Site-to-site IPsec VPN with two FortiGates

In this example, you will allow transparent communication between two networks that are located behind different FortiGates at different offices using route-based IPsec VPN. The VPN will be created on both FortiGates by using the VPN Wizard’s Site to Site FortiGate template.

In this example, one office will be referred to as HQ and the other will be referred to as Branch.

1. Configuring the HQ IPsec VPN

On the HQ FortiGate, go to VPN > IPsec > Wizard and select Site to Site – FortiGate.

In the Authentication step, set the Branch FortiGate’s IP as the Remote Gateway (in the example, 172.20.120.142). After you enter the gateway, an available interface will be assigned as the Outgoing Interface. If you wish to use a different interface, select Change.

Set a secure Pre-shared Key.

In the Policy & Routing section, set Local Interface to your LAN interface. The Local Subnet will be added automatically. Set Remote Subnets to the Branch FortiGate’s local subnet (in the example, 192.168.50.0/24).

A summary page shows the configuration created by the wizard, including firewall addresses, firewall address groups, a static route, and security policies.

2. Configuring the Branch IPsec VPN

On the Branch FortiGate, go to VPN > IPsec > Wizard and select Site to Site – FortiGate.

In the Authentication step, set the HQ FortiGate’s IP as the Remote Gateway (in the example, 172.20.120.123). After you enter the gateway, an available interface will be assigned as the Outgoing Interface. If you wish to use a different interface, select Change.

Set the same Pre-shared Key that was used for HQ’s VPN.

In the Policy & Routing section, set Local Interface to your LAN interface. The Local Subnet will be added automatically. Set Remote Subnets to the HQ FortiGate’s local subnet (in the example, 192.168.100.0/24).

A summary page shows the configuration created by the wizard, including firewall addresses, firewall address groups, a static route, and security policies.

3. Results

A user on either of the office networks should be able to connect to any address on the other office network transparently.

If you need to generate traffic to test the connection, ping the Branch FortiGate’s internal interface from the HQ’s internal network.

Go to VPN > Monitor > IPsec Monitor to verify the status of the VPN tunnel. Ensure that its Status is Up and that traffic is flowing.

For further reading, check out Gateway-to-gateway configurations in the FortiOS 5.2 Handbook.

Victoria Martin

Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.

  • dgeeklord

    Hi,

    I am having trouble setting up a site-to-site IPsec VPN between a Checkpoint and a Fortinet FortiGate 110C. The challenge is on the FortiGate 110C end. Are there any help resources you can refer me to?
    Thanks

  • Arunkumar S

    Can we create a redundant tunnel if we have two different ISP connections?

  • Francisco Aguilar

    Hi, I’m having trouble pinging from HQ to Branch Office on a VPN IPsec dial-up tunnel. Why is this happening? I can ping from the Branch to the HQ but not from HQ to Branch. I have traffic up/down on the VPN.

    Thank you for your help!

    P.S. The HQ FortiGate is a 300B with the latest update and the Branch FortiGate is a 60B on 4.0 MR3 Patch 18.

  • Mik

    Hi sir. I’m new to firewalls. I have 2 Fortinet 30Es and am configuring a site-to-site VPN using a broadband wireless connection; does it work? What IP will I set as the remote gateway? The broadband gives me a DHCP address for the interface, which is a private IP. Thank you all.

    • Victoria Martin

      Hello Mik,

      In order to configure a site-to-site IPsec, the FortiGates will need to be able to connect to each other using public IPs. It sounds like you need to contact your ISP in order to get this set up.

  • Marzooq A

    What if I have multiple remote subnets? How will I add them?

  • Bibek Thapa

    Hi there, how can I create a site-to-site VPN using the CLI? Do you have predefined examples that you can send me?

    • Keith Leroux

      Hi Bibek, here’s some example CLI for phase1 and phase2 IPsec configuration (on one endpoint; the other endpoint configuration would be quite similar, with source and destination subnets reversed, most likely):

      config vpn ipsec phase1-interface
      edit <tunnel-name>
      set interface "wan1"
      set peertype any
      set dpd on-idle
      set wizard-type static-fortigate
      set remote-gw <remote-peer-public-ip>
      set psksecret ENC [hash]
      set dpd-retryinterval 5
      next
      end
      config vpn ipsec phase2-interface
      edit <tunnel-name>
      set phase1name <tunnel-name>
      set src-subnet 192.168.1.0 255.255.255.0
      set dst-subnet 192.169.1.0 255.255.255.0
      next
      end

      You then add your policies as required.

      Cheers~

      • Bibek Thapa

        Thanks a lot Keith! 🙂

  • Daniela Rivas

    Good afternoon everybody. Is it possible to configure a site-to-site IPsec VPN between two FortiGates when I have a mushroom traffic management device in the middle? Will it work normally?

  • Tanjil Borah

    How can I see that the packets are encapsulated and decapsulated in the VPN tunnel?

    • Taher Elbar

      Hi Tanjil,
      Wireshark packet capture is a good tool for that: capture the traffic on the wan1 interface and you will see it encrypted (cipher text); at the same time, capture the traffic on the LAN interface and you will see it decrypted (plain text).
      Regards,
      Taher.

      • Tanjil Borah

        Hi Taher,

        Thanks for your advice. My concern is whether there is any command on the Fortinet firewall which gives output similar to Cisco’s "show crypto ipsec sa".

        • Taher Elbar

          If you’re looking for SA information try this:
          diagnose vpn ike status summary
          diagnose vpn ike status detailed

          You can also type “diagnose vpn ike ?” for more available options.
          Regards,
          Taher.

          • Tanjil Borah

            Thanks for your support.

  • Chris Joe

    How do I configure a site-to-site VPN IPsec between HQ and Branch when both are using FortiGate firewalls?
    Both sides are configured with VLANs: Branch has VLANs 200, 201 and 209, and HQ has VLANs 100, 101, 110 and 109.
    Please let me know the way to do this.

    Thanks

    • Kerrie Newton

      Hello Chris,

      In order to route VLAN traffic across the tunnel you will need the following:

      – Phase2 (quick mode) selectors for each VLAN subnet.
      – Two policies allowing each VLAN to use the tunnel in both directions.
      – Static routes for each VLAN using the tunnel interface.

      For further assistance/troubleshooting please feel free to contact Fortinet Support

      How to work with Fortinet Support
      http://cookbook.fortinet.com/how-to-work-with-fortinet-support/

      Kerrie

  • Ziel Cassamo

    Good day, is it possible to configure a site-to-site IPsec VPN between a FortiGate and another router brand such as Linksys or Cisco, using the same steps above for the FortiGate? Will it work normally?

  • Keith Leroux

    Hello Jhon,

    Please see my reply to Shuy below for some helpful links.

    Cheers!

  • Jhon leon

    Same question: what about DDNS?

  • Shuy Rz

    What about using DDNS for the remote gateway instead of a public IP?

  • Andy

    That’s a great crib. How would it be done on 2 FortiGates on different firmware versions? Say 5.2.1 and v4mr3p18?

    • Keith Leroux

      Hi Andy,
      I’m going to work on this recipe pronto, and we hope to have it available online next week, so stay tuned! We will likely do a 5.2.1 to 5.0.0 configuration, with a note or two on 4.3.18, or some such variant.