FortiGate to FortiGate IPSEC Configuration (FortiOS 6.4.0)

Captions
This video is going to cover a basic site-to-site IPsec tunnel between two FortiGates, none of that wizard crap either; we're going to do this custom. Hey guys, so I got a couple of messages via Facebook and an email, and basically it was a couple of people that were asking about setting up IPsec tunnels between two FortiGates, which is extremely useful if you're in a situation where you have two branches and they need to share information between each other without it going over the public Internet. For those of you that don't know, IPsec is basically a means of tunneling traffic between two locations so that it's encrypted and protected. It also keeps you from having to open up anything from, like, the outside world coming in, so it helps the security and helps keep things tight there. So we're going to jump into our lab FortiGates so we can actually do this process and we'll go through it.

Some things to consider: you need four parameters proper in order for an IPsec tunnel to take place. Your phase 1 settings, first and foremost, have to be right; if they're not right you're going to run into a situation where the phase ones won't match and it won't work. Step two, your phase twos need to match accordingly as well; that's what defines the networks that will be protected, etc. Step three: these are route-based tunnels, using interface-mode IPsec on a FortiGate, so you must make sure that you have your static routes, or whatever routing you're using, set up to tell the FortiGate to send traffic over said IPsec tunnel. And then step four, you have to have your policy to allow the traffic to traverse. So with that being said, let's jump in and we'll do some edits.

So we're sitting here; these are our two FortiGates. Now, their outside interfaces are on the same network, 10.30.1.10 and 10.30.1.20. It's a private network, but it's not really pertinent for this situation; I just wanted you guys not to freak out whenever you see that these are on the same lab environment. As far as they're concerned, the two subnets that are behind each FortiGate are still hanging out. So the first step is log in, if I can remember the password to each one. I did not shut these things down properly, by the way, I just powered them off; don't do that in your production environment.

So when you're doing your IPsec tunnel you need to pay attention to things like your phase 1, your phase 2, your static routes and your policies. But before you even get that far you need to know: what networks do I want to talk to each other? For instance, FortiGate 1 has 10.125.0.0/24, that whole subnet; FortiGate 2 has 10.126.0.0/24. For this video our goal is to make it to where 10.125.0.1 can ping 10.126.0.1 and vice versa. So that being said, we know what our local and remote subnets will be.

So on the left you go to VPN, you click IPsec Tunnels. Now whenever you Create New you will get the option to do site-to-site, hub-and-spoke, remote access and custom. I do custom. I recommend custom; when you do the wizards it automatically creates address objects and a whole bunch of other stuff, it makes the configuration messy, which later down the road can get quite cumbersome. So I want to do custom. I'm going to name this ToFortiGate2, click Next, and it will take you into where you define your phase 1. Our static IP address of the other end is 10.30.1.20 and we're going to connect to that using our port1 interface, which is our WAN interface in this situation. We're not doing any NAT traversal for this. For those of you that don't know, NAT traversal is when the device that is creating the IPsec tunnel is behind, or has to pass through, a NAT device like a router or maybe even another firewall in order for it to build the tunnel. We're not going to do that because these are just presenting as if they're both on the Internet and they do all the NAT for their internal networks themselves. So we'll click Disable for NAT traversal. Dead peer detection we will leave at On Demand; DPD determines if the other end is up or alive, or dead. And then we will leave the Advanced Options out of it because this is for a basic video, right?

So now we dive into our authentication. We're going to use IKE version 1. I've run into a lot of situations where, connecting a FortiGate to an ASA, you want to do, like, version 2 because they can't handle some stuff, but for FortiGate to FortiGate I like to use IKE version 1. And we'll define our pre-shared key here, which for the sake of this video is just going to be "password"; keep it simple. These are our encryption methods for phase 1. I'm going to leave all these there, but basically, usually what you want to do is choose the most secure encryption and authentication algorithm you can that the devices support. And then DH groups: there's different levels of capability between the DH groups, so the higher the DH group, usually the more secure and capable it is. Our lifetime: this is how long the SA is going to be built between the two FortiGates. I leave this at default for a FortiGate to FortiGate configuration; in fact, from phase 1 down you can leave almost everything at default just for the sake of this type of deployment.

In the phase 2, this is ToFortiGate2. Now this is where you have to be specific on some things. I need to enter my local subnet that I want to be able to go over this tunnel, which is 10.125.0.0/24. If you want your phase 2 to be loosey-goosey and allow any network to traverse that knows to go over it, you can do 0.0.0.0/0.0.0.0; that's not best practice though from a security perspective, so we recommend tying down the phase twos based on the actual networks that wish to traverse. And then 10.126.0.0/24 is my remote; that's FortiGate 2's network. Come down here, I like to have auto-negotiate and autokey keepalive on; I like the tunnel to stay up non-stop. Modern FortiGates are a little bit better at overhead and things of that nature, so you don't have to worry about situations where you need to keep resources low, so "if the tunnel is not usable, bring it down" type thing. So that's our phase 1 configuration and then our phase 2 configuration; click OK.

Now we need to make sure our static routes are proper. So we go to Network, Static Routes, and we will Create New, and we're going to create a route: this has to get to 10.126.0.0/24, go over the ToFortiGate2 tunnel. If you have multiple tunnels to different locations, maybe each one has multiple WAN interfaces, you can set multiple static routes and give them weights, which we will discuss later in an SD-WAN interface video. So for the sake of this single site-to-site, no failover, anything like that, we'll keep all routes very simple: administrative distance of 10 with a priority of 0, click OK.

So we have our phase 1 set up, we have our phase 2 set up, we have our static route. Now for this FortiGate we just need the actual firewall policy, so IPv4 Policy under Policy & Objects, and we'll Create New. Basically, inside to remote FortiGate: my inside interface to my FortiGate IPsec tunnel. Now when I do this I usually create a zone called IPsec or Remote or Branches, you know, something along those lines, and I put my IPsec tunnel interfaces within that zone. If you guys want to know more about zones, I have a video about it, check it out, it'll give you some details. But for the sake of this video we're just going to go from our inside interface to our IPsec tunnel and we're going to allow the communication to take place. Instead of selecting "all" for source and destination, I'm going to create actual subnets for this. So I created Local Network, 10.125.0.0/24, and that'll be my source, and for my destination I'm going to create Remote Network and that'll be the 10.126.0.0/24. So my policy is fairly granular, right? Only those two networks can go over it. We're not going to do any NAT translations because there's no overlap. If 192.168.1.0 existed on both sides and we wanted those networks to be able to communicate, we would have to do some level of NAT to do that; that's for a later video. So no NAT. We will do our basic application control and antivirus, log all sessions, and we are good to click OK. So that's our policy. So we're done with FortiGate 1 for right now.

So now we need to jump over to FortiGate 2. Our local network is 10.126.0.0/24. So VPN, IPsec Tunnels, we'll create our new tunnel and we're basically going to do the same thing on this side. ToFortiGate1 is going to be our tunnel name, click Next. For our phase 1 we will configure the remote end for the remote IP address of the gateway. We're using port1 because that's our WAN interface. We're not using NAT traversal because this is not having to pass through a NAT device in order to build a tunnel. Our pre-shared key, we configured that to "password" on the other end. IKE version 1, FortiGate to FortiGate, keep it simple, main mode. We're going to leave our encryption and authentication exactly as is, same with our DH groups. Lifetime, we set it to 86,400 on one side, so we have to have that match on this side. Phase ones on each FortiGate need to match; phase twos need to match, with one thing being different, obviously: the local network in the phase 2 is going to be the local network of the FortiGate that you're configuring, and the remote network will be the remote network of the other end, so you'll flip those depending on which FortiGate you're on, right? So we'll go down to our Advanced section of our phase 2. Our local network on this one is 10.126.0.0/24 and our remote on this one is the 10.125.0.0/24. Auto-negotiate, autokey keepalive, and our timer for the phase 2 is 43,200, which is exactly what it was on the other one. So we'll click OK. So we have our phase 1 and our phase 2 configured.

Now, just like on the other one, we have to configure a route. Any time a FortiGate gets a packet it goes: do I have a route for this? No? Go out the default gateway. If I do, send it out the path that route defines. So 10.125.0.0/24 is accessible over the ToFortiGate1 IPsec tunnel; click OK. And now we just need our policy to allow that traffic to traverse, so we'll do ToFortiGate1: incoming interface will be port2, outgoing interface will be ToFortiGate1. And as you can see this FortiGate hasn't been configured with zones. A lot of times if you're not the owner of both FortiGates, or maybe they were deployed at different times, they may not have the same interface naming, so pay attention to your source and destination interfaces to make sure that you're selecting the right ones based on the source traffic that you wish to allow and the destination you wish to go to. And then on this side I'll create our local network for this one, and 10.126.0.0/24 is the local on this side, and the remote is going to be the 10.125.0.0/24. For those of you that don't know, a /24 is a Class C. Disable NAT, allow the traffic, same thing. I don't think we have any... actually, on this side we're going to leave this one loose; maybe this is someone else's FortiGate, they're not as secure, right? Click OK, so we have our policy.

So what were the requirements? Phase 1, phase 2, static route, policy; those are the four main things. So let's take a look and see if our IPsec tunnel is up, and it is. So if you go under Monitor, IPsec Monitor, you can see that our IPsec tunnel is up. If we check on the other side we can see that as well, which is good; that means phase 1 and phase 2 match. Now we need to see if traffic can actually traverse, and what you would do in a situation like this is you can set your source IP. We're logged into FortiGate 1 right now because I switched over, so we can do exec ping-options source and tell it to ping from 10.125.0.1. For those of you that don't know, you can set certain parameters on your pings and things of that nature, so if you want to do a ping from one device to another: exec, space, ping-options, space, source, space, your source IP. And then let's make sure I actually have ping enabled on this interface, and I do, so now I should be able to ping 10.126.0.1. And it's not replying, so that means we've got to troubleshoot and find out why. Oh, why is this not working? Because my policy allows the inside network to go to the branch, not the other way around. So I'm going to clone the reverse of this and enable it. Seeing the policy always gives you, you know, some good things to see. Now we'll see... and it works. FortiGates are session-based firewalls, so what that means is once the session's built the return traffic can be allowed, and since I didn't have the policy on FortiGate 2 to allow the traffic to traverse inbound, it blocked it initially. So what we're looking at here is my policy that allows from the remote network to the local network has traffic on it, which means it works as intended. So that's how you do that. And if we were to try on this end it won't work either until I do that same policy, so for the sake of this one we're just going to do ping-options source 10.126.0.1, because this is FortiGate 2, exec ping 10.125.0.1, and as you can see it's not working. If I come over here and create the policy, just by cloning the reverse of the one I already made, this traffic will start working.

Phase ones are good, phase twos are good, my static routes are good, and as long as the policy is built to allow the traffic that you wish to traverse, that's what you need in order for things to work appropriately. One of the biggest things that people run into in troubleshooting IPsec tunnels, especially if the tunnel is up but the traffic isn't passing as intended, is they forget to look at the path of a packet. Every time a packet gets to a new hop or new destination, that destination goes: okay, you're trying to get where? Do I have a route for there? Mmm, no, go out the default route. If you don't have a route, whether it be static or dynamically learned, it's going to go out the default route, that 0.0.0.0/0.0.0.0. Once the tunnel was built and the policy was the way it should be, we had two-way communication and things started working. So simple things can cause big problems; just keep troubleshooting. The more familiar you get with troubleshooting, and especially when we start diving into debugs, the better things get. If you like this video and you'd like to see more like it, do me a favor, hit the like button on the video, then hit subscribe and ring that little notification bell so you'll get updates whenever new videos come out. Remember guys, we don't just focus on the how, we focus on the why. So stay tuned. [Music]
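The same four pieces the video builds in the GUI (phase 1, phase 2, static route, firewall policy), written out as FortiOS 6.4 CLI for the FortiGate 1 side. This is an added example, not configuration from the video or from Fortinet: it uses the video's peer address, subnets, lifetimes and demo pre-shared key, leaves the encryption proposals and DH groups at the FortiOS defaults as the video does, and assumes port1 is the WAN interface (as in the video) and port2 is FortiGate 1's LAN interface (the video does not name it). The tunnel and address-object names are likewise assumed.

```text
config vpn ipsec phase1-interface
    edit "ToFortiGate2"
        set interface "port1"
        set ike-version 1
        set dpd on-demand
        set nattraversal disable
        set remote-gw 10.30.1.20
        set psksecret "password"
        set keylife 86400
    next
end
config vpn ipsec phase2-interface
    edit "ToFortiGate2-p2"
        set phase1name "ToFortiGate2"
        set auto-negotiate enable
        set keepalive enable
        set keylifeseconds 43200
        set src-subnet 10.125.0.0 255.255.255.0
        set dst-subnet 10.126.0.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 10.126.0.0 255.255.255.0
        set device "ToFortiGate2"
        set distance 10
    next
end
config firewall address
    edit "local-net"
        set subnet 10.125.0.0 255.255.255.0
    next
    edit "remote-net"
        set subnet 10.126.0.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "LAN-to-FG2"
        set srcintf "port2"
        set dstintf "ToFortiGate2"
        set srcaddr "local-net"
        set dstaddr "remote-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

FortiGate 2 mirrors this with the subnets, route destination and address objects swapped, and the return-direction policy the video adds while troubleshooting is this same policy with srcintf/dstintf and srcaddr/dstaddr exchanged. Replace the demo pre-shared key with a long random secret on both ends.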
Info
Channel: Fortinet Guru
Views: 26,419
Id: zpGxmyRmN-g
Length: 19min 29sec (1169 seconds)
Published: Sun May 10 2020