How to configure IPSec VPN Site-to-Site between Palo Alto and Fortinet with WAN Static IP

1. The purpose of the article

This article will show you how to configure IPSec VPN Site-to-Site between Palo Alto and Fortinet FG firewall devices.

2. Diagram

Details.

Site A:

  • We have an internet connection that is connected to port 1 of the Palo Alto PA-220 device with a static WAN IP of 113.161.93.x using the media converter.
  • Next is the LAN layer 10.146.41.0/24 configured at port 2 of the Palo Alto PA-220 device.

Site B:

  • We have an internet connection connected to WAN port 1 of Fortinet FG 81E firewall with a static WAN IP of 203.205.26.x using the media converter.
  • Next is the 192.168.2.0/24 LAN layer configured at port 1 of the Fortinet FG 81E device.

3. Scenario

We will configure an IPSec VPN Site-to-Site between the Palo Alto PA-220 and the Fortinet FG 81E so that the LAN networks of the two sites, 10.146.41.0/24 and 192.168.2.0/24, can communicate with each other.

4. What to do

Fortinet FG 81E:

  • Create VPN Tunnels
  • Create Static Route
  • Create Policy

Palo Alto PA-220:

  • Create Zone
  • Create Address Object
  • Create Interface Tunnel
  • Create Virtual Routers
  • Create IKE Crypto
  • Create IPSec Crypto
  • Create IKE Gateways
  • Create IPSec Tunnels
  • Create Policy

Result

5. Configuration

5.1. Fortinet FG 81E

5.1.1. Create VPN Tunnels

To create the VPN tunnel go to VPN > IPSec Tunnels and click Create New.

The VPN Creation Wizard panel appears; enter the following configuration information:

  • Name: VPN_FG_2_PA
  • Template type: select Custom
  • Click Next to continue.

We will configure the Network table with the following parameters:

  • IP Version: IPv4
  • Remote Gateway: Static IP Address
  • IP Address: Enter the WAN IP of the Palo Alto PA-220 device as 113.161.93.x
  • Interface: select the WAN port of the Fortinet device used to establish the VPN connection. According to the diagram choose WAN1 port
  • Local Gateway: turn off
  • Mode Config: uncheck
  • NAT Traversal: Select Disable
  • Dead Peer Detection: Select Disable

Authentication panel:

  • Method: Select Pre-shared Key
  • Pre-shared Key: enter the password to establish the VPN connection (note that this password must be set the same on both Palo Alto and Fortinet devices).
  • IKE Version: 2

Phase 1 Proposal panel:

  • Encryption: AES256
  • Authentication: SHA256
  • Diffie-Hellman Group: select 14
  • Key Lifetime (seconds): 5400

XAUTH panel:

  • Type: select Disable

Phase 2 Selectors panel:

  • Local Address: Select Subnet and fill in LAN network 192.168.2.0/24 of Fortinet.
  • Remote Address: Select Subnet and fill in LAN network 10.146.41.0/24 of Palo Alto.
  • Click Advanced… to show the Phase 2 Proposal.

Phase 2 Proposal panel:

  • Encryption: AES128
  • Authentication: SHA256
  • Enable Perfect Forward Secrecy: uncheck
  • Key Lifetime: select Seconds
  • Second: 3600

Click OK to save the IPSec tunnel.

5.1.2. Create Static Routes

We need a static route on the Fortinet firewall that sends traffic destined for Palo Alto's LAN network through the VPN tunnel we just created.

To create it go to Network > Static Routes and click Create New.

Configure according to the following parameters:

  • Destination: Enter the LAN network of the Palo Alto PA-220 device as 10.146.41.0/24.
  • Interface: select IPSec tunnels VPN_FG_2_PA just created.
  • Status: select Enable.
  • Click OK to save.

5.1.3. Create Policy

We need to create policies so that traffic from Fortinet's LAN can reach Palo Alto's LAN through the VPN connection, and vice versa.

To create the policy go to Policy & Objects > IPv4 Policy and click Create New.

Configure the policy that allows traffic from Fortinet's LAN network to Palo Alto's LAN network according to the following parameters:

  • Name: VPN_FG_2_PA
  • Incoming Interface: Floor B (This is LAN interface 1)
  • Outgoing Interface: Select VPN Tunnels VPN_FG_2_PA just created
  • Source: select VLAN_Floor B
  • Destination: select LAN_Palo Alto
  • Service: select ALL
  • Action: select ACCEPT
  • Log Allowed Traffic: turn on and select All Session
  • Enable this policy: ON
  • Click OK to save

Next, create the policy that allows traffic from Palo Alto's LAN network to Fortinet's LAN network according to the following parameters:

  • Name: VPN_PA_2_FG
  • Incoming Interface: Select VPN Tunnels VPN_FG_2_PA just created
  • Outgoing Interface: Floor B (This is interface LAN 1)
  • Source: select LAN_Palo Alto
  • Destination: select VLAN_Floor B
  • Service: select ALL
  • Action: select ACCEPT
  • Log Allowed Traffic: turn on and select All Session
  • Enable this policy: ON
  • Click OK to save
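The same Fortinet configuration from sections 5.1.1 to 5.1.3, expressed as FortiOS CLI, is given below as an added example; it is not part of the original article, and the commands were written from the GUI values above rather than taken from the author's device. The LAN port name behind the "Floor B" alias, the pre-shared key and the masked Palo Alto WAN address are placeholders that must be replaced; the two address objects are assumed to hold the LAN subnets shown in the diagram.

```text
# FortiOS CLI equivalent of the GUI steps in section 5.1 (added example).
# Placeholders: <lan-port> = the physical port behind the "Floor B" alias
# (port 1 on the FG 81E), <PSK> = the pre-shared key, 113.161.93.x = the
# Palo Alto WAN IP exactly as it appears (masked) on the page.

# 5.1.1 Phase 1: IKEv2, AES256/SHA256, DH group 14, 5400 s, NAT-T and DPD off
config vpn ipsec phase1-interface
    edit "VPN_FG_2_PA"
        set interface "wan1"
        set ike-version 2
        set remote-gw 113.161.93.x
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 5400
        set nattraversal disable
        set dpd disable
        set psksecret <PSK>
    next
end

# 5.1.1 Phase 2: AES128/SHA256, no PFS, 3600 s, selectors = the two LAN subnets
config vpn ipsec phase2-interface
    edit "VPN_FG_2_PA"
        set phase1name "VPN_FG_2_PA"
        set proposal aes128-sha256
        set pfs disable
        set keylifeseconds 3600
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 10.146.41.0 255.255.255.0
    next
end

# 5.1.2 Static route: Palo Alto LAN via the tunnel interface
config router static
    edit 0
        set dst 10.146.41.0 255.255.255.0
        set device "VPN_FG_2_PA"
    next
end

# Address objects referenced by the policies (assumed to hold the LAN subnets)
config firewall address
    edit "LAN_Palo Alto"
        set subnet 10.146.41.0 255.255.255.0
    next
    edit "VLAN_Floor B"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# 5.1.3 Policies: one per direction, all sessions logged
config firewall policy
    edit 0
        set name "VPN_FG_2_PA"
        set srcintf "<lan-port>"
        set dstintf "VPN_FG_2_PA"
        set srcaddr "VLAN_Floor B"
        set dstaddr "LAN_Palo Alto"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "VPN_PA_2_FG"
        set srcintf "VPN_FG_2_PA"
        set dstintf "<lan-port>"
        set srcaddr "LAN_Palo Alto"
        set dstaddr "VLAN_Floor B"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Because the tunnel is created as a phase1-interface, FortiOS exposes it as a routable interface named VPN_FG_2_PA, which is why the static route and both policies reference that name directly. Keeping the phase 2 selectors identical to the Palo Alto proxy IDs (192.168.2.0/24 and 10.146.41.0/24) is what lets the IKEv2 child SA negotiate; a mismatch here is the most common reason the tunnel stays down even when phase 1 succeeds.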

5.2 Palo Alto PA-220

5.2.1. Create Zone

We need to create zones for the VPN connections.

To create go to Network > Zones.

Click Add and create the following information:

  • Name: VPN
  • Type: Layer3
  • Click OK to save

Press Commit and OK to save the configuration changes.

5.2.2. Create Address Object

We will create Address Objects for the two LAN networks of the Palo Alto and Fortinet devices.

To create them go to Objects > Addresses.

Click Add and create according to the following parameters.

Palo Alto LAN:

  • Name: PA_LAN
  • Type: IP Netmask – 10.146.41.0/24
  • Click OK to save.

Fortinet LAN:

  • Name: FG_LAN
  • Type: IP Netmask – 192.168.2.0/24
  • Click OK to save

5.2.3. Create Interface Tunnel

To create it go to Network > Interfaces > Tunnel.

Click Add and create the following information:

  • Interface Name: tunnel, with 2 in the number field (this creates tunnel.2)
  • Virtual Router: None
  • Security Zone: VPN
  • Click OK to save.

5.2.4. Create Virtual Routers

To create the Virtual Router go to Network > Virtual Routers, click Add and configure the following information.

Router Settings tab:

  • Name: VR1
  • General tab: Click Add and select the VLAN port (LAN port), ethernet1/1 (internet port) and tunnel.2 (the tunnel interface used for the VPN).

Static Routes > IPv4 tab:

Click Add to add static routes and fill in the following information:

  • Name: VPN_PA_2_FG
  • Destination: FG_LAN
  • Interface: tunnel.2
  • Click OK twice to save.

Press Commit and OK to save the configuration changes.

5.2.5. Create IKE Crypto

We will create the IKE Crypto profile, i.e. the Phase 1 parameters, for the VPN connection.

To create it go to Network > IKE Crypto, click Add and enter the following information:

  • Name: VPN_PA_2_FG
  • DH Group: group14
  • Encryption: aes-256-cbc
  • Authentication: sha256
  • Key Lifetime: Seconds – 5600
  • Click OK To save

5.2.6. Create IPSec Crypto

To create IPSec Crypto go to Network > IPSec Crypto and click Add.

Configure according to the following parameters:

  • Name: VPN_PA_2_FG
  • IPSec Protocol: ESP
  • Encryption: aes-128-cbc
  • Authentication: sha256
  • DH Group: no-pfs
  • Lifetime: Seconds – 3600
  • Click OK to save.

Press Commit and OK to save the configuration changes.

5.2.7. Create IKE Gateways

To create it go to Network > IKE Gateways and click Add.

Configure according to the following parameters:

General tab:

  • Name: VPN_PA_2_FG
  • Version: IKEv2 only mode
  • Address Type: IPv4
  • Interface: ethernet1/1 (WAN port of the Palo Alto)
  • Local IP Address: None
  • Peer Address: 203.205.35.x
  • Authentication: Pre-shared Key
  • Pre-shared key: enter the connection password (this must be the same as the pre-shared key entered on the Fortinet device)
  • Confirm Pre-shared key: re-enter the connection password.

Advanced Options tab:

  • IKE Crypto Profile: VPN_PA_2_FG
  • Click OK to save

Press Commit and OK to save the configuration changes.

5.2.8. Create IPSec Tunnels

Now we will start creating the VPN connection with the Fortinet device.

To create it go to Network > IPSec Tunnels and press Add.

Create it with the following information.

General tab:

  • Name: VPN_PA_2_FG_Tunnel
  • Tunnel Interface: tunnel.2
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateways: VPN_PA_2_FG
  • IPSec Crypto Profile: VPN_PA_2_FG

Proxy IDs tab:

Click Add and configure the following information:

  • Proxy ID: Peer-1
  • Local: 10.146.41.0/24
  • Remote: 192.168.2.0/24
  • Protocol: Any
  • Click OK twice to save.

Press Commit and OK to save the configuration changes.

5.2.9 Create Policy

We need to create a policy that allows traffic from Palo Alto’s LAN network to pass through Fortinet’s LAN network and vice versa.

To create the policy go to Policies > Security and click Add.

Create a policy that allows traffic from Palo Alto’s LAN network to pass through Fortinet’s LAN network with the following information:

Tab General:

  • Name: VPN_PA_2_FG
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: Click Add and select Trust-Layer3 (This is the zone of the LAN layer)
  • Source Address: Click Add and select PA_LAN (PA_LAN is the Address Object that we created earlier)

Tab Destination:

  • Destination Zone: VPN
  • Destination Address: FG_LAN (This is the Address Object created in the beginning)

Tab Action:

  • Action: Select Allow.
  • Click OK to save.

Next, we will click Add and create a policy that allows traffic from Fortinet’s LAN network to the Palo Alto LAN network with the following information:

Tab General:

  • Name: VPN_FG_2_PA
  • Rule Type: universal (default)

Tab Source:

  • Source Zone: Click Add and select VPN
  • Source Address: Click Add and select FG_LAN (FG_LAN is the Address Object that we created earlier)

Tab Destination:

  • Destination Zone: Trust-Layer3 (Zone of the LAN network)
  • Destination Address: PA_LAN (This is the Address Object created in the beginning)

Tab Action:

  • Action: Select Allow.
  • Click OK to save.
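For readers who prefer the PAN-OS CLI, the Palo Alto side from sections 5.2.1 to 5.2.9 is reconstructed below as configure-mode set commands. This is an added example, not taken from the original article or the author's device, and the command syntax is reconstructed from the GUI fields, so it should be checked against the CLI reference of the PAN-OS release running on the PA-220 before use. The Fortinet WAN address, the pre-shared key and the LAN (VLAN) interface name are placeholders; the Trust-Layer3 zone and the LAN interface are assumed to exist already, as the article does.

```text
# PAN-OS configure-mode "set" commands equivalent to section 5.2 (added example,
# reconstructed from the GUI steps). Placeholders: <fortinet-wan-ip> = the
# Fortinet WAN IP from the diagram, <PSK> = the pre-shared key (identical to
# the Fortinet side), <lan-interface> = the existing VLAN/LAN interface.
configure

# 5.2.1 / 5.2.2 / 5.2.3: zone, address objects, tunnel interface
set zone VPN network layer3 tunnel.2
set address PA_LAN ip-netmask 10.146.41.0/24
set address FG_LAN ip-netmask 192.168.2.0/24
set network interface tunnel units tunnel.2

# 5.2.4: virtual router with the three interfaces and the route to the Fortinet LAN
set network virtual-router VR1 interface [ <lan-interface> ethernet1/1 tunnel.2 ]
set network virtual-router VR1 routing-table ip static-route VPN_PA_2_FG destination 192.168.2.0/24 interface tunnel.2

# 5.2.5: IKE (phase 1) crypto profile, values as given in the article
set network ike crypto-profiles ike-crypto-profiles VPN_PA_2_FG dh-group group14
set network ike crypto-profiles ike-crypto-profiles VPN_PA_2_FG encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles VPN_PA_2_FG hash sha256
set network ike crypto-profiles ike-crypto-profiles VPN_PA_2_FG lifetime seconds 5600

# 5.2.6: IPSec (phase 2) crypto profile, ESP, no PFS
set network ike crypto-profiles ipsec-crypto-profiles VPN_PA_2_FG esp encryption aes-128-cbc
set network ike crypto-profiles ipsec-crypto-profiles VPN_PA_2_FG esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles VPN_PA_2_FG dh-group no-pfs
set network ike crypto-profiles ipsec-crypto-profiles VPN_PA_2_FG lifetime seconds 3600

# 5.2.7: IKEv2-only gateway on the WAN interface, pre-shared key authentication
set network ike gateway VPN_PA_2_FG protocol version ikev2
set network ike gateway VPN_PA_2_FG local-address interface ethernet1/1
set network ike gateway VPN_PA_2_FG peer-address ip <fortinet-wan-ip>
set network ike gateway VPN_PA_2_FG authentication pre-shared-key key <PSK>
set network ike gateway VPN_PA_2_FG protocol ikev2 ike-crypto-profile VPN_PA_2_FG

# 5.2.8: IPSec tunnel bound to tunnel.2 with the proxy ID matching the Fortinet selectors
set network tunnel ipsec VPN_PA_2_FG_Tunnel tunnel-interface tunnel.2
set network tunnel ipsec VPN_PA_2_FG_Tunnel auto-key ike-gateway VPN_PA_2_FG
set network tunnel ipsec VPN_PA_2_FG_Tunnel auto-key ipsec-crypto-profile VPN_PA_2_FG
set network tunnel ipsec VPN_PA_2_FG_Tunnel auto-key proxy-id Peer-1 local 10.146.41.0/24 remote 192.168.2.0/24 protocol any

# 5.2.9: one security rule per direction between the Trust-Layer3 and VPN zones
set rulebase security rules VPN_PA_2_FG from Trust-Layer3 to VPN source PA_LAN destination FG_LAN application any service any action allow
set rulebase security rules VPN_FG_2_PA from VPN to Trust-Layer3 source FG_LAN destination PA_LAN application any service any action allow

commit
```

Two points worth checking when the two configurations are compared side by side. First, IKEv2 does not negotiate SA lifetimes, so the 5400 s phase 1 lifetime on the Fortinet and the 5600 s value on the Palo Alto do not have to agree; each peer simply rekeys on its own timer. Second, everything else must match exactly: the IKE proposal (AES-256, SHA-256, DH group 14), the IPSec proposal (AES-128, SHA-256, no PFS), the pre-shared key, and the proxy IDs, which are the mirror image of the Fortinet phase 2 selectors (local 10.146.41.0/24, remote 192.168.2.0/24 on the Palo Alto).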

5.3. Result

To check the result on the Palo Alto device go to Network > IPSec Tunnels.

Both status indicators, Tunnel Info and IKE Info, should be green, which means the VPN connection has been established successfully.

Switching to the Fortinet device, you can check whether the VPN connection is up by going to Monitor > IPSec Monitor.

You should see that the VPN connection has been established and that Incoming Data and Outgoing Data are both counting traffic.
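The same checks from the command line, useful when the GUI indicators stay red and you need to see which phase is failing, are listed below as an added example; these commands are not from the original article, and the tunnel and gateway names are the ones defined in sections 5.1 and 5.2.

```text
# Operational commands for verifying the tunnel on both sides (added example).

# Palo Alto PA-220, operational mode
show vpn ike-sa gateway VPN_PA_2_FG            # phase 1 SA present?
show vpn ipsec-sa tunnel VPN_PA_2_FG_Tunnel    # phase 2 SA present?
show vpn flow name VPN_PA_2_FG_Tunnel          # encap/decap packet counters
# Start negotiation from this side if the tunnel is idle:
test vpn ike-sa gateway VPN_PA_2_FG
test vpn ipsec-sa tunnel VPN_PA_2_FG_Tunnel

# Fortinet FG 81E
get vpn ipsec tunnel summary                   # one line per tunnel with up/down state
diagnose vpn ike gateway list name VPN_FG_2_PA # IKE SA details for this peer
diagnose vpn tunnel list name VPN_FG_2_PA      # IPSec SA, selectors and byte counters
# Bring the tunnel up from this side:
diagnose vpn tunnel up VPN_FG_2_PA
# Watch the IKE negotiation in real time; disable the debug when finished:
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable
```

If phase 1 is up on both sides but no phase 2 SA appears, compare the selectors shown by `diagnose vpn tunnel list` with the proxy ID in `show vpn ipsec-sa`; if phase 1 itself never completes, the pre-shared key or the IKE proposal is the usual cause and the IKE debug output on the Fortinet will name the mismatched parameter.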
