Site-to-site IPsec VPN with two FortiGates


In this recipe, you create a route-based IPsec VPN tunnel to allow transparent communication between two networks that are located behind different FortiGates. The VPN will be created on both FortiGates using the VPN Wizard’s Site to Site – FortiGate template.

In this example, one FortiGate will be referred to as HQ and the other as Branch.

Find this recipe for other FortiOS versions
5.2 | 5.4 | 5.6

1. Configuring the IPsec VPN on HQ

On HQ, go to VPN > IPsec Wizard and create a new tunnel.

In the VPN Setup step, set Template Type to Site to Site and Remote Device Type to FortiGate.

In the Authentication step, set IP Address to the public IP address of the Branch FortiGate (in the example, 172.25.177.46).

After you enter the IP address, an available interface will be assigned as the Outgoing Interface. If you want to use a different interface, select it from the drop-down menu.

Set a secure Pre-shared Key.

In the Policy & Routing step, set Local Interface to LAN. The local subnet is added automatically. Set Remote Subnets to Branch’s local subnet (in the example, 192.168.13.0/24).


A summary page shows the configuration created by the wizard, including firewall addresses, static routes, and security policies.


2. Configuring the IPsec VPN on Branch

On Branch, go to VPN > IPsec Wizard and create a new tunnel.

In the VPN Setup step, set Template Type to Site to Site and Remote Device Type to FortiGate.

In the Authentication step, set IP Address to the public IP address of the HQ FortiGate (in the example, 172.25.176.142).

After you enter the IP address, an available interface will be assigned as the Outgoing Interface. If you want to use a different interface, select it from the drop-down menu.

Set the Pre-shared Key to the same key that was used for the VPN on HQ.


In the Policy & Routing step, set Local Interface to LAN. The local subnet is added automatically. Set Remote Subnets to HQ’s local subnet (in the example, 192.168.37.0/24).

A summary page shows the configuration created by the wizard, including firewall addresses, static routes, and security policies.
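The two wizard runs above produce mirror images of each other: the same pre-shared key and proposals, each side's remote gateway set to the other's public IP, and the phase 2 selectors (local/remote subnets) swapped. The script below is an added example, not part of the original recipe and not Fortinet's code. It builds both halves from one description, renders them as FortiOS CLI (the `vpn ipsec phase1-interface`, `phase2-interface` and `router static` keys are real; the tunnel names, interface names, proposal and the placeholder PSK are assumptions standing in for what the wizard generates), and checks the pair for the mismatches that most often keep a site-to-site tunnel down.

```python
"""Build the mirrored site-to-site IPsec configuration for two FortiGates
and check that the two halves agree.

Added example, not from the original recipe or from Fortinet. The FortiOS
CLI keys used are real, but the tunnel names, interface names, proposal
list and pre-shared key are assumptions for illustration."""

from dataclasses import dataclass

PSK = "example-psk-change-me"   # placeholder; use a long random key in practice
PROPOSAL = "aes256-sha256"      # assumed; both sides must share at least one proposal


@dataclass(frozen=True)
class Site:
    name: str          # HQ / Branch
    public_ip: str     # address the peer dials (from the recipe)
    wan_if: str        # outgoing interface (assumed name)
    lan_if: str        # local interface (assumed name)
    lan_subnet: str    # local subnet in CIDR (from the recipe)


HQ = Site("HQ", "172.25.176.142", "wan1", "lan", "192.168.37.0/24")
BRANCH = Site("Branch", "172.25.177.46", "wan1", "lan", "192.168.13.0/24")


def cidr_to_mask(cidr: str) -> str:
    """'192.168.37.0/24' -> '192.168.37.0 255.255.255.0' (FortiOS CLI form)."""
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return f"{net} {'.'.join(str((mask >> s) & 0xFF) for s in (24, 16, 8, 0))}"


def tunnel_config(local: Site, remote: Site, psk: str = PSK) -> dict:
    """Parameters one side needs; the peer gets the same call with sites swapped."""
    return {
        "tunnel": f"{local.name}-to-{remote.name}",   # assumed tunnel name
        "interface": local.wan_if,
        "remote_gw": remote.public_ip,
        "psk": psk,
        "proposal": PROPOSAL,
        "src_subnet": local.lan_subnet,
        "dst_subnet": remote.lan_subnet,
        "policy_srcintf": local.lan_if,
    }


def render_cli(cfg: dict) -> str:
    """Render the parameters as FortiOS CLI (key names real, object names assumed)."""
    t = cfg["tunnel"]
    return "\n".join([
        "config vpn ipsec phase1-interface",
        f'    edit "{t}"',
        f'        set interface "{cfg["interface"]}"',
        f'        set proposal {cfg["proposal"]}',
        f'        set remote-gw {cfg["remote_gw"]}',
        f'        set psksecret {cfg["psk"]}',
        "    next", "end",
        "config vpn ipsec phase2-interface",
        f'    edit "{t}"',
        f'        set phase1name "{t}"',
        f'        set proposal {cfg["proposal"]}',
        f'        set src-subnet {cidr_to_mask(cfg["src_subnet"])}',
        f'        set dst-subnet {cidr_to_mask(cfg["dst_subnet"])}',
        "    next", "end",
        "config router static",
        "    edit 0",
        f'        set dst {cidr_to_mask(cfg["dst_subnet"])}',
        f'        set device "{t}"',
        "    next", "end",
    ])


def check_mirror(a: dict, b: dict, a_public_ip: str, b_public_ip: str) -> list:
    """Return the mismatches that would stop the tunnel from coming up or passing traffic."""
    issues = []
    if a["psk"] != b["psk"]:
        issues.append("pre-shared keys differ (phase 1 authentication fails)")
    if a["proposal"] != b["proposal"]:
        issues.append("no common proposal")
    if a["remote_gw"] != b_public_ip or b["remote_gw"] != a_public_ip:
        issues.append("remote-gw does not point at the peer's public IP")
    if (a["src_subnet"], a["dst_subnet"]) != (b["dst_subnet"], b["src_subnet"]):
        issues.append("phase 2 selectors are not mirrored (traffic will not match)")
    return issues


if __name__ == "__main__":
    hq, br = tunnel_config(HQ, BRANCH), tunnel_config(BRANCH, HQ)
    print(render_cli(hq))
    print(render_cli(br))
    print("mismatches:", check_mirror(hq, br, HQ.public_ip, BRANCH.public_ip))
```

Run it as-is to print both sides' CLI and an empty mismatch list; change the PSK or a subnet on one side to see the corresponding failure named. The wizard also creates the firewall address objects and the two policies (LAN to tunnel and tunnel to LAN) that the summary page lists; those are left out here because their names depend on what you type into the wizard.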


3. Results

On either FortiGate, go to Monitor > IPsec Monitor to verify the status of the VPN tunnel. Right-click under Status and select Bring Up.

A user on either of the office networks should be able to connect to any address on the other office network transparently.

If you need to generate traffic to test the connection, ping Branch’s LAN interface from a device on HQ’s internal network.

Victoria Martin, Technical Writer & Head Cookbook Chef at Fortinet