Remote browsing using site-to-site IPsec VPN


In this recipe, you will configure a site-to-site, also called gateway-to-gateway, IPsec VPN between an office with Internet access restrictions (Remote Office) and an office without these restrictions (Head Office) so that the Remote Office can access the Internet through the Head Office, avoiding the restrictions.

To bypass this restriction, this example shows how to create a site-to-site VPN that connects the Remote Office FortiGate unit to the Head Office FortiGate unit and allows Remote Office staff to transparently browse to google.com using the Head Office’s Internet connection.

Note that both FortiGates run FortiOS firmware version 5.2.2 and have static IP addresses on Internet-facing interfaces. You will also need to know the Remote Office’s gateway IP address.

1. Configuring IPsec VPN on the Head Office FortiGate

In a real-world scenario, the Remote Office’s ISP, or something else in its local Internet path, may be blocking access to Google or to any other site.

On the Head Office FortiGate, go to VPN > IPSec > Wizard.

Name the VPN, select Site to Site – FortiGate, and click Next.

FGTHQVPNWizard1

Set the Remote Gateway to the Remote Office FortiGate IP address.

The Wizard should select the correct Outgoing Interface when you click anywhere else in the window. Depending on your configuration, you may have to manually set the outgoing interface.

Select Pre-shared Key for the Authentication Method.

Enter a pre-shared key then click Next.

FGTHQVPNWizard2

Under Policy & Routing, set the Local Interface to the interface connected to the Head Office internal network.

For Local Subnets, enter the subnet range of the Head Office internal network. Depending on your configuration, this may be set automatically by the wizard.

For Remote Subnets, enter the subnet range of the Remote Office internal network then click Create.

FGTHQVPNWizard3

The VPN Wizard informs you that a static route has been created, as well as two security policies and two address objects, which are added to two address groups (also created).

FGTHQVPNWizard4

Create a security policy to allow the Remote Office to have Internet access. Go to Policy & Objects > Policy > IPv4 and select Create New.

Set Incoming Interface to the VPN interface created by the VPN wizard and set Source Address to the remote office address group created by the VPN wizard.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to all.

Enable NAT and (optionally) enforce any company security profiles.

FGTHQVPNInternetAccessPolicy

2. Adding a route on the Remote Office FortiGate

On the Remote Office FortiGate, create a static route that forwards traffic destined for the Head Office FortiGate to the ISP’s Internet gateway.

(In this example, the Head Office FortiGate IP address is 172.20.120.154 so the destination IP/Mask is 172.20.120.154/255.255.255.0 and the ISP’s gateway IP address is 10.10.20.100.)

FGT-Remote-StaticRoute

3. Configuring IPsec VPN on the Remote Office FortiGate

On the Remote Office FortiGate, go to VPN > IPSec > Wizard.

Name the VPN, select Site to Site – FortiGate, and click Next.

FGTRemoteVPNWizard1

Set the Remote Gateway to the Head Office FortiGate IP address.

The Wizard should select the correct Outgoing Interface.

Select Pre-shared Key for the Authentication Method and enter the same Pre-shared Key as you entered in Step 1.

FGTRemoteVPNWizard2

Under Policy & Routing, set the Local Interface to the interface connected to the Remote Office internal network.

For Local Subnets, enter the subnet range of the Remote Office internal network.

For Remote Subnets, enter the subnet range of the Head Office internal network then click Create.

FGTRemoteVPNWizard3

The VPN Wizard informs you that a static route has been created, as well as two address groups and two security policies.

FGTRemoteVPNWizard4

Allow Internet traffic from the remote office to enter the VPN tunnel.

On the Remote Office FortiGate, go to Policy & Objects > Policy > IPv4.

Edit the outbound security policy created by the VPN Wizard.

Change the Destination Address to all so that the policy accepts Internet traffic.

FGT-Remote-Policy-Edit-All

4. Establishing the tunnel

On either FortiGate, go to VPN > Monitor > IPsec Monitor.

Right-click the newly created tunnel and select Bring Up.

BringTunnelUp

If the tunnel is established, the Status column will read Up on both FortiGates.

TunnelUp
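The recipe configures both units through the wizard; as an added example that is not part of the original recipe, here is the equivalent Remote Office routing and policy configuration in the FortiOS CLI, together with the Head Office Internet-access policy from step 1 and the tunnel check from step 4, using the addresses from step 2. Interface names (wan1, lan), tunnel names (ToHQ, ToRemote), the address-group names and the Remote Office LAN subnet 192.168.2.0/24 are assumed placeholders, as are two items the wizard fields above do not show: a default route through the tunnel so that Internet traffic is actually routed into it, and a phase 2 destination selector of 0.0.0.0/0, because traffic routed into a route-based tunnel that matches no phase 2 selector is dropped.

```fortios
# Remote Office FortiGate (assumed names: wan1 = ISP-facing, lan = internal, ToHQ = tunnel)
config router static
    # Step 2: keep the tunnel's own outer packets going to the ISP gateway
    edit 0
        set dst 172.20.120.154 255.255.255.0
        set gateway 10.10.20.100
        set device "wan1"
    next
    # Assumed: send everything else into the tunnel, preferred over the ISP default route
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "ToHQ"
        set distance 5
    next
end
config vpn ipsec phase2-interface
    # Assumed selector: destination must cover the Internet or Internet-bound packets are dropped
    edit "ToHQ"
        set phase1name "ToHQ"
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# Step 3: the wizard's outbound policy edited so its destination is all
config firewall policy
    edit 0
        set srcintf "lan"
        set dstintf "ToHQ"
        set srcaddr "RemoteOffice_local"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Head Office FortiGate: step 1's Internet-access policy with NAT (assumed names ToRemote, wan1)
config firewall policy
    edit 0
        set srcintf "ToRemote"
        set dstintf "wan1"
        set srcaddr "RemoteOffice_remote"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
# Step 4 check on either unit: SA state and the negotiated selectors
diagnose vpn tunnel list
```

Compare the selectors printed by the diagnose command with the phase 2 subnets above: if the destination selector only covers the Head Office LAN, browsing through the tunnel will fail even though the tunnel shows Up.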

5. Results

With the tunnel up, you can now visit google.com without being blocked, since the Internet traffic is handled by the Head Office FortiGate and the access restrictions on the remote FortiGate have been bypassed.

WebFilterBypassed

For further reading, check out IPsec VPN in the web-based manager in the FortiOS 5.2 Handbook.

Fortinet Technical Documentation

The pre-shared key is a credential for the VPN and should differ from the user’s password. Both FortiGates must have the same pre-shared key.