Establish IPSec VPN with FortiGate
FortiWAN supports IPSec VPN tunnels established with a FortiGate unit. However, such a deployment is limited by the specifications of FortiWAN's IPSec implementation (see “About FortiWAN IPSec VPN”). For example, IPSec Transport mode, IKEv2, certificate-based authentication, IKE Phase 1 aggressive mode, NAT traversal, dynamic peer IP addresses and some algorithms are not supported for this deployment. The following example explains how to set up a simple IPSec VPN (Tunnel mode) between a FortiWAN and a FortiGate.
In this example, the common parameters for establishing the IPSec SAs between the two units are as follows. They must be configured identically on both peers, or the IKE negotiation fails with a proposal mismatch:
- Authentication Method: Pre-shared Key
- Phase 1 Mode: Main (ID protection)
- Dead Peer Detection: disable
- Phase 1 Encryption: DES
- Phase 1 Authentication: MD5
- Phase 1 DH Group: 5
- Phase 1 Keylife: 1200 secs
- Phase 2 Encryption: DES
- Phase 2 Authentication: MD5
- Perfect Forward Secrecy (PFS): enable
- Phase 2 DH Group: 5
- Phase 2 Keylife: 120 secs
Note that DES and MD5 are used here only to keep the example simple; both are considered weak and should be replaced by the strongest algorithms that both units support (see “About FortiWAN IPSec VPN” for the algorithms FortiWAN accepts).
Configurations on FortiWAN
To set up the IPSec VPN, configurations of Network Setting, Auto Routing, NAT and IPSec are required on FortiWAN (See “Define routing policies for an IPSec VPN”).
Network Setting
WAN settings
Go to System > Network Setting > WAN Setting, and create a WAN link configuration:
| Setting | Value |
| --- | --- |
| WAN Link | 1 |
| WAN Type | Routing Mode |
| WAN Port | Port1 |
| IPv4 Localhost IP | 10.12.102.42 |
| IPv4 Netmask | 255.255.255.0 |
| IPv4 Default Gateway | 10.12.102.254 |
For the details of WAN link setting, see “Configurations for a WAN link in Routing Mode”, “Configurations for a WAN link in Bridge Mode: One Static IP” and “Configurations for a WAN link in Bridge Mode: Multiple Static IP”.
LAN private subnets
Go to System > Network Setting > LAN Private Subnet, and create a LAN subnet configuration:
| Setting | Value |
| --- | --- |
| IP(s) on Localhost | 2.2.2.254 |
| Netmask | 255.255.255.0 |
| LAN Port | Port3 |
For the details of LAN private subnet setting, see “LAN Private Subnet”.
Auto Routing
Go to Service > Auto Routing, and create a routing policy and two IPv4 filters: one for the IKE negotiation and one for the IPSec-protected traffic.
Policy
| Setting | Value |
| --- | --- |
| Label | IPSec_WAN1 (any name you desire) |
| T | Enable Threshold or not |
| Algorithm | Fixed |
| Parameter | Only WAN link 1 is checked |
IPv4 Filter
Two IPv4 filters: one for IKE negotiations, and another for the general IPSec communication. The first filter pins the IKE packets sent from Localhost to the peer onto WAN link 1, whose Localhost IP is the tunnel's local IP; the second filter sends the LAN traffic destined for the remote subnet through the same WAN link so that it enters the tunnel.

| Setting | IKE filter | IPSec filter |
| --- | --- | --- |
| When | All-Time | All-Time |
| Input Port | Any Port | Any Port (or the LAN port, Port3 in this example) |
| Source | Localhost | 2.2.2.0/255.255.255.0 |
| Destination | 10.12.136.180 | 1.1.1.0/255.255.255.0 |
| Service | Any or IKE(500) | Any |
| Routing Policy | IPSec_WAN1 | IPSec_WAN1 |
| Fail-Over Policy | NO-ACTION | NO-ACTION |
For the details of Auto Routing, see “Auto Routing”.
NAT
Go to Service > NAT, and create a NAT rule that exempts the tunnel traffic from address translation. Without it, packets from 2.2.2.0/24 would leave with the WAN address as their source and no longer match the Phase 2 selectors:

| Setting | Value |
| --- | --- |
| When | All-Time |
| Source | 2.2.2.0/255.255.255.0 |
| Destination | 1.1.1.0/255.255.255.0 |
| Service | Any |
| Translated | No NAT |
For the details of NAT, see “NAT”.
IPSec
Go to Service > IPSec, and create a Tunnel Mode IPSec configuration:
Phase 1
| Setting | Value |
| --- | --- |
| Name | IPSec_FGT_P1 |
| Local IP | 10.12.102.42 |
| Remote IP | 10.12.136.180 |
| Authentication Method | Pre-shared Key: 12345 (example value only; use a long random key in production) |
| Internet Key Exchange | v1 |
| Mode | Main (ID protection) |
| Dead Peer Detection | Disable |
| Proposal: Encryption | DES |
| Proposal: Authentication | MD5 |
| Proposal: DH Group | 5 |
| Proposal: Keylife | 1200 secs |
Phase 2
| Setting | Value |
| --- | --- |
| Name | IPSec_FGT_P2 |
| Proposal: Encryption | DES |
| Proposal: Authentication | MD5 |
| Proposal: PFS Group | 5 |
| Proposal: Keylife | 120 secs |
| Quick Mode: Source | 2.2.2.0/255.255.255.0 |
| Quick Mode: Source Port | Any |
| Quick Mode: Destination | 1.1.1.0/255.255.255.0 |
| Quick Mode: Destination Port | Any |
| Quick Mode: Protocol | Any |

The Quick Mode selectors must mirror the Phase 2 selectors on the FortiGate: the FortiWAN source 2.2.2.0/24 is the FortiGate remote address, and the FortiWAN destination 1.1.1.0/24 is the FortiGate local address.
This completes the IPSec VPN setup on the FortiWAN side; the configurations on the FortiGate side are introduced next. For the details of the IPSec parameters, see “IPSec VPN in the Web UI”.
Configurations on FortiGate
To set up the IPSec VPN, configurations of Network, VPN, Router and Firewall are required on FortiGate. For further information on FortiGate configuration, see the FortiOS Handbook on the Fortinet document site.
Network
Go to System > Network > Interface, and configure wan1 as a physical interface with the static IP address 10.12.136.180:

| Setting | Value |
| --- | --- |
| Interface Name | wan1 |
| Type | Physical Interface |
| Addressing mode | Manual |
| IP/Network Mask | 10.12.136.180/255.255.255.0 |
VPN
Go to VPN > IPsec > Tunnels and click Create New.

| Setting | Value |
| --- | --- |
| Name | IPSec_to_FWN_P1 |

Select “Custom VPN Tunnel (No Template)” and click Next to configure the settings as follows:

Network

| Setting | Value |
| --- | --- |
| IP Version | IPv4 |
| Remote Gateway | Static IP Address |
| IP Address | 10.12.102.42 |
| Interface | wan1 |
| Mode Config | Disable |
| NAT Traversal | Disable |
| Dead Peer Detection | Disable |
Authentication
| Setting | Value |
| --- | --- |
| Method | Pre-shared key |
| Pre-shared key | 12345 (the same key as on FortiWAN) |
| IKE Version | V1 |
| IKE Mode | Main (ID protection) |
Phase 1 Proposal
| Setting | Value |
| --- | --- |
| Encryption | DES |
| Authentication | MD5 |
| Diffie-Hellman Group | 5 |
| Key Lifetime (seconds) | 1200 |
| Local ID | Keep it blank |
XAUTH
| Setting | Value |
| --- | --- |
| Type | Disable |
Phase 2 Selectors
| Setting | Value |
| --- | --- |
| Name | IPSec_to_FWN_P2 |
| Local Address | Subnet: 1.1.1.0/255.255.255.0 |
| Remote Address | Subnet: 2.2.2.0/255.255.255.0 |
Phase 2 Proposal
| Setting | Value |
| --- | --- |
| Encryption | DES |
| Authentication | MD5 |
| Enable Replay Detection | disable |
| Enable Perfect Forward Secrecy (PFS) | enable |
| Diffie-Hellman Group | 5 |
| Local Port | All |
| Remote Port | All |
| Protocol | All |
| Autokey Keep Alive | disable |
| Auto-negotiate | disable |
| Key Lifetime | Seconds |
| Seconds | 120 |

Replay detection is a receiver-side check and does not have to match the peer; the example disables it, but leaving it enabled is the safer setting.
Router
Go to Router > Static > Static Routes, and click Create New to create two static routes: the default route through wan1, and a route to the remote LAN subnet 2.2.2.0/24 through the IPSec tunnel interface IPSec_to_FWN_P1:

| Setting | Route 1 (wan1) | Route 2 (IPSec tunnel) |
| --- | --- | --- |
| Destination IP/Mask | 0.0.0.0/0.0.0.0 | 2.2.2.0/255.255.255.0 |
| Device | wan1 | IPSec_to_FWN_P1 |
| Gateway | 10.12.136.254 | N/A |
Firewall