FortiGate
Article Id 196811
Description
This article describes the basic settings needed to set up an IPsec VPN connection between a FortiGate unit and a SonicWall device. Depending on the hardware and firmware used, some settings may vary.
Components
  • FortiGate unit running FortiOS 3.0 or higher.
  • SonicWall device running SonicOS Enhanced 3.1.0.11.
Steps or Commands

Configure the FortiGate unit

Configure the Phase 1 and Phase 2 VPN settings

To configure the Phase 1 settings

  1. Go to VPN > IPSec > Phase 1.
  2. Select Create New and enter the following:
    (default values shown can be changed by admin)
    Gateway Name: SonicWall
    Remote Gateway: Static IP
    IP Address: the public IP address of the SonicWall device
    Mode: Main
    Authentication Method: Preshared Key
    Pre-shared Key: the pre-shared key (must match the Shared Secret configured on the SonicWall device)
  3. Select Advanced and enter the following:

    Encryption: 3DES
    Authentication: SHA1
    DH Group: 2
    Keylife: 28800
    Leave all other settings as their default.
  4. Select OK.

To configure the Phase 2 settings

  1. Go to VPN > IPSec > Phase 2.
  2. Select Create New and enter the following:

    Tunnel Name: SonicWall
    Remote Gateway: Select SonicWall
  3. Select Advanced and enter the following:
    (default values shown can be changed by admin)
    Encryption: 3DES
    Authentication: SHA1
    DH group: 2
    Keylife: 28800
    Quick Mode Identities: add the source and destination networks; the SonicWall device requires them to build the Security Associations.
  4. Select OK.

Add a firewall policy

Add the source and destination addresses, then add an internal-to-external policy that includes these source and destination addresses to permit the traffic flow.

To add the addresses

  1. Go to Firewall > Address.
  2. Select Create New.
  3. Enter a name for the address, for example FortiGate_network.
  4. Enter the FortiGate IP address and subnet.
  5. Select OK.
  6. Select Create New.
  7. Enter the name for the address, for example SonicWall_network.
  8. Enter the SonicWall IP address and subnet.
  9. Select OK.

To create a firewall policy for the VPN traffic going from the FortiGate unit to the SonicWall device

  1. Go to Firewall > Policy.
  2. Select Create New and set the following:

    Source Interface: Internal
    Source Address: FortiGate_network
    Destination Interface: WAN1 (or External)
    Destination Address: SonicWall_network
    Schedule: always
    Service: ANY
    Action: Encrypt
    VPN Tunnel: SonicWall
    Select Allow inbound
    Select Allow outbound
  3. Select OK.

To create a firewall policy for the VPN traffic going from the SonicWall device to the FortiGate unit

  1. Go to Firewall > Policy.
  2. Select Create New and set the following:

    Source Interface: WAN1 (or external)
    Source Address: SonicWall_network
    Destination Interface: Internal
    Destination Address: FortiGate_network
    Schedule: always
    Service: ANY
    Action: Encrypt
    VPN Tunnel: SonicWall
    Select Allow inbound
    Select Allow outbound
  3. Select OK.

Configure the SonicWall Device

Create the address object for the FortiGate unit to identify the FortiGate unit's IP address for the VPN Security Association (SA).

To create an address entry

  1. Go to Network > Address Objects.
  2. Select Add and enter the following:

    Name: FortiGate_network
    Zone Assignment: VPN
    Type: Network
    Network: the FortiGate unit's internal network address
    Netmask: the FortiGate unit's internal network netmask
  3. Select OK.

Configure the VPN settings for the VPN tunnel connection.

  1. Go to VPN.
  2. Ensure Enable VPN is selected in the VPN Global Settings section.
  3. Select Add in the VPN Policies area.
  4. Select the General tab and configure the following:
    IPSec Keying Mode: IKE using Preshared Secret.
    Name: FortiGate_network
    IPSec Primary Gateway Name or Address: the public IP address of the FortiGate unit
    Shared Secret: the pre-shared key (must match the Pre-shared Key configured on the FortiGate unit)
    Local IKE ID: IP Address (address left empty)
    Peer IKE ID: IP Address (address left empty)

  5. Select the Network tab and configure the following:
    • For the Local Networks, select Choose local network from list and select LAN Primary Subnet.
    • For the Destination Networks, select Choose destination network from list and select FortiGate_network.

  6. Select the Proposals tab and configure the following:

    IKE (Phase1) Proposal
      Exchange: Main Mode
      DH Group: Group 2
      Encryption: 3DES
      Authentication: SHA1
      Life Time: 28800

    IKE (Phase2) Proposal
      Protocol: ESP
      Encryption: 3DES
      Authentication: SHA1
      DH Group: Group 2
      Life Time: 28800

  7. Select the Advanced tab and select Enable Keep Alive.
  8. Select OK.

Related Articles

List of articles about FortiGate IPsec VPN interoperability