3 Simple Steps to Configure IPSec VPN on Fortigate

Captions
In this first video of our IPsec VPN series we're going to build a very basic site-to-site VPN connection between FortiGate 1 and FortiGate 2. So I'm on FortiGate 1: we go to VPN, IPsec Tunnels, I'm going to choose Custom and give it a name, tunnel0. Here for the remote gateway there are a couple of options, but I'm just going to select Static IP Address and specify the static IP address. The remote peer is 10.160.120.1, so I'm going to specify that, 10.160.120.1, and our outgoing interface is wan1. All right, I'm not going to select anything else here, I'm just going to leave pretty much everything as default, and then I'll just put in the password here; the pre-shared key would be fortinet. For this connection we want to use IKE version 2. IKE version 1 is not recommended, especially if you're setting up a new VPN connection; Fortinet recommends for new deployments to run with IKE version 2. And here with the proposal I'm going to select only one proposal, so I'm going to delete all of these and have only one proposal, AES256-GCM with PRFSHA256, and for our Diffie-Hellman groups I'm going to select only one, which is 30. Now onto our phase 2. Phase 2, I'm going to leave everything as defaults and just change the proposal configuration. Once again here I'm selecting only one, that will be AES256-GCM, and again I'll select the same Diffie-Hellman group. And with that we're done with our IPsec tunnel.

Now that we have our IPsec tunnel config complete, it's created a tunnel interface. Now what do we want to do with this interface? We said that the idea is for us to connect this network, 10.10.10.10, with network 20.20.20.20, so now we need to define a route that says to reach 20.20.20.20 we want to go over this new tunnel interface. So now we create a static route, and for that we go to Network, Static Routes, Create New, and our destination network is 20.20.20.20/32. Here we don't have an IP address on this tunnel interface, but what we do have is an exit interface: we know that we want to go over the tunnel interface that we just created. And now our route is in place.

The third and the final thing that we need for our tunnel to come up is to now allow the traffic. If we go back, we want the 10.10.10.10 network to reach 20.20.20.20, so we need a policy for this. But I'm going to start with the address objects first, and go to Addresses, Create New Address. I'm going to call it local10 and the IP address is 10.10.10.10/32, and I'm creating the address object for remote20, and that will be 20.20.20.20/32. So now I have the local and the remote, now I can create our firewall policy for outbound. I'll just call it tunnel-out, and our incoming interface would be our loopback0. It's loopback0 because this IP address resides on our loopback interface: `diagnose ip address list`, 10.10.10.10 is on our loopback interface, the loopback0 interface. And the outgoing interface is tunnel0, and the source is our local10 and the destination is remote20. For the service I'm only going to select ALL_ICMP, and we don't want to NAT anything, and accept. Now we have the traffic in the outbound direction; we're just going to clone this in reverse and call it tunnel-in, and I'm going to set the status to enable. So now we have our two firewall policies allowing traffic outbound and traffic inbound, and now we're done with firewall 1.

Let's move on to firewall 2. Now on firewall 2, I guess we might as well start with creating our objects first, and this one will be local20, because the 20.20 network is local to this firewall, /32, and then I'll create another one that says remote10, /32. All right, so now let's create our VPN tunnel: IPsec Tunnels, Create New. I'm going to call this tunnel0 as well and select Custom, because we want to build everything custom. Again we're going to select the type of gateway, Static IP, and the gateway, the remote peer, is 10.1 160101, and we reach this peer via the WAN interface, which is port1. We leave everything as defaults, and for the pre-shared key it must match the other side, it must match on both FortiGate 1 and FortiGate 2, so that is fortinet. And again the protocol is IKE version 2. I'm going to delete all these other proposals and only select AES256-GCM, which automatically selects PRFSHA256. I'm going to select Diffie-Hellman group 30, and on the phase 2 I am going to delete everything again and only have one proposal, AES256-GCM, and select group 13, and OK. Now this is the first step: our tunnel interface is configured, our tunnel interface is in place.

Now the second thing is, we have the tunnel interface, now we need to use this tunnel interface to route the traffic over it. Now we create our static route; for that we go to Network, Static Routes, and our destination network that we want to reach is 10.10.10.10/32, and we're going to reach this via the tunnel interface. And with that the only remaining thing is the firewall policy. Now I'm on the firewall policy, let's create our first policy statement that says tunnel-out. Again I'll just bring up the IP config, `diagnose ip address list`: our network here, 20.20.20.20, is on a loopback interface, loopback0, so the incoming interface would be our loopback and the outgoing interface would be our brand new tunnel interface. Our source would be our local address, local20, and the destination is the remote, remote10, and the service just ICMP. We don't want to NAT this traffic, and that's it. So the next thing is to duplicate this in reverse; this one is tunnel-out and I'll call this new one tunnel-in because it's allowing traffic inbound, and set status to enable. And now if we go to our dashboard and look at our network, we'll see that our tunnel interface is up, and yes it is.

And now it's time to do our tests, our verifications. So for our test I'll log on to our console here that I have open, and I'll open our GNS3 just so that it's available, it's handy; I'll put this over there. And on FortiGate 2 I'm going to do `diagnose sniffer packet any`, and then I'll begin our test: `execute ping-options source 10.10.10.10` and `execute ping 20.20.20.20`. Basically what we're saying is we want to use 10.10.10.10 as the source address and ping 20.20.20.20, because we know that this is the traffic that will go over the VPN. And now for the test, and it's successful: we can see that we're getting a reply, and the remote end is seeing it on the output, on the debug output. Now this config here was simple and straightforward, but it's not always going to be simple and straightforward. In our next video we're going to introduce NAT: on Art one we're going to be NATting the traffic that comes from FortiGate 1, and we're going to do a lot of debugging and following the packets and analyzing and understanding why NAT breaks IPsec. I hope to see you there, thank you for watching and thank you for supporting the channel.
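The three steps the video walks through on FortiGate 1, written out as FortiOS CLI. This is an added example, not the video's own configuration: the interface names (wan1, loopback0), object and policy names, the peer address 10.160.120.1 and the pre-shared key follow the transcript as heard, and the `#` lines are annotations rather than CLI syntax.

```fortios
# Step 1: phase 1 and phase 2 of the IPsec tunnel (creates interface "tunnel0")
config vpn ipsec phase1-interface
    edit "tunnel0"
        set interface "wan1"
        set ike-version 2                  # IKEv2; IKEv1 not recommended for new deployments
        set proposal aes256gcm-prfsha256   # single proposal: AES-256-GCM with PRF SHA-256
        set dhgrp 30                       # single DH group
        set remote-gw 10.160.120.1         # FortiGate 2, as heard in the video
        set psksecret fortinet             # must match FortiGate 2 exactly
    next
end
config vpn ipsec phase2-interface
    edit "tunnel0"
        set phase1name "tunnel0"
        set proposal aes256gcm
        set dhgrp 30
    next
end
# Step 2: static route for the remote /32 via the tunnel interface (exit interface only, no gateway IP)
config router static
    edit 1
        set dst 20.20.20.20 255.255.255.255
        set device "tunnel0"
    next
end
# Step 3: address objects and the outbound policy; tunnel-in is the same policy with
# interfaces and addresses swapped. NAT stays disabled (the default).
config firewall address
    edit "local10"
        set subnet 10.10.10.10 255.255.255.255
    next
    edit "remote20"
        set subnet 20.20.20.20 255.255.255.255
    next
end
config firewall policy
    edit 1
        set name "tunnel-out"
        set srcintf "loopback0"
        set dstintf "tunnel0"
        set srcaddr "local10"
        set dstaddr "remote20"
        set action accept
        set schedule "always"
        set service "ALL_ICMP"
    next
end
```

To verify, `diagnose vpn ike gateway list` shows whether the IKE SA with 10.160.120.1 came up, and `execute ping-options source 10.10.10.10` followed by `execute ping 20.20.20.20` sends the same loopback-to-loopback test traffic the video uses.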
Info
Channel: Static Route
Views: 648
Keywords: ipsec vpn asa fortigate, fortigate firewall ipsec vpn configuration, fortigate dialup ipsec vpn, fortigate vpn ipsec, ipsec vpn fortigate firewall, fortigate ipsec vpn, ipsec vpn asa and fortigate, fortigate vpn ipsec configuration, fortigate ipsec vpn setup, fortigate remote access ipsec vpn sina, ssl vpn vs ipsec vpn fortigate, dial up ipsec vpn fortigate, pass ipsec vpn traffic through fortigate firewall, ipsec ike phase 1 and phase 2, networking, fortinet, vpn, ipsec
Id: Sp4KSILHOWI
Length: 11min 2sec (662 seconds)
Published: Tue Apr 30 2024