Description
This article describes how to configure an IPSec VPN on a FortiGate unit to work with the VPN feature of a ZyXEL ZyWALL 2 Firewall.
Components
- All FortiGate units running FortiOS 3.0 & 4.0.
- ZyXEL ZyWALL 2 Firewall with v4.01 firmware
Steps or Commands
Configure FortiGate VPN Phase 1
To configure using the Web-based Manager:
- Go to VPN>IPSec>Auto-Key and select Phase1.
- Enter the following:
  Name: VPN-to-ZyWALL
  Remote Gateway: Dialup User
  Local Interface: the interface that connects to the Internet, for example WAN1
  Mode: Main
  Authentication Method: Preshared Key
  Pre-shared Key: the same preshared key as configured on the ZyWALL
- Select Advanced and enter the following:
  Enable IPSec Interface Mode: clear this check box
  P1 Proposal: 1 - 3DES SHA1, 2 - 3DES MD5
  DH Group: 2
  Local ID: FortiGate WAN1 IP address
  Nat-traversal: Enable
  Dead Peer Detection: Enable
- Select OK.
Configure FortiGate VPN Phase 2
To configure using the Web-based Manager:
- Go to VPN>IPSec>Auto-Key and select Phase 2.
- Enter the following:
  Name: a name for the VPN Phase 2 configuration, VPN-to-ZyWALL_P2
  Phase 1: the Phase 1 configuration name, VPN-to-ZyWALL
- Select Advanced and enter the following:
  P2 Proposal: 1 - 3DES SHA1, 2 - 3DES MD5
  Enable Replay Detection: Enable
  DH Group: 2
  Quick Mode Selector: Source Address 10.20.3.0/24, Destination Address 10.20.10.0/24
- Select OK.
Configure FortiGate Firewall Addresses
Create firewall addresses for the private networks at either end of the VPN. "LocalLAN" is the network behind the FortiGate unit and "ZyWALL_net" is the network behind the ZyWALL firewall.
To configure using the Web-based Manager:
- Go to Firewall>Address and select Create New.
- Enter the following:
  Address Name: LocalLAN
  Type: Subnet/IP Range
  Subnet/IP Range: 10.20.3.0 255.255.255.0
- Select OK.
Repeat the preceding steps to create the address "ZyWALL_net" with the subnet 10.20.10.0 255.255.255.0.
Configure FortiGate Firewall Policy
The firewall policy allows hosts behind the ZyWALL to initiate communication with hosts on the network behind the FortiGate unit.
Note: This policy must be placed above any existing outbound policy in the policy list, because policies are matched top-down and a more general policy listed first would match the traffic before this one.
To configure using the Web-based Manager:
- Go to Firewall>Policy and select Create New.
- Enter the following:
  Source Interface/Zone: the interface connected to the remote network, Internal
  Source Address: the firewall address of the remote network, ZyWALL_net
  Destination Interface/Zone: the interface that connects to the local network, WAN1
  Destination Address: the firewall address of the local network, LocalLAN
  Schedule: Always
  Service: ANY
  Action: IPSEC
  VPN Tunnel: VPN-to-ZyWALL
- Select OK.
Configure ZyWALL Firewall
To configure the ZyWALL Firewall Phase 1:
- Log on to the ZyWALL Firewall's web-based utility.
- Go to Security>VPN>VPN Rules (IKE).
- Select New Gateway and enter the following:
  Name: VPN-to-FortiGate
  NAT Traversal: Enabled
  My Address: ZyWALL WAN IP address
  Primary Remote Gateway: FortiGate WAN1 IP address
  Pre-Shared Key: the same preshared key as configured on the FortiGate
  Negotiation Mode: Main
  Encryption Algorithm: 3DES
  Authentication Algorithm: SHA1
  SA Life (Seconds): 28800
  Key Group: DH2
- Click Apply.
To configure the ZyWALL Firewall Phase 2:
- Go to Security>VPN>VPN Rules (IKE).
- Select New Network beside the Phase 1 you had created, and enter the following:
  Name: VPN-to-FortiGate_P2
  Active: Enabled
  Local Network:
    Address Type: Subnet Address
    Starting IP Address: 10.20.10.0
    Ending IP Address / Subnet Mask: 255.255.255.0
  Remote Network:
    Address Type: Subnet Address
    Starting IP Address: 10.20.3.0
    Ending IP Address / Subnet Mask: 255.255.255.0
  Encapsulation Mode: Tunnel
  Active Protocol: ESP
  Encryption Algorithm: 3DES
  Authentication Algorithm: SHA1
  SA Life (Seconds): 1800
  Perfect Forward Secrecy (PFS): DH2
  Enable replay detection: Enabled
- Click Apply.
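Most interop tunnels that fail to come up do so because one parameter differs between the two ends: a proposal with no common entry, a different DH or PFS group, NAT traversal or replay detection enabled on only one peer, or Phase 2 selectors that are not mirror images of each other. The check below, an added example that is not FortiGate or ZyXEL code, encodes those agreement rules and runs them over the settings from this article. The two dictionaries are constructed by hand from the values given above (they are not exported from either device), and the field names are this example's own.

```python
"""Consistency check for the FortiGate <-> ZyWALL IPsec settings in this article.

Added example, not FortiGate or ZyXEL code. The two dictionaries are constructed
by hand from the values in the article; they are not exported from either device.
"""
import ipaddress

# Constructed from the FortiGate Phase 1 / Phase 2 settings in the article.
FORTIGATE = {
    "mode": "main",
    "p1_proposals": [("3des", "sha1"), ("3des", "md5")],  # P1 Proposal 1 and 2
    "p1_dhgrp": 2,
    "nat_traversal": True,
    "p2_proposals": [("3des", "sha1"), ("3des", "md5")],  # P2 Proposal 1 and 2
    "p2_dhgrp": 2,                  # Phase 2 DH Group, i.e. the PFS group
    "replay_detection": True,
    "src": "10.20.3.0/24",          # Quick Mode Selector source
    "dst": "10.20.10.0/24",         # Quick Mode Selector destination
}

# Constructed from the ZyWALL gateway and network rule settings in the article.
ZYWALL = {
    "mode": "main",
    "p1_proposals": [("3des", "sha1")],
    "p1_dhgrp": 2,                  # Key Group DH2
    "nat_traversal": True,
    "p2_proposals": [("3des", "sha1")],
    "p2_dhgrp": 2,                  # Perfect Forward Secrecy DH2
    "replay_detection": True,
    "local": "10.20.10.0/24",
    "remote": "10.20.3.0/24",
}


def negotiated_proposals(fgt, zw, phase):
    """Proposals both peers accept for 'p1' or 'p2', in FortiGate preference order."""
    accepted = set(zw[f"{phase}_proposals"])
    return [p for p in fgt[f"{phase}_proposals"] if p in accepted]


def check_interop(fgt, zw):
    """Return a list of mismatch descriptions; an empty list means the settings agree.

    Each check corresponds to a parameter both peers must agree on before IKE
    Phase 1 or Phase 2 can complete.
    """
    problems = []
    if fgt["mode"] != zw["mode"]:
        problems.append(f"IKE mode differs: FortiGate {fgt['mode']}, ZyWALL {zw['mode']}")
    for phase in ("p1", "p2"):
        if not negotiated_proposals(fgt, zw, phase):
            problems.append(f"no common {phase} encryption/authentication proposal")
        fgt_grp, zw_grp = fgt[f"{phase}_dhgrp"], zw[f"{phase}_dhgrp"]
        if fgt_grp != zw_grp:
            problems.append(f"{phase} DH group differs: FortiGate {fgt_grp}, ZyWALL {zw_grp}")
    if fgt["nat_traversal"] != zw["nat_traversal"]:
        problems.append("NAT traversal enabled on only one side")
    if fgt["replay_detection"] != zw["replay_detection"]:
        problems.append("replay detection enabled on only one side")
    # Selectors must mirror each other: the FortiGate's source is the ZyWALL's
    # remote network, and the FortiGate's destination is the ZyWALL's local network.
    fgt_src = ipaddress.ip_network(fgt["src"])
    fgt_dst = ipaddress.ip_network(fgt["dst"])
    zw_local = ipaddress.ip_network(zw["local"])
    zw_remote = ipaddress.ip_network(zw["remote"])
    if fgt_src != zw_remote:
        problems.append(f"selector mismatch: FortiGate source {fgt_src} vs ZyWALL remote {zw_remote}")
    if fgt_dst != zw_local:
        problems.append(f"selector mismatch: FortiGate destination {fgt_dst} vs ZyWALL local {zw_local}")
    return problems


if __name__ == "__main__":
    for line in check_interop(FORTIGATE, ZYWALL) or ["settings agree"]:
        print(line)
    print("Phase 2 proposal in use:", negotiated_proposals(FORTIGATE, ZYWALL, "p2")[0])
```

With the article's values the check reports no problems and shows that 3DES/SHA1 is the proposal actually selected, since the FortiGate's second proposal (3DES/MD5) has no counterpart on the ZyWALL. Changing the ZyWALL remote network to anything other than 10.20.3.0/24, or its PFS group to anything other than DH2, is enough to make the check fail, which is the same condition that would leave the tunnel stuck in Phase 2 negotiation on the real devices.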