Site to Site VPN Configuration on FortiGate | Lab GNS3

Captions
And we are live. Hey everybody, welcome to this live. This is Ghee here with KB Trainings. Today we're going to do some labs on GNS3. I'm going to show you how to configure an IPsec VPN site-to-site tunnel on GNS3. Here I have the topology that I have today. I was trying to build this live with you here, but I had a topology already created for a live that I did earlier in French, because I do it in French and in English too, and that's a lot of work, so we don't want to spend time building this. But I'm going to explain to you what this is and what we're trying to accomplish here. So if you like what I do, if you want to encourage me, do not forget to like the video on YouTube. Just hit the like on YouTube, that would be great, and share it on social media, share it on Facebook, on Instagram. So we have some people live on YouTube right now, we have some other people live on Facebook. Hi Sonaltes, I salute you. Hi everybody, hi Cookit, hi Camille, thank you so much for joining. So we're going to do this live today and it's going to be fun. Oh my God, shh. It's going to be fun, that's what you get when you go live. So yeah, I'm going to take just a quick minute here just to make sure we have enough people online so we can start doing this lab. And I hope everything is good with you, I hope you are having a good Sunday. I am having a good Sunday doing lives, and it's right now 2 p.m. here in Denver, Colorado. And yeah, say hi in the chat. Hi Michelle, Michelle Bizarro, Bizarro, O'Bizarro. All right guys, thank you so much for joining. Don't forget to like and share the video, and if you don't follow me on social media, I just shared something on Instagram right now on my kbtrainings Instagram showing you that I'm going live, and I'm showing you behind the scenes. I just showed you what I have in front of me here. Wait, what is this? Let me disable this one here. All right, so yeah, I just showed you what I had in front of me. If you don't follow me on Instagram, make sure you are following KB Trainings on Instagram, and my personal account is bisuku on Instagram. So let me share this on my personal Instagram as well, on my personal account I mean. Okay, it's done, and let me shut down my phone. So we have about 46 people on YouTube, which is great, and a little bit less than that elsewhere. I'm just shutting down the phone here just to make sure I'm not getting disturbed during the live. But yeah, welcome, and let's get started.

Cool, so this is GNS3. We built it last time; we did a couple of videos so far, I think two videos. In the first one I showed you the GNS3 VM, in the second one I showed you how I built the FortiGate and the Cisco router here. So today I'm going to show you how to configure a site-to-site VPN. So we have two LANs, or two local area networks. Right now we do have, let me just zoom in a little bit so I can show you this beautiful topology that we have here, and I also created another view that I called Zoom, so if I do Zoom here I'm able to show you things in a little more detail. So let's talk about this one here. So this is our LAN, this is our first local area network. Let me just go back. So here we have a network with a subnet of 192.168.10.0/24, and this is our site one. That's why the FortiGate is renamed site one, because this is the first site for this company. We also have site two with the internal subnet of 192.168.20.0/24.

So what we're trying to accomplish is to be able to access this computer from this other computer. So we need to connect these two subnets to each other as if they were contiguous, and we need to make sure that we can ping from this to there. That's it. So we're going to build a tunnel going from site one to site two; it's going to be an IPsec VPN tunnel. And these here, what you see there, the clouds, are just management connections. These are connected directly to my home network where I have my PC, my computer connected, this Windows computer that I'm using right now, and I use this just for management. So I need to make sure I'm able to access the GUI on FortiGate number one, I'm also able to access the GUI on FortiGate number two, and I'm able to access the internet using the ISP. And this one here is just the Cisco router. I put it here because I didn't want to make it very simple; I like to complicate things a little bit. So here I placed a Cisco router in the middle so I don't have a cable going directly from port 1 on site one to port 1 on site two. So we go through the Cisco router, so it does routing for us, and it's our ISP, or internet service provider, and this ISP is also going to go out to the internet. I'm also going to make sure that these links here, the ones going to my home network, are not the ones the FortiGates are using to go to the internet. The FortiGates are supposed to use these public links going to the Cisco router; that's where they go out. And that's why I also gave these small subnets: this one is 20.0.0.0/8 for this side and the other side is 30.0.0.0/8. So I did 20 and 30 so they show that they are public, these are public IPs, and my private network, or my local network, is 10.35.0.0. So that's what we're trying to accomplish today. I hope that makes sense, and we will take most of our time to configure the devices themselves, to configure the two FortiGates and the Cisco router so
that everything is set up as needed. All right, thank you so much everybody in the chat. I'm glad. Hello everybody, thank you so much, thank you very much Michelle. All right, so we are here and we are live, so I think we can get started already. I can go in the Cisco router and start my configuration. Just as a reminder, or for some details: this port here is going to use DHCP to get the IP out to my home network, out to the internet. These two ports are going to be statically configured with IP addresses. So this is going to be static, and this is going to be dynamic with DHCP. So that's what we're gonna do today. So let's start with the Cisco router. Okay, let me just shut this down and restart the whole SecureCRT. So we'll go with the Cisco router first, and I think you can see this very well, or I can increase the size of the font here. Let me push the topology to the side a little bit so we can see what we're doing while we're doing it, on the side. Nope, I don't want that. So this is our Cisco. What you want to do here is configure this for DHCP, so we're going to do configure terminal, interface GigabitEthernet 3/0, ip address dhcp, no shut. And also, because I want my connections from the FortiGates to go through this router here, I need to do some NAT on this router. So these are going to be NAT inside: these two ports are inside for NAT, and Gigabit 3/0 is outside. So I'm going to configure that here already: I'll do ip nat outside on Gigabit 3/0. So now I'm going to go on interface Gigabit 1/0, give it the IP address of 20.0.0.2 with a /8, and do ip nat inside and no shut. All right, we'll do the next one, that is interface gig, was that 1/0? Okay, so now we have 2/0. So I'm doing this side right now, so interface gig 2/0, ip address 30.0.0.0/8, oh no no no no, that's .2, okay, and ip nat inside. That's it. So if I do show ip interface brief you can see that we have now 10.35.0.195 on our WAN interface, so the one I consider, that is considered WAN going to the internet, and we also have these ones that we configured manually. So what I want to do now is test if we have access to the internet. Let's see, show ip route: yes, we have the default route going out to my router here in the house. And let's try to ping Google. Failing, why? I don't know, it should not be failing. Let's try to ping my default gateway 10.35.0.1. Yeah, it's succeeding. You can see there's one here that went out, but for some reason it's just maybe a GNS3 thing, so I may need to reboot the VM or something, but I can definitely go out. But this part here is not important for us, because this is going out to the internet. We just want to make sure that the traffic that is coming in here from the FortiGate is also going out to the internet, so I need to also enable the NAT that I told you about. First I need to create an access list: ip access-list standard local, and I'm going to permit the two networks that I have with the wildcard mask. So if you don't know anything about what I'm doing here, if you don't know how to configure an ACL, if you don't know how to configure interfaces, you should probably go and take my CCNA class, or CCNA training, that I do on kbtrainings.com. Let me show you the link here. To show the link I may need to go on me in full, and then I'll show you the link. This is the website, this is kbtrainings.com, that's where you can find the CCNA course. It's going really well right now, people like it, people seem to enjoy it. And also last time, in the last live that I did, people were asking for the images that I shared, but I shut it down after the live, which was actually an incentive for people to come live. So if you missed that, I'm going to copy the link and give you that in the chat right now. Thank you Akin. So in the chat you can see the link going to the folder where you can download all the images that I used last time. So it should be there for you; it's going to go down after this live as well. So I was talking about KB Trainings. Let's see, I didn't put the link in the Facebook chat. Hi Ellie on Facebook. So I put the link in that chat as well. So if you come here on kbtrainings.com you can go on the CCNA training. I have all the questions answered here about the CCNA; you can go and take the course. I also have some videos that will explain to you the whole thing, the experience that you have with the exam and everything else. So yeah, go on kbtrainings.com for the course.

Okay, so let's go back to GNS3 and pull up our CLI here. So I created, let's see, I created the access list, so what I'm going to do is exit here and do ip nat inside source list local, oops, local, interface GigabitEthernet 3/0. So this is what I did, on Gigabit 3/0. Oh, I need to add overload. Okay, all right, so with that our traffic from the two FortiGates will be able to go to the internet without any problem using that link. So now let's go back to the FortiGate. The first one is site number one. It's coming up now: admin without password because it's new, and I set up a new password. Okay, we are in. So right now, if I do show system, let's go full screen here, show system interface, you can see that we don't have any IP, because I connected port 10 to the management and port 1 doesn't have any DHCP server enabled on it. So what we want to do is make sure that we configure port 10 to receive a DHCP IP, and then port 1 will be manually configured. So I'm going to go under the configuration mode: config system interface, and then I'm going to edit port10, set mode dhcp, and I'm going to set allowaccess http https ssh. That should be enough, and I can just end it from here. We should have an IP assigned. Let me do the same thing for site number two, just so we already have it configured as well. So this one is admin, no password, I configure a new password. I don't know, I made a mistake maybe, damn, it's not going to be correct. Okay, new password. Okay, so config system interface, edit port10, set mode
dhcp, set allowaccess http https ssh, that's it. So let's go back to site one, see if we have an IP: show system interface. Okay, we have 10.35.0.214 for site number one. So I'm going to open my browser here, and, you know what, I want to change the user, let me use this other user here. So if I do this I get access to the GUI, and from here I can log into the GUI of our FortiGate. So I'm going to do admin with my new password that I have. What, admin? All right, so I'm in with site number one. I can do this configuration here quickly: give it the name of site one, and change dashboard to comprehensive, which is good. Okay, but you also have a CCNP course? Right now I do not have a CCNP course on kbtrainings.com, but it's coming, it's coming, as early as next month I think. I'm going to start a CCNP; I will go a little faster with that one, it won't take me a long time like the CCNA did. So we are here inside site number one. Let's go and also get access to site number two. What is the IP? So I will do show system interface. Okay, 193 is site number two. So I'm going to put the IP here and have access to the GUI, admin. All right, I'm in. One thing that I want to do every time in the lab is to increase my idle timeout. So this is site two, and I'll do okay. Okay, don't show me this. Okay, so if you go under Settings, or System, Settings, you can increase the idle timeout here from 5 minutes to 480, which is the max. I apply, and I do the same on this other FortiGate here: Settings, idle timeout, go to 480, so I won't be logged out when I'm doing the labs here. All right, and we just configured, or we have access to, our FortiGates right now. Yes, the French channel, one moment. So sorry guys, there was somebody asking me if I do lives in French as well, and I'm like yes, I do lives in French, and I just put in the chat the link to my French channel. That's where you're going to, no, no, that's actually the English channel. The link to my French channel, it's right there. If you have an issue with that let me know, but it should bring you to my French channel, where I just did a live in French; it just finished, and now we're doing the same thing in English.

All right, so we have access to the FortiGate. Next thing I want to do, let me configure these two ports: port number one going to the internet and port number two going to our LAN. So let's go back. This is site number one. I go under Network, Interfaces, and I'm going to first come in port10. I want to name it MGMT, as in management. There's no role or anything, so I should be good. Then I'll go to port number one: this is our WAN port. The name is WAN and the role is WAN, and I need to give it a manual IP address, 20.0.0.1, and here it's going to be 255.0.0.0, a /8. And there's nothing else to configure; it should be good. And then we need to go under port number two, which is our LAN port: just name it LAN, give it the role of LAN, and IP address 192.168.10.1 with the subnet mask of /24. Okay, all right, so this should be good. I can enable HTTPS and ping, or even SSH as well if I want, but you can be very restrictive. So here, because this is connected to my LAN, this is actually, so I just gave the IP address to port number one, now I'm configuring port number two going down to my computer here, so I want to enable the DHCP server so that it's going to get an IP. French or English is the same psychology? Yeah, Michael or Michelle, that's true, yeah, French or English, everybody should be able to get the whole thing. The link for the images, let me give it to you right now. So yeah, I was just explaining that this one is configured with DHCP, we already have an IP here; this one is configured statically; this other one is configured statically as well, but now I'm just enabling the DHCP server so that we can get an IP for the device that we have down there. So let me go back here, but in the meantime let me just share the link in the chats. I think I have it in my clipboard, the Google Drive link. All right, the link is there; let me know if it works. It should be working. All right, so we are here. I think all I have to do now is go back in the FortiGate and make sure DHCP is enabled, and hit OK. So if I do that and I return to this computer here, I should be able to get an IP. So if I do ip dhcp, it's going to be discover, offer, request, acknowledgment. Yes, I have an IP, so I can ping 192.168.10.1, no problem with that. So I'm good from here. I'm going to do the same thing quickly on site number two. So site number two, Network, Interfaces: port number one is our WAN port and it has the role of WAN, with an IP of 30.0.0.1/8, and that's it. Port number 10 is my MGMT, or management port, no specific role, and that's it. And port number two is my LAN port, gonna name it LAN and give it the role of LAN, give it an IP address manually of 192.168.20.1 with /24. All right, so I can enable HTTPS, ping, no SSH, I don't need it, and a DHCP server, and I'll hit OK to save that. Let's go back into the topology and go in PC number two at site number two, do ip dhcp here, we should be able to get an IP. Hi Bea Banker, hi Sales, I hope you're doing well. So we have another IP, we have an IP for our device that is here, and I can also just confirm that I can ping 192.168.20.1. I'm able to ping that.

So there's one thing that I want to show you here. So if I come here on site number one and do get router, I want to see the routing table on this device here: get router info routing-table all. So you can see that the default gateway is 10.35.0.1, which goes out through the management port here. So I don't want that; I want it to go out through the port going to the Cisco switch, or our ISP. So I'll need to kill this entry here and create a new static route for the static IP, I mean for the default gateway. So I'm on site one. What I have to do is go under the interface where we have that static default gateway, the management port on number one, and what I need to do
is remove this option here. If you come down here you can see "Retrieve default gateway from server". I will say no, so that will remove the static route that we have for the default gateway. Let me do the same thing on site number two: come here and say no. So if I do that, if you go back to the FortiGate, go back to the CLI, do the same command, you can see that now we don't have a default gateway; now we don't have a static route for the internet. So I can go inside the FortiGate and add a new static route, under Network, Static Routes. I'm going to add a new static route to say everything going out for which we have no specific destination, send that to 20.0.0.2, and 20.0.0.2 is the IP of this router here, this is what we have on this port. So we're just pointing it out to the Cisco port number one, and that's it. I'm going to hit OK. If I go back here and do the same command, you can see that our default gateway changed; it's now pointing to 20.0.0.2. So that's it for site number one. I'll do the same thing for site number two: I'm going to go under the management interface, already done here, so I can go under Static Routes and create a new route and send it to 30.0.0.2 on WAN, and that's it. So we should be good. If you want to see the routing from the GUI, you can go under Dashboard, Network, Routing; if you hit here you can see all the details that I just showed you: this is the default route, the static route, these are all the different routes depending on the interfaces that we have enabled or connected to our router. Hi Frankie Bala, hi everybody on Facebook, I hope it's going well over there.

All right, so let's go back to the topology, and the next thing I want to do is maybe just make sure we have access to the internet through the Cisco. I can go under site one and do execute ping 8.8.8.8; it should be able to go out, if not we may need to troubleshoot a little bit here. It's not going out, we don't know why. Let's see, can I ping 20.0.0.2, which is my next hop? Yes, I can ping it. Why can I not ping the internet? Okay, now I can ping the internet from number one here. It's kind of unstable because it's the GNS3 environment, but at least if I do execute traceroute you can see that I send the packets to the Cisco router, which is playing the role of my ISP right now. So that works without any problem. If you have any questions you can leave them in the chat, and also please help me share the video. I do this for you, I do this to share knowledge, so make sure you like the video first on YouTube, and also share the link either on Facebook or any social media so that we can have a bigger audience here, and that would be great. So we can go out to the internet, and if I want to verify the NAT translations I can do show ip nat translations; it's going to show me what I'm translating here. So let me go and ping from site number two as well: execute ping 30.0.0.2. I ping that without any problem, and if I want to ping 8.8.8.8 I should be able to ping that. Yes, it's also going through, so we are good. And if I want to see the translations, I'm going to see both of the translations from the 195, and we should have, okay, so 195 is our port going out, so we are translating everything from 20 and from 30.

So these are the two devices that we have, and we do NAT overload on the Cisco switch, so we are definitely using this one as our internet connection right now. Let me move this back here. Okay, that's good. So now the next step is just to make sure that we have connectivity between these two sites. So we need to make sure that site number one is able to reach site number two on port 1, and if we have that, then we will be able to establish a site-to-site VPN between these two here. Because right now, if I go in PC number one, PC number one is this one here, so this is PC number one, PC number two. So if I go inside PC number one we can see that if I'm trying to ping, okay I already, yeah, if I'm trying to ping 192.168.20.1, or .2, on the other side, I am not able to ping it. Why? Because I don't have a link going there. All I know is my default gateway. I also know how to go to the internet. I don't know if I can go to the internet from here, because I have no policy configured. I can do that quickly, just for fun. Let's go on site one. We can go under Policy and create a new policy. As you can see right now we only have, why does it take this much time, okay, we only have this implicit deny. So I can add a new policy and say LAN to internet, and it's going to come from the LAN port going out to the WAN port. The source is going to be, it should be, I mean, anything, we don't have to be restrictive, this is a lab, so let's just go source all, destination all. So everything that's connected here can come in, but we should be able to specify; if I had created an object for the address on port number two that could have been specified here, but this is also just fine. And I need to NAT, and that's it, field required, okay, services all. I may need to create one for the traffic that is coming back from the internet, but let's see with what we have here if we can ping the internet. Yes, we can ping the internet, so
the return traffic will just be allowed by default. So it's timing out; I'm pretty sure it's just some stability issue, but it shouldn't be a problem. Do we need the one coming back? I don't think so. Let's do internet to LAN, incoming WAN. No, I think this is not good, we don't need this, because this will actually open the port out from the internet to our LAN. Let's just do it, it's a lab anyway. So I'll just grab all and all and all, and yes. So let's try. Yeah, it wasn't about the policy, it's more about the lab itself, but we at least had a ping here, which is good. So we have another ping there, so I may need to restart my VM, but we are good. Even if I don't have this policy here I should have been fine. All right, so we can now see or test if we can ping from site one: can we ping 30.0.0.1? Execute ping, yes, we can ping the other side. From site two, execute ping 20.0.0.1. We can ping each other, so we are good.

All right, so what I want to do now is configure the site-to-site VPN. And one thing I want to mention is that all of this can be found online. You can find any kind of documentation online for any vendor if you know how to search for information. A good engineer is not somebody who knows everything, but you need to be somebody who has the basics at least; with the basics that you have, you are able to find a solution to any of your problems. So if I want to do site-to-site VPN I can just look it up on Google, and one of these links here, I think the one down here, this link is where it's all explained. They explain to you how to do site-to-site VPN. So even if you are studying right now, if you do my course or my training, some of the simple questions can be answered on your own; you just go and Google it, that's what you get. So we have this. I can also give you this link in the chat; this is where you get all the details on how to configure site-to-site VPN. That's what we're going to do now. So you have that on Facebook and YouTube. So I'm going to start here. What is this, why is it in, you know what, I don't need this, let me just delete this, because it's a security issue for us, so let's just kick it out.

Okay, to configure site-to-site VPN we need to go under VPN, IPsec Tunnels. We're going to create a new tunnel and it's going to be an IPsec tunnel. I can call it site-to-site going to site 2, because I'm in site one right now, I'm going to site two. What kind of VPN is it? Is it site to site, is it hub and spoke, is it remote access? Remote access is for remote clients that want to access the network, but right now we're trying to configure a site-to-site VPN, so we just keep this option. And we don't need to NAT; those VLANs or those subnets will be able to see each other, so we don't need to NAT the traffic for it to work. We can leave it just empty, and we're going to use a FortiGate on the other side. So I'm going to go next here. I need to put the remote IP of my router on the other end, or my firewall on the other end; it's going to be 30.0.0.1, and here it fills up automatically and shows port1. For the pre-shared key I'm going to use Cisco zero, just a fun pre-shared key that I need to use on both ends. You have many ways to do this: you can do it basically using a pre-shared key like I'm doing here, or you can do it using a digital certificate. Everything is documented here on the Cisco, on the Fortinet website. So here I have Cisco zero as the pre-shared key. I'll go next. What is my local interface that I want to connect to this tunnel? It's going to be the LAN interface. The subnet is here. What is the subnet on the other end? It's going to be 192.168, oh let's see, 168.20.0/24. And that's all I need, and I'll do next. These are the details of what I'm about to create, and I'll do create, and that's it, I have my VPN tunnel. If I come here under VPN Tunnels, or IPsec Tunnels, you can see the tunnel that I created, but everything is down because it's currently down on the other end. So I need to go on site two and do the same configuration. So on site 2 I am going to come here under VPN, IPsec Tunnels, create new tunnel, and I'm going to call it site-to-site for site one. It's going to be a site to site to a FortiGate. Next, what is the remote address? It's going to be 20.0.0.1, and the pre-shared key is Cisco 30, Cisco zero, just like I did. This is a joke, I meant to say Cisco zero, Fortinet one, but yeah, it's just for fun. So I have that here, and next, what is my local interface? It's the LAN, or port number two. The remote subnet is 192.168.10.0/24, and that should be it. Internet access: I don't want my internet traffic to go through the tunnel, I want it to just go out directly to the internet, so I'll leave it to none. And next, this is the summary of what I'm about to create for my IPsec tunnel, and if we come here we can see that it's inactive right now, because I don't have a tunnel on the other end. If I double click, or I click here, it's trying to go active, but it won't: both phase 1 and phase 2 are not active. So if you don't understand what's phase one and phase two, then you may need to go on kbtrainings.com and take my CCNA course that's available at kbtrainings.com; we cover all of that. So let's go back to our lab. So this is not coming up because it's down. I need to go here and confirm my tunnel by hitting create. So I hit create, I have a tunnel created over here. So if I come back on this side and do a right click, Bring Up, All Phase 2 Selectors, right now it should be up. If I come back on this end, I go under IPsec Tunnels, we can see that we have a tunnel that is currently up. If I double click on it, no, that's to
modify, but yeah, if I click on it we can, let's see, now we don't have to see the details. All right, so from here I am sure that my connection is up between the two PCs. So if I come back to PC1 and do the ping to 192.168.20.2, I am able to ping it on the other end. If I come here and do the ping to 192.168.10.2, that is on the other end, I'm able to ping it. And if we go back here you can see that if I refresh this we have some incoming data and some outgoing data; these are the things that I just did here, they went through the tunnel. If I go under Dashboard, Network, Routing, we can see that beside everything that we saw before we also have another entry here for the VPN tunnel site-to-site going to site number two. That is what we have active right now. So in enterprise it's very easy to have multiple tunnels on a single device. Like, I worked for an MSP in the past and we had a restaurant with a lot of sites, so all the sites needed to be connected to both of the data centers inside the company, so we had at least two IPsec tunnels going to the data centers, and we may create as many as we want, and the data center on the other end had a big router like the 100F or whatever, so that would be like a concentrator for all the VPN tunnels coming from the sites. So that's how you do it.

I think that's all I had for you today. If you have any questions you can leave them in the chat, I'll be able to answer, and I'll be glad to do it. And I just want to make sure that everything is good on the YouTube side as well. Thank you guys for being online with me. So we just did an IPsec tunnel between two sites using a FortiGate; we also threw in some Cisco in the mix just to make it a little more complex. But yeah, that's it for this lab guys, and I hope there's no question; if there's any question leave it in a comment, even later I can respond. But thank you for joining this live, and I'll see you at the next one, next Sunday, 2 p.m. my time, or 4 p.m. Eastern time, New York time. Thank you everybody, thank you Serge, and have a great rest of your day. Thank you crypto packet zero, that's a great username. All right, thank you guys, see you next time, take care.
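The site one side of the lab above (default route to the Cisco router, IPsec tunnel to 30.0.0.1, route and policies for the two LANs) as a FortiOS CLI configuration; this is an added example, not the video's own commands or Fortinet's documentation. The tunnel and address-object names, the IKEv2/AES-256/SHA-256/DH14 proposal, and the placeholder pre-shared key are assumptions; unlike the lab's all/all policies, these match only the two LAN subnets.

```fortios
# Added example for the site one FortiGate (not from the video).
# Names (to_site2, site1_lan, site2_lan) and the PSK are placeholders.

# Default route via the Cisco "ISP" router on port1, not via the MGMT port
config router static
    edit 1
        set device "port1"
        set gateway 20.0.0.2
    next
end

# Address objects so the tunnel policies match only the two LANs
config firewall address
    edit "site1_lan"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "site2_lan"
        set subnet 192.168.20.0 255.255.255.0
    next
end

# Phase 1: IKEv2, PSK authentication, AES-256/SHA-256, DH group 14 (assumed)
config vpn ipsec phase1-interface
    edit "to_site2"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 30.0.0.1
        set psksecret "REPLACE_WITH_LONG_RANDOM_SECRET"
    next
end

# Phase 2 selectors: site one LAN <-> site two LAN, PFS enabled
config vpn ipsec phase2-interface
    edit "to_site2_p2"
        set phase1name "to_site2"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

# Send the remote LAN into the tunnel interface (same name as phase 1)
config router static
    edit 2
        set dst 192.168.20.0 255.255.255.0
        set device "to_site2"
    next
end

# Policies in both directions between port2 (LAN) and the tunnel, no NAT
config firewall policy
    edit 1
        set name "lan_to_site2"
        set srcintf "port2"
        set dstintf "to_site2"
        set srcaddr "site1_lan"
        set dstaddr "site2_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 2
        set name "site2_to_lan"
        set srcintf "to_site2"
        set dstintf "port2"
        set srcaddr "site2_lan"
        set dstaddr "site1_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Verification from the CLI, matching what the GUI tunnel page shows:
#   diagnose vpn ike gateway list        (phase 1 state)
#   diagnose vpn tunnel list             (phase 2 SAs and counters)
#   get router info routing-table all    (route to 192.168.20.0/24 via to_site2)
```

Site two mirrors this with 20.0.0.1 as remote-gw, the subnets swapped, and its default route pointing at 30.0.0.2.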
Info
Channel: KBTrainings
Views: 3,097
Keywords: kbtrainings, kb trainings, kb training, cisco, ccna, ccnp, ccie, networking, security, routing, switching, nas, qnap, vpn, site to site, configuration, fortios
Id: GUwCYt-K5_s
Length: 47min 25sec (2845 seconds)
Published: Mon Aug 14 2023