
Site2Site IPSec VPN With Dynamic IP

Date post: 10-Apr-2015
Upload: charlih-chen
Description:
Fortigate to Fortigate IPSec VPN setup between two ADSL with Dynamic IP on each peers.
Page 1: Site2Site IPSec VPN With Dynamic IP

Fortinet Inc. 09-28006-0119-20100605 Page 1 of 15

Site-to-site IPSec VPN by using dynamic IP example

Technical Note

Site-to-site IPSec VPN by using dynamic IP example Technical Note

Document Version: Version 2

Publication Date: 24 August 2012

Description: This technical note features a detailed configuration example that demonstrates

how to set up a basic site-to-site IPSec VPN that uses preshared keys to

authenticate the two VPN peers.

Product: FortiGate v4.00 MR3

Document Number: 09-28006-0119-20100605


© Copyright 2012 Fortinet Inc. All rights reserved.

No part of this publication including text, examples, diagrams or illustrations

may be reproduced, transmitted, or translated in any form or by any means,

electronic, mechanical, manual, optical or otherwise, for any purpose, without

prior written permission of Fortinet Inc.

Site-to-site IPSec VPN by using dynamic IP example Technical Note

FortiGate v4.00 MR3

24 August 2012

09-28006-0119-20100605

Trademarks

Products mentioned in this document are trademarks or registered trademarks of their respective holders.


Contents

Network topology  4
  Infrastructure requirements  4
Setup Firewall-Address on FortiGate_1  5
  Define the IP/Netmask or FQDN  5
Setup Firewall-Address on FortiGate_2  6
  Define the IP/Netmask or FQDN  6
Configuring IPSEC VPN on FortiGate_1  7
  Define the phase 1 parameters  7
  Define the phase 2 parameters  8
Configuring IPSEC VPN on FortiGate_2  9
  Define the phase 1 parameters  9
  Define the phase 2 parameters  10
Define Policy and Router on FortiGate_1  11
Define Policy and Router on FortiGate_2  13
Finalize Policy and VPN  15


Site-to-site IPSec VPN by using dynamic IP example

This technical note features a detailed configuration example that demonstrates how to set up a basic

site-to-site IPSec VPN that uses preshared keys to

authenticate the two VPN peers. The following sections are included:

• Network topology

• Setup Firewall-Address on FortiGate_1

• Setup Firewall-Address on FortiGate_2

• Configuring FortiGate_1

• Configuring FortiGate_2

• Define Policy and Router on FortiGate_1

• Define Policy and Router on FortiGate_2

• Finalize

Network topology

In a site-to-site configuration, two FortiGate units create an IPSec tunnel between two separate

private networks. All traffic between the two networks is encrypted and protected by FortiGate

firewall policies. See Figure 1.

Figure 1: Example site-to-site configuration

  Site_1: FortiGate_1, WAN1 111.111.111.111 (us.dyndns.org), US Network 192.168.11.0/24 on Internal
  Site_2: FortiGate_2, WAN1 222.222.222.222 (tw.dyndns.org), TW Network 192.168.22.0/24 on Internal
  The two WAN1 interfaces reach each other across the Internet.

In the examples throughout this technical note, the network devices are assigned the IP addresses shown in Figure 1.

Infrastructure requirements

• The FortiGate units at both ends of the tunnel must be operating in NAT mode and have public IP addresses, either static or dynamic; a dynamic address is published under a hostname through the www.dyndns.org service.


Setup Firewall-Address on FortiGate_1

Define the IP/netmask or FQDN

To define the IP/netmask

1 Go to Firewall > Address > Address.

2-1 Select (Create New), enter the following information, and select OK:

Address Name Type a name for the local network (e.g., US_Network)

Type Subnet / IP Range

Subnet / IP Range 192.168.11.0/255.255.255.0

Interface Internal

2-2 Select (Create New), enter the following information, and select OK:

Address Name Type a name for the local network (e.g., TW_Network)

Type Subnet / IP Range

Subnet / IP Range 192.168.22.0/255.255.255.0

Interface WAN1(ADSL)

To define the FQDN

1 Go to Firewall > Address > Address.

2 Select (Create New), enter the following information, and select OK:

Address Name Type a name for the local network (e.g., TW_Network)

Type FQDN

FQDN tw.dyndns.org

Interface WAN1(ADSL)


Setup Firewall-Address on FortiGate_2

Define the IP/netmask or FQDN

To define the IP/netmask

1 Go to Firewall > Address > Address.

2-1 Select (Create New), enter the following information, and select OK:

Address Name Type a name for the local network (e.g., TW_Network)

Type Subnet / IP Range

Subnet / IP Range 192.168.22.0/255.255.255.0

Interface Internal

2-2 Select (Create New), enter the following information, and select OK:

Address Name Type a name for the local network (e.g., US_Network)

Type Subnet / IP Range

Subnet / IP Range 192.168.11.0/255.255.255.0

Interface WAN1(ADSL)

To define the FQDN

1 Go to Firewall > Address > Address.

2 Select (Create New), enter the following information, and select OK:

Address Name Type a name for the local network (e.g., US_Network)

Type FQDN

FQDN us.dyndns.org

Interface WAN1(ADSL)


Configuring FortiGate_1

Define the phase 1 parameters

Before you define the phase 1 parameters, you need to:

• Reserve a name for the remote gateway.

• Obtain the IP address of the public interface to the remote peer.

• Reserve a unique value for the preshared key (e.g. passkey1$).

The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters.

To define the phase 1 parameters

1 Go to VPN > IPsec > Auto Key (IKE).

2-1 Select (Create Phase 1), enter the following information, and select OK:

Gateway Name Type a name for the remote gateway (e.g., ToFortiGate2).

Remote Gateway Dynamic DNS

Dynamic DNS tw.dyndns.org

Local Interface WAN1(ADSL)

Mode Main (ID protection)

Authentication Method Preshared Key

Pre-shared Key Enter the preshared key (e.g., passkey$).

Peer Options Accept any peer ID

2-2 Select (Advanced…), enter the following information, and select OK:

Local Gateway IP Main Interface IP

P1 Proposal 1 - Encryption: 3DES, Authentication: SHA1; 2 - Encryption: 3DES, Authentication: MD5

DH Group 5

Keylife 28800

XAUTH Disable

NAT Traversal Enable

Keepalive Frequency 10

Dead Peer Detection Enable


Define the phase 2 parameters

The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1

configuration and specify the remote end point of the VPN tunnel. Before you define the

phase 2 parameters, you need to reserve a name for the tunnel.

To define the phase 2 parameters

1 Go to VPN > IPSEC > Auto Key (IKE).

2-1 Select (Create Phase 2), enter the following information and select OK:

Name Enter a name for the tunnel (e.g., ToFortigate2-ph2).

Phase 1 Select the gateway that you defined previously (e.g., ToFortigate2).

2-2 Select (Advanced…), enter the following information and select OK:

P2 Proposal 1 - Encryption: 3DES, Authentication: SHA1; 2 - Encryption: 3DES, Authentication: MD5

[v] Enable replay detection

[v] Enable perfect forward secrecy (PFS), DH Group: 5

Keylife Seconds 1800

Autokey Keep Alive Enable

Quick Mode Selector Source address: select 192.168.11.0/24 or US_NETWORK; Source port: 0; Destination address: select 192.168.22.0/24 or TW_NETWORK; Destination port: 0; Protocol: 0


Configuring FortiGate_2

Define the phase 1 parameters

Before you define the phase 1 parameters, you need to:

• Reserve a name for the remote gateway.

• Obtain the IP address of the public interface to the remote peer.

• Reserve a unique value for the preshared key (e.g. passkey1$).

The key must contain at least 6 printable characters and should only be known by

network administrators. For optimum protection against currently known

attacks, the key should consist of a minimum of 16 randomly chosen

alphanumeric characters.

To define the phase 1 parameters

1 Go to VPN > IPSEC > Auto Key (IKE).

2-1 Select (Create Phase 1), enter the following information, and select OK:

Gateway Name Type a name for the remote gateway (e.g., ToFortiGate1).

Remote Gateway Dynamic DNS

Dynamic DNS us.dyndns.org

Local Interface WAN1(ADSL)

Mode Main (ID protection)

Authentication Method Preshared Key

Pre-shared Key Enter the preshared key (e.g., passkey$).

Peer Options Accept any peer ID

2-2 Select (Advanced…), enter the following information, and select OK:

Local Gateway IP Main Interface IP

P1 Proposal 1 - Encryption: 3DES, Authentication: SHA1; 2 - Encryption: 3DES, Authentication: MD5

DH Group 5

Keylife 28800

XAUTH Disable

NAT Traversal Enable

Keepalive Frequency 10

Dead Peer Detection Enable


Define the phase 2 parameters

The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1

configuration and specify the remote end point of the VPN tunnel. Before you define the

phase 2 parameters, you need to reserve a name for the tunnel.

To define the phase 2 parameters

1 Go to VPN > IPSEC > Auto Key (IKE).

2-1 Select (Create Phase 2), enter the following information and select OK:

Name Enter a name for the tunnel (e.g., ToFortigate1-ph2).

Phase 1 Select the gateway that you defined previously (e.g., ToFortigate1).

2-2 Select (Advanced…), enter the following information and select OK:

P2 Proposal 1 - Encryption: 3DES, Authentication: SHA1; 2 - Encryption: 3DES, Authentication: MD5

[v] Enable replay detection

[v] Enable perfect forward secrecy (PFS), DH Group: 5

Keylife: Seconds 1800

Autokey Keep Alive Enable

Quick Mode Selector Source address: select 192.168.22.0/24 or TW_NETWORK; Source port: 0; Destination address: select 192.168.11.0/24 or US_NETWORK; Destination port: 0; Protocol: 0


Define Policy and Router on FortiGate_1

Define the firewall encryption policy

Firewall policies control all IP traffic passing between a source address and a

destination address. A firewall encryption policy is needed to allow the

transmission of encrypted packets, specify the permitted direction of VPN

traffic, and select the VPN tunnel that will be subject to the policy. A single

encryption policy is needed to control both inbound and outbound IP traffic

through a VPN tunnel.

Before you define the policy, you must first specify the IP source and

destination addresses. In a Site-to-site configuration:

• The source IP address corresponds to the private network behind the local FortiGate

unit.

• The destination IP address refers to the private network behind the remote VPN peer.

To define the firewall encryption policy for a policy-based VPN

1 Go to Firewall > Policy > Policy.

2 Select (Create New), enter the following information, and select OK:

Source Interface/Zone Internal

Source Address US_Network or 192.168.11.0/24

Destination Interface/Zone WAN1 (ADSL)

Destination Address TW_Network or 192.168.22.0/24

Schedule Always

Service ANY

Action IPSEC

VPN Tunnel 2Fortigate2

Allow inbound [v]

Allow outbound [v]

Inbound NAT Disable

Outbound NAT Disable

3 Place the policy in the policy list above any other policies having similar source and destination addresses.


To define the firewall encryption policy for a route-based VPN

1 Go to Firewall > Policy > Policy.

2 Select (Create New), enter the following information, and select OK:

Source Interface/Zone Internal

Source Address US_Network or 192.168.11.0/24

Destination Interface/Zone 2Fortigate2

Destination Address TW_Network or 192.168.22.0/24

Schedule Always

Service ANY

Action ACCEPT

Inbound NAT Disable

3 Select (Create New), enter the following information, and select OK:

Source Interface/Zone 2Fortigate2

Source Address TW_Network or 192.168.22.0/24

Destination Interface/Zone Internal

Destination Address US_Network or 192.168.11.0/24

Schedule Always

Service ANY

Action ACCEPT

Inbound NAT Disable

4 Place the policy in the policy list above any other policies having similar source and destination addresses.

5 Go to Router > Static.

6 Select (Create New), enter the following information, and select OK:

Destination IP / Mask 192.168.22.0/24

Device 2Fortigate2 (the tunnel interface created by the phase 1 definition)

Gateway Leave as default: 0.0.0.0

Distance Leave this as its default
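The FortiGate_1 GUI steps above (firewall addresses, phase 1, phase 2, the two route-based policies and the static route), collected as the equivalent FortiOS CLI configuration. This is an added example, not part of the Fortinet note: it assumes the physical interface names wan1 and internal from Figure 1, uses the interface-mode (route-based) form of the tunnel, and spells keywords as I recall them from FortiOS 4.0 MR3, so check each line with ? on your own unit before relying on it. The preshared key is a placeholder to be replaced by a value of at least 16 randomly chosen characters, as the note requires.

```text
# Added example, not from the Fortinet note. Assumes interfaces "wan1" and
# "internal"; the tunnel interface takes the phase 1 gateway name "ToFortiGate2".

config firewall address
    edit "US_Network"
        set associated-interface "internal"
        set subnet 192.168.11.0 255.255.255.0
    next
    edit "TW_Network"
        # no associated-interface: in route-based mode this address is used on
        # the tunnel interface, so binding it to wan1 would make it unusable there
        set subnet 192.168.22.0 255.255.255.0
    next
end

config vpn ipsec phase1-interface
    edit "ToFortiGate2"
        set type ddns                        # Remote Gateway: Dynamic DNS
        set interface "wan1"                 # Local Interface
        set remotegw-ddns "tw.dyndns.org"    # the peer's dynamic DNS name
        set mode main                        # Main (ID protection)
        set peertype any                     # Accept any peer ID
        set proposal 3des-sha1 3des-md5      # P1 proposals, in order of preference
        set dhgrp 5
        set keylife 28800
        set nattraversal enable
        set keepalive 10                     # NAT-T keepalive frequency
        set dpd enable                       # Dead Peer Detection
        set psksecret REPLACE_WITH_16_PLUS_RANDOM_CHARS   # placeholder PSK
    next
end

config vpn ipsec phase2-interface
    edit "ToFortiGate2-ph2"
        set phase1name "ToFortiGate2"
        set proposal 3des-sha1 3des-md5
        set replay enable                    # replay detection
        set pfs enable                       # perfect forward secrecy
        set dhgrp 5
        set keylifeseconds 1800
        set auto-negotiate enable            # Autokey Keep Alive
        set src-subnet 192.168.11.0 255.255.255.0   # quick mode selector, local
        set dst-subnet 192.168.22.0 255.255.255.0   # quick mode selector, remote
    next
end

config firewall policy
    edit 0                                   # 0 = next free policy ID
        set srcintf "internal"
        set dstintf "ToFortiGate2"
        set srcaddr "US_Network"
        set dstaddr "TW_Network"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "ToFortiGate2"
        set dstintf "internal"
        set srcaddr "TW_Network"
        set dstaddr "US_Network"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

config router static
    edit 0
        set dst 192.168.22.0 255.255.255.0
        set device "ToFortiGate2"            # route the remote subnet into the tunnel
    next
end
```

FortiGate_2 is the mirror image: swap the two subnets and address names, point remotegw-ddns at us.dyndns.org, and keep the proposals, DH group, keylifes and preshared key identical on both units, because any mismatch stops phase 1 or phase 2 from completing. With peertype any, the preshared key is the only thing that authenticates the peer behind a changing DDNS address, so its randomness carries the whole authentication; store it as carefully as an administrator password.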


Define Policy and Router on FortiGate_2

Define the firewall encryption policy

Firewall policies control all IP traffic passing between a source address and a

destination address. A firewall encryption policy is needed to allow the

transmission of encrypted packets, specify the permitted direction of VPN

traffic, and select the VPN tunnel that will be subject to the policy. A single

encryption policy is needed to control both inbound and outbound IP traffic

through a VPN tunnel.

Before you define the policy, you must first specify the IP source and

destination addresses. In a Site-to-site configuration:

• The source IP address corresponds to the private network behind the local FortiGate

unit.

• The destination IP address refers to the private network behind the remote VPN peer.

To define the firewall encryption policy

1 Go to Firewall > Policy > Policy.

2 Select (Create New), enter the following information, and select OK:

Source Interface/Zone Internal

Source Address TW_Network or 192.168.22.0/24

Destination Interface/Zone WAN1 (ADSL)

Destination Address US_Network or 192.168.11.0/24

Schedule Always

Service ANY

Action IPSEC

VPN Tunnel 2Fortigate1

Allow inbound [v]

Allow outbound [v]

Inbound NAT Disable

Outbound NAT Disable

3 Place the policy in the policy list above any other policies having similar source and destination addresses.


To define the firewall encryption policy for a route-based VPN

1 Go to Firewall > Policy > Policy.

2 Select (Create New), enter the following information, and select OK:

Source Interface/Zone Internal

Source Address TW_Network or 192.168.22.0/24

Destination Interface/Zone 2Fortigate1

Destination Address US_Network or 192.168.11.0/24

Schedule Always

Service ANY

Action ACCEPT

Inbound NAT Disable

3 Select (Create New), enter the following information, and select OK:

Source Interface/Zone 2Fortigate1

Source Address US_Network or 192.168.11.0/24

Destination Interface/Zone Internal

Destination Address TW_Network or 192.168.22.0/24

Schedule Always

Service ANY

Action ACCEPT

Inbound NAT Disable

4 Place the policy in the policy list above any other policies having similar source and destination addresses.

5 Go to Router > Static.

6 Select (Create New), enter the following information, and select OK:

Destination IP / Mask 192.168.11.0/24

Device 2Fortigate1 (the tunnel interface created by the phase 1 definition)

Gateway Leave as default: 0.0.0.0

Distance Leave this as its default


Finalize

Policy and VPN

To move the firewall encryption policy to the top of the list

1 Go to Firewall > Policy and select the internal -> wan1 policy.

2 Click Move To and move the policy to the very top. (If the policy is not at the top, a client PC at one site cannot ping addresses at the other site, because an earlier policy matches the traffic first.)

To Bring Up the site-to-site VPN

1 Go to VPN > IPSEC > Monitor and click Bring Up under Status.
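The same finalization done from the CLI of FortiGate_1, with the checks that confirm each layer is working. This is an added example and not part of the Fortinet note; the object names are the ones used in the added CLI configuration for FortiGate_1 (ToFortiGate2 and ToFortiGate2-ph2), 192.168.22.1 is an assumed host on the TW network, and the commands are FortiOS as I recall them, so confirm them with ? on your unit.

```text
# Added example, not from the Fortinet note. Run on FortiGate_1.

# Bring the tunnel up from the CLI (same effect as Bring Up on the monitor page)
diagnose vpn tunnel up ToFortiGate2-ph2 ToFortiGate2

# Phase 1: the gateway should be listed with the peer's current dynamic address;
# if the remote address is missing, check that tw.dyndns.org resolves from the unit
diagnose vpn ike gateway list

# Phase 2: the selector 192.168.11.0/24 -> 192.168.22.0/24 should show as established
diagnose vpn tunnel list

# Route-based only: 192.168.22.0/24 must point at the tunnel interface, not at wan1
get router info routing-table all

# End-to-end check; this fails while the encryption policy sits below a conflicting policy
execute ping 192.168.22.1

# For a tunnel that stays down, watch the IKE negotiation, then switch debugging off
# again so the console is not flooded:
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable
```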

SOURCE:

http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-ipsec-40-mr3.pdf

http://docs.fortinet.com/cookbook.html

