FortiGate
Article Id 198398

Article

Description This article describes how to configure an IPSec VPN between a dialup FortiGate unit and a FortiGate dialup gateway. The configuration lets the dialup unit reach both the internal and DMZ networks behind the central gateway.
Components FortiGate Antivirus Firewalls running FortiOS v2.50
Architecture
(Network diagram image: ddouglas_10112_10112-diagram.JPG)
CLI Commands

To configure the central site FortiGate unit

1. Add firewall addresses

# set address
set firewall address external remote_dialup_lan subnet 172.20.253.0 255.255.255.240
set firewall address internal corporate_lan subnet 172.20.248.0 255.255.255.0
set firewall address dmz/ha dmz_lan subnet 172.20.255.32 255.255.255.224 

2. Configure Phase 1

# set vpn ipsec phase1
set vpn ipsec phase1 fg300 type dynamic proposal 3des-sha1 3des-md5  keylife 28800
dhgrp 5  authmethod PSK 'EncwCwHb4XQAV9tiDJPLbpnOi36bdCc/yZAF2C3/djuEbWdRAm2NjefrCBByselNyBxJ8MO8sT9VW9qVC9FIPjj-ysuWZzitoFZw7dsp+r5lVybGqWJn' mode aggressive keepalive 5 dpd enable dpdidleworry 10 dpdretrycount 3 dpdretryinterval 5 dpdidlecleanup 300 peertype one peerid raph xauthtype disable

3. Configure Phase 2

# set vpn ipsec phase2
set vpn ipsec phase2 mytunnel phase1name fg300   proposal 3des-sha1 3des-md5  keylifeseconds 1800 dhgrp 5 replay enable pfs enable keepalive enable concentrator none

4. Configure internal firewall policy

# set firewall policy
set firewall policy srcintf internal dstintf external policyid 1 srcaddr corporate_lan dstaddr remote_dialup_lan schedule Always service ANY action encrypt vpntunnel mytunnel inbound allow outbound allow

5. Configure DMZ firewall policy

# set firewall policy
set firewall policy srcintf dmz/ha dstintf external policyid 3 srcaddr dmz_lan dstaddr remote_dialup_lan schedule Always service ANY action encrypt vpntunnel mytunnel inbound allow outbound allow

To configure the dialup FortiGate unit

1. Add firewall addresses

# set address
set firewall address internal corporate_lan subnet 172.20.253.0 255.255.255.240
set firewall address external remote_internal_la subnet 172.20.248.0 255.255.255.0
set firewall address external remote_dmz_lan subnet 172.20.255.32 255.255.255.224

2. Configure Phase 1

# set vpn ipsec phase1
set vpn ipsec phase1 fg300 type static gw 195.143.97.61 proposal 3des-sha1 3des-md5  keylife 28800 dhgrp 5  authmethod PSK 'Enc SCUcftvuZOEb9htB5HxkYiR7W6AEAQajHlqUNwJPvJvGxz0zelqeupOxAWRejqffdQX7gok3RNrJHHCbFNtTODmd-7qrdahSCauDRALJeE1Zax1M+' mode aggressive keepalive 5 dpd enable dpdidleworry 10 dpdretrycount 3 dpdretryinterval 5 dpdidlecleanup 300 localid raph peertype any xauthtype disable

3. Configure Phase 2

# set vpn ipsec phase2
set vpn ipsec phase2 tunnelToRemoteCorpoLan phase1name fg300   proposal 3des-sha1 3des-md5  keylifeseconds 1800 dhgrp 5 replay enable pfs enable keepalive enable concentrator none

set vpn ipsec phase2 TunnelToDMZLan phase1name fg300   proposal 3des-sha1 3des-md5  keylifeseconds 1800 dhgrp 5 replay enable pfs enable keepalive enable concentrator none

4. Configure firewall policies

# set firewall policy
set firewall policy srcintf internal dstintf external policyid 2 srcaddr corporate_lan dstaddr remote_dmz_lan schedule Always service ANY action encrypt vpntunnel TunnelToDMZLan inbound allow outbound allow
set firewall policy srcintf internal dstintf external policyid 1 srcaddr corporate_lan dstaddr remote_internal_la schedule Always service ANY action encrypt avwebfilter Scan vpntunnel tunnelToRemoteCorpoLan inbound allow outbound allow
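As an added check that is not part of the Fortinet article, the Python below parses the `set firewall address` and `set vpn ipsec phase1` commands from both units and verifies what must agree before this aggressive-mode dialup tunnel negotiates: the dialup unit's localid against the central unit's peerid, overlapping phase1 proposals and DH group, and mirrored address objects on each side. The sample input is constructed from the article's commands with the PSK blobs replaced by a placeholder and the phase1 lines shortened to the parameters being checked.

```python
import shlex
PHASE1_KEYS = {"type", "gw", "proposal", "keylife", "dhgrp", "authmethod", "mode", "keepalive",
               "dpd", "dpdidleworry", "dpdretrycount", "dpdretryinterval", "dpdidlecleanup",
               "peertype", "peerid", "localid", "xauthtype"}  # value-taking v2.50 phase1 keywords

def parse_config(text):
    # Returns {'address': {name: (ip, mask)}, 'phase1': {name: {keyword: [values]}}}
    cfg = {"address": {}, "phase1": {}}
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:3] == ["set", "firewall", "address"] and "subnet" in tok:
            i = tok.index("subnet")
            cfg["address"][tok[4]] = (tok[i + 1], tok[i + 2])
        elif tok[:4] == ["set", "vpn", "ipsec", "phase1"]:
            params, key = {}, None
            for t in tok[5:]:  # walk "keyword value ..." groups after the tunnel name
                if t in PHASE1_KEYS:
                    key, params[t] = t, []
                elif key:
                    params[key].append(t)
            cfg["phase1"][tok[4]] = params
    return cfg

def check_pair(central, dialup, mirrors):
    # Compare both phase1 definitions and the (central, dialup) address-object pairs in mirrors
    c = next(iter(central["phase1"].values()))
    d = next(iter(dialup["phase1"].values()))
    out = []
    if c.get("peerid") != d.get("localid"):  # peertype one: the dialup's localid must match
        out.append(f"peerid {c.get('peerid')} != localid {d.get('localid')}")
    if not set(c.get("proposal", [])) & set(d.get("proposal", [])):
        out.append("no common phase1 proposal")
    for k in ("dhgrp", "mode"):
        if c.get(k) != d.get(k):
            out.append(f"{k} differs: {c.get(k)} vs {d.get(k)}")
    for cn, dn in mirrors:
        if central["address"].get(cn) != dialup["address"].get(dn):
            out.append(f"address {cn} (central) does not mirror {dn} (dialup)")
    return out  # empty list means the two sides are consistent

# Constructed input: the article's commands, PSK blobs replaced by a placeholder.
CENTRAL = """set firewall address external remote_dialup_lan subnet 172.20.253.0 255.255.255.240
set firewall address internal corporate_lan subnet 172.20.248.0 255.255.255.0
set firewall address dmz/ha dmz_lan subnet 172.20.255.32 255.255.255.224
set vpn ipsec phase1 fg300 type dynamic proposal 3des-sha1 3des-md5 keylife 28800 dhgrp 5 authmethod PSK 'PSK-PLACEHOLDER' mode aggressive peertype one peerid raph xauthtype disable"""
DIALUP = """set firewall address internal corporate_lan subnet 172.20.253.0 255.255.255.240
set firewall address external remote_internal_la subnet 172.20.248.0 255.255.255.0
set firewall address external remote_dmz_lan subnet 172.20.255.32 255.255.255.224
set vpn ipsec phase1 fg300 type static gw 195.143.97.61 proposal 3des-sha1 3des-md5 keylife 28800 dhgrp 5 authmethod PSK 'PSK-PLACEHOLDER' mode aggressive localid raph peertype any xauthtype disable"""
MIRRORS = [("remote_dialup_lan", "corporate_lan"), ("corporate_lan", "remote_internal_la"), ("dmz_lan", "remote_dmz_lan")]
```

Run `check_pair(parse_config(CENTRAL), parse_config(DIALUP), MIRRORS)` and an empty list confirms the two units agree; any string returned names the parameter to fix before expecting phase 1 to complete.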


Contributors