How to configure VPN site to site on Fortigate

Captions
Hi everyone, welcome back to my video. In this video we will learn together how to configure VPN site to site. When you have many offices in different locations, you can configure VPN site to site in order to exchange the resources, exchange the data, between your site offices. For example, you have an HQ office and many branch offices in different locations; with VPN site to site they can communicate with each other in different locations and then share the resources from HQ to the different site locations. If you are new here watching my video, and if you like my video, please give it a thumbs up. Let's go back to our lab and we will see together in this video.

This is our GNS3 lab and it is a blank project. We add the switch, the core switch, and we add the FortiGate firewall, and then we have an Ethernet switch that is running on the GNS3 VM, and then we choose a cloud here, running on the GNS3 VM as well. I choose classic, it is better. Please give me one second, let's start our FortiGate. This one we can say is WAN, this one we can say is internet. This is HQ, and let's say SR; SR means Siem Reap. Then this one we can say .100 and this one, okay. So this is our WAN IP, and for our LAN, the local LAN, we have VLAN 10, VLAN 20, VLAN 30. For the local LAN at SR we have VLAN 40, VLAN 50 and then VLAN 60. We will have clients. Duplicate, where is duplicate? Okay.

So we start our FortiGate here. This is VLAN 10, it will be 192.168.10.10. This one will be 192.168.20.10/24. So let's start our configuration from HQ. For the first login the username is admin and there is no password, we just press Enter. It will ask for the new password and I set the same thing, admin. So now we want to set the WAN IP to 192.168.1.100 for the WAN in order to access it via our web browser; it is easy to configure. We can see that we don't have any IP yet for port 1 and the mode is DHCP. One second everyone, I will show: config system interface, edit port1, set mode static, set ip 192.168.1.100, set allowaccess ping http https. So now our port 1 has this IP address and we allow ping, HTTPS and HTTP, so now we can access it via web browser. We go to our Google Chrome and we can say 192.168.1.100. Our username admin, password admin. This is the pop-up; I can say fortigate-HQ, don't show this again. Here we go, you can see here it updated the hostname to fortigate-HQ, and we can say show system interface, where we also can see our port 1 IP address. If we go to our user interface via web browser, we go to Network, we also see the port 1 IP address and ping.

What we want to do next is create our VLANs. We have three VLANs, 10, 20, 30. We go back here, under port 2: Create Interface. Our VLAN 10 we can say office, interface port 2, VLAN ID 10, we will allow ping and then DHCP server; we want to have a DHCP server, and our clients start from .10. Now we have VLAN 10, office. We do the same thing for VLAN 20: we can say cctv for VLAN 20, under port 2, VLAN ID 20, DHCP server, allow ping, we start from .10. Another VLAN, VLAN 30, we call it server, for example server, under interface port 2 as well, VLAN ID 30, allow ping, DHCP server, apply. So now we have three VLANs under port 2 and we allow ping. If we take a look here, show system interface: this is our port1, and then we will see our VLANs here. Where is VLAN 10? Here: VLAN 10 office, VLAN 20 cctv and VLAN 30, our server zone.

After we create our VLANs, we have three VLANs and we want to assign IP addresses to our clients, so we need to configure our switch here. Please wait a moment for the switch to start. Now our switch has started. We can see show interface: our switch doesn't have any configuration yet. Show vlan brief: we also don't have any VLAN. We create the VLANs: vlan 10 name office, vlan 20 name cctv, vlan 30 name svr, server. Before we did not yet have any VLAN, but now we have just created three VLANs, 10, 20, 30. We configure this port as the trunk port, Ethernet 1 as the trunk port, and this is VLAN 10, VLAN 20, VLAN 30: interface e0/0 ... Ethernet 0/3: switchport mode access, switchport access vlan 30. We save our configuration and then show interface status; now we have the trunk, VLAN 10, VLAN 20, 30. If we start our PC, our PC will get an IP address from our router, from our firewall: ip dhcp. It will request the IP address. Now, correct. PC2: ip dhcp, 20.10. If we try to ping 192.168.20.1, our gateway, yes we can ping, but we cannot ping VLAN 10, because we have not allowed our VLANs to do inter-VLAN routing or to communicate with each other. So we try to ping the gateway of VLAN 10; now we cannot. Same thing for PC3: ip dhcp, 30.10. So our clients get their IP address from our firewall.

If you want to do inter-VLAN routing for each VLAN, you can create one zone. We go back to our firewall. If you want to allow all the VLANs to communicate with each other, you can create one zone here and we say inter-vlan, and this option, "Block intra-zone traffic", you need to disable this option and add your VLANs, add your three VLANs here, and this option you need to disable so all these VLANs can communicate with each other. After we create this zone, this zone here, our zone, let's go back to our PC3 that is under VLAN 30: we can ping VLAN 10; also here VLAN 20 can also ping VLAN 10. That's inter-VLAN routing in the FortiGate firewall. We have already configured this part, so we continue to this part. Let's go to our firewall; let me close. This is our FortiGate here.

We also have three VLANs. No password for the first time, and then we need to set the password, admin admin. Show system interface: port 1 also does not yet have an IP address, so we need to add an IP address for port 1 so we can access it via web browser: config system interface, edit port1, set mode static, set ip 192.168.1.101/24, set allowaccess ping http https. We show again; now we have the IP. We go back to this, this is our HQ. Admin admin. We can say it is FortiGate SR, our branch SR; don't show it again. So now this is our branch and this is our HQ; you also can see the identifier here. You go to Network: you have port 1 here, also port 2, you don't have anything yet. We need to create three VLANs as well under port 2: 40, 50, 60. We do the same thing, Create Interface, we can say SR office, VLAN 40, we also need ping, we need DHCP server and we start from .10. Create another interface; so now we have three VLANs. Continue to this part for the switch. We start our switch here, and on our switch we can say show: we don't have anything yet, it is a new one. Let's go to configuration and we create vlan 40, vlan 50, vlan 60; we show our VLANs, we have VLAN 40, 50, 60. Then we need to create the trunk port, configure our trunk port here; this is an access port; switchport trunk encapsulation dot1q, switchport mode trunk. We save our configuration and then show interface status; now we have the trunk port, VLAN 40, 50, 60. All these clients will get exactly the same, these IPs start from .10. PC4: ip dhcp, this client can get the IP address. Let's try ping 192.168.1.100; we try to ping this, cannot ping; we try to ping this as well, cannot ping. We continue to PC5: ip dhcp, this is VLAN 50, and if you try to ping VLAN 40, cannot ping. Because why? Because we don't have any inter-VLAN routing configuration, the same as this firewall, so it cannot ping. PC3: ip dhcp, correct.

So now if you want to do inter-VLAN routing you do the same thing. I am at the firewall of the Siem Reap site: zone, inter-vlan routing here, and we try to ping; now from VLAN 50 we can also ping VLAN 40. So now at the HQ site all the VLANs can communicate with each other, and also at this site all three VLANs here can communicate with each other. Now we want to do VPN site to site, so all these VLANs can communicate with those VLANs after we do the VPN site-to-site configuration. Let's go through together the VLAN configuration, oh sorry, the VPN configuration. I go to the HQ firewall. If you go to Static Routes I don't have any static route; Firewall Policy also, we don't have any firewall policy configuration. With our VPN we go to VPN here, and you can see the list down here of the options that you can configure. You also can choose from these templates: site-to-site VPN for FortiGate, site-to-site VPN with Cisco, dial-up FortiGate and dial-up Cisco firewall; you can choose from here or you can start from here. So now we start with the IPsec VPN wizard. In here, for site to site it means that there is no NAT between sites, same as our lab here; this is no NAT, this is our lab practice right now. And this is "behind NAT", which means that you will have another router before the FortiGate, and this is the same thing, we choose this option; you use the other option for dial-up FortiGate. So for this lab: site to site, FortiGate. I am on HQ, so I name it HQ-to-SR-site, and then this is FortiGate; if you do it with Cisco you choose Cisco, but in our lab here we practice on the FortiGate. Click Next. Remote IP address: remote IP address here means, you can see, the remote FortiGate. In our example the remote FortiGate is here, we are on HQ, so the remote IP will be this IP address. Outgoing interface: you can see the list down here, but as you know the outgoing interface is the port that connects to our WAN here, so we can see that this is port 1 and this is the IP address of port 1. Pre-shared key: I put it the simple way, 123123, this is just our example for this lab; you can put whatever pre-shared key you want. This is our local interface; our local interface will be inter-vlan. Then for local subnet, we have three for our local subnet here, so you need to allow all the subnets, because you want to access from both sites, from HQ to Siem Reap and from Siem Reap to HQ. Our local subnets, we will have three; this is our local subnet. Then remote subnet: we also have three here, we have three VLANs, 40, 50 and then 60.

Internet access: we have three options. If you choose None, it means that our FortiGate at HQ and our FortiGate at the remote site, the SR site, will each have their own internet access. If you use Share Local, it means that when this site wants to access the internet, it will use the internet from this site. If you select this option it means that when the HQ site wants to access the internet, it will use the SR site. For our practice here we choose None, because this HQ site will have its own internet connection and the SR site will use its own internet connection to access the internet for the clients. Please take note of this option here. So now we have local subnets, we have remote subnets, click Next and review our configuration. After we click Create, everything will be created automatically: the static routes will be created automatically, and also here the policy rules. If we go to Static Routes you can see before we didn't have any static route, but now, after we do the VPN wizard, it is automatically created for us. And if we go to Firewall Policy, it is the same thing: you have two policies here for the VPN site to site; it will allow from HQ to the remote site and from the remote site to HQ, yes, two directions. So this is from the HQ site.

We go to the SR site, admin admin. From the SR site I will go fast, same thing. I want to confirm with you that we don't have any static route, firewall policy; we don't have anything yet. So we go to VPN and the VPN wizard for us: No NAT, remote IP, it will be this IP address, this is our remote IP, port 1 as well, pre-shared key 123123, this is the key that we need to know in order to establish the VPN connection. So now our VPN is already created. We try to ping; it will show the status Inactive because we don't have any established connection yet. Also you can go to VPN here, also Inactive. You can see this is the static route that our firewall automatically created, and we have two firewall policies for both directions. So now we have successfully configured VPN site to site, and this status you can see is Inactive, in red, down. When you go back to PC5, PC5 is in the SR site, you try to ping one of these, or you try to ping all these VLANs, let's say ping VLAN 10, 10.10: it will establish the connection. Now we can see that we can ping from this client to this client, and when you go back to, where is the refresh here, we try to refresh, so now after the connection is established and you try to ping, the status goes back to Up. So now it is up. This is from PC5; let's try from here, PC3. PC3's IP address is 30.10; we try to ping 192.168.60.10, can ping; we try to ping 40.10, can ping. So now our configuration is finished: we can establish and configure VPN site to site for the FortiGate firewall. If you have any other question you can ask me at any time. This is all for this video, thank you for watching my video.
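The video does the LAN side of the HQ FortiGate in the GUI (WAN address on port 1, three VLAN sub-interfaces on port 2 with DHCP, and an inter-VLAN zone). As an added example, not the video's own commands, here is the equivalent FortiOS CLI for that side. The interface names (office, cctv, server), the .1 gateway per VLAN and the /24 masks follow the video; the `trusthost` entry and limiting port 1 admin access to HTTPS are assumptions made from a hardening point of view (the video also enables HTTP on the WAN port), so adjust them before applying on a real unit.

```fortios
# Added example, not from the video: HQ FortiGate, LAN side
config system interface
    edit "port1"
        set mode static
        set ip 192.168.1.100 255.255.255.0
        # video: ping http https; https alone is enough for the GUI
        set allowaccess ping https
    next
    edit "office"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 10
    next
    edit "cctv"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 20
    next
    edit "server"
        set vdom "root"
        set ip 192.168.30.1 255.255.255.0
        set allowaccess ping
        set interface "port2"
        set vlanid 30
    next
end
# one DHCP scope per VLAN, clients from .10 as in the video;
# repeat with 192.168.20.x and 192.168.30.x for cctv and server
config system dhcp server
    edit 1
        set default-gateway 192.168.10.1
        set netmask 255.255.255.0
        set interface "office"
        config ip-range
            edit 1
                set start-ip 192.168.10.10
                set end-ip 192.168.10.254
            next
        end
    next
end
# zone with "Block intra-zone traffic" turned off = inter-VLAN routing
config system zone
    edit "inter-vlan"
        set intrazone allow
        set interface "office" "cctv" "server"
    next
end
# assumption: admins sit in the office VLAN; limits where the admin
# account may log in from, so the WAN-side GUI is not reachable by anyone
config system admin
    edit "admin"
        set trusthost1 192.168.10.0 255.255.255.0
    next
end
```

The SR FortiGate is configured the same way with 192.168.1.101 on port 1 and VLANs 40, 50 and 60 on port 2. Note that `set intrazone allow` means any host in one VLAN reaches every host in the other two without a policy, which is what the video wants for the lab; in production you would normally keep intra-zone blocking on and write explicit policies between office, cctv and server.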
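The IPsec wizard in the video creates a set of objects behind the scenes: address objects and groups for the local and remote subnets, a phase 1 and phase 2 definition, a static route over the tunnel interface plus a blackhole route, and the two firewall policies. As an added example, not the wizard's actual output, here is the HQ side written out by hand so the pieces are visible. It assumes port 1 and the inter-vlan zone already exist as set up in the video; the tunnel name HQ-to-SR, the object names, the IKEv2 / AES-256 / SHA-256 / DH group 14 proposal and the PSK placeholder are assumptions (the video uses 123123 as a lab key; use a long random secret on a real link).

```fortios
# Added example, not from the video: HQ FortiGate, site-to-site IPsec
config firewall address
    edit "HQ-to-SR_local_subnet_1"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "HQ-to-SR_local_subnet_2"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "HQ-to-SR_local_subnet_3"
        set subnet 192.168.30.0 255.255.255.0
    next
    edit "HQ-to-SR_remote_subnet_1"
        set subnet 192.168.40.0 255.255.255.0
    next
    edit "HQ-to-SR_remote_subnet_2"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "HQ-to-SR_remote_subnet_3"
        set subnet 192.168.60.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "HQ-to-SR_local"
        set member "HQ-to-SR_local_subnet_1" "HQ-to-SR_local_subnet_2" "HQ-to-SR_local_subnet_3"
    next
    edit "HQ-to-SR_remote"
        set member "HQ-to-SR_remote_subnet_1" "HQ-to-SR_remote_subnet_2" "HQ-to-SR_remote_subnet_3"
    next
end
# phase 1: peer is the SR FortiGate's port 1 (192.168.1.101 in the lab)
config vpn ipsec phase1-interface
    edit "HQ-to-SR"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 192.168.1.101
        set psksecret "REPLACE_WITH_LONG_RANDOM_PSK"
    next
end
# phase 2: selectors are the address groups, so all three VLANs each way
config vpn ipsec phase2-interface
    edit "HQ-to-SR"
        set phase1name "HQ-to-SR"
        set proposal aes256-sha256
        set dhgrp 14
        set src-addr-type name
        set dst-addr-type name
        set src-name "HQ-to-SR_local"
        set dst-name "HQ-to-SR_remote"
    next
end
# route 1 sends branch subnets into the tunnel; route 2 is a blackhole so
# that traffic for those subnets is dropped, not sent out port 1 in clear,
# if the tunnel is down
config router static
    edit 1
        set dstaddr "HQ-to-SR_remote"
        set device "HQ-to-SR"
    next
    edit 2
        set dstaddr "HQ-to-SR_remote"
        set distance 254
        set blackhole enable
    next
end
# the two policies the video shows: HQ VLANs to SR and SR to HQ VLANs
config firewall policy
    edit 1
        set name "vpn_HQ-to-SR_local"
        set srcintf "inter-vlan"
        set dstintf "HQ-to-SR"
        set action accept
        set srcaddr "HQ-to-SR_local"
        set dstaddr "HQ-to-SR_remote"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 2
        set name "vpn_HQ-to-SR_remote"
        set srcintf "HQ-to-SR"
        set dstintf "inter-vlan"
        set action accept
        set srcaddr "HQ-to-SR_remote"
        set dstaddr "HQ-to-SR_local"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The SR side mirrors this with `remote-gw 192.168.1.100`, the 40/50/60 subnets as the local group and 10/20/30 as the remote group. Two things worth checking after the tunnel comes up: `diagnose vpn tunnel list` should show the expected selectors on both sides, and `get router info routing-table all` should show the remote subnets via the HQ-to-SR interface rather than via the blackhole. The policies use `service "ALL"` because the video does, which is what makes every branch host reachable on every port; tightening that to the services the branch actually needs is the usual next step.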
Info
Channel: TAN Kirivann
Views: 27,509
Keywords: Tan Kirivann, fortinet, fortigate, fortinet firewall, fortigate vpn, fortiget site to site vpn, vpn site to site fortiget, Cybersecurity, firewall, Configure inter-VLAN routing using fortigate firewall, inter vlan fortigate firewall, GNS3, GNS3 VM, how to create sub interface fortigate firewall, how to configure router on a stick, vlan, trunking, fortigate firewall vlan configuration, how to configure DHCP Server for vlan, DHCP Server for VLAN, interface vlan, routing, Networking, ccna
Id: RPgx_ouspgU
Length: 58min 7sec (3487 seconds)
Published: Mon Dec 13 2021