FortiGate MikroTik IPsec site to site VPN configuration - Step by step.

Captions
Hi guys, welcome to another IPsec series video. In this one we are going to take a look at the configuration of an IPsec site-to-site VPN tunnel between a FortiGate firewall and a MikroTik router. I already have the step-by-step instructions in my blog article, and here's the article that covers the step-by-step instructions, so if you'd like to go through them I would recommend checking out my article, which I will link in the description.

Here is the topology that we are going to work on. We have a FortiGate firewall at the headquarters, and that has a subnet of 10.1.1.0/24. Similarly, we have a MikroTik device at branch one, and that has a subnet of 10.2.2.0/24. All the devices on the FortiGate LAN side can talk to the internal network, and in the same way the MikroTik LAN side is also able to talk to the internal network. Both LAN sides can also talk to the internet. However, the problem is that the headquarters LAN side and the MikroTik branch one LAN side cannot communicate with each other, which we are going to fix in this lab by setting up an IPsec VPN.

So let's check the connectivity between the sites before we proceed. I have a Linux host on the FortiGate side and a Windows server at branch one. Let me start with the Windows server. Open the command prompt. First let's check the IP address of the server, so type ipconfig and hit Enter. As you can see, I have an IP address of 10.2.2.98 with the gateway 10.2.2.1, which is the MikroTik LAN interface IP. If I try to ping my gateway, ping 10.2.2.1, you can see I'm getting a response, which means the internal connectivity looks good. And if I try to ping www.google.com, you can see I'm getting a response for that as well, which indicates the internet connectivity looks good. However, if I try to ping the remote branch IP, for example ping 10.1.1.1, we won't get any response; instead you get a request timeout, which clearly indicates that there is no connectivity between the branch sites.

If I go back to the Ubuntu host that I have in headquarters, I mean on the FortiGate side, you will see similar behaviour. When I check the IP address by typing ip addr, you can see I have the IP address 10.1.1.50, which I got from the FortiGate DHCP service. Let me initiate a ping to my gateway, which is 10.1.1.1: ping -c 2 10.1.1.1, where -c means how many times you want to send the ping request, which is two. You can see that I'm getting a response from my gateway. Use the up arrow again, and this time change the destination from 10.1.1.1 to www.google.com, and you can see that I'm getting a response for that as well. Just like we did on the other side, we'll try ping 10.2.2.1, and you can see it is stuck; we are not getting any response for that.

Let's start the configuration of IPsec from the FortiGate firewall side, and once done we will then move on to the MikroTik side. I already have my FortiGate firewall management GUI open. In the FortiGate firewall, go to VPN on the left side, then click on IPsec Tunnels, click on Create New and choose IPsec Tunnel from the drop-down menu. This is the IPsec configuration wizard and we are going to configure everything step by step. We'll start with the phase 1 setup and then move on to phase 2.

In the IPsec configuration screen, start the phase 1 configuration with the name. Since it is a MikroTik branch, I will name it mik-br1, and in the comment section let me add "connected to MikroTik branch one". In the Network section, for Remote Gateway we'll leave Static IP Address, and in the IP address field enter the MikroTik WAN IP, which is 9.9.9.12, so you need to enter your own public IP here. For Interface, choose the WAN interface from which you are going to initiate the IPsec connectivity. If you have multiple WAN interfaces it is important that you choose the right interface here; in my case it's only a single interface, which is port1, connected as the WAN interface. You may also choose a local gateway, which is not mandatory here if you have a single IP address, but I like to enable the local gateway and choose the primary IP. If your WAN interface has a secondary IP then you can choose the secondary IP here, or if you have a third IP on the WAN side then you might as well choose Specify and then specify the IP address, which is not needed in my case.

In NAT Traversal I'm checking the Disable option, as I have connected the FortiGate firewall directly to the public internet. In case you are using the FortiGate firewall behind a NAT device, then you can choose the other option. If you choose NAT, then the IPsec tunnel will initiate the tunnel negotiation on port 4500, else it will negotiate on the default port 500. Leave Dead Peer Detection and the DPD option at the default.

Now on to the phase 1 Authentication, where I am selecting the default Pre-shared Key option, which is the common way to set up IPsec phase 1 connectivity, and in the pre-shared key section enter the secure pre-shared key. In a production network it is important that you enter a pre-shared key which is long and strong, with multiple characters. That's it. I also copied the pre-shared key, which I can use later on the MikroTik side. In the IKE version, choose 2.

Scroll down. Now let's configure the phase 1 proposal. In FortiGate, by default, you will see a set of possible strong encryption and authentication algorithms chosen, but it is best to choose only one set. Let me remove the other sets of parameters which I don't need at the moment. So I am choosing the encryption as AES256 and the authentication as SHA256; feel free to choose whatever you like. In the Diffie-Hellman groups, groups 14 and 5 are already selected; let me unselect 14, and I'm choosing group 5, which is good. Leave the default key lifetime at 86400.

I'm now scrolling down to add the phase 2 parameters. In the phase 2 selectors, expand the Advanced icon. These are the phase 2 configuration options. It starts with the name; let me name it mik-br1-sub1 (sub1 means subnet), local address 10.1.1.0/24 and remote address 10.2.2.0/24. What I've seen as the most common mistake people make here is that they interchange the subnets, for example instead of choosing 10.1.1.0/24 as the local address they choose 10.2.2.0/24; as a result phase 2 will not come up, because it doesn't match on both sides. I always recommend documenting the local and remote address so that you are not confused while setting up the VPN.

Under Advanced, here also you will see multiple phase 2 proposals chosen. Let me remove all the parameters except one. Like in phase 1, I'm going to choose the encryption as AES256 and the authentication as SHA256; again, you may feel free to choose whatever you like. Leave Enable Replay Detection and Enable Perfect Forward Secrecy at the default, and in the Diffie-Hellman group unselect group 14 and select group 5. Check the Auto-negotiate option; that will also check Autokey Keep Alive. This will ensure phase 2 is always up even if there is no traffic. Leave the key lifetime at the default. Ensure everything looks good and click on the tick button at the top to confirm the phase 2 selectors. You can now see our local and remote subnets are added. If you would like to add multiple subnets, you may click on the Add button to add them. You may now click OK.

As you can see, our tunnel on the FortiGate side is now completed, and it is showing red with a down arrow, which means it is down. We completed the IPsec configuration, and even if you configure the remote side the tunnel will not come up, so the minimum requirement for the tunnel to come up is that you have to set up the IPsec tunnel and you also need to have a policy for the same. We need to allow the traffic coming in and going out of the tunnel. We are now going to configure the IPsec policy on the FortiGate side.

To configure the policies, go to Policy & Objects on the left and then click on Firewall Policy. As you can see, I have only a single policy at the moment, which allows LAN users to access the internet. Click on Create New to create a new policy. Add a name, "allow traffic to MikroTik BR1". Incoming interface is the LAN; that's where all the end users are connected. Outgoing interface, choose the IPsec tunnel that we just created. In the Source, click on the plus icon to add the source subnet; in that, choose LAN. You can see I already have an address group for the LAN subnet, which is 10.1.1.0/24; let me add that into the policy. In the Destination, I have to add the MikroTik LAN side, which is 10.2.2.0/24. Unfortunately I have not added that in the firewall address group; let me add that now. In the Destination, click on the plus icon, click on Create, and for the new address enter the name of the address, which is MikroTik-br1, in the IP/Netmask put 10.2.2.0/24, and click OK. The newly added MikroTik LAN subnet shows in a different colour; click on that to add it into the destination. Choose the Service as ALL. In a production setup you'll have specific services such as SSH, HTTPS or different port numbers allowed here, but since it is a lab I'm just allowing all. Action should be Accept, and uncheck the NAT option. Let me log allowed traffic, ensure Enable this policy is selected, and then click OK.

We need to create a second policy for this tunnel from the MikroTik branch side to the FortiGate LAN side. Click on Create New and add the policy name, something like "allow traffic from MikroTik BR1". Incoming interface, choose the IPsec tunnel that we just created; outgoing interface, choose the LAN. Source IP, choose the MikroTik LAN subnet that we added; destination, choose the LAN subnet of the FortiGate firewall. Service ALL, action Accept, uncheck the NAT option, log allowed traffic, make sure Enable this policy is selected, and then click OK.

We have created the policies. This is only needed for the IPsec tunnel to come up, but the traffic will not work because we don't have any routing. We need to tell the FortiGate LAN users to take the MikroTik tunnel if they want to talk to 10.2.2.0/24. For that we need to add a route. You could use dynamic routing if you are planning to use dynamic routing, but in my lab I'm going to use a static route. On the FortiGate, expand Network on the left side and then click on Static Routes. As you can see, I have a single default route towards the internet; that's the reason the FortiGate LAN users are able to talk to the internet. Let me add a new route here. In the static route window choose Create New; in the new static route, for Destination choose 10.2.2.0/24, and in the Interface choose the VPN tunnel that we defined. That's it. In case you have multiple tunnels, you can click on the Advanced option and play around with priorities; that way you can even have an active-active or active-standby configuration, which is not needed here, so click OK.

That's it; we have completed the IPsec site-to-site VPN tunnel configuration on the FortiGate firewall side. It's now time for us to configure the MikroTik router at branch one. Let me now switch over to the MikroTik router to configure the IPsec tunnel. In MikroTik you can go to IP > IPsec. In the IPsec window you can proceed to configure phase 1 of the tunnel, which consists of Profile, Peer and Identities, and phase 2, which consists of Proposal and Policies. Once all done, we will then allow the traffic using the MikroTik firewall NAT policy.

In the IPsec window, click on Profiles and click on the plus icon to add a new profile. Under Name add a name, something like FG-FW-profile; Hash Algorithm, choose sha256; Encryption Algorithm, choose aes-256, which we already selected on the FortiGate side; DH Group, modp1536, which is DH group 5; uncheck the NAT Traversal option like we did on the FortiGate, and then click OK.

Next we will configure the peer. Click on the Peers tab, click on the plus icon to add a new peer, and add a name, FG-FW-peer1. In the Address enter the FortiGate firewall WAN address, 4.4.4.51; in the Profile choose the profile that we just defined; Exchange Mode should be IKE2. If you don't choose the exchange mode, by default it will choose IKEv1. We are not selecting Passive mode; instead we choose Send Initial Contact, that way both sides can initiate the IPsec connection. And click OK.

Next let's configure the identities. Click on the Identities tab; this is where you define the pre-shared key that you copied from the FortiGate firewall. Click on the plus icon to add a new identity, choose the peer that we just defined, in the Authentication Method you'll see multiple options, choose pre-shared key here and paste the secret key that you copied from the FortiGate firewall, and click OK. Remember we haven't configured phase 2 yet, we just configured phase 1. If you have configured everything correctly till this point, you will see phase 1 of the tunnel getting established. To see the phase 1 status, click on the Active Peers tab. You can see the tunnel state is in starting, and after a few seconds it has now moved to the established state. Remember we have not configured phase 2 yet, but still the FortiGate firewall has both phase 1 and phase 2 configured and it initiates the traffic.

Let's now configure the proposal. Click on the Proposals tab and click on the plus icon to add a new proposal. Enter the name FG-FW-proposal, select the Auth. Algorithm as sha256, Encr. Algorithm as aes-256, PFS Group modp1536, and click OK. In MikroTik you add the phase 2 subnets in policies. Click on the Policies tab and click on the plus icon to add a new policy. In the General tab choose the peer that we defined and check the Tunnel option. In the Src. Address add 10.2.2.0/24, Dst. Address 10.1.1.0/24. In the Action tab, choose encrypt and choose the proposal that we defined, and click OK. You can see the phase 2 state show a message sent, and after a few seconds it is now in the established state.

Though the IPsec tunnel on the FortiGate and the MikroTik side is in the established state, the traffic will not pass because we have not defined the policies on the MikroTik side to allow the traffic. To configure the policy, click on IP > Firewall, click on the NAT tab and click on the plus icon to add a new NAT rule. In the General tab, for Chain choose srcnat, which is the default option. In the Src. Address add the MikroTik LAN subnet 10.2.2.0/24, in the Dst. Address the FortiGate-side LAN subnet 10.1.1.0/24. In the Action tab choose accept under the Action drop-down, check the Log option if you'd like to see the traffic logs, and click OK. Once the rule is defined you will see it sitting at the bottom; move the rule to the top like so. So the rule is created and it is at the top, and you can see no traffic so far has hit this rule.

Let's go ahead and check the phase 1 and phase 2 SAs on both the MikroTik router and the FortiGate firewall. As we mentioned earlier, in the MikroTik router, in the same IPsec window, you can click on the Active Peers tab and see the phase 1 tunnel status; you can see that it's already in the established state. To see the phase 2 tunnel status you can click on Policies, which is in the established state as well. You can see the status of the IPsec tunnel in FortiGate by going into VPN and then IPsec Tunnels; however, the best place to manage IPsec tunnels is from the dashboard widget. Go to the Dashboard at the top left corner and click on Status. At the moment only the WAN link bandwidth utilization is shown. I'm going to add a new widget for IPsec. Click on Add Widget, search for IPsec, click on the plus icon to add the IPsec widget, and click on Add Widget. Expand the IPsec widget and you can now see the IPsec phase 1 and phase 2 status here. If you hover on the phase 2 SAs you can see the phase 2 subnets here as well. One benefit of this dashboard is that you can even bounce the IPsec tunnel interface.

Let's now check the communication from both sides, starting from the branch one Windows server. Let me initiate the ping again. As you can see, we were not able to ping before; now we are getting a successful response, which is good. Let's move on to the FortiGate side; as you can see, the Ubuntu host is also now getting a response to the ping traffic.

We have now successfully built an IPsec site-to-site VPN tunnel between FortiGate and the MikroTik router, and we were also able to test the traffic by pinging each remote end. If you find this video useful, please like the video and subscribe to my channel, and if you have any suggestions, questions or comments please let me know in the comment section below. Thanks for watching and I'll see you guys in the next one.
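The same tunnel expressed on the CLI of both devices, as an added example that is not the video's own configuration and not a vendor sample. It mirrors the GUI steps in the captions (IKEv2, AES256/SHA256 on both phases, DH group 5 = modp1536, NAT traversal off, mirrored selectors, FortiGate policies in both directions plus a static route, and the MikroTik srcnat accept rule that must sit above the masquerade rule so VPN traffic is not NATed). Assumptions: the FortiGate LAN interface is named "lan" and the existing LAN address object is named "LAN-subnet" (the captions only say an address group for 10.1.1.0/24 already exists), the FortiGate WAN address 4.4.4.51 is as read from the captions, and PSK placeholders must be replaced. One caveat the captions do not raise: DH group 5 (1536-bit MODP) is listed as SHOULD NOT in RFC 8247 and is generally considered too weak for production; the commented lines show group 14 / modp2048 instead, and both ends must change together or phase 1 and PFS will not negotiate.

```text
# ---------- FortiGate (FortiOS CLI), HQ side ----------
config vpn ipsec phase1-interface
    edit "mik-br1"
        set comments "connected to MikroTik branch one"
        set interface "port1"
        set local-gw 4.4.4.51
        set remote-gw 9.9.9.12
        set ike-version 2
        set nattraversal disable
        set proposal aes256-sha256
        set dhgrp 5
        # production: set dhgrp 14  (and modp2048 on the MikroTik side)
        set psksecret "REPLACE_WITH_LONG_RANDOM_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "mik-br1-sub1"
        set phase1name "mik-br1"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 5
        # production: set dhgrp 14
        set replay enable
        set auto-negotiate enable
        set keepalive enable
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 10.2.2.0 255.255.255.0
    next
end
config firewall address
    edit "MikroTik-br1"
        set subnet 10.2.2.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "allow traffic to MikroTik BR1"
        set srcintf "lan"
        set dstintf "mik-br1"
        set srcaddr "LAN-subnet"
        set dstaddr "MikroTik-br1"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "allow traffic from MikroTik BR1"
        set srcintf "mik-br1"
        set dstintf "lan"
        set srcaddr "MikroTik-br1"
        set dstaddr "LAN-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
config router static
    edit 0
        set dst 10.2.2.0 255.255.255.0
        set device "mik-br1"
    next
end
# verify: diagnose vpn ike gateway list ; diagnose vpn tunnel list

# ---------- MikroTik (RouterOS v7 CLI), branch one ----------
/ip ipsec profile add name=FG-FW-profile hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp1536 nat-traversal=no
#   production: dh-group=modp2048
/ip ipsec peer add name=FG-FW-peer1 address=4.4.4.51/32 profile=FG-FW-profile \
    exchange-mode=ike2 passive=no send-initial-contact=yes
/ip ipsec identity add peer=FG-FW-peer1 auth-method=pre-shared-key \
    secret="REPLACE_WITH_LONG_RANDOM_PSK"
/ip ipsec proposal add name=FG-FW-proposal auth-algorithms=sha256 \
    enc-algorithms=aes-256-cbc pfs-group=modp1536
#   production: pfs-group=modp2048
/ip ipsec policy add peer=FG-FW-peer1 tunnel=yes src-address=10.2.2.0/24 \
    dst-address=10.1.1.0/24 action=encrypt proposal=FG-FW-proposal
# NAT bypass: accept (do not masquerade) LAN-to-LAN traffic; placed before rule 0
/ip firewall nat add chain=srcnat action=accept src-address=10.2.2.0/24 \
    dst-address=10.1.1.0/24 log=yes place-before=0 comment="IPsec to HQ, no NAT"
# verify: /ip ipsec active-peers print ; /ip ipsec installed-sa print
```

The two selector pairs are deliberate mirror images (FortiGate src 10.1.1.0/24 to dst 10.2.2.0/24, MikroTik src 10.2.2.0/24 to dst 10.1.1.0/24); swapping either pair is the phase 2 mismatch the captions warn about, and the symptom is phase 1 established with no child SA.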
Info
Channel: Getlabsdone
Views: 2,113
Id: RNpdrHpp2j4
Length: 17min 32sec (1052 seconds)
Published: Sun Apr 14 2024