Site-to-site IPSec VPN by using dynamic IP example

Technical Note

Site-to-site IPSec VPN by using dynamic IP example Technical Note Document Version: Publication Date: Description: Version 2 24 August 2012 This technical note features a detailed configuration example that demonstrates how to set up a basic site-to-site IPSec VPN that uses preshared keys to authenticate the two VPN peers. FortiGate v4.00 MR3

Product:

Document Number: 09-28006-0119-20100605

Fortinet Inc.

09-28006-0119-20100605

Page 1 of 15

 Copyright 2012 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc. Site-to-site IPSec VPN by using dynamic IP example Technical Note FortiGate v4.00 MR3 24 August 2012 09-28006-0119-20100605

Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders.

Fortinet Inc.

09-28006-0119-20100605

Page 2 of 15

Contents

Table of Contents
Network topology ... .................................................................................................................... 4 Infrastructure requirements .................................................................................................4 Setup Firewall-Address on FortiGate_1... .................................................................................. 5 Define the IP/Netmask or FQDN... ......................................................................................... 5 Setup Firewall-Address on FortiGate_2... .................................................................................. 6 Define the IP/Netmask or FQDN... ......................................................................................... 6 Configuring IPSEC VPN on FortiGate_1... ................................................................................ 7 Define the phase 1 parameters... ........................................................................................... 7 Define the phase 2 parameters... ........................................................................................... 8 Configuring IPSEC VPN on FortiGate_2... ................................................................................ 9 Define the phase 1 parameters... ........................................................................................... 9 Define the phase 2 parameters... ........................................................................................... 10 Define Policy and Router on FortiGate_1... ............................................................................... 11 Define Policy and Router on FortiGate_2... ............................................................................... 13 Finalize Policy and VPN... .......................................................................................................... 15

Fortinet Inc.

09-28006-0119-20100605

Page 3 of 15

Site-to-site IPSec VPN by using dynamic IP example

This technical note features a detailed configuration example that demonstrates how to set up a basic site-to-site IPSec VPN that uses preshared keys to authenticate the two VPN peers. The following sections are included: Network topology Setup Firewall-Address on FortiGate_1 Setup Firewall-Address on FortiGate_2 Configuring FortiGate_1 Configuring FortiGate_2 Define Policy and Router on FortiGate_1 Define Policy and Router on FortiGate_2 Finalize

Network topology
In a site-to-site configuration, two FortiGate units create an IPSec tunnel between two separate private networks. All traffic between the two networks is encrypted and protected by FortiGate firewall policies. See Figure 1.
Figure 1: Example Site-to-site configuration
Site_1 FortiGate_1 Internet 111.111.111.111 us.dyndns.org (WAN1) US Network 192.168.11.0/24 (Internal) 222.222.222.222 tw.dyndns.org (WAN1) TW Network 192.168.22.0/24 (Internal) FortiGate_2 Site_2

In the examples throughout this technical bulletin, the network devices are assigned IP addresses as shown in Figure 1.

Infrastructure requirements
The FortiGate units at both ends of the tunnel must be operating in NAT mode and have public IP addresses by static or dynamic with www.dyndns.org as service.

Fortinet Inc.

09-28006-0119-20100605

Page 4 of 15

Site-to-site IPSec VPN by using dynamic IP Example

Setup Firewall-Address on FortiGate_1

Define the IP/netmask or FQDN
To define the IP/netmask 1 Go to Firewall > Address > Address.

2-1 Select (Create New), enter the following information, and select OK:
Address Name Type Subnet / IP Range Interface Type a name for the local network (e.g., US_Network) Subnet / IP Range 192.168.11.0/255.255.255.0 Internal

2-2 Select (Create New), enter the following information, and select OK:
Address Name Type Subnet / IP Range Interface Type a name for the local network (e.g., TW_Network) Subnet / IP Range 192.168.22.0/255.255.255.0 WAN1(ADSL)

To define the FQDN 1 2 Go to Firewall > Address > Address. Select (Create New), enter the following information, and select OK:
Address Name Type FQDN Interface Type a name for the local network (e.g., TW_Network) FQDN tw.dyndns.org WAN1(ADSL)

Fortinet Inc.

09-28006-0119-20100605

Page 5 of 15

Site-to-site IPSec VPN by using dynamic IP Example

Setup Firewall-Address on FortiGate_2

Define the IP/netmask or FQDN
To define the IP/netmask 1 Go to Firewall > Address > Address.

2-1 Select (Create New), enter the following information, and select OK:
Address Name Type Subnet / IP Range Interface Type a name for the local network (e.g., TW_Network) Subnet / IP Range 192.168.22.0/255.255.255.0 Internal

2-2 Select (Create New), enter the following information, and select OK:
Address Name Type Subnet / IP Range Interface Type a name for the local network (e.g., US_Network) Subnet / IP Range 192.168.11.0/255.255.255.0 WAN1(ADSL)

To define the FQDN 1 2 Go to Firewall > Address > Address. Select (Create New), enter the following information, and select OK:
Address Name Type FQDN Interface Type a name for the local network (e.g., US_Network) FQDN us.dyndns.org WAN1(ADSL)

Fortinet Inc.

09-28006-0119-20100605

Page 6 of 15

Site-to-site IPSec VPN by using dynamic IP Example

Configuring FortiGate_1
Define the phase 1 parameters
Before you define the phase 1 parameters, you need to: Reserve a name for the remote gateway. Obtain the IP address of the public interface to the remote peer. Reserve a unique value for the preshared key (e.g. passkey1$). The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. To define the phase 1 parameters 1 Go to VPN > IPsec > Auto Key (IKE).

2-1 Select (Create Phase 1), enter the following information, and select OK:
Gateway Name Remote Gateway Dynamic DNS Local Interface Mode Authentication Method Pre-shared Key Peer Options Type a name for the remote gateway (e.g., ToFortiGate2). Dynamic DNS tw.dyndns.org WAN1(ADSL) Main (ID protection) Preshared Key Enter the preshared key (e.g., passkey$). Accept any peer ID

2-2 Select (Advanced), enter the following information, and select OK:
Local Gateway IP P1 Proposal DH Group Keylife XAUTH NAT Traversal Keepalive Frequency Dead Peer Detection Main Interface IP 1- Encryption: 3DES Authentication: SHA1 2- Encryption: 3DES Authentication: MD5 5 28800 Disable Enable 10 Enable

Fortinet Inc.

09-28006-0119-20100605

Page 7 of 15

Site-to-site IPSec VPN by using dynamic IP example

Configuring FortiGate_1 (continue)

Define the phase 2 parameters
The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the phase 2 parameters, you need to reserve a name for the tunnel. To define the phase 2 parameters 1 Go to VPN > IPSEC > Auto Key (IKE).

2-1 Select (Create Phase 2), enter the following information and select OK:
Name Phase 1 Enter a name for the tunnel (e.g., ToFortigate2-ph2). Select the gateway that you defined previously (e.g., ToFortigate2).

2-2 Select (Advanced), enter the following information and select OK:
P2 Proposal 1-Encryption: 3DES Authentication: SHA1 1-Encryption: 3DES Authentication: MD5 [v] Enable replay detection [v] Enable perfect forward secrecy (PFS) DH Group: 5 Seconds 1800 Enable Source address: (*)select: 192.168.11.0/24 or US_NETWORK Source port:0 Destination port: (*)select: 192.168.22.0/24 or TW_NETWORK Destination port: 0 Protocol: 0

Keylife Autokey Keep Alive Quick Mode Selector

Fortinet Inc.

09-28006-0119-20100605

Page 8 of 15

Site-to-site IPSec VPN by using dynamic IP example

Configuring FortiGate_2
Define the phase 1 parameters
Before you define the phase 1 parameters, you need to: Reserve a name for the remote gateway. Obtain the IP address of the public interface to the remote peer. Reserve a unique value for the preshared key (e.g. passkey1$). The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters. To define the phase 1 parameters 1 Go to VPN > IPSEC > Auto Key (IKE).

2-1 Select (Create Phase 1), enter the following information, and select OK:
Gateway Name Remote Gateway Dynamic DNS Local Interface Mode Authentication Method Pre-shared Key Peer Options Type a name for the remote gateway (e.g., ToFortiGate1). Dynamic DNS us.dyndns.org WAN1(ADSL) Main (ID protection) Preshared Key Enter the preshared key (e.g., passkey$). Accept any peer ID

2-2 Select (Advanced), enter the following information, and select OK:
Local Gateway IP P1 Proposal DH Group Keylife XAUTH NAT Traversal Keepalive Frequency Dead Peer Detection Main Interface IP 1- Encryption: 3DES Authentication: SHA1 2- Encryption: 3DES Authentication: MD5 5 28800 Disable Enable 10 Enable

Fortinet Inc.

09-28006-0119-20100605

Page 9 of 15

Site-to-site IPSec VPN by using dynamic IP example

Configuring FortiGate_2 (continue)

Define the phase 2 parameters
The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the phase 2 parameters, you need to reserve a name for the tunnel. To define the phase 2 parameters 1 Go to VPN > IPSEC > Auto Key (IKE).

2-1 Select (Create Phase 2), enter the following information and select OK:
Name Phase 1 Enter a name for the tunnel (e.g., ToFortigate1-ph2). Select the gateway that you defined previously (e.g., ToFortigate1).

2-2 Select (Advanced), enter the following information and select OK:
P2 Proposal 1-Encryption: 3DES Authentication: SHA1 1-Encryption: 3DES Authentication: MD5 [v] Enable replay detection [v] Enable perfect forward secrecy (PFS) DH Group: 5 Seconds 1800 Enable Source address: (*)select: 192.168.22.0/24 or TW_NETWORK Source port:0 Destination port: (*)select: 192.168.11.0/24 or US_NETWORK Destination port: 0 Protocol: 0

Keylife: Autokey Keep Alive Quick Mode Selector

Fortinet Inc.

09-28006-0119-20100605

Page 10 of 15

Site-to-site IPSec VPN by using dynamic IP example

Define Policy and Router on FortiGate_1

Define the firewall encryption policy
Firewall policies control all IP traffic passing between a source address and a destination address. A firewall encryption policy is needed to allow the transmission of encrypted packets, specify the permitted direction of VPN traffic, and select the VPN tunnel that will be subject to the policy. A single encryption policy is needed to control both inbound and outbound IP traffic through a VPN tunnel. Before you define the policy, you must first specify the IP source and destination addresses. In a Site-to-site configuration: The source IP address corresponds to the private network behind the local FortiGate unit. The destination IP address refers to the private network behind the remote VPN peer. To define the firewall encryption policy for a policy-based VPN 1 2 Go to Firewall > Policy > Policy. Select (Create New), enter the following information, and select OK:
Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action VPN Tunnel Allow inbound Allow outbound Inbound NAT Outbound NAT Internal US_Network or 192.168.11.0/24 WAN1 (ADSL) TW_Network or 192.168.22.0/24 Always ANY IPSEC 2Fortigate2 [v] [v] Disable Disable

Place the policy in the policy list above any other policies having similar source and destination addresses.

Fortinet Inc.

09-28006-0119-20100605

Page 11 of 15

Site-to-site IPSec VPN by using dynamic IP example

Define Policy and Router on FortiGate_1 (continue)

To define the firewall encryption policy for a route-based VPN 1 2 Go to Firewall > Policy > Policy. Select (Create New), enter the following information, and select OK:
Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action Inbound NAT Internal US_Network or 192.168.11.0/24 2Fortigate2 TW_Network or 192.168.22.0/24 Always ANY ACCEPT Disable

Select (Create New), enter the following information, and select OK:
Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action Inbound NAT 2Fortigate2 TW_Network or 192.168.22.0/24 Internal US_Network or 192.168.11.0/24 Always ANY ACCEPT Disable

4 5 6

Place the policy in the policy list above any other policies having similar source and destination addresses. Go to Router > Static. Select (Create New), enter the following information, and select OK:
Destination IP / Mask Service Gateway Distance 192.168.22.0/24 2Fortigate2 Leave as default: 0.0.0.0 Leave this as its default

Fortinet Inc.

09-28006-0119-20100605

Page 12 of 15

Site-to-site IPSec VPN by using dynamic IP example

Define Policy and Router on FortiGate_2

Define the firewall encryption policy
Firewall policies control all IP traffic passing between a source address and a destination address. A firewall encryption policy is needed to allow the transmission of encrypted packets, specify the permitted direction of VPN traffic, and select the VPN tunnel that will be subject to the policy. A single encryption policy is needed to control both inbound and outbound IP traffic through a VPN tunnel. Before you define the policy, you must first specify the IP source and destination addresses. In a Site-to-site configuration: The source IP address corresponds to the private network behind the local FortiGate unit. The destination IP address refers to the private network behind the remote VPN peer. To define the firewall encryption policy 1 2 Go to Firewall > Policy > Policy. Select (Create New), enter the following information, and select OK:
Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action VPN Tunnel Allow inbound Allow outbound Inbound NAT Outbound NAT Internal TW_Network or 192.168.22.0/24 WAN1 (ADSL) US_Network or 192.168.11.0/24 Always ANY IPSEC 2Fortigate1 [v] [v] Disable Disable

Place the policy in the policy list above any other policies having similar source and destination addresses.

Fortinet Inc.

09-28006-0119-20100605

Page 13 of 15

Site-to-site IPSec VPN by using dynamic IP example

Define Policy and Router on FortiGate_2 (continue)

To define the firewall encryption policy for a route-based VPN 1 2 Go to Firewall > Policy > Policy. Select (Create New), enter the following information, and select OK:
Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action Inbound NAT Internal TW_Network or 192.168.22.0/24 2Fortigate1 US_Network or 192.168.11.0/24 Always ANY ACCEPT Disable

Select (Create New), enter the following information, and select OK:
Source Interface/Zone Source Address Destination Interface/Zone Destination Address Schedule Service Action Inbound NAT 2Fortigate1 US_Network or 192.168.11.0/24 Internal TW_Network or 192.168.22.0/24 Always ANY ACCEPT Disable

4 5 6

Place the policy in the policy list above any other policies having similar source and destination addresses. Go to Router > Static. Select (Create New), enter the following information, and select OK:
Destination IP / Mask Service Gateway Distance 192.168.11.0/24 2Fortigate1 Leave as default: 0.0.0.0 Leave this as its default

Fortinet Inc.

09-28006-0119-20100605

Page 14 of 15

Site-to-site IPSec VPN by using dynamic IP example

Finalize
Policy and VPN
To Move up the firewall encryption policy on top 1 2 Go to Firewall > Policy > select internal -> wan1 policy. Click the Move To and move the policy to the very top. (If you dont put it on top, you are unable to ping sites IP from the other sites client PC)

To Bring Up the site-to-site VPN 1 Go to VPN > IPSEC > Monitor Click on Bring Up under Status.

SOURCE: http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-ipsec-40-mr3.pdf http://docs.fortinet.com/cookbook.html

Fortinet Inc.

09-28006-0119-20100605

Page 15 of 15