alif
Staff
Article Id 197922

Purpose

This article explains the configuration of a site-to-site IPsec VPN where both sites have a static public IP on the WAN interface.

It covers both wizard and manual configuration.


Expectations, Requirements
For FortiOS versions 5.6 to 6.4.

Configuration
The following are the IP addresses of both FortiGates.

Device     FortiGate - I      FortiGate - II
WAN IP     172.25.176.62      172.25.177.46
LAN IP     192.168.65.0/24    192.168.13.0/24

FortiGate – I Configuration.

To create an IPsec VPN tunnel on FortiGate-I, go to VPN -> IPsec Wizard and enter the tunnel name.

Set Template Type to Site to Site, set Remote Device Type to FortiGate, and set NAT Configuration to No NAT between sites.
Select 'Next' to move to the Authentication step.
In the Authentication step, set IP Address to the WAN IP address of the remote FortiGate (in the example, 172.25.177.46).

After the WAN IP address is entered, the wizard automatically assigns an interface as the Outgoing Interface.
If a different interface should be used, select it from the drop-down menu.
Set a secure Pre-shared Key (PSK). The remote peer can also be authenticated via a certificate, as explained here.
In the Policy & Routing step, set Local Interface to LAN.
The wizard adds the local subnet automatically.
Set Remote Subnets to the Branch network’s subnet (in the example, 192.168.13.0/24).
Set Internet Access to None.
A summary page shows the configuration created by the wizard, including interfaces, firewall addresses, routes, and policies.
The wizard automatically configures the phase2 selectors, firewall address groups, firewall addresses, static routes, blackhole routes and firewall policies.
To view the VPN interface created by the wizard, go to Network -> Interfaces.
To view the firewall addresses created by the wizard, go to Policy & Objects -> Addresses.
To view the routes created by the wizard, go to Network -> Static Routes.
To view the policies created by the wizard, go to Policy & Objects -> IPv4 Policy.
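For readers who prefer the CLI, or who want to reproduce the manual configuration, the following is an added example showing the same set of objects the wizard creates on FortiGate-I (phase1, phase2, addresses and groups, static and blackhole routes, and the two policies). It is not the article's own output: the tunnel name "VPN-to-FGT-II", the interface names "wan1" and "lan", the route IDs, and the AES256/SHA256 with DH group 14 proposal are assumptions; the IP addresses are those from the table above. The FortiGate-II side is identical with the remote gateway, source and destination subnets swapped.

```fortios
# Added example: CLI equivalent of the objects the IPsec wizard creates on
# FortiGate-I. Tunnel name, interface names, route IDs and the proposal are
# assumptions; the addresses come from the article's table.

# Phase1: the IKE peer is the static WAN IP of FortiGate-II
config vpn ipsec phase1-interface
    edit "VPN-to-FGT-II"
        set interface "wan1"
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.25.177.46
        set psksecret <replace-with-a-strong-pre-shared-key>
    next
end

# Phase2: selectors carry HQ LAN <-> Branch LAN. auto-negotiate keeps the
# selector up instead of waiting for interesting traffic to trigger it.
config vpn ipsec phase2-interface
    edit "VPN-to-FGT-II"
        set phase1name "VPN-to-FGT-II"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
        set src-subnet 192.168.65.0 255.255.255.0
        set dst-subnet 192.168.13.0 255.255.255.0
    next
end

# Firewall addresses and the groups referenced by the policies
config firewall address
    edit "VPN-to-FGT-II_local_subnet_1"
        set subnet 192.168.65.0 255.255.255.0
    next
    edit "VPN-to-FGT-II_remote_subnet_1"
        set subnet 192.168.13.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "VPN-to-FGT-II_local"
        set member "VPN-to-FGT-II_local_subnet_1"
    next
    edit "VPN-to-FGT-II_remote"
        set member "VPN-to-FGT-II_remote_subnet_1"
    next
end

# Static route via the tunnel interface, plus a blackhole route with a worse
# distance: while the tunnel is down, branch-bound traffic is dropped rather
# than leaking unencrypted to the default route.
config router static
    edit 10
        set dst 192.168.13.0 255.255.255.0
        set device "VPN-to-FGT-II"
    next
    edit 11
        set dst 192.168.13.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# Policies in both directions, limited to the two LAN address groups.
# NAT stays at its default (disabled) on the VPN leg.
config firewall policy
    edit 0
        set name "vpn_VPN-to-FGT-II_local"
        set srcintf "lan"
        set dstintf "VPN-to-FGT-II"
        set srcaddr "VPN-to-FGT-II_local"
        set dstaddr "VPN-to-FGT-II_remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vpn_VPN-to-FGT-II_remote"
        set srcintf "VPN-to-FGT-II"
        set dstintf "lan"
        set srcaddr "VPN-to-FGT-II_remote"
        set dstaddr "VPN-to-FGT-II_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The policies are deliberately scoped to the two address groups rather than "all", so only the intended subnets can traverse the tunnel; `service "ALL"` can be narrowed further once the required protocols between the sites are known.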
FortiGate – II Configuration.

To create a new IPsec VPN tunnel, connect to FGT-II, go to VPN -> IPsec Wizard, and create a new tunnel.
In the VPN Setup step, set Template Type to Site to Site, set Remote Device Type to FortiGate, and set NAT Configuration to No NAT between sites.
In the Authentication step, set IP Address to the WAN IP address of FGT-I (in the example, 172.25.176.62).
After the IP address is entered, the wizard automatically assigns an interface as the Outgoing Interface.
If a different interface needs to be used, select it from the drop-down menu.
 
Set the same secure Pre-shared Key (PSK) that was used for the VPN on FortiGate-I.
In the Policy & Routing step, set Local Interface to LAN.
The wizard adds the local subnet automatically.
Set Remote Subnets to the HQ network’s subnet (in the example, 192.168.65.0/24).
 
Set Internet Access to 'None'.
A summary page shows the configuration created by the wizard, including interfaces, firewall addresses, routes, and policies.
To bring the VPN tunnel up, go to Monitor -> IPsec Monitor, select the tunnel's Status entry, and select Bring Up.
There is also an option to enable auto-negotiation so that the phase2 selectors always stay up; this is explained in the related article listed below.
Verification
To verify that the LAN subnets can reach each other over the VPN tunnel, send an ICMP echo (ping) from a host on either side.
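The same check can be run from the FortiGate-I CLI when no LAN host is at hand. This is an added example, not part of the article: the tunnel name "VPN-to-FGT-II" and the LAN interface addresses 192.168.65.1 (FortiGate-I) and 192.168.13.1 (FortiGate-II) are assumptions.

```fortios
# Added example (not from the article). Tunnel name and the two LAN
# interface addresses are assumptions.

# Source the ping from the LAN address so it matches the phase2 selector and
# the LAN -> VPN policy, exactly as traffic from a LAN host would. A ping
# sourced from the WAN address would not be sent through the tunnel.
execute ping-options source 192.168.65.1
execute ping 192.168.13.1

# Confirm phase1 (IKE gateway) and phase2 (IPsec SA) are established, and
# that the tunnel's rx/tx counters increase while the ping runs
diagnose vpn ike gateway list name VPN-to-FGT-II
diagnose vpn tunnel list name VPN-to-FGT-II
get vpn ipsec tunnel summary
```

If the ping fails while both SAs show as up, the usual causes are the phase2 selectors not covering the source and destination subnets, or the return route and policy missing on the far side.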



Troubleshooting
If the tunnel does not come up, raise a support ticket. It is helpful to collect the following debug output:

Debug commands:

# diag vpn tunnel list
# diag vpn ike log-filter clear
# diag vpn ike log-filter dst-addr4 x.x.x.x
<----- Where x.x.x.x is the WAN IP of the remote site.
# diag debug application ike -1
# diag debug console timestamp enable
# diag debug enable

Once the commands are executed, try to bring the tunnel up from the GUI (Monitor -> IPsec Monitor -> Bring Up) or with the command:

# diagnose vpn tunnel up "vpn_tunnel_name"
<----- Where 'vpn_tunnel_name' is the phase1 name of the respective VPN tunnel.


Once the debugs are collected, stop the debug with the following commands:

# diag debug disable
# diag debug reset

Attach the complete output to the ticket along with the configuration files of both FortiGates.

Related document:


Related Articles

Technical Tip: Set the FortiGate unit to bring up IPSec VPN tunnels automatically (Enable Auto-negot...

Technical Note: Use of Black hole route in site to site IPsec VPN scenarios
