Configuring IPsec or GRE tunnels on FortiOS

6.2.0

Configuring IPsec or GRE tunnels on FortiOS

In this case, you will configure either IPsec tunnels or GRE tunnels, and not both.

To configure an IPsec tunnel:
  1. Go to VPN > IPsec Wizard. The VPN Creation Wizard displays.
  2. Enter a Name for the tunnel and set Template type to Custom.

    VPN Creation Wizard

  3. Click Next. The New VPN Tunnel settings are displayed.
  4. Configure the Network settings as indicated in the table below. The Dynamic DNS field should be the Zscaler ZEN hostname that you will use.

    IP Version          IPv4
    Remote Gateway      Dynamic DNS
    Dynamic DNS         <Zscaler SF Host>
    Interface           Internet_A(port1)

    VPN tunnel network settings

  5. Configure the Authentication settings: set Method to Pre-shared Key and enter the pre-shared key (PSK). The PSK should be unique per site, and IKE Version should be set to 2.

    Pre-shared key authentication

  6. Configure the Phase 1 Proposal settings as indicated in the table below. The Local ID field should be set to the FQDN you configured in the previous steps.

    Encryption              AES256
    Authentication          SHA1
    Diffie-Hellman Group    2
    Key Lifetime (seconds)  86400
    Local ID                <Zscaler SF Host>

    VPN phase 1 proposal settings

  7. Configure the Phase 2 Selectors settings as indicated in the table below. Leave all other settings at their default values.

    Local Address (Subnet)                 0.0.0.0/0.0.0.0
    Remote Address (Subnet)                0.0.0.0/0.0.0.0
    Encryption                             NULL
    Authentication                         MD5
    Enable Perfect Forward Secrecy (PFS)   Unchecked
    Key Lifetime (seconds)                 28800

    VPN phase 2 selector settings

  8. Click OK.

Similarly, configure another IPsec tunnel, Zscaler-DC, over the Internet_B(port2) interface.

Verify your IPsec tunnels by navigating to VPN > IPsec tunnels from the tree menu on the left side of the FortiGate GUI.
IPsec VPN tunnel status
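Beyond the GUI check, the tunnel settings can be audited from a CLI configuration export. The following is an added example, not Fortinet's or Zscaler's code: it parses the FortiOS config/edit/set/next/end format and reports every Phase 1 or Phase 2 setting of a named tunnel that differs from the tables in steps 6 and 7, which is useful for catching drift across several FortiGates after the wizard has been run. The configuration text is constructed for the example, and the CLI key names (ike-version, proposal, dhgrp, keylife, pfs, keylifeseconds) are assumed FortiOS names.

```python
# Constructed FortiOS export for the Zscaler-SF tunnel (example input, not a real device).
# The CLI key names used here are assumed; check them against your FortiOS version.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "Zscaler-SF"
        set ike-version 2
        set keylife 86400
        set proposal aes256-sha1
        set dhgrp 2
    next
end
config vpn ipsec phase2-interface
    edit "Zscaler-SF"
        set phase1name "Zscaler-SF"
        set proposal null-md5
        set pfs disable
        set keylifeseconds 28800
    next
end
"""

# Values prescribed by the Phase 1 (step 6) and Phase 2 (step 7) tables above.
EXPECTED = {
    "vpn ipsec phase1-interface": {"ike-version": "2", "proposal": "aes256-sha1",
                                   "dhgrp": "2", "keylife": "86400"},
    "vpn ipsec phase2-interface": {"proposal": "null-md5", "pfs": "disable",
                                   "keylifeseconds": "28800"},
}

def parse_fortios(text):
    """Build {section: {entry: {key: value}}} from config/edit/set/next/end lines."""
    tree, section, entry = {}, None, None
    for tok in filter(None, map(str.split, text.splitlines())):
        if tok[0] == "config":                      # "config vpn ipsec phase1-interface"
            section = tree.setdefault(" ".join(tok[1:]), {})
        elif tok[0] == "edit":                      # 'edit "Zscaler-SF"'
            entry = section[" ".join(tok[1:]).strip('"')] = {}
        elif tok[0] == "set" and entry is not None: # "set proposal aes256-sha1"
            entry[tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            section = None
    return tree

def check_tunnel(tree, name):
    """Return (section, key, found, expected) for every setting of `name` that deviates."""
    found = {sec: tree.get(sec, {}).get(name, {}) for sec in EXPECTED}
    return [(sec, key, found[sec].get(key), exp) for sec, wanted in EXPECTED.items()
            for key, exp in wanted.items() if found[sec].get(key) != exp]
```

Run `check_tunnel(parse_fortios(export), "Zscaler-DC")` against the same export to confirm the second tunnel; a tunnel that is absent shows up as every expected key reported with a found value of None.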

Note

You may configure GRE tunnels, though Fortinet recommends configuring IPsec tunnels.

To configure a GRE tunnel from the CLI:
  1. Create a GRE tunnel and add it as an interface:
    config system gre-tunnel
      edit "Zscaler-SF"
        set interface "port1"
        set remote-gw <Zscaler SF Host>
        set local-gw <Internet_A>
      next
    end
  2. Configure the GRE tunnel interfaces:
    config system interface
      edit "Zscaler-SF"
        set ip <ip address in a /30 subnet provided by Zscaler> 255.255.255.255
        set allowaccess ping
        set type tunnel
        set interface "port1"
      next
    end

Similarly, configure another GRE tunnel, Zscaler-DC, over the Internet_B(port2) interface.
