Introduction | This article describes how to configure a policy-based IPSec VPN on a FortiGate unit to work with the VPN feature of a Linksys BEFVP41 router. The Linksys router initiates the tunnel; the FortiGate unit accepts it as a dialup peer. |
Components | - FortiGate unit with FortiOS v3.0 firmware
- Linksys BEFVP41 Router
|
Network Diagram | Diagram not reproduced. The network 10.166.0.0/24 (LocalLAN) is behind the FortiGate internal interface, WAN1 faces the Internet, and the network 192.168.1.0/24 is behind the Linksys BEFVP41, which reaches the FortiGate unit at its WAN1 public address. |
Configure FortiGate VPN Phase 1 | The address of the Linksys router is not configured on the FortiGate unit, so Phase 1 is a dialup (dynamic) gateway: the Linksys router must bring the tunnel up. To configure using the Web-based Manager: - Go to VPN > IPSec > Auto-Key and select Phase 1.
- Enter the following:
Name | 4Linksys |
Remote Gateway | Dialup User |
Local Interface | The interface that connects to the Internet. For example, WAN1. |
Mode | Aggressive |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the same preshared key as configured on the Linksys router. |
- Select Advanced and enter the following:
Enable IPSec Interface Mode | Clear this check box. This is a policy-based VPN; the tunnel is selected by a firewall policy with the IPSEC action. |
P1 Proposal | 1 - 3DES SHA1, 2 - 3DES MD5 |
DH Group | 2 |
Nat-traversal | Enable |
Dead Peer Detection | Enable |
- Select OK.
Note: in aggressive mode the responder's authentication hash is sent before the exchange is encrypted, so anyone who captures the negotiation can run an offline dictionary attack against the preshared key. Use a long, random preshared key, not a word or phrase. 3DES, SHA1/MD5 and DH group 2 (1024-bit) are used here because they match what the Linksys router is configured with; they are weak by current standards, and this is an interoperability configuration rather than a recommended cipher suite. |
To configure using the CLI (the preshared key may also be entered in plain text with set psksecret; it is stored encrypted):
config vpn ipsec phase1
    edit "4Linksys"
        set type dynamic
        set interface "wan1"
        set dpd enable
        set nattraversal enable
        set dhgrp 2
        set proposal 3des-sha1 3des-md5
        set mode aggressive
        set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    next
end |
Configure FortiGate VPN Phase 2 | To configure using the Web-based Manager: - Go to VPN > IPSec > Auto-Key and select Phase 2.
- Enter the following:
Name | A name for the VPN Phase 2 configuration: 4Linksys_p2 |
Phase 1 | Phase 1 configuration name: 4Linksys |
- Select Advanced and enter the following:
P2 Proposal | 1 - 3DES SHA1, 2 - 3DES MD5 |
Enable Replay Detection | Enable |
Enable Perfect Forward Secrecy (PFS) | Enable (the Linksys router is configured with PFS on) |
DH Group | 2 |
- Select OK.
To configure using the CLI:
config vpn ipsec phase2
    edit "4Linksys_p2"
        set phase1name "4Linksys"
        set proposal 3des-sha1 3des-md5
        set pfs enable
        set dhgrp 2
        set replay enable
    next
end |
Configure FortiGate Firewall Addresses | Create firewall addresses for the private networks at either end of the VPN. "LocalLAN" is the network behind the FortiGate unit and "Linksys_net" is the network behind the Linksys router. To configure using the Web-based Manager: - Go to Firewall > Address and select Create New.
- Enter the following:
Address Name | LocalLAN |
Type | Subnet/IP Range |
Subnet/IP Range | 10.166.0.0 255.255.255.0 |
- Select OK.
Repeat the preceding steps for the address "Linksys_net" with the subnet 192.168.1.0 255.255.255.0. To configure using the CLI:
config firewall address
    edit "LocalLAN"
        set subnet 10.166.0.0 255.255.255.0
    next
    edit "Linksys_net"
        set subnet 192.168.1.0 255.255.255.0
    next
end |
Configure FortiGate Firewall Policy | The firewall policy allows hosts behind the Linksys router to initiate communication with hosts on the network behind the FortiGate unit. Because the Linksys router is a dialup peer, the FortiGate unit cannot bring the tunnel up itself, so only inbound traffic is enabled on the policy. To configure using the Web-based Manager: - Go to Firewall > Policy and select Create New.
- Enter the following:
Source Interface/Zone | The interface that connects to the local network: internal |
Source Address | The firewall address of the local network: LocalLAN |
Destination Interface/Zone | The interface connected to the remote network: WAN1 |
Destination Address | The firewall address of the remote network: Linksys_net |
Schedule | Always |
Service | ANY |
Action | IPSEC |
VPN Tunnel | 4Linksys |
Allow inbound | Enable |
- Select OK.
To configure using the CLI (the policy ID, 3 here, can be any unused number):
config firewall policy
    edit 3
        set srcintf internal
        set dstintf wan1
        set srcaddr LocalLAN
        set dstaddr Linksys_net
        set action ipsec
        set vpntunnel 4Linksys
        set inbound enable
        set schedule "always"
        set service "ANY"
    next
end |
Configure Linksys Router | To configure the Linksys router: - Log on to the Linksys router's web-based utility.
- Select the VPN tab and enter the following information:
Select Tunnel Entry | Select an unused tunnel entry |
VPN Tunnel | Enabled |
Tunnel Name | Enter a name |
Local Secure Group | Select Subnet. IP: 192.168.1.0, Mask: 255.255.255.0 (the network behind the Linksys router) |
Remote Secure Group | Select Subnet. IP: 10.166.0.0, Mask: 255.255.255.0 (the network behind the FortiGate unit, LocalLAN) |
Remote Security Gateway | Select IP Address. IP Address: the public IP address of the FortiGate unit. In this example, the address of the WAN1 network interface. |
Encryption | 3DES |
Authentication | SHA |
Key Management | Select Auto (IKE) |
PFS | Enabled |
Pre-shared Key | Enter the same preshared key as you entered in the FortiGate unit VPN Phase 1 configuration. |
Key Lifetime | 3600 seconds |
- Select Save Settings.
- Select Advanced Setting and enter the following information. These values must match the FortiGate Phase 1 and Phase 2 settings: 3DES/SHA corresponds to the first proposal (3des-sha1) on each phase, the 1024-bit group is DH group 2, and PFS ON corresponds to set pfs enable in Phase 2.
Phase 1 Operation Mode | Select Aggressive mode |
Phase 1 Proposal | Encryption: 3DES, Authentication: SHA, Group: 1024-bit, Key Lifetime: 3600 seconds |
Phase 2 Proposal | Encryption: 3DES, Authentication: SHA, PFS: ON, Group: 1024-bit, Key Lifetime: 3600 seconds |
- Select Save Settings.
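Verifying the tunnel | The following FortiGate CLI steps are added here as a check and are not part of the original article. They use the standard FortiOS diagnose commands; lines beginning with # are annotations. Run them on the FortiGate unit after a host behind the Linksys router has sent traffic to 10.166.0.0/24, since only the Linksys side can initiate this tunnel.

```fortios
# Added verification steps (not from the original article).

# 1. Confirm the dialup Phase 1 was negotiated. The gateway "4Linksys" should be
#    listed with the Linksys router's current public address as the remote peer.
diagnose vpn ike gateway list

# 2. Confirm the Phase 2 SA exists. The selectors should cover 192.168.1.0/24 on
#    the Linksys side and 10.166.0.0/24 on the FortiGate side.
diagnose vpn tunnel list

# 3. If the tunnel does not come up, trace the IKE negotiation. A proposal, DH group
#    or PFS mismatch between the two units, or a preshared key that differs, shows
#    up here during the Phase 1 or Phase 2 exchange.
diagnose debug application ike -1
diagnose debug enable
#    Reproduce the failure from a host behind the Linksys router, then stop tracing:
diagnose debug disable
diagnose debug application ike 0

# 4. Confirm IKE (UDP 500) and NAT-T (UDP 4500) packets from the Linksys router
#    are reaching the WAN1 interface at all.
diagnose sniffer packet wan1 'udp port 500 or udp port 4500'
```

If step 4 shows no packets, the problem is upstream of the FortiGate unit (the Remote Security Gateway address on the Linksys router, or a device in between blocking UDP 500/4500); if packets arrive but step 3 shows the negotiation failing, compare the Phase 1 and Phase 2 settings on both units field by field against the tables above. |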
|
Related Articles
List of articles about FortiGate IPSec VPN interoperability