
Creating a Fortigate VPN | Network & Security Blog


Creating a Fortigate VPN

May 28th, 2012 Daniel

Hello,

In this post I will show you how to create a policy-based Fortigate VPN (http://www.ipspace.eu/fortinet/creating-a-fortigate-vpn/). I will be using FortiOS version 4.0 MR3.

For the VPN tunnel we used the following topology:

(Topology diagram: http://www.ipspace.eu/wp-content/gallery/fortigate-vpn-policy-based/fortigate-topology_0.jpg)

Creating Fortigate VPN Steps:

I. Go to VPN > IPsec > Auto Key (IKE) and select “Create Phase 1”

(Screenshot: http://www.ipspace.eu/wp-content/gallery/fortigate-vpn-policy-based/fortigate-vpn-phase1-1.jpg)

II. Enter the following information in Phase 1

(Screenshot: http://www.ipspace.eu/wp-content/gallery/fortigate-vpn-policy-based/fortigate-vpn-phase1-2.jpg)

Name: Fortigate_VPN1 – This is a name to identify the VPN tunnel; you must remember this name, as it will appear when configuring Phase 2.

Remote Gateway – Enter the static IP of the VPN remote peer. In our example it is “2.2.2.2”.

Local Interface – Select the interface that has outside Internet access. In our case we picked “WAN1”. Note: This interface cannot be a loopback interface.

Mode: Main Mode

Authentication: Pre Shared Key – pick a shared key with more than 6 characters.


Click Advanced:

Select the P1 Proposals (we picked):

Encryption: 3DES

Authentication: MD5

DH Group: 2

Keylife: 28800

Local ID: <none>

XAUTH: Disabled

NAT Traversal: Disabled

Dead Peer Detection: Disabled – Note: please keep in mind to set this to disabled in case you are peering with another VPN vendor. I have found out that this can break the VPN tunnel.

Click “OK”

VPN Phase 1 has now been created successfully.

III. Now we need to create VPN Phase 2; below are the steps:

(Screenshot: http://www.ipspace.eu/wp-content/gallery/fortigate-vpn-policy-based/fortigate-vpn-phase2-1.jpg)

Name: Select a name that suits you; we picked “Phase2_Fortigate_VPN1”

Phase1: Select the name of the Phase 1 you created earlier. We picked “Fortigate_VPN1”

Encryption: 3DES

Authentication: MD5

Quick Mode Selector: This describes the IP ranges that you want to pass through the VPN.

As in the picture, we picked:

Source Address: 10.10.10.0/24, the network behind our Fortigate_1 VPN appliance.

Destination Address: 10.20.20.0/24, the network behind our Fortigate_2 VPN appliance.

IV. Define VPN Source Selectors

1. Create a firewall address, go to Firewall Objects > Addresses > Address and select “Create New“.

Enter the following information and press “OK“:

Address Name: Sales_Network

Subnet/IP Range: 10.10.10.0/24

2. Create another firewall address (for the network behind Fortigate 2): go to Firewall Objects > Addresses > Address and select “Create New“.

Enter the following information and press “OK“:

Address Name: Remote_Sales_Network

Subnet/IP Range: 10.20.20.0/24

V. Create a Firewall Policy on the Fortigate:

a. Go to Policy > Policy

b. Select Create New

c. Enter the following information and press “OK”

Source Interface/Zone – Select Internal

Source Address Name – Select “Sales_Network”

Destination Interface/Zone – Select WAN1

Destination Address Name – Select “Remote_Sales_Network”

Action – IPSEC

VPN Tunnel: Fortigate_VPN1

Select ONLY the following options: Allow Inbound and Allow Outbound

Everything should be up and running now.

Please let me know if you have any questions.


8 Responses to “Creating a Fortigate VPN”

1. Santosh Kumar Nayak (http://santoshnayak.in) says:

June 2, 2012 at 5:09 pm (http://www.ipspace.eu/fortinet/creating-a-fortigate-vpn/#comment-3631)

Can you please help me in blocking Google+ in Fortinet Firewall? I have already blocked Social Networking but it doesn’t get blocked by the Firewall.

Daniel (http://www.ipspace.eu) says:

June 2, 2012 at 5:22 pm (http://www.ipspace.eu/fortinet/creating-a-fortigate-vpn/#comment-3633)

Santhosh,

You can create a new URL filter, or add to an existing one the “plus.google.com” URL and mark it as blocked. Also please be careful that when applying the Web Filter, you also mark the inspection for HTTPS (as Google Plus could be using SSL).

Hope it helps.

Santosh Kumar Nayak (http://santoshnayak.in) says:

June 13, 2012 at 9:34 am (http://www.ipspace.eu/fortinet/creating-a-fortigate-vpn/#comment-3873)

Hi!!!!

I tried that also, it didn’t work. It works only if I set https (Deep Scan). But in this case all my websites are asking for certificates, even in Outlook also. Is there any other way?

Daniel (http://www.ipspace.eu) says:

June 15, 2012 at 8:11 pm (http://www.ipspace.eu/fortinet/creating-a-fortigate-vpn/#comment-4005)

So you added plus.google.com as a blocked URL and it didn’t work?

Please try something like this in the url filter:

url: .*dropbox\.com.*

type: regex

action: blocked

enable: yes (ticked)

I did not try this, but it should work. Please let me know the outcome.

Santosh Kumar Nayak (http://santoshnayak.in) says:

June 18, 2012 at 8:07 am (http://www.ipspace.eu/fortinet/creating-a-fortigate-vpn/#comment-4061)

Hi!

It works for other sites. But for Google Plus it doesn’t block.

If I give deep scanning then it blocks as Social Networking category. But for most of the sites it is getting certificate issues.

Is there any other solution?

2. Daniel (http://www.pc-howto.com) says:

June 11, 2012 at 10:53 am (http://www.ipspace.eu/fortinet/creating-a-fortigate-vpn/#comment-3813)

Hi!

Very nice description. You described the settings for one Fortigate. Is it right that I have to set up the remote sales network Fortigate the same way as the sales network Fortigate unit?

Thank you in advance!

Daniel (http://www.pc-howto.com) says:

June 13, 2012 at 6:33 am (http://www.ipspace.eu/fortinet/creating-a-fortigate-vpn/#comment-3868)

Well, now I can answer my question myself: YES!


3. Daniel (http://www.ipspace.eu) says:

July 8, 2012 at 5:41 pm (http://www.ipspace.eu/fortinet/creating-a-fortigate-vpn/#comment-4679)

Which IE browser are you using? IE9 works fine.
