Create Phase 1), enter the following information, and select OK:
Gateway Name: Type a name for the remote gateway (e.g., ToFortiGate2).
Remote Gateway: Dynamic DNS
Dynamic DNS: tw.dyndns.org
Local Interface: WAN1(ADSL)
Mode: Main (ID protection)
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key (e.g., passkey$).
Peer Options: Accept any peer ID
2-2 Select (Advanced), enter the following information, and select OK:
Local Gateway IP: Main Interface IP
P1 Proposal: 1 - Encryption: 3DES, Authentication: SHA1; 2 - Encryption: 3DES, Authentication: MD5
DH Group: 5
Keylife: 28800
XAUTH: Disable
NAT Traversal: Enable
Keepalive Frequency: 10
Dead Peer Detection: Enable
Define the phase 2 parameters

To define the phase 2 parameters
1 Go to VPN > IPsec > Auto Key (IKE).
2-1 Select (Create Phase 2), enter the following information and select OK:
Name: Enter a name for the tunnel (e.g., ToFortigate2-ph2).
Phase 1: Select the gateway that you defined previously (e.g., ToFortigate2).
2-2 Select (Advanced), enter the following information and select OK:
P2 Proposal: 1 - Encryption: 3DES, Authentication: SHA1; 2 - Encryption: 3DES, Authentication: MD5
[v] Enable replay detection
[v] Enable perfect forward secrecy (PFS)
DH Group: 5
Keylife: Seconds, 1800
Autokey Keep Alive: Enable
Quick Mode Selector:
    Source address: (*) select 192.168.11.0/24 or US_NETWORK
    Source port: 0
    Destination address: (*) select 192.168.22.0/24 or TW_NETWORK
    Destination port: 0
    Protocol: 0
Configuring IPSEC VPN on FortiGate_2

Define the phase 1 parameters

Before you define the phase 1 parameters, you need to:
- Reserve a name for the remote gateway.
- Obtain the IP address of the public interface to the remote peer.
- Reserve a unique value for the preshared key (e.g. passkey1$). The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.

To define the phase 1 parameters
1 Go to VPN > IPSEC > Auto Key (IKE).
2-1 Select (Create Phase 1), enter the following information, and select OK:
Gateway Name: Type a name for the remote gateway (e.g., ToFortiGate1).
Remote Gateway: Dynamic DNS
Dynamic DNS: us.dyndns.org
Local Interface: WAN1(ADSL)
Mode: Main (ID protection)
Authentication Method: Preshared Key
Pre-shared Key: Enter the preshared key (e.g., passkey$).
Peer Options: Accept any peer ID
2-2 Select (Advanced), enter the following information, and select OK:
Local Gateway IP: Main Interface IP
P1 Proposal: 1 - Encryption: 3DES, Authentication: SHA1; 2 - Encryption: 3DES, Authentication: MD5
DH Group: 5
Keylife: 28800
XAUTH: Disable
NAT Traversal: Enable
Keepalive Frequency: 10
Dead Peer Detection: Enable
Define the phase 2 parameters

To define the phase 2 parameters
1 Go to VPN > IPSEC > Auto Key (IKE).
2-1 Select (Create Phase 2), enter the following information and select OK:
Name: Enter a name for the tunnel (e.g., ToFortigate1-ph2).
Phase 1: Select the gateway that you defined previously (e.g., ToFortigate1).
2-2 Select (Advanced), enter the following information and select OK:
P2 Proposal: 1 - Encryption: 3DES, Authentication: SHA1; 2 - Encryption: 3DES, Authentication: MD5
[v] Enable replay detection
[v] Enable perfect forward secrecy (PFS)
DH Group: 5
Keylife: Seconds, 1800
Autokey Keep Alive: Enable
Quick Mode Selector:
    Source address: (*) select 192.168.22.0/24 or TW_NETWORK
    Source port: 0
    Destination address: (*) select 192.168.11.0/24 or US_NETWORK
    Destination port: 0
    Protocol: 0
Define Policy and Router on FortiGate_1

Place the policy in the policy list above any other policies having similar source and destination addresses.
3 Select (Create New), enter the following information, and select OK:
Source Interface/Zone: 2Fortigate2
Source Address: TW_Network or 192.168.22.0/24
Destination Interface/Zone: Internal
Destination Address: US_Network or 192.168.11.0/24
Schedule: Always
Service: ANY
Action: ACCEPT
Inbound NAT: Disable
4 Place the policy in the policy list above any other policies having similar source and destination addresses.
5 Go to Router > Static.
6 Select (Create New), enter the following information, and select OK:
Destination IP / Mask: 192.168.22.0/24
Device: 2Fortigate2
Gateway: Leave as default: 0.0.0.0
Distance: Leave this as its default
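The FortiGate_1 side of this procedure (phase 1, phase 2, the tunnel-to-internal policy and the static route) expressed as FortiOS CLI, added here as an illustration and not part of the original technical note. The keywords follow FortiOS 4.0 CLI syntax as the editor recalls it and should be checked with the unit's "?" help; the tunnel interface is assumed to carry the phase 1 name ToFortiGate2 (the note's policy screens call it 2Fortigate2), and the preshared key is a placeholder. FortiGate_2 mirrors this block with us.dyndns.org, the ToFortiGate1 names, and the two subnets and address objects swapped.

```text
config vpn ipsec phase1-interface
    edit "ToFortiGate2"
        set type ddns                      # Remote Gateway: Dynamic DNS
        set remotegw-ddns "tw.dyndns.org"
        set interface "wan1"               # Local Interface: WAN1(ADSL)
        set mode main                      # Main (ID protection)
        set peertype any                   # Peer Options: Accept any peer ID
        set proposal 3des-sha1 3des-md5    # P1 proposals 1 and 2
        set dhgrp 5
        set keylife 28800
        set nattraversal enable
        set keepalive 10                   # Keepalive Frequency
        set dpd enable                     # Dead Peer Detection
        set psksecret <PRESHARED_KEY>      # placeholder; identical on both peers
    next
end
config vpn ipsec phase2-interface
    edit "ToFortigate2-ph2"
        set phase1name "ToFortiGate2"
        set proposal 3des-sha1 3des-md5    # P2 proposals 1 and 2
        set replay enable
        set pfs enable
        set dhgrp 5
        set keylifeseconds 1800
        set keepalive enable               # Autokey Keep Alive
        set src-subnet 192.168.11.0 255.255.255.0   # US network
        set dst-subnet 192.168.22.0 255.255.255.0   # TW network
    next
end
config firewall policy
    edit 0                                 # tunnel -> internal policy from the table above
        set srcintf "ToFortiGate2"
        set dstintf "internal"
        set srcaddr "TW_Network"
        set dstaddr "US_Network"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
config router static
    edit 0                                 # route the TW network into the tunnel
        set dst 192.168.22.0 255.255.255.0
        set device "ToFortiGate2"
    next
end
```

The matching internal-to-tunnel policy is the same entry with the interfaces and address objects swapped, and the note's final section explains why it must sit at the top of the policy list.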
Define Policy and Router on FortiGate_2

Place the policy in the policy list above any other policies having similar source and destination addresses.
3 Select (Create New), enter the following information, and select OK:
Source Interface/Zone: 2Fortigate1
Source Address: US_Network or 192.168.11.0/24
Destination Interface/Zone: Internal
Destination Address: TW_Network or 192.168.22.0/24
Schedule: Always
Service: ANY
Action: ACCEPT
Inbound NAT: Disable
4 Place the policy in the policy list above any other policies having similar source and destination addresses.
5 Go to Router > Static.
6 Select (Create New), enter the following information, and select OK:
Destination IP / Mask: 192.168.11.0/24
Device: 2Fortigate1
Gateway: Leave as default: 0.0.0.0
Distance: Leave this as its default
Finalize Policy and VPN

To move the firewall encryption policy to the top
1 Go to Firewall > Policy and select the internal -> wan1 policy.
2 Click Move To and move the policy to the very top. (If you do not put it on top, you cannot ping this site's IP addresses from a client PC at the other site.)

To bring up the site-to-site VPN
1 Go to VPN > IPSEC > Monitor and click Bring Up under Status.