Article| Introduction | This article describes how to configure an IPSec VPN on a FortiGate unit
to work with the VPN feature of a Linksys BEFVP41 Router. |
| Components | - FortiGate unit with FortiOS v3.0 firmware
- Linksys BEFVP41 Router
|
| Network Diagram |  |
| Configure FortiGate VPN Phase 1 | To configure using the Web-based Manager: - Go to VPN > IPSec > Auto-Key and select Phase1.
- Enter the following:
| Name | VPN name: 4Linksys | | Remote Gateway | Dialup User | | Local Interface | Select the interface that connects to the Internet. For example, WAN1. | | Mode | Aggressive | | Authentication Method | Preshared Key | | Pre-shared Key | Enter the same preshared key as configured on the Linksys router. |
- Select Advanced and enter the following:
| Enable IPSec Interface Mode | Clear this check box | | P1 Proposal | 1 - 3DES SHA1
2 - 3DES MD5 | | DH Group | 2 | | Nat-traversal | Enable | | Dead Peer Detection | Enable |
- Select OK.
To configure using the CLI:
config vpn ipsec phase1
edit "4Linksys"
set type dynamic
set interface "wan1"
set dpd enable
set nattraversal enable
set dhgrp 2
set proposal 3des-sha1 3des-md5
set mode aggressive
set psksecret ENC XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
end |
| Configure FortiGate VPN Phase 2 | To configure using the Web-based Manager: - Go to VPN > IPSec > Auto-Key and select Phase 2.
- Enter the following:
| Name | A name for the VPN Phase 2 configuration: 4Linksys_p2 | | Phase 1 | Phase 1 configuration name: 4Linksys |
- Select Advanced and enter the following:
| P2 Proposal | 1 - 3DES SHA1
2 - 3DES MD5 | | Enable Replay Detection | Enable | | DH Group | 2 |
- Select OK.
To configure using the CLI:
config vpn ipsec phase2
edit "4Linksys_p2"
set dhgrp 2
set pfs enable
set phase1name "4Linksys"
set proposal 3des-sha1 3des-md5
set replay enable
end |
| Configure FortiGate Firewall Addresses | Create firewall addresses for the private networks at either end of the VPN. "LocalLAN" is the network behind the FortiGate unit and "Linksys_net" is the network
behind the Linksys router. To configure using the Web-based Manager: - Go to Firewall > Address and select Create New.
- Enter the following:
| Address Name | LocalLAN | | Type | Subnet/IP Range | | Subnet/IP Range | 10.166.0.0 255.255.255.0 |
- Select OK.
Repeat the preceding steps for the address "Linkys_net": "192.168.1.0 255.255.255.0". To configure using the CLI:
config firewall address
edit "LocalLAN"
set subnet 10.166.0.0 255.255.255.0
next
edit "Linkys_net"
set subnet 192.168.1.0 255.255.255.0
end |
| Configure FortiGate Firewall Policy | The firewall policy allows hosts behind the Linksys router to initiate
communication with hosts on the network behind the FortiGate unit. To configure using the Web-based Manager: - Go to Firewall > Policy and select Create New.
- Enter the following:
| Source Interface/Zone | The interface that connects to the local network: internal | | Source Address | The firewall address of the local network: LocalLAN | | Destination Interface/Zone | The interface connected to the remote network: WAN1 | | Destination Address | The firewall address of the remote network: Linksys_net | | Schedule | Always | | Service | ANY | | Action | IPSEC | | VPN Tunnel | 4Linksys |
- Select OK.
To configure using the CLI:
config firewall policy
edit 3
set srcintf internal
set dstintf wan1
set srcaddr LocalLAN
set dstaddr Linksys_net
set action ipsec
set vpntunnel 4Linksys
set inbound enable
set schedule "always"
set service "ANY"
end |
| Configure Linksys Router | To configure the Linksys router - Log on to the the Linksys router's web-based utility.
- Select the VPN tab and enter the following information:
| Select Tunnel Entry: | Select an unused tunnel entry | | VPN Tunnel: | Enabled | | Tunnel Name: | Enter a name | | Local Secure Group | Select Subnet | | IP | 192.168.1.0 | | Mask | 255.255.255.0 | | Remote Security Gateway | Select IP Address | | IP Address | The public IP address of the FortiGate unit.
In this example, the address of the WAN1 network interface. | | Encryption | 3DES | | Authentication | SHA | | Key Management | Select Auto (IKE) | | PFS | Enabled | | Pre-shared Key | Enter the same preshared key
as you entered in the FortiGate unit VPN phase 1 configuration. | | Key Lifetime | 3600 seconds |
- Select Save Settings.
- Select Advanced Setting and enter the following information:
| Phase 1 Operation Mode | Select Aggressive mode | | Phase 1 Proposal | Encryption: 3DES
Authentication: SHA
Group: 1024-bit
Key Lifetime: 3600 seconds | | Phase 2 Proposal | Encryption: 3DES
Authentication: SHA
PFS: ON
Group: 1024-bit
Key Lifetime: 3600 seconds |
- Select Save Settings.
|
Related Articles
List of articles about Fortigate IPSec VPN interoperability
