Site-to-site IPsec VPN with two FortiGates


In this example, you will allow transparent communication between two networks that are located behind different FortiGates at different offices using route-based IPsec VPN. The VPN will be created on both FortiGates by using the VPN Wizard’s Site to Site – FortiGate template.

In this example, one office will be referred to as HQ and the other will be referred to as Branch.

Find this recipe for other FortiOS versions: 5.2 | 5.4 | 5.6

1. Configuring the HQ IPsec VPN

On the HQ FortiGate, go to VPN > IPsec Wizard.

Select the Site to Site template, and select FortiGate.

In the Authentication step, set IP Address to the IP of the Branch FortiGate (in the example, 172.20.120.135). After you enter the gateway, an available interface will be assigned as the Outgoing Interface. If you wish to use a different interface, select it from the drop-down menu.

Set a secure Pre-shared Key.

In the Policy & Routing step, set the Local Interface. The Local Subnets will be added automatically. Set Remote Subnets to the Branch FortiGate’s local subnet (in the example, 5.5.5.5/24).

A summary page shows the configuration created by the wizard, including firewall addresses, firewall address groups, a static route, and security policies.

2. Configuring the Branch IPsec VPN

On the Branch FortiGate, go to VPN > IPsec Wizard.

Select the Site to Site template, and select FortiGate.

In the Authentication step, set IP Address to the IP of the HQ FortiGate (in the example, 172.20.121.92). After you enter the gateway, an available interface will be assigned as the Outgoing Interface. If you wish to use a different interface, select Change.

Set the same Pre-shared Key that was used for HQ’s VPN.

In the Policy & Routing step, set the Local Interface. The Local Subnets will be added automatically. Set Remote Subnets to the HQ FortiGate’s local subnet (in the example, 10.10.10.1/24).

A summary page shows the configuration created by the wizard, including firewall addresses, firewall address groups, a static route, and security policies.
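The wizard builds the same objects on both FortiGates; seeing them as CLI config makes it easier to review what was created and to spot a mismatch between the two sides (mirrored subnets, same pre-shared key, same peer address). The block below is an added example written for this page, not output copied from the wizard or from Fortinet's documentation, and it shows the HQ side only. It assumes the outgoing interface is `wan1`, the LAN interface is `internal`, the tunnel is named `HQ-to-Branch`, the HQ and Branch subnets are the /24 networks containing the addresses given above (10.10.10.0/24 and 5.5.5.0/24), and the pre-shared key is a placeholder; the address groups the wizard also creates are left out for brevity.

```fortios
# Added example, HQ side (assumed names: wan1, internal, HQ-to-Branch)
config vpn ipsec phase1-interface
    edit "HQ-to-Branch"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256
        set remote-gw 172.20.120.135
        set psksecret <pre-shared key, same on both sides>
    next
end
config vpn ipsec phase2-interface
    edit "HQ-to-Branch"
        set phase1name "HQ-to-Branch"
        set proposal aes128-sha256 aes256-sha256
        set src-subnet 10.10.10.0 255.255.255.0
        set dst-subnet 5.5.5.0 255.255.255.0
    next
end
config firewall address
    edit "HQ-to-Branch_local"
        set subnet 10.10.10.0 255.255.255.0
    next
    edit "HQ-to-Branch_remote"
        set subnet 5.5.5.0 255.255.255.0
    next
end
config router static
    # route the Branch subnet into the tunnel interface
    edit 0
        set dst 5.5.5.0 255.255.255.0
        set device "HQ-to-Branch"
    next
    # blackhole with a high distance so Branch traffic is dropped, not
    # sent out the WAN in clear text, if the tunnel route disappears
    edit 0
        set dst 5.5.5.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
config firewall policy
    edit 0
        set name "vpn_HQ-to-Branch_local"
        set srcintf "internal"
        set dstintf "HQ-to-Branch"
        set srcaddr "HQ-to-Branch_local"
        set dstaddr "HQ-to-Branch_remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vpn_HQ-to-Branch_remote"
        set srcintf "HQ-to-Branch"
        set dstintf "internal"
        set srcaddr "HQ-to-Branch_remote"
        set dstaddr "HQ-to-Branch_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The Branch side is the mirror image: `remote-gw 172.20.121.92`, `src-subnet 5.5.5.0/24`, `dst-subnet 10.10.10.0/24`, and the static route and policies pointing at the HQ subnet. Two points worth checking after the wizard runs: the phase 2 selectors on each side must be exact mirrors or the tunnel negotiates but carries no traffic, and the generated policies permit `ALL` services in both directions, so narrowing `service` to what the offices actually exchange is a reasonable follow-up once connectivity is confirmed.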

3. Results

On either FortiGate, go to Monitor > IPsec Monitor to verify the status of the VPN tunnel. Right-click under Status and select Bring Up.

A user on either of the office networks should be able to connect to any address on the other office network transparently.

If you need to generate traffic to test the connection, ping the Branch FortiGate’s internal interface from the HQ’s internal network.
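The IPsec Monitor page has CLI equivalents that are handy when the tunnel shows as down or when you want to confirm which route traffic is actually taking. The commands below are an added example for this page, run from the HQ FortiGate; they assume the tunnel is named `HQ-to-Branch` and that 10.10.10.1 is the HQ internal interface address (both are assumptions, not values from the recipe). The Branch internal interface address is left as a placeholder.

```fortios
# Added example: verifying the tunnel from the HQ CLI (assumed tunnel name HQ-to-Branch)

# Phase 1 (IKE) gateway state and phase 2 SAs, same information as IPsec Monitor
diagnose vpn ike gateway list
diagnose vpn tunnel list name HQ-to-Branch

# Bring the tunnel up from the CLI, equivalent to right-click > Bring Up
diagnose vpn tunnel up HQ-to-Branch

# Confirm the Branch subnet is routed into the tunnel, not out the WAN
get router info routing-table all

# Generate traffic sourced from the HQ LAN, as the text suggests
execute ping-options source 10.10.10.1
execute ping <Branch internal interface IP>

# If phase 1 never comes up, capture IKE debug for this peer only
diagnose vpn ike log-filter dst-addr4 172.20.120.135
diagnose debug application ike -1
diagnose debug enable
# ... retry the ping, read the output, then stop the debug
diagnose debug disable
diagnose debug reset
```

In the routing-table output the 5.5.5.0/24 entry should list the tunnel interface as the outgoing device; if it shows the WAN interface instead, the static route the wizard created is missing or has a worse distance than another route, and the ping will leave the FortiGate unencrypted rather than through the tunnel. A phase 1 failure in the IKE debug is most often a pre-shared key mismatch or a peer address typed differently on the two sides.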

Adam Bristow

Technical Writer at Fortinet
Adam Bristow is a Technical Writer working for the FortiOS technical documentation team. He has an Honours Bachelor of Arts in English with a Minor in Film Studies and a graduate certificate in Technical Writing from Algonquin College. Stay tuned for more FortiOS Cookbook videos!
  • GJ

    Hello Adam,

    How do I access a remote subnet that is configured on a Layer 3 Cisco switch, not on a FortiGate interface?

    Suppose my HQ FortiGate internal interface (port1) IP is 192.168.10.254, which is connected to a Cisco Layer 3 switch (Gi0/1 – access VLAN 10, with the VLAN SVI at 192.168.10.1), and there are many VLANs configured on this Cisco L3 switch (IP routing enabled).

    Cisco L3 switch VLANs:

    VLAN 11 (Server) – 192.168.11.0/24 (SVI 192.168.11.1)
    VLAN 12 (User) – 192.168.12.0/24 (SVI 192.168.12.1)
    VLAN 13 (Voice) – 192.168.13.0/24 (SVI 192.168.13.1)

    Could you please explain how we can access the Server/User/Voice VLAN subnets from the Branch office subnet?

    The Branch office FortiGate has its internal (port1) IP 192.168.100.254, which connects to a Cisco Layer 2 switch. All the systems connected to this Cisco Layer 2 switch get their IP scope from the FortiGate firewall (port1) – subnet 192.168.100.0/24.

    Could you please explain how, in this scenario, I can access my HQ subnets from the Branch office subnet and vice versa? I appreciate your suggestions.

  • nguyễn duy thiện

    Dear Adam,
    I set up site-to-site with two FortiGates on 5.4, and I wonder whether we need to configure a static route for the IP range under Routing – Static Route, or whether it will be routed automatically.
    Thanks and regards

    • Kerrie Newton

      Hello nguyễn duy thiện,

      If you used the wizard to create the IPsec VPN tunnels, it would have automatically created the routes needed based on your configuration.

      Kerrie

  • tyler

    If the branch FortiGate sits behind a NAT device, how do you modify this recipe? I’ve seen examples in older versions that have different interfaces. Hoping for a straightforward recipe so I don’t have to hunt around to solve this.

  • Eric Woodman

    I would really like to see this configuration done with certificate authentication.

    • Victoria Martin

      Hello Eric,

      I have put site-to-site IPsec with certificate authentication on our to-do list.

  • Brian Willms

    I would like to set this up so that DNS works between HQ and Branch. I am currently able to ping by number, but would like name resolution to work both ways between them for apps that require UNC.

  • Darren Asher Haun

    How do you do a redundant ISP at the home office with remote FortiGates (single ISP)? I have redundant ISPs at the office (different IP networks) and remote clients. How do you configure the remote FG devices to use multiple IPs to look up and connect to the home office?

  • Hakim Mani

    Hi, will site-to-site VPN work with older FortiOS like v4?

  • Kristian Villapando

    Hi, will site-to-site IPsec VPN work with different FortiOS versions? 5.4.1 and 5.2.5?

    • Keith Leroux

      Hi Kristian,
      Yes it will, and the procedure is nearly identical for both releases.