How to set up a Site-to-Site VPN between two FortiGate firewalls

  • Post
    Weekend Wiki
    Administrator
    To set up a Site-to-Site VPN via the FortiGate GUI, follow these steps on both FortiGate devices (main office and remote office). This guide uses an IPsec VPN, the most common method for connecting remote offices securely over the internet.


    1. Configure the IPsec VPN on the Main Office FortiGate

    Step 1: Create the VPN Tunnel

    1. Log in to the FortiGate Web GUI at the main office.
    2. Go to VPN > IPsec Tunnels.
    3. Click Create New to create a new tunnel.
    4. Select Custom and click Next.
    5. Enter a Name for the tunnel (e.g., SiteToSite_VPN_Main).
    6. In the Remote Gateway section, select Static IP Address.
      • Remote Gateway IP: Enter the public IP address of the remote office’s FortiGate.
    7. Under Interface, select the interface that connects to the internet (e.g., wan1).
    8. Under Authentication Method, select Pre-shared Key.
      • Enter a Pre-shared Key (e.g., vpnpassword123), which must be the same on both FortiGate devices.

    Step 2: Configure Phase 1 (IKE) Settings

    1. IKE Version: Choose IKEv2 (recommended) or IKEv1.
    2. Encryption: Select an encryption algorithm (e.g., AES256).
    3. Authentication: Choose an authentication algorithm (e.g., SHA256).
    4. DH Group: Select a Diffie-Hellman group (e.g., Group 14).
    5. Key Lifetime: Leave it as default or set it to 28800 seconds (8 hours).

    Click Next.

    Step 3: Configure Phase 2 (IPsec) Settings

    1. Local Subnet: Set it to the local subnet (e.g., 192.168.1.0/24).
    2. Remote Subnet: Set it to the remote office subnet (e.g., 192.168.2.0/24).
    3. Encryption: Choose AES256 (or other preferred algorithms).
    4. Authentication: Choose SHA256.
    5. Key Lifetime: Leave it at the default (e.g., 3600 seconds).

    Click OK to create the tunnel.


    2. Configure the IPsec VPN on the Remote Office FortiGate

    Step 1: Create the VPN Tunnel on the Remote FortiGate

    1. Log in to the FortiGate Web GUI at the remote office.
    2. Go to VPN > IPsec Tunnels.
    3. Click Create New to create a new tunnel.
    4. Select Custom and click Next.
    5. Enter a Name for the tunnel (e.g., SiteToSite_VPN_Remote).
    6. In the Remote Gateway section, select Static IP Address.
      • Remote Gateway IP: Enter the public IP address of the main office’s FortiGate.
    7. Under Interface, select the interface that connects to the internet (e.g., wan1).
    8. Under Authentication Method, select Pre-shared Key.
      • Enter the same pre-shared key used in the main office.

    Click Next.

    Step 2: Configure Phase 1 (IKE) Settings on the Remote Office FortiGate

    1. IKE Version: Choose IKEv2 (recommended) or IKEv1.
    2. Encryption: Select AES256.
    3. Authentication: Select SHA256.
    4. DH Group: Select the same group as the main office (e.g., Group 14).
    5. Key Lifetime: Leave it at 28800 seconds.

    Click Next.

    Step 3: Configure Phase 2 (IPsec) Settings on the Remote Office FortiGate

    1. Local Subnet: Set it to the remote office subnet (e.g., 192.168.2.0/24).
    2. Remote Subnet: Set it to the main office subnet (e.g., 192.168.1.0/24).
    3. Encryption: Select AES256.
    4. Authentication: Select SHA256.
    5. Key Lifetime: Leave it at 3600 seconds.

    Click OK to create the tunnel.
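The same two tunnel definitions expressed in the FortiOS CLI, added here as a worked example; this is not part of the original post. The tunnel names, subnets, algorithms, DH group and lifetimes are the ones the post uses. The public IPs 203.0.113.1 (main office) and 198.51.100.1 (remote office), the interface name wan1, the Phase 2 names and the `auto-negotiate` setting are assumptions; the pre-shared key is left as a placeholder because a guessable value like the post's `vpnpassword123` is the weakest point of a PSK tunnel and should be a long, randomly generated secret that is identical on both ends.

```fortios
# ---- Main office FortiGate (constructed example) ----
config vpn ipsec phase1-interface
    edit "SiteToSite_VPN_Main"
        set interface "wan1"                 # internet-facing interface (assumed name)
        set ike-version 2                    # IKEv2, as the post recommends
        set peertype any                     # required with a pre-shared key and no peer ID
        set proposal aes256-sha256           # Phase 1 encryption / authentication
        set dhgrp 14                         # Diffie-Hellman group 14
        set keylife 28800                    # Phase 1 lifetime, 8 hours
        set remote-gw 198.51.100.1           # remote office public IP (placeholder)
        set psksecret REPLACE-WITH-LONG-RANDOM-PSK
    next
end
config vpn ipsec phase2-interface
    edit "SiteToSite_VPN_Main_p2"
        set phase1name "SiteToSite_VPN_Main"
        set proposal aes256-sha256           # Phase 2 encryption / authentication
        set dhgrp 14                         # PFS group; must match the remote side
        set keylifeseconds 3600              # Phase 2 lifetime from the post
        set auto-negotiate enable            # bring the SA up without waiting for traffic
        set src-subnet 192.168.1.0 255.255.255.0   # main office LAN
        set dst-subnet 192.168.2.0 255.255.255.0   # remote office LAN
    next
end

# ---- Remote office FortiGate (constructed example) ----
# Everything matches the main office except the peer address and the swapped subnets.
config vpn ipsec phase1-interface
    edit "SiteToSite_VPN_Remote"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 28800
        set remote-gw 203.0.113.1            # main office public IP (placeholder)
        set psksecret REPLACE-WITH-LONG-RANDOM-PSK   # same value as the main office
    next
end
config vpn ipsec phase2-interface
    edit "SiteToSite_VPN_Remote_p2"
        set phase1name "SiteToSite_VPN_Remote"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 3600
        set auto-negotiate enable
        set src-subnet 192.168.2.0 255.255.255.0   # remote office LAN (local here)
        set dst-subnet 192.168.1.0 255.255.255.0   # main office LAN
    next
end
```

The two sides have to agree on IKE version, proposal, DH group and lifetimes, and the Phase 2 selectors must be exact mirrors of each other (`src-subnet` on one side is `dst-subnet` on the other); a mismatch in any of these is the usual reason a tunnel negotiates Phase 1 but never brings Phase 2 up.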


    3. Create Firewall Policies to Allow VPN Traffic

    On the Main Office FortiGate:

    1. Go to Policy & Objects > IPv4 Policy.
    2. Click Create New to create a new policy.
    3. Configure the policy:
      • Name: Enter a name (e.g., VPN-to-Remote).
      • Incoming Interface: Select the local network interface (e.g., internal).
      • Outgoing Interface: Select the VPN tunnel.
      • Source Address: Choose the local subnet (e.g., 192.168.1.0/24).
      • Destination Address: Choose the remote office subnet (e.g., 192.168.2.0/24).
      • Action: Set to Accept.
      • NAT: Leave NAT disabled (as this is a VPN).
    4. Click OK to save the policy.

    On the Remote Office FortiGate:

    1. Go to Policy & Objects > IPv4 Policy.
    2. Click Create New to create a new policy.
    3. Configure the policy:
      • Name: Enter a name (e.g., VPN-to-Main).
      • Incoming Interface: Select the local network interface (e.g., internal).
      • Outgoing Interface: Select the VPN tunnel.
      • Source Address: Choose the remote subnet (e.g., 192.168.2.0/24).
      • Destination Address: Choose the main office subnet (e.g., 192.168.1.0/24).
      • Action: Set to Accept.
      • NAT: Leave NAT disabled.
    4. Click OK to save the policy.
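The firewall policies above in CLI form, added as an example that is not part of the original post. Two things are included that the post's GUI steps do not mention: a static route for the remote subnet pointing at the tunnel interface (a Custom tunnel does not create one, and without it packets for the remote LAN are never sent into the tunnel), and a second policy in the tunnel-to-LAN direction, which is what allows sessions initiated from the other office to reach local hosts. Tunnel and policy names, subnets and the `internal` interface come from the post; the address object names and `logtraffic all` are assumptions, and `service ALL` simply mirrors the post's lab setup and would normally be narrowed to the protocols the sites actually exchange.

```fortios
# ---- Main office FortiGate (constructed example) ----
# Route the remote LAN into the tunnel interface.
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "SiteToSite_VPN_Main"
    next
end
config firewall address
    edit "Main_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Remote_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    # LAN -> tunnel: the policy described in the post
    edit 0
        set name "VPN-to-Remote"
        set srcintf "internal"
        set dstintf "SiteToSite_VPN_Main"
        set srcaddr "Main_LAN"
        set dstaddr "Remote_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable                    # never NAT inside a site-to-site tunnel
        set logtraffic all                 # log sessions so the tunnel can be monitored
    next
    # tunnel -> LAN: needed for sessions that start at the remote office
    edit 0
        set name "VPN-from-Remote"
        set srcintf "SiteToSite_VPN_Main"
        set dstintf "internal"
        set srcaddr "Remote_LAN"
        set dstaddr "Main_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# ---- Remote office FortiGate (constructed example): same shape, subnets swapped ----
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "SiteToSite_VPN_Remote"
    next
end
config firewall address
    edit "Main_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Remote_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "VPN-to-Main"
        set srcintf "internal"
        set dstintf "SiteToSite_VPN_Remote"
        set srcaddr "Remote_LAN"
        set dstaddr "Main_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "VPN-from-Main"
        set srcintf "SiteToSite_VPN_Remote"
        set dstintf "internal"
        set srcaddr "Main_LAN"
        set dstaddr "Remote_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

Restricting `srcaddr` and `dstaddr` to the two LAN objects rather than `all` means a host at one site cannot use the tunnel to reach anything beyond the other site's LAN, and each side's policy pair is the only place the traffic allowed across the link is decided.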

    4. Verify the Site-to-Site VPN Connection

    Step 1: Check VPN Tunnel Status

    1. Go to VPN > IPsec Tunnels.
    2. Verify that the VPN tunnel is Up. If it’s not, check the logs for errors.

    Step 2: Test Connectivity

    1. From a machine in the main office, try to ping a device in the remote office network (e.g., ping 192.168.2.1).
    2. From a machine in the remote office, try to ping a device in the main office network (e.g., ping 192.168.1.1).

    5. Monitor the VPN Connection

    1. Go to Log & Report > Traffic Log to monitor traffic passing through the VPN tunnel.
    2. Use Monitor > IPsec Monitor to get real-time statistics on the tunnel.
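CLI checks that complement the GUI verification and monitoring steps above, added as an example and not part of the original post. The tunnel name is the one from the post; 192.168.1.1 is assumed to be the main office FortiGate's own internal interface address, and 198.51.100.1 is a placeholder for the remote office public IP. The IKE log-filter syntax shown is the older form; newer FortiOS releases renamed it, so check the CLI reference for the version in use.

```fortios
# Up/down state of every tunnel on the unit
get vpn ipsec tunnel summary

# Phase 1 (IKE SA): peer address, IKE version, algorithms, lifetime remaining
diagnose vpn ike gateway list name SiteToSite_VPN_Main

# Phase 2 (IPsec SA): selectors and packet counters; counters that stay at zero
# in one direction usually mean a missing route or policy on that side
diagnose vpn tunnel list name SiteToSite_VPN_Main

# Ping from the FortiGate itself, sourced from the LAN address so the packet
# matches the Phase 2 selectors (a ping sourced from wan1 would not enter the tunnel)
execute ping-options source 192.168.1.1
execute ping 192.168.2.1

# Confirm the remote LAN is routed via the tunnel interface
get router info routing-table all

# If the tunnel stays down: capture IKE negotiation for this peer only, then switch it off
diagnose debug reset
diagnose vpn ike log-filter dst-addr4 198.51.100.1
diagnose debug application ike -1
diagnose debug enable
# ... trigger the tunnel (send traffic or wait for auto-negotiate), read the output, then:
diagnose debug disable
diagnose debug reset
```

Reading the IKE debug for proposal or selector mismatches is faster than comparing the two GUIs field by field, and filtering on the peer address keeps the output to the one negotiation of interest.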

    Summary

    1. Create IPsec VPN Tunnel on both FortiGate devices (Main and Remote Office).
    2. Configure Phase 1 and Phase 2 settings to ensure secure connection parameters.
    3. Create firewall policies to allow traffic through the VPN tunnel.
    4. Verify that the VPN tunnel is up and test connectivity between the two sites.
    5. Monitor the tunnel to ensure continuous operation.

    Once completed, the Site-to-Site VPN between the two FortiGate devices will allow secure communication between the main and remote offices.

    To set up a Site-to-Site VPN between two FortiGate firewalls, allowing you to connect two offices over the internet, you need to configure IPsec VPN on both ends. Below is a step-by-step guide to set up a Site-to-Site VPN via the FortiGate Web GUI.

    Prerequisites:

    • FortiGate firewall installed at both sites (Main office and remote office).
    • Public IP addresses for both locations.
    • Internal network information (local IP subnets for both sites).

    1. Configure the IPsec VPN on the First FortiGate (Main Office)

    Step 1: Create a New IPsec VPN Tunnel

    1. Log in to the FortiGate Web GUI.
    2. In the left-hand menu, go to VPN > IPsec Tunnels.
    3. Click Create New to start creating a new tunnel.
    4. Select Custom and give it a Name (e.g., SiteToSiteVPN_Main).

    Step 2: Configure the VPN Settings

    In the VPN Tunnel Wizard, configure the following:

    • Remote Gateway: Set it to Static IP Address.
      • Remote Gateway IP Address: Enter the public IP address of the remote FortiGate (remote office).
    • Interface: Select the interface connected to the internet (e.g., wan1).
    • Local Gateway IP: Set this to your own FortiGate’s public IP address (this is auto-detected if using wan1).
    • Authentication Method: Set this to Pre-shared Key.
      • Pre-shared Key: Enter a secure key (the same key must be used on both ends of the VPN tunnel).
    • IKE Version: Select IKEv2 for a more secure connection or IKEv1 for compatibility with older devices.
      • Phase 1 Proposal: Select encryption settings (e.g., AES256 for encryption, SHA256 for authentication).
    • Local Address: Set it to the local network subnet (e.g., 192.168.1.0/24).
    • Remote Address: Set it to the remote office subnet (e.g., 192.168.2.0/24).

    Click Next.

    Step 3: Configure Phase 2 Settings

    1. Phase 2 Proposal: Choose encryption and authentication algorithms (e.g., AES256, SHA256).
    2. Local Subnet: Set this to your local network subnet (e.g., 192.168.1.0/24).
    3. Remote Subnet: Set this to the remote office subnet (e.g., 192.168.2.0/24).

    Click OK to create the tunnel.


    2. Configure the IPsec VPN on the Second FortiGate (Remote Office)

    Step 1: Create a New IPsec VPN Tunnel

    1. Log in to the second FortiGate Web GUI (remote office).
    2. Go to VPN > IPsec Tunnels.
    3. Click Create New to start creating a new tunnel.
    4. Select Custom and name the tunnel (e.g., SiteToSiteVPN_Remote).

    Step 2: Configure the VPN Settings

    Follow the same steps as on the first FortiGate, with these key changes:

    • Remote Gateway IP Address: Enter the public IP of the main office FortiGate (the first office).
    • Pre-shared Key: Use the same pre-shared key as on the main office FortiGate.
    • Local Subnet: Set it to the remote office subnet (e.g., 192.168.2.0/24).
    • Remote Subnet: Set it to the main office subnet (e.g., 192.168.1.0/24).

    Click Next and configure the Phase 2 settings as on the main office FortiGate, using the same encryption and authentication algorithms.

    Click OK to create the tunnel.


    3. Configure Firewall Policies for IPsec VPN Traffic

    On the Main Office FortiGate:

    1. Go to Policy & Objects > IPv4 Policy.
    2. Create a New Policy to allow traffic between the local network and the VPN tunnel:
      • Name: Name the policy (e.g., VPN-to-Remote).
      • Incoming Interface: Select the internal network interface (e.g., internal or lan).
      • Outgoing Interface: Select the IPsec VPN tunnel.
      • Source Address: Choose the local network (e.g., 192.168.1.0/24).
      • Destination Address: Choose the remote office network (e.g., 192.168.2.0/24).
      • Action: Set to Accept.
      • NAT: Disable NAT (since this is a VPN).
    3. Click OK to save the policy.

    On the Remote Office FortiGate:

    1. Go to Policy & Objects > IPv4 Policy.
    2. Create a New Policy to allow traffic between the local network and the VPN tunnel:
      • Name: Name the policy (e.g., VPN-to-Main).
      • Incoming Interface: Select the internal network interface (e.g., internal or lan).
      • Outgoing Interface: Select the IPsec VPN tunnel.
      • Source Address: Choose the remote network (e.g., 192.168.2.0/24).
      • Destination Address: Choose the main office network (e.g., 192.168.1.0/24).
      • Action: Set to Accept.
      • NAT: Disable NAT.
    3. Click OK to save the policy.

    4. Verify the Site-to-Site VPN Connection

    Step 1: Test Connectivity

    • From either office, try to ping a host in the other office. For example, from a computer in the main office, run ping 192.168.2.1 (a host in the remote office).
    • Similarly, test from the remote office.

    Step 2: Check VPN Tunnel Status

    1. On either FortiGate, navigate to VPN > IPsec Tunnels.
    2. Check the status of the tunnel. It should show as Up if the tunnel is successfully established.

    5. Monitoring and Troubleshooting

    • Log & Report: Go to Log & Report > VPN Events to view logs for VPN connections.
    • Monitor > IPsec Monitor: Check the status of the VPN tunnel, the traffic passing through it, and any potential errors.
    • Ping Test: If you encounter issues, use the ping test to check if the traffic is routing correctly.

    Summary of Steps:

    1. Configure IPsec Tunnel on both FortiGates (Main and Remote Office).
    2. Apply Firewall Policies to allow traffic to pass through the tunnel.
    3. Verify Connectivity by pinging between the two sites.
    4. Monitor Tunnel status and check logs for troubleshooting.

    Once everything is configured, your two offices will be securely connected via a Site-to-Site IPsec VPN.
