Lab 11


Exercise 1: Configuring a Dial-Up IPsec VPN Between Two FortiGate Devices

In this exercise, you will configure a dial-up VPN between Local-FortiGate and Remote-FortiGate. Local-FortiGate will act as the dial-up server and Remote-FortiGate will act as the dial-up client.

Create Phase 1 and Phase 2 Negotiations on Local-FortiGate (Dial-Up Server)

You will configure the IPsec VPN by creating phase 1 and phase 2 negotiations.

To create phase 1 and phase 2 negotiations

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and
password password.

2. Click VPN > IPsec Tunnels, and then click Create New > IPsec Tunnel.

3. Configure the following settings:

Field             Value
Name              ToRemote
Template type     Custom

4. Click Next.

5. In the Network section, configure the following settings:

Field                    Value
Remote Gateway           Dialup User
Interface                port1
Dead Peer Detection      On Idle

6. In the Authentication section, configure the following settings:

Field             Value
Method            Pre-shared Key
Pre-shared Key    fortinet
Version           1
Mode              Aggressive
Accept Types      Specific peer ID
Peer ID           Remote-FortiGate

Setting a peer ID is useful when the FortiGate acting as the dial-up server has multiple dial-up tunnels, and you want dial-up clients to connect to a specific tunnel.


7. In the Phase 2 Selectors section, configure the following setting:

Field             Value
Local Address     10.0.1.0/24


8. Keep the default values for the remaining settings.

9. Click OK.

- You do not need to add a static route because this is a dial-up VPN. FortiGate dynamically adds or removes the appropriate routes for each dial-up peer each time that peer attempts to connect.

- Even though you could have configured 10.0.2.0/24 as the Remote Address instead of 0.0.0.0/0, it is more convenient to use the latter for scalability. That is, when you have multiple remote peers, each with a different remote subnet, using 0.0.0.0/0 as the remote subnet results in the dial-up server accepting any subnet during the tunnel negotiation. This allows multiple remote peers to use the same phase 2 selector configuration.

- This exercise has only one remote peer (Remote-FortiGate). Local-FortiGate learns about the remote subnet 10.0.2.0/24 when Remote-FortiGate connects to the tunnel. However, if there are more remote peers with different remote subnets, you do not need to change the existing dial-up server configuration for the additional remote peers to be able to connect.

Create Firewall Policies for VPN Traffic on Local-FortiGate (Dial-Up Server)

You will create two firewall policies between port3 and ToRemote—one for each traffic direction.

To create firewall policies for VPN traffic


1. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.

2. Click Create New.

3. Configure the following settings:

Field                  Value
Name                   Remote_out
Incoming Interface     port3
Outgoing Interface     ToRemote
Source                 HQ_SUBNET
Destination            BRANCH_SUBNET
Schedule               always
Service                ALL
Action                 ACCEPT

4. In the Firewall/Network Options section, disable NAT.

5. Click OK.

6. Click Create New again.

7. Configure the following settings:

Field                  Value
Name                   Remote_in
Incoming Interface     ToRemote
Outgoing Interface     port3
Source                 BRANCH_SUBNET
Destination            HQ_SUBNET
Schedule               always
Service                ALL
Action                 ACCEPT

8. In the Firewall/Network Options section, disable NAT.

9. Click OK.

Create Phase 1 and Phase 2 on Remote-FortiGate (Dial-Up Client)

You will create phase 1 and phase 2 on Remote-FortiGate.

To create phase 1 and phase 2

1. Connect to the Remote-FortiGate GUI, and then log in with the
username admin and password password.

2. Click VPN > IPsec Tunnels, and then click Create New > IPsec Tunnel.

3. Configure the following settings:

Field             Value
Name              ToLocal
Template type     Custom

4. Click Next.

5. In the Network section, configure the following settings:

Field                    Value
Remote Gateway           Static IP Address
IP Address               10.200.1.1
Interface                port4
Dead Peer Detection      On Idle

6. In the Authentication section, configure the following settings:

Field             Value
Method            Pre-shared Key
Pre-shared Key    fortinet
Version           1
Mode              Aggressive
Accept Types      Any peer ID

7. In the Phase 1 Proposal section, configure the following setting:

Field         Value
Local ID      Remote-FortiGate

The local ID should be the same as the peer ID that you configured on Local-FortiGate, which is acting as the dial-up server.

Note that the Peer ID and Local ID fields are case sensitive.

8. In the Phase 2 Selectors section, configure the following settings:

Field              Value
Local Address      10.0.2.0/24
Remote Address     10.0.1.0/24



9. Keep the default values for the remaining settings.

10. Click OK.

Except for the Local Address and Remote Address settings, all phase 1 and phase 2 settings on both VPN peers mirror each other. For a dial-up IPsec VPN, the local and remote addresses do not have to mirror each other for the tunnel to come up.
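As an added example that is not part of the lab, the following Python script encodes the peer-matching rules the two previous procedures depend on: the phase 1 version, mode and pre-shared key must mirror each other, the client's Local ID must equal the server's Peer ID exactly (case sensitive), and the client's phase 2 selectors must fit inside the server's, where 0.0.0.0/0 accepts any remote subnet. The dictionaries are constructed from the Exercise 1 tables and are not FortiOS configuration syntax.

```python
"""Added example (not part of the lab): check that a FortiGate dial-up server
and dial-up client, as configured in Exercise 1, can negotiate a tunnel."""
from ipaddress import ip_network

# Values constructed from the Exercise 1 tables; plain dicts, not FortiOS syntax.
LOCAL_FGT = {  # Local-FortiGate, dial-up server
    "version": 1, "mode": "Aggressive", "psk": "fortinet",
    "accept_types": "Specific peer ID", "peer_id": "Remote-FortiGate",
    "phase2_local": "10.0.1.0/24", "phase2_remote": "0.0.0.0/0",
}
REMOTE_FGT = {  # Remote-FortiGate, dial-up client
    "version": 1, "mode": "Aggressive", "psk": "fortinet",
    "local_id": "Remote-FortiGate",
    "phase2_local": "10.0.2.0/24", "phase2_remote": "10.0.1.0/24",
}


def phase1_problems(server, client):
    """Phase 1 settings that must mirror each other, plus the peer ID check."""
    problems = [f"phase 1 {key} mismatch" for key in ("version", "mode", "psk")
                if server[key] != client[key]]
    # Peer ID / Local ID is an exact, case-sensitive string comparison.
    if (server["accept_types"] == "Specific peer ID"
            and server["peer_id"] != client.get("local_id")):
        problems.append("client Local ID does not match server Peer ID")
    return problems


def phase2_problems(server, client):
    """The client's selectors must fit inside what the server accepts."""
    problems = []
    srv_local = ip_network(server["phase2_local"])
    srv_remote = ip_network(server["phase2_remote"])  # 0.0.0.0/0 accepts any subnet
    if not ip_network(client["phase2_local"]).subnet_of(srv_remote):
        problems.append("client Local Address is outside the server Remote Address")
    if not ip_network(client["phase2_remote"]).subnet_of(srv_local):
        problems.append("client Remote Address is outside the server Local Address")
    return problems


def tunnel_can_negotiate(server, client):
    """True when no phase 1 or phase 2 problem is found."""
    return not (phase1_problems(server, client) + phase2_problems(server, client))


if __name__ == "__main__":
    print(tunnel_can_negotiate(LOCAL_FGT, REMOTE_FGT))   # True
    # The lab warns that IDs are case sensitive: a lowercase Local ID fails phase 1.
    print(phase1_problems(LOCAL_FGT, dict(REMOTE_FGT, local_id="remote-fortigate")))
```

Because the server's Remote Address is 0.0.0.0/0, a second branch with local subnet 10.0.3.0/24 passes the phase 2 check without any change on the server, which is the scalability point the notes above make.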

Create a Static Route for VPN Traffic on Remote-FortiGate (Dial-Up Client)

You will create one static route on Remote-FortiGate. This step was not necessary on
Local-FortiGate because, as the dial-up server, it automatically adds the route for the
remote network after the tunnel comes up.

To create a static route for VPN traffic on Remote-FortiGate


1. Continuing on the Remote-FortiGate GUI, click Network > Static Routes.

2. Click Create New.

3. Configure the following settings:

Field            Value
Destination      Subnet 10.0.1.0/24
Interface        ToLocal

4. Click OK.

Create the Firewall Policies for VPN Traffic on Remote-FortiGate (Dial-Up Client)

You will create two firewall policies between port6 and ToLocal—one for each traffic direction.

To create firewall policies for VPN traffic


1. On the Remote-FortiGate GUI, click Policy & Objects > Firewall Policy.

2. Click Create New.

3. Configure the following settings:

Field                  Value
Name                   Local_out
Incoming Interface     port6
Outgoing Interface     ToLocal
Source                 BRANCH_SUBNET
Destination            HQ_SUBNET
Schedule               always
Service                ALL
Action                 ACCEPT

4. In the Firewall/Network Options section, disable NAT.

5. Click OK.

6. Click Create New again.

7. Configure the following settings:

Field                  Value
Name                   Local_in
Incoming Interface     ToLocal
Outgoing Interface     port6
Source                 HQ_SUBNET
Destination            BRANCH_SUBNET
Schedule               always
Service                ALL
Action                 ACCEPT

8. In the Firewall/Network Options section, disable NAT.

9. Click OK.

Test and Monitor the VPN


Now that you configured the VPN on both FortiGate devices, you will test the VPN.

To test the VPN


1. On the Remote-FortiGate GUI, click Dashboard > Network > IPsec.

2. Click + beside Custom to expand the custom VPN tunnel section.

Notice that the ToLocal VPN is currently down.

3. Right-click the VPN, and then click Bring Up > All Phase 2 Selectors to bring up
the tunnel.

The Name column of the VPN now contains a green up arrow, which indicates that the
tunnel is up. If required, click the refresh button in the upper-right corner to refresh the
widget information.

Stop and think!

Do you always have to manually bring up the tunnel after you create it?

No. With the current configuration, the tunnel will stay down until you manually bring it up, or there is traffic that should be routed through the tunnel. Because you are not generating traffic between the 10.0.2.0/24 and 10.0.1.0/24 subnets yet, the tunnel is still down. If you had generated the required traffic while the tunnel was down, it would have come up automatically.

You can initiate a tunnel only from Remote-FortiGate because it is the dial-up client.

4. On the Remote-Client VM, open a terminal window, and then enter the following
command to ping the Local-Client VM:

ping 10.0.1.10

The ping should work.

5. On the Remote-FortiGate GUI, click Dashboard > Network > IPsec.

6. In the upper-right corner, click the refresh button multiple times to refresh the
widget information.

You will notice that the counters in the Incoming Data and Outgoing Data columns
increase over time. This indicates that the traffic between 10.0.1.10 and 10.0.2.10 is
being encrypted successfully and routed through the tunnel.

7. On the Local-FortiGate GUI, click Dashboard > Network > Static & Dynamic
Routing.

8. Find the static route that was dynamically added to the FortiGate.

9. View the route details.

10. Notice the address listed in the Gateway IP column for that route.

11. On the Remote-Client VM, press Ctrl+C to stop the ping.

Exercise 2: Configuring a Static IPsec VPN Between Two FortiGate Devices

In this exercise, you will configure a static VPN between Local-FortiGate and Remote-FortiGate. You will also configure a static route on Local-FortiGate for VPN traffic.

Before you begin this lab, you must restore a configuration file on Local-FortiGate.

Make sure that you restore the correct configuration on Local-FortiGate, using the following steps. Failure to restore the correct configuration on Local-FortiGate will prevent you from doing the lab exercise.

To restore the Local-FortiGate configuration file


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and
password password.

2. In the upper-right corner, click admin, and then click Configuration > Revisions.

3. Click + to expand the list.

4. Select the configuration with the comment local-ipsec-vpn, and then click Revert.

5. Click OK to reboot.

Create Phase 1 and Phase 2 Negotiations on Local-FortiGate

You will configure the IPsec VPN by creating phase 1 and phase 2 negotiations.

To create phase 1 and phase 2 negotiations

1. Connect to the Local-FortiGate GUI, and then log in with the username admin and
password password.

2. Click VPN > IPsec Tunnels, and then click Create New > IPsec Tunnel.

3. Configure the following settings:

Field             Value
Name              ToRemote
Template type     Custom

4. Click Next.

5. In the Network section, configure the following settings:

Field                    Value
Remote Gateway           Static IP Address
IP Address               10.200.3.1
Interface                port1
Dead Peer Detection      On Idle

6. In the Authentication section, configure the following settings:

Field             Value
Method            Pre-shared Key
Pre-shared Key    fortinet
Version           1
Mode              Aggressive
Accept Types      Any peer ID

7. In the Phase 2 Selectors section, configure the following settings:

Field              Value
Local Address      10.0.1.0/24
Remote Address     10.0.2.0/24

8. Keep the default values for the remaining settings.

9. Click OK.

Create a Static Route for VPN Traffic on Local-FortiGate

You will create one static route on Local-FortiGate.

To create a static route for VPN traffic on Local-FortiGate


1. Continuing on the Local-FortiGate GUI, click Network > Static Routes.

2. Click Create New.

3. Configure the following settings:

Field            Value
Destination      Subnet 10.0.2.0/24
Interface        ToRemote

4. Click OK.

Create Firewall Policies for VPN Traffic on Local-FortiGate

You will create two firewall policies between port3 and ToRemote—one for each traffic direction.

To create firewall policies for VPN traffic


1. On the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.

2. Click Create New.

3. Configure the following settings:

Field                  Value
Name                   Remote_out
Incoming Interface     port3
Outgoing Interface     ToRemote
Source                 HQ_SUBNET
Destination            BRANCH_SUBNET
Schedule               always
Service                ALL
Action                 ACCEPT

4. In the Firewall/Network Options section, disable NAT.

5. Click OK.

6. Right-click the Remote_out policy, and then click Create reverse policy.

You will see the new reverse policy. By default, the policy is disabled.

7. Select the new policy, and then click Edit.

8. In the Name field, type Remote_in.

9. Verify the following settings:

Field                  Value
Incoming Interface     ToRemote
Outgoing Interface     port3
Source                 BRANCH_SUBNET
Destination            HQ_SUBNET
Schedule               always
Service                ALL
Action                 ACCEPT

10. In the Firewall/Network Options section, disable NAT.

11. Click Enable this policy to enable the policy.

12. Click OK.

Test and Monitor the VPN


You will test the VPN and monitor its status.

To test the VPN


1. On the Local-FortiGate GUI, click Dashboard > Network > IPsec.

2. Click + beside Custom to expand the custom VPN tunnel section.

Notice that the ToRemote VPN is currently down.

3. Right-click the VPN, and then click Bring Up > All Phase 2 Selectors.

4. In the upper-right corner, click the refresh button to refresh the widget information.

The Name column of the VPN now contains a green up arrow, which indicates that the
tunnel is up.

5. On the Remote-Client VM, open a terminal window, and then enter the following
command to ping the Local-Client VM:

ping 10.0.1.10

The ping should work.

6. On the Local-FortiGate GUI, click Dashboard > Network > IPsec.

7. In the upper-right corner, click the refresh button multiple times to refresh the
widget information.

You will notice that the counters in the Incoming Data and Outgoing Data columns
increase over time. This indicates that the traffic between 10.0.1.10 and 10.0.2.10 is
being encrypted successfully and routed through the tunnel.

8. On the Remote-Client VM, press Ctrl+C to stop the ping.
