Fortinet black logo

Handbook

Gateway-to-gateway configuration

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:276731
Download PDF

Gateway-to-gateway configuration

The FortiGate units at both ends of the tunnel must be operating in NAT mode and have static public IP addresses.

When a FortiGate unit receives a connection request from a remote VPN peer, it uses IPsec Phase 1 parameters to establish a secure connection and authenticate that VPN peer. Then, if the security policy permits the connection, the FortiGate unit establishes the tunnel using IPsec Phase 2 parameters and applies the IPsec security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed by both FortiGate units:

  • Define the Phase 1 parameters that the FortiGate unit needs to authenticate the remote peer and establish a secure connection.
  • Define the Phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with the remote peer.
  • Create security policies to control the permitted services and permitted direction of traffic between the IP source and destination addresses.

Configuring Phase 1 and Phase 2 for both peers

This procedure applies to both peers. Repeat the procedure on each FortiGate unit, using the correct IP address for each. You may wish to vary the Phase 1 names but this is optional. Otherwise all steps are the same for each peer.

The Phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate FortiGate_2 and establish a secure connection. For the purposes of this example, a preshared key will be used to authenticate FortiGate_2. The same preshared key must be specified at both FortiGate units.

Before you define the Phase 1 parameters, you need to:

  • Reserve a name for the remote gateway.
  • Obtain the IP address of the public interface to the remote peer.
  • Reserve a unique value for the preshared key.

The key must contain at least 6 printable characters and best practices dictate that it only be known by network administrators. For optimum protection against currently known attacks, the key must have a minimum of 16 randomly chosen alphanumeric characters.

At the local FortiGate unit, define the Phase 1 configuration needed to establish a secure connection with the remote peer. See Phase 1 configuration.

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Enter the following information, and select OK.
  4. Name

    Enter peer_1.

    A name to identify the VPN tunnel. This name appears in Phase 2 configurations, security policies and the VPN monitor.

    Remote Gateway

    Select Static IP Address.

    IP Address

    Enter 172.20.0.2 when configuring FortiGate_1.

    Enter 172.18.0.2 when configuring FortiGate_2.

    The IP address of the remote peer public interface.

    Local Interface

    Select wan1.

The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the Phase 2 parameters, you need to reserve a name for the tunnel. See Phase 2 configuration.

  1. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
  2. Enter a Name of peer_1_p2.
  3. Select peer_1 from the Phase 1 drop-down menu.

Creating security policies

Security policies control all IP traffic passing between a source address and a destination address.

An IPsec security policy is needed to allow the transmission of encrypted packets, specify the permitted direction of VPN traffic, and select the VPN tunnel that will be subject to the policy. A single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel.

Before you define security policies, you must first specify the IP source and destination addresses. In a gateway-to-gateway configuration:

  • The IP source address corresponds to the private network behind the local FortiGate unit.
  • The IP destination address refers to the private network behind the remote VPN peer.

When you are creating security policies, choose one of either route-based or policy-based methods and follow it for both VPN peers. DO NOT configure both route-based and policy-based policies on the same FortiGate unit for the same VPN tunnel.

The configuration of FortiGate_2 is similar to that of FortiGate_1. You must:

  • Define the Phase 1 parameters that FortiGate_2 needs to authenticate FortiGate_1 and establish a secure connection.
  • Define the Phase 2 parameters that FortiGate_2 needs to create a VPN tunnel with FortiGate_1.
  • Create the security policy and define the scope of permitted services between the IP source and destination addresses.

When creating security policies it is good practice to include a comment describing what the policy does.

Creating firewall addresses

Define names for the addresses or address ranges of the private networks that the VPN links. These addresses are used in the security policies that permit communication between the networks.

To define the IP address of the network behind FortiGate_1
  1. Go to Policy & Objects > Addresses and select Create New.
  2. Enter the Name of Finance_network.
  3. Select a Type of Subnet.
  4. Enter the Subnet of 10.21.101.0/24.
  5. Select OK.
To specify the address of the network behind FortiGate_2
  1. Go to Policy & Objects > Addresses and select Create New.
  2. Enter the Name of HR_network.
  3. Select a Type of Subnet.
  4. Enter the Subnet/IP Range of 10.31.101.0/24.
  5. Select OK.

Creating route-based VPN security policies

Define an ACCEPT security policy to permit communications between the source and destination addresses.

To create route-based VPN security policies
  1. Go to Policy & Objects > IPv4 Policy and select Create New
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter the following, and select OK.
  4. Incoming Interface

    Select internal.

    The interface that connects to the private network behind this FortiGate unit.

    Source Address

    Select Finance_network when configuring FortiGate_1.

    Select HR_network when configuring FortiGate_2.

    The address name for the private network behind this FortiGate unit.

    Outgoing Interface

    Select peer_1.

    The VPN Tunnel (IPsec Interface) you configured earlier.

    Destination Address

    Select HR_network when configuring FortiGate_1.

    Select Finance_network when configuring FortiGate_2.

    The address name that you defined for the private network behind the remote peer.

    Action

    Select ACCEPT.

    Enable NAT

    Disable.

    Comments

    Allow Internal to remote VPN network traffic.

  5. Optionally, configure any additional features you may want, such as UTM or traffic shaping.
  6. Select Create New to create another policy for the other direction.
  7. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  8. Enter the following information, and select OK.
  9. Incoming Interface

    Select peer_1.

    The VPN Tunnel (IPsec Interface) you configured.

    Source Address

    Select HR_network when configuring FortiGate_1.

    Select Finance_Network when configuring FortiGate_2.

    The address name defined for the private network behind the remote peer.

    Outgoing Interface

    Select internal.

    The interface that connects to the private network behind this FortiGate unit.

    Destination Address

    Select Finance_Network when configuring FortiGate_1.

    Select HR_network when configuring FortiGate_2.

    The address name defined for the private network behind this FortiGate unit.

    Action

    Select ACCEPT.

    Enable NAT

    Disable.

    Comments

    Allow remote VPN network traffic to Internal.

  10. Configure any additional features such as UTM or traffic shaping you may want. (optional).

All network traffic must have a static route to direct its traffic to the proper destination. Without a route, traffic will not flow even if the security policies are configured properly. You may need to create a static route entry for both directions of VPN traffic if your security policies allow bi-directional tunnel initiation.

To configure the route for a route-based VPN:

  1. On FortiGate_2, go to Network > Static Routes and select Create New.
  2. Enter the following information, and then select OK:
  3. Destination IP / Mask

    10.21.101.0/24

    Device

    FGT2_to_FGT1_Tunnel

    Gateway

    Leave as default: 0.0.0.0.

    Distance (Advanced)

    Leave this at its default.

    If there are other routes on this FortiGate unit, you may need to set the distance on this route so the VPN traffic will use it as the default route. However, this normally happens by default because this route is typically a better match than the generic default route.

Creating policy-based VPN security policy

Define an IPsec security policy to permit communications between the source and destination addresses.

  1. Go to Policy & Objects > IPv4 Policy.
  2. Complete the following:
  3. Incoming Interface

    Select internal.

    The interface that connects to the private network behind this FortiGate unit.

    Source Address

    Select Finance_network when configuring FortiGate_1.

    Select HR_network when configuring FortiGate_2.

    The address name defined for the private network behind this FortiGate unit.

    Outgoing Interface

    Select wan1.

    The FortiGate unit’s public interface.

    Destination Address

    Select HR_network when configuring FortiGate_1.

    Select Finance_network when configuring FortiGate_2.

    VPN Tunnel

    Select Use Existing and select peer_1 from the VPN Tunnel drop-down list.

    Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

    Comments

    Bidirectional policy-based VPN policy.

Place VPN policies in the policy list above any other policies having similar source and destination addresses.

Remote Internet browsing for Site-to-Site VPN from the IPsec VPN Wizard

The IPsec VPN Wizard Policy & Routing section includes Internet Access options to support selecting Share WAN and Force to use remote WAN:

  • The Share WAN option allows the remote subnet to browse the Internet via this FortiGate.
    When Share WAN is selected, a dropdown appears for the user to select the desired Shared WAN.
  • The Force to use remote WAN option will send all Internet browsing traffic to the remote VPN gateway. The remote gateway must be configured with the Share WAN option enabled.
    When Force to use remote WAN is selected, a Local Gateway field appears (since a static route needs to be created to reach the remote gateway, because all other addresses will be routed via the VPN tunnel).

Gateway-to-gateway configuration

The FortiGate units at both ends of the tunnel must be operating in NAT mode and have static public IP addresses.

When a FortiGate unit receives a connection request from a remote VPN peer, it uses IPsec Phase 1 parameters to establish a secure connection and authenticate that VPN peer. Then, if the security policy permits the connection, the FortiGate unit establishes the tunnel using IPsec Phase 2 parameters and applies the IPsec security policy. Key management, authentication, and security services are negotiated dynamically through the IKE protocol.

To support these functions, the following general configuration steps must be performed by both FortiGate units:

  • Define the Phase 1 parameters that the FortiGate unit needs to authenticate the remote peer and establish a secure connection.
  • Define the Phase 2 parameters that the FortiGate unit needs to create a VPN tunnel with the remote peer.
  • Create security policies to control the permitted services and permitted direction of traffic between the IP source and destination addresses.

Configuring Phase 1 and Phase 2 for both peers

This procedure applies to both peers. Repeat the procedure on each FortiGate unit, using the correct IP address for each. You may wish to vary the Phase 1 names but this is optional. Otherwise all steps are the same for each peer.

The Phase 1 configuration defines the parameters that FortiGate_1 will use to authenticate FortiGate_2 and establish a secure connection. For the purposes of this example, a preshared key will be used to authenticate FortiGate_2. The same preshared key must be specified at both FortiGate units.

Before you define the Phase 1 parameters, you need to:

  • Reserve a name for the remote gateway.
  • Obtain the IP address of the public interface to the remote peer.
  • Reserve a unique value for the preshared key.

The key must contain at least 6 printable characters and best practices dictate that it only be known by network administrators. For optimum protection against currently known attacks, the key must have a minimum of 16 randomly chosen alphanumeric characters.

At the local FortiGate unit, define the Phase 1 configuration needed to establish a secure connection with the remote peer. See Phase 1 configuration.

  1. Go to VPN > IPsec Tunnels and create the new custom tunnel or edit an existing tunnel.
  2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
  3. Enter the following information, and select OK.
  4. Name

    Enter peer_1.

    A name to identify the VPN tunnel. This name appears in Phase 2 configurations, security policies and the VPN monitor.

    Remote Gateway

    Select Static IP Address.

    IP Address

    Enter 172.20.0.2 when configuring FortiGate_1.

    Enter 172.18.0.2 when configuring FortiGate_2.

    The IP address of the remote peer public interface.

    Local Interface

    Select wan1.

The basic Phase 2 settings associate IPsec Phase 2 parameters with the Phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the Phase 2 parameters, you need to reserve a name for the tunnel. See Phase 2 configuration.

  1. Open the Phase 2 Selectors panel (if it is not available, you may need to click the Convert to Custom Tunnel button).
  2. Enter a Name of peer_1_p2.
  3. Select peer_1 from the Phase 1 drop-down menu.

Creating security policies

Security policies control all IP traffic passing between a source address and a destination address.

An IPsec security policy is needed to allow the transmission of encrypted packets, specify the permitted direction of VPN traffic, and select the VPN tunnel that will be subject to the policy. A single policy is needed to control both inbound and outbound IP traffic through a VPN tunnel.

Before you define security policies, you must first specify the IP source and destination addresses. In a gateway-to-gateway configuration:

  • The IP source address corresponds to the private network behind the local FortiGate unit.
  • The IP destination address refers to the private network behind the remote VPN peer.

When you are creating security policies, choose one of either route-based or policy-based methods and follow it for both VPN peers. DO NOT configure both route-based and policy-based policies on the same FortiGate unit for the same VPN tunnel.

The configuration of FortiGate_2 is similar to that of FortiGate_1. You must:

  • Define the Phase 1 parameters that FortiGate_2 needs to authenticate FortiGate_1 and establish a secure connection.
  • Define the Phase 2 parameters that FortiGate_2 needs to create a VPN tunnel with FortiGate_1.
  • Create the security policy and define the scope of permitted services between the IP source and destination addresses.

When creating security policies it is good practice to include a comment describing what the policy does.

Creating firewall addresses

Define names for the addresses or address ranges of the private networks that the VPN links. These addresses are used in the security policies that permit communication between the networks.

To define the IP address of the network behind FortiGate_1
  1. Go to Policy & Objects > Addresses and select Create New.
  2. Enter the Name of Finance_network.
  3. Select a Type of Subnet.
  4. Enter the Subnet of 10.21.101.0/24.
  5. Select OK.
To specify the address of the network behind FortiGate_2
  1. Go to Policy & Objects > Addresses and select Create New.
  2. Enter the Name of HR_network.
  3. Select a Type of Subnet.
  4. Enter the Subnet/IP Range of 10.31.101.0/24.
  5. Select OK.

Creating route-based VPN security policies

Define an ACCEPT security policy to permit communications between the source and destination addresses.

To create route-based VPN security policies
  1. Go to Policy & Objects > IPv4 Policy and select Create New
  2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  3. Enter the following, and select OK.
  4. Incoming Interface

    Select internal.

    The interface that connects to the private network behind this FortiGate unit.

    Source Address

    Select Finance_network when configuring FortiGate_1.

    Select HR_network when configuring FortiGate_2.

    The address name for the private network behind this FortiGate unit.

    Outgoing Interface

    Select peer_1.

    The VPN Tunnel (IPsec Interface) you configured earlier.

    Destination Address

    Select HR_network when configuring FortiGate_1.

    Select Finance_network when configuring FortiGate_2.

    The address name that you defined for the private network behind the remote peer.

    Action

    Select ACCEPT.

    Enable NAT

    Disable.

    Comments

    Allow Internal to remote VPN network traffic.

  5. Optionally, configure any additional features you may want, such as UTM or traffic shaping.
  6. Select Create New to create another policy for the other direction.
  7. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
  8. Enter the following information, and select OK.
  9. Incoming Interface

    Select peer_1.

    The VPN Tunnel (IPsec Interface) you configured.

    Source Address

    Select HR_network when configuring FortiGate_1.

    Select Finance_Network when configuring FortiGate_2.

    The address name defined for the private network behind the remote peer.

    Outgoing Interface

    Select internal.

    The interface that connects to the private network behind this FortiGate unit.

    Destination Address

    Select Finance_Network when configuring FortiGate_1.

    Select HR_network when configuring FortiGate_2.

    The address name defined for the private network behind this FortiGate unit.

    Action

    Select ACCEPT.

    Enable NAT

    Disable.

    Comments

    Allow remote VPN network traffic to Internal.

  10. Configure any additional features such as UTM or traffic shaping you may want. (optional).

All network traffic must have a static route to direct its traffic to the proper destination. Without a route, traffic will not flow even if the security policies are configured properly. You may need to create a static route entry for both directions of VPN traffic if your security policies allow bi-directional tunnel initiation.

To configure the route for a route-based VPN:

  1. On FortiGate_2, go to Network > Static Routes and select Create New.
  2. Enter the following information, and then select OK:
  3. Destination IP / Mask

    10.21.101.0/24

    Device

    FGT2_to_FGT1_Tunnel

    Gateway

    Leave as default: 0.0.0.0.

    Distance (Advanced)

    Leave this at its default.

    If there are other routes on this FortiGate unit, you may need to set the distance on this route so the VPN traffic will use it as the default route. However, this normally happens by default because this route is typically a better match than the generic default route.

Creating policy-based VPN security policy

Define an IPsec security policy to permit communications between the source and destination addresses.

  1. Go to Policy & Objects > IPv4 Policy.
  2. Complete the following:
  3. Incoming Interface

    Select internal.

    The interface that connects to the private network behind this FortiGate unit.

    Source Address

    Select Finance_network when configuring FortiGate_1.

    Select HR_network when configuring FortiGate_2.

    The address name defined for the private network behind this FortiGate unit.

    Outgoing Interface

    Select wan1.

    The FortiGate unit’s public interface.

    Destination Address

    Select HR_network when configuring FortiGate_1.

    Select Finance_network when configuring FortiGate_2.

    VPN Tunnel

    Select Use Existing and select peer_1 from the VPN Tunnel drop-down list.

    Select Allow traffic to be initiated from the remote site to enable traffic from the remote network to initiate the tunnel.

    Comments

    Bidirectional policy-based VPN policy.

Place VPN policies in the policy list above any other policies having similar source and destination addresses.

Remote Internet browsing for Site-to-Site VPN from the IPsec VPN Wizard

The IPsec VPN Wizard Policy & Routing section includes Internet Access options to support selecting Share WAN and Force to use remote WAN:

  • The Share WAN option allows the remote subnet to browse the Internet via this FortiGate.
    When Share WAN is selected, a dropdown appears for the user to select the desired Shared WAN.
  • The Force to use remote WAN option will send all Internet browsing traffic to the remote VPN gateway. The remote gateway must be configured with the Share WAN option enabled.
    When Force to use remote WAN is selected, a Local Gateway field appears (since a static route needs to be created to reach the remote gateway, because all other addresses will be routed via the VPN tunnel).