Article Id 191195
Description This article describes how to configure an IPSec VPN on a FortiGate unit to work with the VPN feature of a ZyXEL ZyWALL 2 Firewall.
Components
  • All FortiGate units running FortiOS 3.0 & 4.0.
  • ZyXEL ZyWALL 2 Firewall with v4.01 firmware
Steps or Commands

Configure FortiGate VPN Phase 1

To configure using the Web-based Manager:

  1. Go to VPN>IPSec>Auto-Key and select Create Phase 1.
  2. Enter the following:

    Name VPN name: VPN-to-ZyWALL
    Remote Gateway Dialup User
    Local Interface Select the interface that connects to the Internet. For example, WAN1.
    Mode Main
    Authentication Method Preshared Key
    Pre-shared Key Enter the same preshared key as configured on the ZyWALL

    Note: Dialup User accepts an IKE negotiation from any remote address, so the ZyWALL must always be the initiator. If the ZyWALL WAN IP address is static, Static IP Address with that address is the stricter choice.

  3. Select Advanced and enter the following:

    Enable IPSec Interface Mode Clear this check box (this is a policy-based VPN: the tunnel is selected by a firewall policy with Action IPSEC, not by a virtual interface).
    P1 Proposal 1 - 3DES SHA1
    2 - 3DES MD5
    DH Group 2
    Keylife 28800 seconds (the default; matches the ZyWALL Phase 1 SA Life)
    Local ID FortiGate WAN1 IP Address
    Nat-traversal Enable
    Dead Peer Detection Enable

    Only the first proposal matches the ZyWALL Phase 1 settings (3DES/SHA1); the 3DES/MD5 entry is never selected in this setup.

  4. Select OK.

Configure FortiGate VPN Phase 2

To configure using the Web-based Manager:

  1. Go to VPN>IPSec>Auto-Key and select Create Phase 2.
  2. Enter the following:

    Name A name for the VPN Phase 2 configuration: VPN-to-ZyWALL_P2
    Phase 1 Phase 1 configuration name: VPN-to-ZyWALL

  3. Select Advanced and enter the following:

    P2 Proposal 1 - 3DES SHA1
    2 - 3DES MD5
    Enable Replay Detection Enable
    Enable Perfect Forward Secrecy (PFS) Enable
    DH Group 2
    Keylife 1800 seconds (the default; matches the ZyWALL Phase 2 SA Life)
    Quick Mode Selector Source Address: 10.20.3.0/24
    Destination Address: 10.20.10.0/24

    The Quick Mode Selector must mirror the ZyWALL Phase 2 networks: the FortiGate source is the ZyWALL remote network and the FortiGate destination is the ZyWALL local network. A mismatch here fails Phase 2 even when Phase 1 is up.

  4. Select OK.

Configure FortiGate Firewall Addresses

Create firewall addresses for the private networks at either end of the VPN. "LocalLAN" is the network behind the FortiGate unit and "ZyWALL_net" is the network behind the ZyWALL firewall.

To configure using the Web-based Manager:

  1. Go to Firewall>Address and select Create New.
  2. Enter the following:

    Address Name LocalLAN
    Type Subnet/IP Range
    Subnet/IP Range 10.20.3.0 255.255.255.0

  3. Select OK.

Repeat the preceding steps for the address "ZyWALL_net", "10.20.10.0 255.255.255.0".

Configure FortiGate Firewall Policy

The firewall policy binds the tunnel to traffic between the two private networks. With Allow inbound enabled, hosts behind the ZyWALL can initiate communication with hosts on the network behind the FortiGate unit; Allow outbound lets hosts behind the FortiGate initiate in the other direction.

Note: This policy must be placed above any existing outbound (Internal to WAN1) policy. Policies are matched top-down, so a general Internet-access policy listed first would match traffic for 10.20.10.0/24 and route it to the Internet instead of into the tunnel.

To configure using the Web-based Manager:

  1. Go to Firewall>Policy and select Create New.
  2. Enter the following:

    Source Interface/Zone The interface connected to the local network: Internal
    Source Address The firewall address of the local network: LocalLAN
    Destination Interface/Zone The interface that connects to the Internet: WAN1
    Destination Address The firewall address of the remote network: ZyWALL_net
    Schedule Always
    Service ANY
    Action IPSEC
    VPN Tunnel VPN-to-ZyWALL
    Allow inbound Enable
    Allow outbound Enable

  3. Select OK.
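The FortiOS 3.0/4.0 CLI equivalent of the four FortiGate sections above, as an added example that is not part of the original article. It assumes the Internet-facing interface is named wan1 and the LAN interface internal, that `edit 0` lets FortiOS assign the next free policy ID, and that `<preshared-key>` and `<wan1-ip>` are placeholders you replace before use. Lines beginning with `#` are annotations for the reader; strip them if you paste the block into an SSH session.

```text
# Added example: CLI form of the Web-based Manager steps (policy-based VPN).

# Phase 1: "set type dynamic" is the CLI form of Remote Gateway = Dialup User.
config vpn ipsec phase1
    edit "VPN-to-ZyWALL"
        set type dynamic
        set interface "wan1"
        set mode main
        set authmethod psk
        set psksecret <preshared-key>
        set proposal 3des-sha1 3des-md5
        set dhgrp 2
        set localid "<wan1-ip>"
        set nattraversal enable
        set dpd enable
        set keylife 28800
    next
end

# Phase 2: PFS with DH group 2, replay detection, and the quick mode selectors.
config vpn ipsec phase2
    edit "VPN-to-ZyWALL_P2"
        set phase1name "VPN-to-ZyWALL"
        set proposal 3des-sha1 3des-md5
        set pfs enable
        set dhgrp 2
        set replay enable
        set keylifeseconds 1800
        set src-subnet 10.20.3.0 255.255.255.0
        set dst-subnet 10.20.10.0 255.255.255.0
    next
end

# Firewall addresses for both ends of the tunnel.
config firewall address
    edit "LocalLAN"
        set subnet 10.20.3.0 255.255.255.0
    next
    edit "ZyWALL_net"
        set subnet 10.20.10.0 255.255.255.0
    next
end

# IPSEC policy, internal -> wan1, with both directions allowed to initiate.
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LocalLAN"
        set dstaddr "ZyWALL_net"
        set action ipsec
        set vpntunnel "VPN-to-ZyWALL"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ANY"
    next
end

# The IPSEC policy has to sit above the general outbound policy. List the
# policies to find the ID the new entry received, then move it. This assumes
# the new policy got ID 2 and the existing internal -> wan1 policy is ID 1.
show firewall policy
config firewall policy
    move 2 before 1
end
```

The only value that changes between a lab and a production build is the `localid`; keep it identical to the string the ZyWALL expects as the peer ID, otherwise Main mode completes the Diffie-Hellman exchange and then fails at the identity check.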

Configure ZyWALL Firewall

To configure the ZyWALL Firewall Phase 1

  1. Log on to the ZyWALL Firewall's web-based utility.
  2. Go to Security>VPN>VPN Rules (IKE).
  3. Select New Gateway and enter the following:

    Name VPN-to-FortiGate
    NAT Traversal Enabled
    My Address ZyWALL WAN IP Address
    Primary Remote Gateway FortiGate WAN1 IP Address
    Pre-Shared Key Enter the same preshared key as configured on the FortiGate.
    Negotiation Mode Main
    Encryption Algorithm 3DES
    Authentication Algorithm SHA1
    SA Life (Seconds) 28800
    Key Group DH2

  4. Click Apply.

To configure the ZyWALL Firewall Phase 2

  1. Go to Security>VPN>VPN Rules (IKE).
  2. Select New Network beside the Phase 1 you created, and enter the following:

    Name VPN-to-FortiGate_P2
    Active Enabled
    Local Network Address Type: Subnet Address
    Starting IP Address: 10.20.10.0
    Ending IP address / Subnet Mask: 255.255.255.0
    Remote Network: Address Type: Subnet Address
    Starting IP Address: 10.20.3.0
    Ending IP address / Subnet Mask: 255.255.255.0
    Encapsulation Mode Tunnel
    Active Protocol ESP
    Encryption Algorithm 3DES
    Authentication Algorithm SHA1
    SA Life (Seconds) 1800
    Perfect Forward Secrecy (PFS) DH2
    Enable replay detection Enabled

  3. Click Apply.
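Once both sides are configured, the tunnel is brought up by the ZyWALL (the initiator under a Dialup User Phase 1). The following FortiOS 3.0/4.0 CLI checks, added here and not part of the original article, confirm each phase from the FortiGate side; they assume you generate interesting traffic first, for example a ping from a host in 10.20.10.0/24 to a host in 10.20.3.0/24.

```text
# Added example: verifying the tunnel from the FortiGate CLI.

# Phase 1: the ZyWALL WAN address should be listed as an established
# IKE gateway for "VPN-to-ZyWALL".
diagnose vpn ike gateway list

# Phase 2: expect one SA pair whose selectors are
# 10.20.3.0/24 <-> 10.20.10.0/24, with packet counters that grow as
# traffic passes. Zero counters with an SA present usually means the
# firewall policy is below the general outbound policy.
diagnose vpn tunnel list

# If nothing comes up, trace the IKE negotiation. Proposal mismatches,
# a wrong pre-shared key, and Local ID / peer ID mismatches all show up
# here as the negotiation stalls or is rejected.
diagnose debug reset
diagnose debug application ike -1
diagnose debug enable
# ... trigger the connection from the ZyWALL side, read the output, then:
diagnose debug disable
diagnose debug reset
```

Always finish with `diagnose debug disable` and `diagnose debug reset`; leaving the IKE trace enabled on a production unit keeps logging every negotiation to the console.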

Related Articles

List of articles about FortiGate IPSec VPN interoperability