<

Creating a Fortigate VPN

Hello,

 

In this post i will show you how to create a policy based Fortigate VPN. I will be using FortiOS version 4.0 MR3.

For the VPN tunnel we used the following topology:

Creating Fortigate VPN Steps:

I. Go to VPN > IPsec ->Auto Key (IKE) and select “Create Phase 1

 

 

 

II.  Enter the following information in Phase1

Name:  Fortigate_VPN 1-  This is a name to identify the VPN tunnel, you must remember this name as it will appear when configuration the Phase2.

Remote Gateway  – Enter the static IP of the VPN remote peer. In our example it is “2.2.2.2”

Local Interface – Select the interface that has outside Internet access. In our case we picked “WAN1”. Note: This interface cannot be a loopback interface.

Mode: Main Mode

Authentication: Pre Shared Key -> pick a share key with more than 6 letters.

Click Advanced:

Select the P1 Proposals (we picked):
Encryption: 3DES
Authentication: MD5
DH Group: 2
Keylive: 28800
Local ID: <none>
XAUTH: Disabled
NAT Traversal: Disabled
Dead Peer Detection: Disable  – Note:please keep in mind to set this to disabled in case you are peering with another VPN vendor. I have found out that this can break the VPN tunnel
Click “OK”

The VPN Phase1 one was now created successful.

 

III. Now we need to create VPN Phase2, below are the steps:

 

Name: Select a name that suits you, we picked “Phase2_Fortigate_VPN1

Phase1: Select the  name of the Phase1 you created earlier. We picked” Fortigate_VPN1

Encryption: 3DES

Authentication: MD5

Quick Mode Selector: This describes the IP ranges that you want passing through the VPN.

As in the picture, we picked:

The Source Address: 10.10.10.0/24 , that is behind our Fortigate_1 VPN appliance.

The Destination Address: 10.20.20.0/24. that is behind our Fortigate_2 VPN appliance.\

 

IV. Define VPN Source Selectors

1. Create a firewall address, go to Firewall Objects > Addresses > Address  and select “Create New“.

Enter the following information and press “OK“:

Address Name: Sales_Network

Subnet/IP Range: 10.10.10.0/24

2. Create another firewall address( that is behind Fortigate 2) and go to Firewall Objects > Addresses > Address  and select “Create New“.

Enter the following information and press “OK“:

Address Name: Remote_Sales_Network

Subnet/IP Range: 10.20.20.0/24

 

V.  Create a Firewall Policy on the Fortigate:

a. Go to Policy > Policy

b. Select Create New

c. Enter the following information and press “OK”

Source Interface/Zone – Select Internal

Source Address Name – Select “Sales_Network”

Destination Interface/Zone – Select WAN1

Destination Address Name –  “Remote_Sales_Network”

Action – IPSEC

VPN tunnel: Fortigate_VPN1

Select ONLY the following option:  Allow Inbound and Allow Outbound

 

Everything should be up and running now.

Please let me know if you have any questions.

You can skip to the end and leave a response. Pinging is currently not allowed.

27 Responses to “Creating a Fortigate VPN”

  1. Can you please help me in Blocking Google+ in Fortinet Firewall? I have already blocked Social Networking but it doesn’t get blocked by Firewall.

    • Daniel says:

      Santhosh,

      You can create a new URL filter, or add to an existing one the “plus.google.com” URL and mark it as blocked. Also please be carefull that when applying the Web Filter, you also mark the inspection for HTTPS (as google plus could be using SSL).

      Hope it helps.

      • Hi!!!!

        I tried that also, it didn’t work. It works only if I set https(Deep Scan). But in this case all my websites are asking for certificates even in outlook also. Is there any other way.

        • Daniel says:

          So you added plus.google.com as a blocked URL and it didn’t work ?

          Please try something like this in the url filter:
          url: .*dropbox\.com.*
          type: regex
          action: blocked
          enable: yes (ticked)

          I did not try this, but it should work. Please let me know the outcome

          • Hi!

            It works for other sites. But for Google Plus it doesn’t block.
            If I give deep scanning then it blocks as Social Networking category. But for most of the sites it is getting Certificate issues.
            Is there any other solutions?

  2. Daniel says:

    Hi!
    Very nice description. You described the settings for one Fortigate. Is it right that I have to set up the remote sales network Fortigate the same way as the sales network Fortigateunit?

    Thank you in advance!

  3. Manuel Guzman says:

    Good morning, i have an ipsec site to site betweeen a Fortigate 100d and a cisco SA520, i can access from the network that is behind the cisco to the one that is behind the fortigate but i can’t access from the one behind of fortigate to the one behind the cisco, any ideas or recommendation?
    Thank you

  4. Shabeer says:

    I want to connect between two offices, using dyndns.

    In head office we already have 5 VPNs. I am new in office.

    Can you kindly show me what kind of configuration i can have to connect between 10.0.0.0/24 and 10.0.6.0/24 using dyndns.

  5. James Greene says:

    I am trying to setup a vpn tunnel to a cisco asa 5520. I get the following error:

    NO-PROPOSAL-CHOSEN from your side.

    Any help would be greatly appreciated

    • admin says:

      Hello,

      That means that the Fortigate or the ASA side do not have the same encryption or source selector configured.
      The PHASE2 is not matching between the ASA and the Fortigate.

  6. Rene Bosshard says:

    Very good and short post.

    I made it from a Fortigate 60b to a Zywall. I have a VPN-tunnel, but i can not ping nor access the servers behind.

    What is Wrong?

  7. oliver says:

    hi, where to put the address of dyndns name? suppose i have registered sales.dyndns.info?

  8. Brett says:

    Any chance of getting one of these setup tutorials for redundant vpn connections using interface mode for multiple internet connections. I have the jist of it down I understand that i need to create it and then policies both ways as well as policy routing but somewhere along the line it just isn’t setup right and never works out when i try to cut over to it.

    Would be much appreciated if there was a guide to it that worked, following along with Fortinets tutorial is not exactly reader friendly like yours are.

  9. Anas says:

    Hello,

    I’m trying to setun a ipsec tunnel between a fortigate and a cisco ios router, my ike phase 1 netgotiation is succesful, but i’m stuck at the phase to even if all the SA are the same in the two appliances. do you have any idea about that, have you try before to make the same scenario ?

    Regards

  10. benz says:

    Client to site IPsec VPN is working and i can access the remote site via public/free wifi or buy using my internet at home, my problem is I lose internet connection & unable to surf the internet, while connected to the remote site which is the office I’m working.

  11. Katrice says:

    It’s hard to find your posts in google. I found it on 21 spot, you should build quality backlinks , it will help you to get
    more visitors. I know how to help you, just search in google
    – k2 seo tricks

  12. Remarkable! Its genuinely amazing paragraph, I have got much clear idea about from this article.

  13. What i don’t understood is in fact how you are not really a lot more
    smartly-appreciated than you might be now. You are so intelligent.
    You already know thus considerably in relation to this matter, produced me for my part believe it from numerous numerous angles.
    Its like men and women are not fascinated except it’s one thing to do with Lady gaga!

    Your personal stuffs great. All the time care for it up!

  14. Rich Rabah says:

    Excellent tutorial!!!!

  15. Hi my loved one! I want to say that this article is awesome, great written and come with approximately all important infos. I’d like to peer more posts like

  16. Great items altogether, you only acquired the latest readers. What would you actually suggest relating to your organize that you made a 1 week in the past? Virtually any positive?

  17. 83Lisa says:

    Hello blogger, i must say you have hi quality content here.
    Your page should go viral. You need initial traffic boost
    only. How to get it? Search for: Mertiso’s tips go viral

Leave a Reply