How to configure IPSec VPN between two Fortinet firewall devices with WAN IP as static IP

1. The purpose of the article

In this article, techbast will show you how to configure a site-to-site IPsec VPN between two Fortinet firewall devices.

2. Diagram

Details:

Fortinet FG 1:

  • The internet connection is on port wan2 with the static IP 203.205.x.x.
  • The LAN is on port 5 with IP 192.168.2.1/24 and DHCP enabled.

Fortinet FG 2:

  • The internet connection is on port wan2 with the static IP 14.161.x.x.
  • The LAN is on port 5 with IP 10.10.10.1/24 and DHCP enabled.

3. Scenario

Using the parameters from the network diagram above, techbast will configure a site-to-site IPsec VPN between the Fortinet FG 1 and Fortinet FG 2 firewalls so that the two LANs behind the two devices can communicate with each other.

4. What to do

Fortinet FG 1:

  • Create IPSec tunnels

Fortinet FG 2:

  • Create IPSec tunnels

Result.

5. Configuration

5.1. Fortinet FG 1

5.1.1. Create IPSec tunnels

To create the IPsec tunnel, log in to the admin page of Fortinet FG 1 and go to VPN > IPsec Tunnels.

Click Create New > IPsec Tunnel and create according to the following parameters.

Tab VPN Setup:

  • Name: VPN_FG1_TO_FG2.
  • Template type: Site to Site.
  • NAT configuration: No NAT between sites.
  • Remote device type: FortiGate.
  • Click Next.

Tab Authentication:

  • Remote device: IP Address.
  • Remote IP address: enter Fortinet FG 2’s WAN IP, 14.161.x.x.
  • Outgoing Interface: select wan2 port.
  • Authentication method: Pre-shared Key.
  • Pre-shared Key: enter VPN connection password.
  • Click Next.

Tab Policy & Routing:

Local interface: Floor B (192.168.2.0), i.e. port 5.

Local subnets: 192.168.2.0/24 (filled in automatically from the Local Interface selected above).

Remote subnets: enter the LAN subnet of Fortinet FG 2, 10.10.10.0/24.

Click Create.

A review table of the configuration we have entered will appear; to change anything, click the pencil icon.

After creation, the IPsec VPN tunnel appears as shown below.

When the VPN connection is created, the FortiGate also automatically creates the related static routes, firewall policy and address objects.

Go to Network > Interfaces and you will see that the IPsec tunnel interface has been created.

The group addresses of the two LAN subnets of the two devices are also created at Policy & Objects > Address.

Static routes are also created at Network > Static Routes.

The policy pair that allows traffic in both directions between the two LANs is also created at Policy & Objects > IPv4 Policy.
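The same FG 1 tunnel expressed in FortiOS CLI, as an added example that is not part of the article: the tunnel name, wan2, port 5 and the two subnets come from the steps above, while the policy names, the use of "all" in place of the wizard's address objects and the PSK placeholder are assumptions, and 14.161.x.x must be replaced by the real FG 2 WAN address. FG 2 is the mirror: remote-gw 203.205.x.x and the two subnets swapped.

```text
# Added example (not from the article): FortiOS CLI equivalent of the FG 1 wizard settings
config vpn ipsec phase1-interface
    edit "VPN_FG1_TO_FG2"
        set interface "wan2"
        set remote-gw 14.161.x.x
        set psksecret "REPLACE_WITH_SHARED_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "VPN_FG1_TO_FG2"
        set phase1name "VPN_FG1_TO_FG2"
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 10.10.10.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "VPN_FG1_TO_FG2"
    next
# blackhole at distance 254: while the tunnel is down, LAN traffic for 10.10.10.0/24 is dropped instead of leaving unencrypted via wan2
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
config firewall policy
    edit 0
        set name "vpn_VPN_FG1_TO_FG2_local"
        set srcintf "port5"
        set dstintf "VPN_FG1_TO_FG2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vpn_VPN_FG1_TO_FG2_remote"
        set srcintf "VPN_FG1_TO_FG2"
        set dstintf "port5"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The address objects the wizard creates for the two subnets (see Policy & Objects > Address) can be substituted for "all" in srcaddr/dstaddr to keep the policies limited to the two LANs.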

5.2. Fortinet FG 2

5.2.1. Create IPSec tunnels

We will also create the IPsec tunnel on Fortinet FG 2, similar to what we did on Fortinet FG 1.

To create the IPsec tunnel, log in to the admin page of Fortinet FG 2 and go to VPN > IPsec Tunnels.

Click Create New > IPsec Tunnel and create according to the following parameters.

Tab VPN Setup:

  • Name: VPN_FG2_TO_FG1.
  • Template type: Site to Site.
  • NAT configuration: No NAT between sites.
  • Remote device type: FortiGate.
  • Click Next.

Tab Authentication:

  • Remote device: IP Address.
  • Remote IP address: enter Fortinet FG 1’s WAN IP, 203.205.x.x.
  • Outgoing Interface: select wan2 port.
  • Authentication method: Pre-shared Key.
  • Pre-shared Key: enter the VPN connection password (it must be the same password set on Fortinet FG 1).
  • Click Next.

Tab Policy & Routing:

Local interface: dmz, i.e. port 5.

Local subnets: 10.10.10.0/24 (filled in automatically from the Local Interface selected above).

Remote subnets: enter the LAN subnet of Fortinet FG 1, 192.168.2.0/24.

Click Create.

A review table of the configuration we have entered will appear; to change anything, click the pencil icon.

After creation, the IPsec VPN tunnel appears as shown below.

When the VPN connection is created, the FortiGate also automatically creates the related static routes, firewall policy and address objects.

Go to Network > Interfaces and you will see that the IPsec tunnel interface has been created.

The group addresses of the two LAN subnets of the two devices are also created at Policy & Objects > Address.

Static routes are also created at Network > Static Routes.

The policy pair that allows traffic in both directions between the two LANs is also created at Policy & Objects > IPv4 Policy.

5.3. Result

To establish the IPsec VPN connection, go to Monitor > IPsec Monitor on Fortinet FG 1.

We select the newly created VPN connection and click Bring Up > Phase 2 Selector: VPN_FG1_TO_FG2.

After clicking Bring Up, we see that the IPsec VPN connection has been established with a green status.

On the Fortinet FG 2 device there is a similar green status.

Thus, techbast has successfully performed IPSec site-to-site VPN configuration between two Fortinet firewall devices.
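The CLI equivalent of the Bring Up step above, plus the checks a practitioner would run after the GUI shows green; this is added here and is not part of the article. It assumes the tunnel name from section 5.1 and uses the two LAN interface addresses from the diagram (192.168.2.1 on FG 1, 10.10.10.1 on FG 2).

```text
# Added example (not from the article): run on Fortinet FG 1
# bring up phase 2 (same as Bring Up > Phase 2 Selector in the GUI)
diagnose vpn tunnel up VPN_FG1_TO_FG2 VPN_FG1_TO_FG2
# IKE SA: the gateway entry for 14.161.x.x should show as established
diagnose vpn ike gateway list
# IPsec SAs: the tunnel should list a live SA for 192.168.2.0/24 <-> 10.10.10.0/24
diagnose vpn tunnel list
get vpn ipsec tunnel summary
# the tunnel route must be the active one; the blackhole (distance 254) only takes over when the tunnel is down
get router info routing-table all
# end-to-end check sourced from the FG 1 LAN address, so the traffic matches the VPN policy
execute ping-options source 192.168.2.1
execute ping 10.10.10.1
```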
