Site-to-site IPsec VPN tunnel between FortiGate and MikroTik

Captions
Hi there, it's Miro. Today I'm going to show you how to set up an IPsec VPN tunnel between a Fortinet FortiGate and a MikroTik router. For this scenario I'm using the PNETLab emulator. As you can see, we have a FortiGate on site A and a MikroTik router on site B. We will have some basic configuration on both sides, and we will use a Cisco switch as a DHCP server for our end devices. Well, let's get started with the FortiGate configuration on site A. First we connect to our FortiGate and open the CLI interface: double-click on the FortiGate in your PNETLab, or use a console cable on a real device. Write your username and password; then you should set a new password, as you logged in for the first time. Then execute the show system interface command to see the FortiGate port status. Here we see that port 1, which we've chosen as the internet interface port, has been set to DHCP mode by default, so first we need to change its mode to static. Now we can set the IP on port 1. In this scenario I've chosen 10.10.15.112/24, which is in my local network IP range. Then set "allow access" as you prefer. All right, now we can access the FortiGate web interface and continue our configuration via the web. To do that, open your web browser and enter the IP you already set on port 1.

Enter your user and password and hit Login. All right, we are in. Go to the Network menu and select Interfaces. There you can see port 1 that we already configured via the CLI; follow the configuration process and choose WAN for its role. Then we should configure port 2 as our LAN interface, which is connected to the Cisco switch as shown on the topology. We choose the IP 1.1.1.1/30 for port 2 of the FortiGate. Well, we have done the first steps of the FortiGate basic configuration. Now let's go to the Cisco switch, and we will come back to the FortiGate again. As you can see, I changed its name to "side A switch"; you can name it whatever you want. Select interface GigabitEthernet0/0 as our routed interface to the FortiGate and set the IP 1.1.1.2/30 for it, as shown on the topology. Oh, I made a mistake on the subnet mask for interface 0/0: I set /24 instead of /30. Let me correct it. All right, now it is /30. Back to our scenario: now we should configure a DHCP pool for our local network and devices. Follow the process that has been shown in the video. As you can see, our local IP range is 172.16.1.0/24. We are done with the DHCP pool configuration, and now we need to make the routing configuration. As you know, our default gateway is 1.1.1.1. All right, now it's time for the VLAN configuration. I'm going to make VLAN 2 and assign interfaces 0/1 and 0/2 to it. Now we assign VLAN 2 to interfaces 0/1 and 0/2, and assign an IP address to VLAN 2.

Our basic configuration on the switch is done. Now we can turn on our virtual PCs and set their interface to DHCP mode to get an IP from our switch DHCP pool. Something is wrong: it shouldn't take this IP, .1.2. It might be because of the ip excluded-address configuration. Let's go back to the switch and check it. Yes, the excluded range is wrong: I wanted to exclude addresses from .1.1 to .1.100, but I've typed .1.10 instead of .1.1. Let's fix that. Go back to our virtual PC and check it. All right, now it is correct, so on my first PC I will release and renew the address. Okay, that's it. Go back to the FortiGate and set up the routing configuration. Note that I'm using FortiOS version 7.0.3; in your lab or device it might be a different version with a different interface, but the configuration is the same. First we need to configure a default route to reach the internet via the R1 gateway. To do that, we go under Network > Static Routes, followed by Create New. As this is our default route, we can leave the destination address as it is; it basically means all packets from the FortiGate firewall would be sent to the outgoing gateway to reach the internet. Then we can set the gateway address, or choose from the interface list, as our outgoing interface for the static route. Let's check whether our default route works or not. Okay, our FortiGate can now reach the internet. The next step is to make another route to reach our local network IP addresses through port 2 and the Cisco switch. In this case our destination IP range is 172.16.1.0/24, our gateway is 1.1.1.2, and clearly our outgoing interface is port 2. All right, our route from the FortiGate to our local area has been set. Now another option we should set up is the IP policy, or firewall policy, to enable the traffic from our local network to reach the FortiGate and then the internet. To do that, under Policy & Objects choose Firewall Policy and click Create New. As I mentioned before, packets come from our LAN through the incoming interface, which is port 2, and go to the outgoing interface, which is port 1.

In this scenario I choose "all" for source and services, but depending on your network you can create different addresses and subnets and choose which ones follow this policy. Okay, our simple firewall policy configuration has been set. Now I'm going to check my virtual PC and local area to see if my route configuration and firewall policy work and if it can reach my FortiGate and the internet. Yes, it can see port 1 of the FortiGate, it can see the IP that is R1, it also reaches my lab gateway, and finally it can ping Google DNS, which means my local network can reach the internet. And now let's check if we can reach our local area from the FortiGate. Great, we can see both of our virtual PCs. Now we can go to our site B network configuration and start with the MikroTik. Connect to your MikroTik, or double-click on the MikroTik node in your lab to open the command line interface. Log in with username admin without a password, then set your preferred password. Execute the ip interface print command to check our interface IP status. We can see our ethernet port 1 has a different IP, which comes from my home LAN DHCP server, but our preferred IP in this topology is 10.10.15.19, so I go for it and set my preferred IP. Now I'm going to check if my home network can reach this MikroTik. Yes. So now I can connect to my MikroTik using WinBox. Okay, we are in. Now go to IP > Firewall and choose NAT, then click the plus button and create a masquerade NAT. We can see our MikroTik can reach the internet now, and also we can see the external IP address of our FortiGate on site A. Now we will configure ether2, which is connected to our local area network, and set the IP 2.2.2.1/30 for it as shown on the topology. Okay, now it's time to log into our Cisco switch and set the required configuration, such as routing configuration, DHCP pool and VLAN configuration, similar to our site A Cisco configuration. Note that these configurations and the setup process are very basic; depending on your network topology or network devices you would add or change some more settings. Set IP 2.2.2.2/30 on interface 0/0 as our routed interface to the MikroTik ether2. Set the DHCP pool configuration for our site B local network IP range. Set interfaces 0/1 and 0/2 as access ports, create VLAN 2 and set an IP address for it, then assign VLAN 2 to your access interfaces. In this scenario our access interfaces that are connected to our virtual PCs are 0/1 and 0/2. Now I'm going to set my virtual PCs' interface to DHCP mode to get an IP from the switch DHCP pool. All right, my virtual PCs get IPs from the DHCP pool range. Now let's go back to the switch and set the routing configuration. Check our routing and connectivity from the local area. As you can see, the MikroTik external IP and the internet are not reachable from our local area. Actually, packets from our PCs go through the switch and reach the MikroTik, but there is no route on the MikroTik to send packets back, so we need to make another route on the MikroTik. Open the Routes window and set a new route configuration: the destination is our local IP range, and the gateway should be 2.2.2.2, which is our switch interface 0/0 IP address. Now check again. Okay, we can see our local area can reach the MikroTik, and from the MikroTik we can also reach both of our VPCs in the local area network, and both of our virtual PCs can also reach the internet as well as the external IP of site A. But it is obvious that the two internal IP ranges cannot ping each other, because they are located in separate networks. So now we will set up an IPsec VPN tunnel between these two networks to enable that.

All right, our basic network configuration is done, and now we can start the IPsec VPN configuration between these two sites. To do that, let's log in to the FortiGate and under VPN select IPsec Tunnels, then click Create New, then select IPsec Tunnel. On the new page we have different options for creating site-to-site or client-to-site VPN tunnels, but as we are setting up this tunnel between a FortiGate and another device, we should choose Custom. Give a name to this VPN tunnel and hit Next. Under Network settings, choose Static IP Address for the remote gateway and write your remote device's static IP. In my lab, as you know, my remote device on site B is the MikroTik and its IP address is 10.10.15.19. Then select your WAN interface, disable NAT traversal, and go to the Authentication settings. Choose the Pre-shared Key method and put a secure key in it. On the Phase 1 Proposal, select DES (Data Encryption Standard) for the encryption algorithm and choose SHA-1 for authentication. I choose group number 2 for the Diffie-Hellman group, which is a 1024-bit field size, and later on the MikroTik I'm going to choose and set the same as here. Okay, on Phase 2, put the local IP range of site A in the Local Address field, and then for the Remote Address field write the site B local IP range. Expand Advanced options and again choose DES and SHA-1 for encryption and authentication, unselect PFS, and select the Auto-negotiate option. The IPsec VPN setup on the FortiGate is done, and now go back to Network > Static Routes to make a new route for our VPN. On this route our destination address should be the site B local area IP range, which is 192.168.1.0/24, and our gateway to reach the destination is the VPN tunnel we recently created. Then we need to create two new firewall policies. In the first one we will let the packets that come from our local area reach the VPN tunnel, as the external gateway, to reach the selected destination. Note that here we can also specify the source and destination address, but in this scenario I select "all" for them to make it simple for this training video; there are some more firewall and security options that, depending on your policy and FortiGate license, you can choose or customize. Our first firewall policy has been created. To create the second one we can easily right-click on the first policy and select Clone Reverse from the options, because the second policy is exactly the reverse of the first one. It basically means that the packets that are coming from site B through the VPN tunnel and want to reach the local area IP range are accepted. Just open it and give it a name, and don't forget to enable it at the end, and click OK.

The IPsec VPN configuration, IP policies and routing on site A are done, and now we need to go to site B and set up IPsec VPN on the MikroTik. Open WinBox and log in to the MikroTik, then expand the IP option and select IPsec from the menu. Depending on your RouterOS version, this window's menu and icons might have some differences, but the configuration has the same process. Okay, first I'm going to create a new profile for my IPsec VPN, the same as the authentication algorithm on the FortiGate VPN setup: here I select DES and 1024-bit for the DH group, and also unselect NAT traversal. Now go to Peers and click the plus icon to create a new peer. In the peer Address field write the site A public IP; in my lab it is 10.10.15.112. Then select the profile that you recently created for this VPN and click OK. Now go to Identities and click the plus icon to create a new IPsec identity. Select the recently created peer, choose Pre-shared Key for the authentication method and write the same secret key that you have set on the FortiGate. Let the rest of the options remain as default and click OK. Now go to Policies and create a new policy. In the General tab, select the peer you have created for this VPN tunnel, select Tunnel, for the Source Address field put the internal IP range of the site B local network, and for Destination Address put the internal IP range of the site A local network. On the Action tab we need to select the proposal, but first let's create the proposal; then we go back to this Action tab. All right, go to Proposals and create a new IPsec proposal. Here again select SHA-1 for the authentication algorithm and DES for encryption, and choose none for PFS, the same as what we have done on the FortiGate VPN configuration, then click OK. Now go back to the policy, go to the Action tab and select our recently created proposal, then click OK. All right, the IPsec VPN setup on the MikroTik is done. On the Active Peers tab we can see our VPN status, which is established. Now go to IP > Firewall, click the NAT tab and select the masquerade NAT, then go to the Advanced tab; there, on IPsec Policy, select "out" from the option list and click OK.

Okay, now we can check our VPN tunnel and the connections between the two sites' local area networks. I'm going to ping the PC on the site B local area from the PC on site A. Yes, we can see the site B local network from site A, and now I'm going to check it from site B and ping the PC on the site A network. Yes, we can ping. I'm going to check the same ping test with the other two PCs. Good, as you can see, we can reach the other network through the VPN tunnel. Okay, that's it. Thank you for watching, and I hope you enjoyed this video.
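Editor's note: the following RouterOS 7 CLI listing is an added example, not the video's own commands; it is the site B (MikroTik) side of the tunnel the video builds in WinBox, expressed as CLI so it can be pasted or diffed. Addresses and subnets are the ones the video uses (site A LAN 172.16.1.0/24 behind FortiGate WAN 10.10.15.112, site B LAN 192.168.1.0/24 behind MikroTik ether1 10.10.15.19, switch link 2.2.2.0/30). Two things are deliberately different from the video and are assumptions of this example: the algorithms are AES-256, SHA-256 and DH group 14 (modp2048) with PFS on, because DES, SHA-1 and 1024-bit group 2 are deprecated and only acceptable in a throwaway lab, so the FortiGate phase 1 and phase 2 proposals must be set to the same values or IKE negotiation fails; and the two input filter rules at the end are not shown in the video and are only needed if ether1 has an input chain that drops unsolicited traffic. The pre-shared key is a placeholder.

```routeros
# Site B (MikroTik, RouterOS 7). Added example by the editor, not the video's commands.

# Addresses from the video's topology
/ip address add address=10.10.15.19/24 interface=ether1 comment="WAN (lab LAN)"
/ip address add address=2.2.2.1/30 interface=ether2 comment="link to site B switch Gi0/0"

# Return route to the site B LAN behind the switch (the missing route the video adds)
/ip route add dst-address=192.168.1.0/24 gateway=2.2.2.2

# Phase 1 (IKE) profile. IKEv1 main mode is the default on both devices, as in the video.
# Algorithms are stronger than the video's DES/SHA-1/group 2 (assumption, see lead-in).
/ip ipsec profile add name=siteA-p1 enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 nat-traversal=no

# Peer = the FortiGate WAN address (site A)
/ip ipsec peer add name=siteA address=10.10.15.112/32 profile=siteA-p1 exchange-mode=main

# Identity: the PSK must match the one entered on the FortiGate. Placeholder value.
/ip ipsec identity add peer=siteA auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK"

# Phase 2 proposal. PFS enabled here (the video selects none); set PFS group 14 on the FortiGate too.
/ip ipsec proposal add name=siteA-p2 auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    pfs-group=modp2048

# Policy: site B LAN <-> site A LAN through the tunnel (selectors must mirror FortiGate phase 2)
/ip ipsec policy add peer=siteA tunnel=yes src-address=192.168.1.0/24 dst-address=172.16.1.0/24 \
    proposal=siteA-p2 action=encrypt level=require

# Masquerade for internet access, but exempt packets that match an outbound IPsec policy.
# This is the "IPsec Policy: out" setting on the NAT rule's Advanced tab in the video.
# Without ipsec-policy=out,none the LAN source address is rewritten to 10.10.15.19 before
# encryption, no longer matches the phase 2 selectors, and the FortiGate drops it.
/ip firewall nat add chain=srcnat out-interface=ether1 ipsec-policy=out,none action=masquerade

# Assumption, not in the video: allow IKE (UDP 500, and 4500 if NAT-T is ever enabled) and ESP
# from the peer. Place these above any input-chain drop rule.
/ip firewall filter add chain=input protocol=udp dst-port=500,4500 src-address=10.10.15.112 \
    action=accept comment="IKE from site A"
/ip firewall filter add chain=input protocol=ipsec-esp src-address=10.10.15.112 \
    action=accept comment="ESP from site A"

# Verify: the peer should show as established and one SA pair per direction should be installed
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

If the peer shows as established but the LAN-to-LAN pings fail, check the installed SAs first: a matching phase 1 with no installed SA means the phase 2 selectors or proposal differ from the FortiGate's Local/Remote Address and Phase 2 Proposal, and a NAT rule without ipsec-policy=out,none is the next most common cause.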
Info
Channel: Mirhosein Garakouei
Views: 8,415
Keywords: fortigate, Fortinet, Fortios, mikrotik, router, Firewall, IPsec, VPN, tunnel, Pnet, lab, eve-ng, Cisco, Switch, DHCP, site-to-site
Id: RwRTvQficLg
Length: 40min 49sec (2449 seconds)
Published: Fri May 13 2022