How to configure IPSec VPN site-to-site between FortiGate and Draytek Vigor2925 firewalls

1.The purpose of the article

This article shows how to configure an IPSec VPN site-to-site tunnel between two firewall devices, a Fortinet FortiGate FG-81E and a Draytek Vigor2925.

2.Diagram

Details:

Site A:

  • We have an internet connection on WAN 1 of the FortiGate FG-81E with a static WAN IP of 203.205.x.x, delivered through a media converter.
  • The 192.168.2.0/24 LAN subnet is configured on port 2 of the FortiGate FG-81E.

Site B:

  • We have an internet connection on WAN port 1 of the Draytek Vigor2925 router with a static WAN IP of 113.190.x.x, delivered through a media converter.
  • The 192.168.4.0/24 LAN subnet is configured on port 1 of the Draytek.

3.Scenario

We will configure an IPSec VPN site-to-site tunnel between the Fortinet FG-81E and the Draytek Vigor2925 so that the LAN subnets of both sites, 192.168.2.0/24 and 192.168.4.0/24, can reach each other.

4.Steps to take

Draytek Vigor2925:

  • Configure Common Settings
  • Configure Dial-Out Settings
  • Configure TCP/IP Network Settings

Fortinet FG-81E:

  • Create VPN Tunnels
  • Create Static Route
  • Create Policy

Result

5.Configuration

5.1.Draytek Vigor2925

To create a VPN connection on Draytek we need to log in to the admin page, then go to VPN and Remote Access > LAN to LAN.

Click on any free Index to create the profile; here techbast clicks on Index 2.

The Profile Index table appears; we will configure the Common Settings, Dial-Out Settings and TCP/IP Network Settings sections.

5.1.1.Configure Common Settings

In this section we will configure the following parameters:

  • Profile Name: VPN_DR_FG
  • Check Enable this profile
  • Call Direction: select Dial-Out (the Draytek will initiate the VPN connection to the FortiGate; the FortiGate only waits for the incoming connection)
  • Tunnel Mode: select Always on
  • VPN Dial-Out Through: Select WAN1 First and select the IP address of the WAN1 port as 113.190.x.x
  • Netbios Naming Packet: select Pass
  • Multicast via VPN: Block

5.1.2.Configure Dial-Out Settings

In this section we will configure the following parameters:

  • Type of Server I am calling: select IPSec Tunnel IKEv1
  • Server IP/Host Name for VPN: enter the Fortinet FG-81E's WAN IP address, 203.205.x.x.
  • IKE Authentication Method: select Pre-Shared Key and enter the key in the box next to it. (Remember this key; the same value must be entered on the Fortinet side.)
  • IPSec Security Method: select High(ESP) and select 3DES with authentication.
  • Then click Advanced; the IKE Advanced settings panel appears, and we configure the following parameters.
  • IKE phase 1 mode (IKEv1): select Main mode
  • IKE phase 1 proposal: select 3DES_MD5_G2
  • IKE phase 2 proposal: select 3DES_MD5
  • IKE phase 1 key lifetime: 28800
  • IKE phase 2 key lifetime: 3600
  • Perfect Forward Secrecy: select Disable.
  • Click OK to save.

5.1.3.Configure TCP/IP Network Settings

In this section we will configure the following parameters:

  • Remote Network IP: enter the FortiGate's LAN IP, 192.168.2.1 (the Vigor2925 derives the network ID from this IP and the mask).
  • Remote Network Mask: select 255.255.255.0/24. This must match the FortiGate's Phase 2 local selector (192.168.2.0/24) exactly; a wider mask such as 255.255.240.0/20 would make the Vigor2925 propose 192.168.0.0/20 and Phase 2 would fail to negotiate.
  • Local Network IP: enter the Draytek's LAN IP, 192.168.4.1.
  • Local Network Mask: select 255.255.255.0/24.
  • Click OK to save.

Go back to the LAN-to-LAN Profiles table, select Enable for the newly created index profile and click OK to enable this profile.

5.2.Fortinet FG-81E

5.2.1.Create VPN Tunnels

To create VPN Tunnels go to VPN > IPSec Tunnels > click Create New.

The VPN Creation Wizard appears; fill in the following configuration information:

  • Name: VPN_FG_TO_DR
  • Template type: select Custom
  • Click Next to continue.

We will configure the Network table with the following parameters:

  • IP Version: IPv4
  • Remote Gateway: Static IP Address
  • IP Address: Enter the WAN IP of the Draytek Vigor 2925 device as 113.190.x.x
  • Interface: select the WAN port of the FortiGate used to establish the VPN connection, i.e. the port carrying the 203.205.x.x static WAN IP (WAN 1 in the diagram above).
  • Local Gateway: uncheck
  • Mode Config: uncheck
  • NAT Traversal: select Disable
  • Dead Peer Detection: select Disable

Authentication section:

  • Method: select Pre-shared Key
  • Pre-shared Key: Enter a password to establish a VPN connection (note that this password must be set the same on both Draytek and Fortinet devices).
  • IKE Version: 1
  • Mode: Main (ID protection)

Phase 1 Proposal section:

  • Encryption: 3DES
  • Authentication: MD5
  • Diffie-Hellman Group: select 2
  • Key Lifetime (seconds): 28800

Note: 3DES, MD5 and DH group 2 are used here only because they match the Vigor2925 proposal chosen in section 5.1.2; all three are considered weak today. Where both devices support it, prefer AES256 with SHA256 and DH group 14 (and enable Perfect Forward Secrecy in Phase 2), keeping the two sides identical.

XAUTH section:

  • Type: select Disable

Phase 2 Selectors section:

  • Local Address: select Subnet and enter the FortiGate's LAN subnet, 192.168.2.0/24.
  • Remote Address: select Subnet and enter the Draytek's LAN subnet, 192.168.4.0/24.
  • Click Advanced… to display the Phase 2 Proposal panel.

Phase 2 Proposal section:

  • Encryption: 3DES
  • Authentication: MD5
  • Enable Perfect Forward Secrecy: uncheck
  • Key Lifetime: select Seconds
  • Second: 3600

Click OK to create IPSec connection.

5.2.2.Create Static Routes

We need to create a static route on the FortiGate so that traffic for the Draytek's LAN subnet is sent into the VPN tunnel interface we just created.

To create go to Network > Static Routes and click Create New.

Configure according to the following parameters:

  • Destination: enter the LAN subnet of the Draytek Vigor 2925 device as 192.168.4.0/24.
  • Interface: select the IPSec tunnels VPN_FG_TO_DR just created.
  • Status: select Enable.
  • Click OK to save.

5.2.3.Create Policy

We need to create a policy so that the VPN connection can access Fortinet’s LAN and vice versa.

To create a policy go to Policy & Objects > IPv4 Policy and click Create New.

Configure the policy that allows traffic from the FortiGate's LAN subnet to the Draytek's LAN subnet with the following parameters:

  • Name: VPN_FG_TO_DRAYTEK
  • Incoming Interface: Floor B (this is the LAN 2 interface)
  • Outgoing Interface: select the VPN tunnel VPN_FG_TO_DR just created
  • Source: select the 192.168.2.0 address object (192.168.2.0/24)
  • Destination: select LAN_Draytek (an address object for 192.168.4.0/24, created beforehand under Policy & Objects > Addresses)
  • Service: select ALL
  • Action: select ACCEPT
  • Log Allowed Traffic: enable and select All Session
  • Enable this policy: ON
  • Click OK to save

Configure the policy that allows traffic from the Draytek's LAN subnet to the FortiGate's LAN subnet with the following parameters:

  • Name: VPN_DRAYTEK_TO_FG
  • Incoming Interface: select the VPN tunnel VPN_FG_TO_DR just created
  • Outgoing Interface: Floor B (this is the LAN 2 interface)
  • Source: Select LAN_Draytek
  • Destination: Select 192.168.2.0 address
  • Service: Select ALL
  • Action: Select ACCEPT
  • Log Allowed Traffic: Enable and select All Session
  • Enable this policy: ON
  • Click OK to save
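The three FortiGate steps above (tunnel, static route, policies) as one equivalent CLI configuration. This is an added example, not taken from the original article or from Fortinet's own documentation. It assumes the FortiOS interface names wan1 (the WAN port with 203.205.x.x) and port2 (the LAN 2 interface the article calls Floor B), creates the two address objects the policies reference, and keeps the article's elided peer address and a pre-shared key placeholder, both of which you must replace with the real values.

```fortios
# Added example: FortiOS CLI equivalent of sections 5.2.1 - 5.2.3.
# Assumptions: wan1 = WAN port with 203.205.x.x, port2 = LAN 2 (Floor B).
# Replace 113.190.x.x and <pre-shared-key> with the real values.

# 5.2.1 Phase 1: IKEv1 main mode, no NAT-T, no DPD, parameters as in the article
config vpn ipsec phase1-interface
    edit "VPN_FG_TO_DR"
        set interface "wan1"
        set ike-version 1
        set mode main
        set peertype any
        set nattraversal disable
        set dpd disable
        set proposal 3des-md5
        set dhgrp 2
        set keylife 28800
        set remote-gw 113.190.x.x
        set psksecret <pre-shared-key>
    next
end

# 5.2.1 Phase 2: selectors must equal the Local/Remote Network entered on the
# Vigor2925 (192.168.4.0/24 <-> 192.168.2.0/24), otherwise Phase 2 never comes up
config vpn ipsec phase2-interface
    edit "VPN_FG_TO_DR"
        set phase1name "VPN_FG_TO_DR"
        set proposal 3des-md5
        set pfs disable
        set keylifeseconds 3600
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 192.168.4.0 255.255.255.0
    next
end

# Address objects referenced by the policies (assumed names, as used in 5.2.3)
config firewall address
    edit "192.168.2.0"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "LAN_Draytek"
        set subnet 192.168.4.0 255.255.255.0
    next
end

# 5.2.2 Static route: send the Draytek LAN into the tunnel interface
config router static
    edit 0
        set dst 192.168.4.0 255.255.255.0
        set device "VPN_FG_TO_DR"
    next
end

# 5.2.3 Policies in both directions, logging all sessions as in the article
config firewall policy
    edit 0
        set name "VPN_FG_TO_DRAYTEK"
        set srcintf "port2"
        set dstintf "VPN_FG_TO_DR"
        set srcaddr "192.168.2.0"
        set dstaddr "LAN_Draytek"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "VPN_DRAYTEK_TO_FG"
        set srcintf "VPN_FG_TO_DR"
        set dstintf "port2"
        set srcaddr "LAN_Draytek"
        set dstaddr "192.168.2.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

NAT Traversal is left disabled only because both WAN addresses are public and static, as the diagram states; if either side ever sits behind NAT it must be re-enabled on both devices. Service ALL in both directions is what the article configures; once the tunnel is verified, narrow the two policies to the services the sites actually exchange.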

5.3.Result

On the Fortinet device, you can check whether the VPN connection is successful or not by going to Monitor > IPSec Monitor.

You will see that the VPN connection has been established and there is Incoming Data and Outgoing Data traffic.
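The same check, plus the first troubleshooting step, from the FortiGate CLI. This is an added example and not part of the original article; it uses the article's own tunnel name and LAN addresses (192.168.2.1 on the FortiGate, 192.168.4.1 on the Draytek), the elided peer address as a placeholder, and the `diagnose vpn ike log-filter` form of the IKE filter, which is the FortiOS 6.x syntax matching the Monitor > IPSec Monitor page used here (FortiOS 7.x renames it to `diagnose vpn ike log filter rem-addr4`).

```fortios
# Added example: verify and, if needed, debug the tunnel from the FortiGate CLI.

# Summary of all tunnels: name, Phase 1/2 state, selectors
get vpn ipsec tunnel summary

# Phase 1 (IKE SA) details for the Vigor2925 peer
diagnose vpn ike gateway list name VPN_FG_TO_DR

# Phase 2 (IPsec SA) details: selectors, SPIs and the byte counters the GUI shows
diagnose vpn tunnel list name VPN_FG_TO_DR

# Generate traffic across the tunnel from the FortiGate's own LAN address
execute ping-options source 192.168.2.1
execute ping 192.168.4.1

# If the tunnel stays down: capture IKE negotiation for this peer only.
# A message reporting no matching proposal or selectors almost always means the
# Draytek Local/Remote Network masks (5.1.3) or the proposals (5.1.2) differ
# from what was entered on the FortiGate in 5.2.1.
diagnose vpn ike log-filter dst-addr4 113.190.x.x
diagnose debug application ike -1
diagnose debug enable
# ... let the Draytek dial out (or force it: diagnose vpn ike gateway clear name VPN_FG_TO_DR), then stop:
diagnose debug disable
diagnose debug reset
```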

Switch to Draytek device, you can check whether the VPN connection is successful or not by going to VPN and Remote Access > Connection Management.

You will see that the VPN connection has been established, it provides the status of the connection, the time connected, …
