FortiGate Site-to-Site IPsec VPN with NAT Device

Captions
You are welcome. In this tutorial we are going to configure an IPsec VPN tunnel between two FortiGates; one of the firewalls is behind a NAT device. You can clearly see from the network topology that FortiGate A is behind a router at site A. That router serves as the gateway to the internet, thus all traffic, either from the LAN or from FortiGate A to the internet, is source NATed to the router's outside interface IP, which is 192.168.1.20.

Let's begin with the configuration. Test connectivity to FortiGate B's 1 IP. We will start with the IPsec VPN tunnel configuration on FortiGate A. Enter the name of the VPN. The remote gateway IP address will be the outside interface IP of FortiGate B. Make sure NAT traversal is enabled; I will explain why this is needed during testing. Enter the pre-shared key. In Phase 1, choose the required encryption and authentication algorithms. We do not recommend the use of DES, SHA-1 or a Diffie-Hellman group of 5 or less in a production environment. Enter the local and remote addresses for the Phase 2 selectors. I will reduce the key lifetime from 12 hours to 1 hour. We are done with the IPsec VPN tunnel configuration.

Next is the static route. The next-hop interface will be the tunnel interface. Include a blackhole route to the destination too. The purpose of the blackhole route is to ensure that when the IPsec tunnel is down, traffic to the remote end is silently dropped instead of using a default route on the FortiGate. The administrative distance of the blackhole route should be higher than that of the actual route.

Configure firewall policies to allow traffic between the two sites over the IPsec tunnel. For bi-directional flow we will configure two firewall rules, one for inbound traffic and the other for outbound traffic. Disable NAT in the firewall policies.

Next we will configure FortiGate B, but differently. Configure the remote gateway as dialup user. Make sure add-route is enabled; with this we do not need to configure a static route for the remote network. For peer options, select any peer ID. We have finished with the configuration.

Let's bring up the tunnel and do some tests. Only FortiGate A, which was configured as a dial-up user, can initiate the IPsec VPN tunnel between the two firewalls; FortiGate B will only respond. This is because FortiGate A knows the VPN gateway IP address of FortiGate B, but not vice versa. After bringing up the tunnel at site A, it now appears on FortiGate B's dashboard too. Testing connectivity from site A to site B via the VPN tunnel. Checking some VPN details: do you see port 4500? That is UDP port 4500. This is because we enabled NAT traversal and the two firewalls have detected a NAT device in between them. NAT traversal makes sure that IPsec VPN connections stay open when traffic goes through NAT gateway devices. The ESP packet is encapsulated in a UDP packet with source and destination ports as 4500.

We can see that FortiGate A is the initiator of the IPsec tunnel. On FortiGate B we can see that it has labeled the remote gateway as dynamic, and the IP address is that of the internet gateway device. FortiGate B learned of this address after FortiGate A initiated IKE communication. A route to the network behind FortiGate A has automatically been added to the routing information base even though we did not configure a static route. Everything is fine; we are good to go.

Thanks for watching our tutorial. If you have any questions or need further assistance, please feel free to leave a comment below. Don't forget to subscribe to our channel for more helpful tutorials. See you next time.
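The following is an added FortiOS CLI example, written for this page and not taken from the video or from Fortinet documentation, that reproduces the GUI steps described above on both firewalls: Phase 1 with NAT traversal, Phase 2 with a one-hour key lifetime, the tunnel route plus a higher-distance blackhole route on FortiGate A, NAT-disabled policies in both directions, and a dialup (dynamic) gateway with add-route on FortiGate B. All interface names, tunnel names, the site LAN subnets (10.1.1.0/24 and 10.2.2.0/24), FortiGate B's public address (198.51.100.2) and the placeholder pre-shared key are assumptions; only the site A router's outside address 192.168.1.20 comes from the tutorial.

```fortios
# Added example, not the video's own configuration. Assumed values: tunnel "to-siteB",
# FortiGate A WAN interface "wan1" sitting behind the site A router (outside IP 192.168.1.20
# per the video), FortiGate B public IP 198.51.100.2, site A LAN 10.1.1.0/24 and
# site B LAN 10.2.2.0/24, each on an interface named "internal".

# ---------- FortiGate A (behind the NAT router, initiator) ----------
config vpn ipsec phase1-interface
    edit "to-siteB"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set remote-gw 198.51.100.2
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set psksecret "REPLACE_WITH_STRONG_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to-siteB-p2"
        set phase1name "to-siteB"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-subnet 10.2.2.0 255.255.255.0
    next
end
config router static
    edit 10
        set dst 10.2.2.0 255.255.255.0
        set device "to-siteB"
    next
    edit 11
        set dst 10.2.2.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
config firewall address
    edit "siteA-lan"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "siteB-lan"
        set subnet 10.2.2.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "siteA-to-siteB"
        set srcintf "internal"
        set dstintf "to-siteB"
        set srcaddr "siteA-lan"
        set dstaddr "siteB-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "siteB-to-siteA"
        set srcintf "to-siteB"
        set dstintf "internal"
        set srcaddr "siteB-lan"
        set dstaddr "siteA-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# ---------- FortiGate B (public IP, responder) ----------
config vpn ipsec phase1-interface
    edit "from-siteA"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set add-route enable
        set psksecret "REPLACE_WITH_STRONG_PSK"
    next
end
config vpn ipsec phase2-interface
    edit "from-siteA-p2"
        set phase1name "from-siteA"
        set proposal aes256-sha256
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 10.2.2.0 255.255.255.0
        set dst-subnet 10.1.1.0 255.255.255.0
    next
end
# No static route to 10.1.1.0/24 on B: add-route installs it when A brings the tunnel up.
# Firewall policies on B mirror those on A, with "from-siteA" as the tunnel interface.
```

After the tunnel is up, `diagnose vpn ike gateway list` on either unit shows whether NAT was detected and the UDP 4500 port pair, `diagnose vpn tunnel list` shows the negotiated selectors, and `get router info routing-table all` on FortiGate B shows the route to 10.1.1.0/24 that add-route installed without any static route. Because the blackhole route on A has distance 254, it is only used while the tunnel interface (distance 10 by default) is down, which is exactly the failure mode the tutorial guards against.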
Info
Channel: Verifine Academy
Views: 10,224
Keywords: FortiGate, IPsec VPN, FortiGate IPsec, FortiGate IPsec Loopback, IPsec with Loopback Interface, Site-to-Site IPsec Loopback Interface, FortiGate Site-to-Site VPN, FortiGate IPsec VPN, Site-to-Site VPN with Loopback, IPsec VPN with Loopback
Id: OQ0TQPrC4js
Length: 10min 17sec (617 seconds)
Published: Wed May 17 2023