Created on 04-13-2007 12:00 AM
Introduction
This article describes how to configure an IPSec VPN on a FortiGate unit to work with a Checkpoint NGX firewall VPN. The configuration uses an interface-based VPN, a new feature in FortiOS v3.0. Users on the network behind the FortiGate unit can communicate with any host on the Checkpoint-protected network. Users on the Checkpoint network can have access to a server on the private network behind the FortiGate unit.
Components
Prerequisites
Configure VPN Phase 1
First configure the IPSec VPN phase 1. The virtual IPSec interface is created on the physical interface that connects to the Internet. To configure using the Web-based Manager:
To configure using the CLI:

    config vpn ipsec phase1-interface
        edit "toSite2"
            set interface "port2"
            set dpd enable
            set nattraversal enable
            set dhgrp 2
            set proposal des-md5
            set keylife 86400
            set remote-gw nnn.nnn.nnn.nnn
            set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    end

Configure VPN Phase 2
Next configure the IPSec VPN phase 2. The Checkpoint VPN accepts VPN connections from only one address: 192.168.197.168. Set the source selector to that address. The destination is the private network behind the Checkpoint appliance. To configure using the Web-based Manager:
To configure using the CLI:

    config vpn ipsec phase2-interface
        edit "toSite2_p2"
            set dhgrp 1
            set keepalive enable
            set phase1name "toSite2"
            set proposal 3des-md5
            set replay enable
            set src-addr-type ip
            set dst-subnet 10.185.111.0 255.255.255.0
            set src-start-ip 192.168.197.168
    end

Configure Firewall Addresses
Create firewall addresses for the private networks at either end of the VPN. "LocalLAN" is the network at the FortiGate unit end and "Site2_net" is the network behind the Checkpoint appliance. To configure using the Web-based Manager:
To configure using the CLI:

    config firewall address
        edit "LocalLAN"
            set subnet 192.168.100.0 255.255.255.0
        next
        edit "Site2_net"
            set subnet 10.185.111.0 255.255.255.0
    end

Configure a Firewall Virtual IP Pool
The Checkpoint appliance allows remote VPN peers to connect only from IP address 192.168.197.168. Using the FortiGate unit IP Pool feature, you can replace the user's source IP address with the address 192.168.197.168 that is acceptable to the Checkpoint appliance. To configure using the Web-based Manager:
To configure using the CLI:

    config firewall ippool
        edit "Site2-Out"
            set endip 192.168.197.168
            set interface "toSite2"
            set startip 192.168.197.168
    end

Configure a Firewall Virtual IP Address
The Checkpoint appliance permits hosts on its network to connect through the VPN only to IP address 192.168.197.168. Using the FortiGate Virtual IP (VIP) feature, you can translate this address to the address of a server on the network behind the FortiGate unit. To configure using the Web-based Manager:
To configure using the CLI:

    config firewall vip
        edit "Static_for_Site2peer"
            set extip 192.168.197.168
            set extintf "toSite2"
            set mappedip 192.168.100.173
    end

Configure Outgoing Firewall Policy
The outgoing policy allows hosts on the network behind the FortiGate unit to communicate with hosts behind the Checkpoint appliance. The policy uses the IP Pool you created to substitute the source address for one that is acceptable to the Checkpoint appliance. To configure using the Web-based Manager:
To configure using the CLI:

    config firewall policy
        edit 3
            set srcintf "port1"
            set dstintf "toSite2"
            set srcaddr "LocalLAN"
            set dstaddr "Site2_net"
            set action accept
            set schedule "always"
            set service "ANY"
            set logtraffic enable
            set nat enable
            set ippool enable
            set poolname "Site2-Out"
    end

Configure Incoming Firewall Policy
The incoming policy allows communications from the network behind the Checkpoint appliance to the network behind the FortiGate unit. However, the Checkpoint appliance permits its hosts to communicate only to one address: 192.168.197.168. The VIP you defined earlier translates this address to the address of a server on the network behind the FortiGate unit. To configure using the Web-based Manager:
To configure using the CLI:

    config firewall policy
        edit 4
            set srcintf "toSite2"
            set dstintf "port1"
            set srcaddr "Site2_net"
            set dstaddr "Static_for_Site2peer"
            set action accept
            set schedule "always"
            set service "ANY"
            set logtraffic enable
    end

Configure Routing
You need to specify that the virtual IPSec interface toSite2 is the interface that connects to the network behind the Checkpoint appliance. To configure using the Web-based Manager:
To configure using the CLI:

    config router static
        edit 2
            set device "toSite2"
            set dst 10.185.111.0 255.255.255.0
    end

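The steps above tie several objects to the same values: the IP pool address, the VIP external address and the phase 2 source must all be the one address the Checkpoint accepts (192.168.197.168), the pool, VIP and static route must all bind to the virtual interface toSite2, and the route, Site2_net and the phase 2 destination selector must name the same subnet. The following script is an added example, not part of the Fortinet article: it parses the CLI snippets (token-based, so it also accepts them run together on one line as rendered above), cross-checks those relationships, and flags the single-DES and MD5 proposals as legacy algorithms. The sample configuration is constructed from the snippets on this page.

```python
import re, shlex

KEYWORDS = {"config", "edit", "set", "next", "end"}
# Constructed sample: the article's own CLI snippets, written run-together as the page renders them
SAMPLE = """config vpn ipsec phase1-interface edit "toSite2" set interface "port2" set proposal des-md5 set dhgrp 2 end
config vpn ipsec phase2-interface edit "toSite2_p2" set phase1name "toSite2" set proposal 3des-md5
  set dst-subnet 10.185.111.0 255.255.255.0 set src-start-ip 192.168.197.168 end
config firewall address edit "Site2_net" set subnet 10.185.111.0 255.255.255.0 end
config firewall ippool edit "Site2-Out" set endip 192.168.197.168 set interface "toSite2" set startip 192.168.197.168 end
config firewall vip edit "Static_for_Site2peer" set extip 192.168.197.168 set extintf "toSite2" set mappedip 192.168.100.173 end
config router static edit 2 set device "toSite2" set dst 10.185.111.0 255.255.255.0 end
"""

def parse(text):
    """Build {table: {entry: {key: value}}}; token-based, so one or many statements per line both parse."""
    tokens, cfg, table, entry, i = shlex.split(text), {}, None, None, 0
    while i < len(tokens):
        kw, i = tokens[i], i + 1
        start = i
        while i < len(tokens) and tokens[i] not in KEYWORDS:
            i += 1                      # arguments run until the next keyword
        args = tokens[start:i]
        if kw == "config":
            table = cfg.setdefault(" ".join(args), {})
        elif kw == "edit":
            entry = table.setdefault(args[0], {})   # shlex already stripped the quotes
        elif kw == "set":
            entry[args[0]] = " ".join(args[1:])     # multi-token values (subnet + mask) kept whole
    return cfg

def check(cfg):
    """Cross-check the addresses and interfaces the article ties together; return findings."""
    p2 = cfg["vpn ipsec phase2-interface"]["toSite2_p2"]
    pool, vip = cfg["firewall ippool"]["Site2-Out"], cfg["firewall vip"]["Static_for_Site2peer"]
    route, remote = cfg["router static"]["2"], cfg["firewall address"]["Site2_net"]["subnet"]
    peer_src = p2["src-start-ip"]       # the one source address the Checkpoint accepts
    findings = []
    if not (pool["startip"] == pool["endip"] == vip["extip"] == peer_src):
        findings.append("IP pool, VIP and phase 2 source address do not all use " + peer_src)
    if not (pool["interface"] == vip["extintf"] == route["device"] == "toSite2"):
        findings.append("IP pool, VIP or static route is not bound to interface toSite2")
    if not (route["dst"] == remote == p2["dst-subnet"]):
        findings.append("static route, Site2_net and phase 2 destination subnet disagree")
    for name in ("phase1-interface", "phase2-interface"):
        for entry, obj in cfg["vpn ipsec " + name].items():
            if re.search(r"(^|-)(des|md5)(-|$)", obj.get("proposal", "")):   # single DES / MD5
                findings.append(f"{name} {entry} uses legacy proposal {obj['proposal']}")
    return findings

if __name__ == "__main__":
    print(*(check(parse(SAMPLE)) or ["no findings"]), sep="\n")
```

On the sample as written the address and interface checks pass and only the two legacy-proposal findings are reported; change one of the 192.168.197.168 values to see the NAT/VIP mismatch reported.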
Copyright 2024 Fortinet, Inc. All Rights Reserved.