Description
This article describes the basic settings to set up a VPN connection between a FortiGate unit and a SonicWall device. Depending on the hardware and firmware used, some settings may vary.
Components
- FortiGate unit running FortiOS 3.0 or higher.
- SonicWall device running SonicOS Enhanced 3.1.0.11.
Steps or Commands
Configure the FortiGate unit
Configure the Phase 1 and Phase 2 VPN settings
To configure the Phase 1 settings
- Go to VPN > IPSec > Phase 1.
- Select Create New and enter the following (default values shown can be changed by the admin):
  - Gateway Name: SonicWall
  - Remote Gateway: Static IP
  - IP Address: the SonicWall device's IP address
  - Mode: Main
  - Authentication Method: Preshared Key
  - Pre-shared Key: the preshared key
- Select Advanced and enter the following:
  - Encryption: 3DES
  - Authentication: SHA1
  - DH Group: 2
  - Keylife: 28800
  Leave all other settings at their defaults.
- Select OK.
To configure the Phase 2 settings
- Go to VPN > IPSec > Phase 2.
- Select Create New and enter the following:
  - Tunnel Name: SonicWall
  - Remote Gateway: select SonicWall
- Select Advanced and enter the following (default values shown can be changed by the admin):
  - Encryption: 3DES
  - Authentication: SHA1
  - DH Group: 2
  - Keylife: 28800
  - Quick Mode Identities: add the source and destination networks; the SonicWall device requires these when building the Security Associations.
- Select OK.
Add a firewall policy
Add the source and destination addresses, then add an internal-to-external policy that references these source and destination addresses to permit the traffic flow.
To add the addresses
- Go to Firewall > Address.
- Select Create New.
- Enter a name for the address, for example FortiGate_network.
- Enter the FortiGate IP address and subnet.
- Select OK.
- Select Create New.
- Enter the name for the address, for example SonicWall_network.
- Enter the SonicWall IP address and subnet.
- Select OK.
To create a firewall policy for the VPN traffic going from the FortiGate unit to the SonicWall device
- Go to Firewall > Policy.
- Select Create New and set the following:
  - Source Interface: Internal
  - Source Address: FortiGate_network
  - Destination Interface: WAN1 (or External)
  - Destination Address: SonicWall_network
  - Schedule: always
  - Service: ANY
  - Action: Encrypt
  - VPN Tunnel: SonicWall
  - Select Allow inbound
  - Select Allow outbound
- Select OK.
To create a firewall policy for the VPN traffic going from the SonicWall device to the FortiGate unit
- Go to Firewall > Policy.
- Select Create New and set the following:
  - Source Interface: WAN1 (or External)
  - Source IP address: SonicWall_network
  - Destination Interface: Internal
  - Destination Address Name: FortiGate_network
  - Schedule: always
  - Service: ANY
  - Action: Encrypt
  - VPN Tunnel: SonicWall
  - Select Allow inbound
  - Select Allow outbound
- Select OK.
Configure the SonicWall Device
Create the address object for the FortiGate unit to identify the FortiGate unit's IP address for the VPN Security Association (SA).
To create an address entry
- Go to Network > Address Objects.
- Select Add and enter the following:
  - Name: FortiGate_network
  - Zone Assignment: VPN
  - Type: Network
  - Network: FortiGate IP address
  - Netmask: FortiGate netmask
- Select OK.
Configure the VPN settings for the VPN tunnel connection.
- To configure the VPN, go to VPN.
- Ensure Enable VPN is selected in the VPN Global Settings section.
- Select Add in the VPN Policies area.
- Select the General tab and configure the following:
  - IPSec Keying Mode: IKE using Preshared Secret
  - Name: FortiGate_network
  - IPSec Primary Gateway Name or Address: the FortiGate unit's IPSec gateway IP address
  - Shared Secret: the preshared key
  - Local IKE ID: IP Address (address left empty)
  - Peer IKE ID: IP Address (address left empty)
- Select the Network tab and configure the following:
- For the Local Networks, select Choose local network from list and select LAN Primary Subnet.
- For the Destination Networks, select Choose destination network from list and select FortiGate_network.
- Select the Proposals tab and configure the following:
  IKE (Phase 1) Proposal
  - Exchange: Main Mode
  - DH Group: Group 2
  - Encryption: 3DES
  - Authentication: SHA1
  - Life Time: 28800
  IKE (Phase 2) Proposal
  - Protocol: ESP
  - Encryption: 3DES
  - Authentication: SHA1
  - DH Group: Group 2
  - Life Time: 28800
- Select the Advanced tab and select Enable Keep Alive.
- Select OK.
Related Articles
List of articles about FortiGate IPSec VPN interoperability