Thursday, June 2, 2022

FortiGate Site-to-Site IPSec VPN

Here's a link on configuring a Site-to-Site IPSec VPN in a FortiGate firewall. Below is the virtual lab I used to establish a Site-to-Site IPSec VPN between a FortiGate and a Cisco CSRv router.

To create a Site-to-Site IPSec VPN in FortiGate, go to VPN > IPSec Wizard.


Under VPN Setup tab > type a Name: FTG_CISCO_VPN > select Template type: Site to Site > NAT configuration: No NAT between sites > Remote device type: Cisco > click Next.


Under Authentication tab > type the Remote IP address (CSRv WAN IP): 192.168.1.140 > select Outgoing Interface (WAN): port1 > select Authentication method: Pre-shared Key (default) > type Pre-shared key: fortinet (the same PSK must be configured on the remote CSRv; a short dictionary word like this is only acceptable in a lab, use a long random secret elsewhere) > click Next.

Under Policy & Routing tab > select Local interface: port2 (LAN) > the Local subnets will auto detect/fill: 172.16.1.0/24 > type Remote Subnets (LAN behind CSRv): 10.1.1.0/24 (you could also create an Address Object) > leave the default Internet Access: None > click Next.

Under Review Settings > review the Object Summary settings > click Create.

Click Show Tunnel List.

It will redirect you to IPSec Tunnels > click the created FTG_CISCO_VPN template > click Edit (or just double-click).

Click Convert to Custom Tunnel.

Under Phase 1 Proposal > click Edit.

Notice that the only available Encryption is DES, because this is an Eval VM: the FortiGate-VM evaluation license is limited to low-strength encryption. The Authentication (integrity) algorithms available on the Eval VM are MD5, SHA1, SHA256, SHA384 and SHA512. With a full license you would pick AES128 or AES256 with SHA256 or stronger; DES is acceptable here only because nothing in this lab is sensitive.

Remove the second Phase 1 Proposal (DES and SHA1) > deselect Diffie-Hellman Groups 14 and 5 > select DH Group 2 > click the check icon (beside refresh) to save. Whatever you choose here must match the crypto isakmp policy on the CSRv exactly (encryption, hash, DH group and pre-shared authentication), otherwise Phase 1 never completes. DH Group 2 (1024-bit MODP) is selected only to match this lab router; outside a lab use Group 14 or higher.

Click on the Phase 2 Selectors area/box in order to edit.

Click Advanced (+ icon).

Remove the second Phase 2 Proposal (DES and SHA1) > deselect PFS (generate Phase 2 DH keys). PFS is turned off here only to keep the lab simple; it must be set the same way on both peers, and in production it should stay enabled so that a compromised Phase 1 key cannot be used to recover the Phase 2 session keys.

Leave the default settings for Key Lifetime > click OK.

The FortiGate IPSec Wizard automatically created two Firewall Policies, one for Inbound and one for Outbound traffic.

Using the IPSec Wizard is far more convenient than building the tunnel, policies and routes manually.


This is the Firewall Policy for Inbound traffic (from remote Cisco CSRv to FortiGate).

Under Log Allowed Traffic > select All Sessions > click OK.

This is the Firewall Policy for the Outbound traffic (FortiGate to CSRv).

Under Log Allowed Traffic > select All Sessions > click OK.

The IPSec Wizard also created the static routes needed: a route to the remote subnet 10.1.1.0/24 via the FTG_CISCO_VPN tunnel interface, plus a blackhole route for the same subnet with a higher administrative distance, so that if the tunnel is down the traffic is dropped instead of following the default route out of port1 in the clear.

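The tunnel, policies and routes built by the wizard above, written out as FortiOS CLI, followed by the matching Cisco CSRv configuration that the post refers to but does not show. This is an added example, not configuration taken from the post or from Fortinet or Cisco documentation. The FortiGate port1 address 192.168.1.100, the CSRv interface GigabitEthernet1, the address-object and policy names, and the remaining Phase 1/Phase 2 proposal (des-sha256) are assumptions, since the post does not state them. DES, DH Group 2 and disabled PFS mirror the post's Eval-VM lab; the comments mark where a production setting would differ. Comment lines (`#` on the FortiGate, `!` on the CSRv) are explanatory and are ignored when pasted.

```text
# ===================== FortiGate (FortiOS CLI) =====================
# Added example; names marked (assumed) are not stated in the post.
config vpn ipsec phase1-interface
    edit "FTG_CISCO_VPN"
        set interface "port1"
        set ike-version 1
        # assumed remaining proposal; Eval VM allows DES only
        set proposal des-sha256
        # lab only: use 14 or higher in production
        set dhgrp 2
        set remote-gw 192.168.1.140
        # lab PSK; use a long random secret in production
        set psksecret fortinet
    next
end
config vpn ipsec phase2-interface
    edit "FTG_CISCO_VPN"
        set phase1name "FTG_CISCO_VPN"
        set proposal des-sha256
        # matches the post; enable with dhgrp 14+ in production
        set pfs disable
        set src-subnet 172.16.1.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
config firewall address
    edit "FTG_CISCO_VPN_local"
        set subnet 172.16.1.0 255.255.255.0
    next
    edit "FTG_CISCO_VPN_remote"
        set subnet 10.1.1.0 255.255.255.0
    next
end
config firewall policy
    # Outbound: port2 (LAN) -> tunnel, Log Allowed Traffic: All Sessions
    edit 0
        set name "vpn_FTG_CISCO_VPN_outbound"
        set srcintf "port2"
        set dstintf "FTG_CISCO_VPN"
        set srcaddr "FTG_CISCO_VPN_local"
        set dstaddr "FTG_CISCO_VPN_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Inbound: tunnel -> port2 (LAN)
    edit 0
        set name "vpn_FTG_CISCO_VPN_inbound"
        set srcintf "FTG_CISCO_VPN"
        set dstintf "port2"
        set srcaddr "FTG_CISCO_VPN_remote"
        set dstaddr "FTG_CISCO_VPN_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
config router static
    # remote LAN via the tunnel interface
    edit 0
        set dst 10.1.1.0 255.255.255.0
        set device "FTG_CISCO_VPN"
    next
    # blackhole: drop, do not leak, while the tunnel is down
    edit 0
        set dst 10.1.1.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

! ===================== Cisco CSRv (IOS-XE) =====================
! Phase 1 must match the FortiGate proposal: DES / SHA256 / group 2 / PSK
crypto isakmp policy 10
 encryption des
 hash sha256
 authentication pre-share
 group 2
 lifetime 86400
! 192.168.1.100 = FortiGate port1 address (assumed)
crypto isakmp key fortinet address 192.168.1.100
!
crypto ipsec transform-set FTG_TS esp-des esp-sha256-hmac
 mode tunnel
!
! Mirror image of the FortiGate Phase 2 selectors
ip access-list extended FTG_VPN_ACL
 permit ip 10.1.1.0 0.0.0.255 172.16.1.0 0.0.0.255
!
crypto map FTG_CMAP 10 ipsec-isakmp
 set peer 192.168.1.100
 set transform-set FTG_TS
 match address FTG_VPN_ACL
!
! CSRv WAN interface (assumed name)
interface GigabitEthernet1
 ip address 192.168.1.140 255.255.255.0
 crypto map FTG_CMAP
!
ip route 172.16.1.0 255.255.255.0 192.168.1.100
```

The crypto ACL on the CSRv is the exact mirror of the FortiGate Phase 2 selectors; if either side's source/destination subnets do not line up, Phase 1 comes up but Phase 2 fails with a proposal or selector mismatch. The blackhole route is the one piece the GUI hides that matters most for security: without it, a tunnel outage silently turns private traffic into clear-text traffic on port1.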
I generated the "interesting" traffic (traffic matching the Phase 2 selectors, i.e. from 172.16.1.0/24 to 10.1.1.0/24) to establish an IPSec Security Association (SA) between the FortiGate and the Cisco CSRv.

To view VPN traffic logs, go to Log & Report > Forward Traffic.

Select a specific log > click Details.

You can also view specific VPN events by going to Log & Report > Events > VPN Events.
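The CLI checks I would run on both ends to confirm that Phase 1 and Phase 2 are up and that the traffic is actually being encapsulated, complementing the GUI log views above. This is an added example, not part of the original post; the host addresses 172.16.1.1 (FortiGate port2) and 10.1.1.1 (CSRv LAN), and 192.168.1.100 for the FortiGate port1 address, are assumptions. The IKE log filter syntax shown is the FortiOS 7.0+ form; on 6.x it is `diagnose vpn ike log-filter dst-addr4`.

```text
# ----- FortiGate: confirm Phase 1 and Phase 2 are established -----
get vpn ipsec tunnel summary
diagnose vpn ike gateway list name FTG_CISCO_VPN
diagnose vpn tunnel list name FTG_CISCO_VPN

# Bring the tunnel up from the FortiGate side with selector-matching traffic
execute ping-options source 172.16.1.1
execute ping 10.1.1.1

# Live IKE negotiation trace, scoped to the CSRv peer; run while the
# interesting traffic is generated, then turn the debug off again
diagnose vpn ike log filter rem-addr4 192.168.1.140
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable
diagnose debug reset

# Prove the traffic leaves port1 as ESP and not in the clear
diagnose sniffer packet port1 'host 192.168.1.140 and esp' 4

# Same data as Log & Report > Forward Traffic, from the CLI (category 0 = traffic)
execute log filter category 0
execute log display

! ----- Cisco CSRv: generate interesting traffic and inspect the SAs -----
ping 172.16.1.1 source 10.1.1.1 repeat 5
show crypto isakmp sa
show crypto ipsec sa peer 192.168.1.100
show crypto session detail
```

In `diagnose vpn tunnel list`, the `#pkts` and `#bytes` counters on the encaps/decaps lines should increase as the ping runs; a tunnel that shows `up` in Phase 1 but never moves the decaps counter usually means the CSRv's crypto ACL does not match the FortiGate selectors. On the CSRv, `show crypto isakmp sa` should report `QM_IDLE` for the FortiGate peer once Phase 1 has completed.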