This IPsec tunnel is built using a FortiGate 81F running version 7.2.5 and a SonicWall TZ350 running SonicOS Enhanced 6.5.4.0-17n.
Configuration on the FortiGate side:
- Go to VPN -> IPsec Tunnels and select 'Create New IPsec Tunnel'. Enter the chosen tunnel name, then select Next.
- Enter the remote IP address of the SonicWALL and the chosen pre-shared key.
- Select the local interface, then specify the local subnet and the remote subnet. Multiple subnets can be entered.
- Review the configuration and select Next.
- FortiGate automatically creates the address objects, the required firewall policies, and the static route.
- Go to VPN -> IPsec Tunnels, edit the tunnel, and convert it to a custom tunnel. This is required in order to adjust the settings.
- In this example, the following settings are used:
- Phase 1: IKEv1 in Main Mode (ID protection).
- Phase 1: encryption AES128 and authentication SHA1, DH Group 2, key lifetime 86400 seconds. XAUTH disabled.
- Phase 2: encryption AES128 and authentication SHA1, DH Group 2 (PFS), key lifetime 86400 seconds.
Configuration on the SonicWALL side:
In this example, the classic GUI is used to create the VPN tunnel. To switch from the new GUI to the classic one, use the selector at the bottom left of the page.
- Go to VPN -> Settings and select Add to create a new VPN policy.
- Enter the chosen tunnel name, the IPsec primary gateway (the FortiGate IP address), and the pre-shared key.
- Navigate to Network to configure the Phase 2 selectors.
Under Choose Local Network (SonicWALL), create a new address object. (Do not use the preexisting ones.)
Under Choose Destination Network (FortiGate), create a new address object.
The Network tab should now show both new address objects.
- Navigate to Proposals and set the encryption to match the settings selected on the FortiGate.
To match the FortiGate, the exchange mode is changed to Main Mode, the key lifetime to 86400, and Perfect Forward Secrecy is enabled with DH Group 2.
- Create the required access rules to allow the traffic.
Go to Firewall -> Access Rules -> Add and create one rule in each direction:
From VPN to X0.
From X0 to VPN.
- The tunnel should now be up and running. If it is not, go to the FortiGate, under Dashboard -> Network select IPsec, select the tunnel, and bring up Phase 2.
Verification
- Make sure the tunnel is up by checking the status on both sides.
FortiGate:
SonicWALL:
- Try to ping a host on the other side's subnet from the FortiGate and from the SonicWALL.
On the FortiGate side, open the CLI and ping the other side's gateway. Since Phase 2 only allows the local subnet 192.168.1.0/24, I had to specify the source using:
exec ping-options source 192.168.1.1
On the SonicWALL side, go to System -> Diagnostics and select the Ping diagnostic tool.
If any problem occurs, feel free to contact Fortinet Support.