In this example I configured a site-to-site VPN between two FortiGate units. It is a route-based VPN, not a policy-based one, and all traffic is routed through the tunnel.
Topology:
ntp server and syslog server
192.168.1.159/24
|
192.168.1.1/24 (internal)
myfirewall3
3.3.3.1/24 (wan)
|
3.3.3.2
router
2.2.2.2
|
2.2.2.1 (wan)
myfirewall1
1.1 Upgrade to the latest version.
The TFTP server is at 192.168.1.100, and we assume the gateway already has an IP address in this network.
FGT50B1111111111 # get system status
Version: Fortigate-50B v4.0,build0192,091222 (MR1 Patch 2)
Virus-DB: 9.00795(2008-12-08 15:09)
Extended DB: 0.00000(2003-01-01 00:00)
IPS-DB: 2.00593(2009-02-05 20:34)
FortiClient application signature package: 1.131(2009-12-22 19:16)
Serial-Number: FGT50B1111111111
BIOS version: 04000010
Log hard disk: Not available
Hostname: FGT50B1111111111
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 192
Release Version Information: MR1 Patch 2
System time: Fri Jan 28 05:33:43 2011

FGT50B1111111111 # execute restore image tftp FGT_50B-v400-build0194-FORTINET.out 192.168.1.100
This operation will replace the current firmware version!
Do you want to continue? (y/n)y
Please wait…
Connect to tftp server 192.168.1.100 …
################
Get image from tftp server OK.
Check
Firmware upgrade in progress …
Done.
The System will be automatically rebooted
The system is going down NOW !!
Please stand by while rebooting th
FGT50B (14:15-10.01.2008)
Ver:04000010
Serial number:FGT50B1111111111
RAM activation
Total RAM: 256MB
Enabling cache…Done.
Scanning PCI bus…Done.
Allocating PCI resources…Done.
Enabling PCI resources…Done.
Zeroing IRQ settings…Done.
Verifying PIRQ tables…Done.
Enabling Interrupts…Done.
Boot up, boot device capacity: 64MB.
Press any key to display configuration menu…
……
Reading boot image 1319595 bytes.
Initializing firewall…
System is started.
After the reboot, log in again and check that the version is correct.
FGT50B1111111111 login: fwadmin
Password:
Welcome !
FGT50B1111111111 # get system status
Version: Fortigate-50B v4.0,build0194,100121 (MR1 Patch 3)
Virus-DB: 9.00795(2008-12-08 15:09)
Extended DB: 0.00000(2003-01-01 00:00)
IPS-DB: 2.00593(2009-02-05 20:34)
FortiClient application signature package: 1.131(2010-01-21 14:48)
Serial-Number: FGT50B1111111111
BIOS version: 04000010
Log hard disk: Not available
Hostname: FGT50B1111111111
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 194
Release Version Information: MR1 Patch 3
System time: Fri Jan 28 05:40:48 2011
FGT50B1111111111 #
1.2 Set the interfaces
1.2.1 Set the inside interface
FGT50B1111111111 # config system interface
FGT50B1111111111 (interface) # edit "internal"
FGT50B1111111111 (internal) # set ip 192.168.1.1 255.255.255.0
FGT50B1111111111 (internal) # set description "Inside interface"
FGT50B1111111111 (internal) # end
1.2.2 Set the outside interface (WAN Link)
myfirewall3 # config system interface
myfirewall3 (interface) # edit "wan1"
myfirewall3 (wan1) # set mode static
myfirewall3 (wan1) # set ip 3.3.3.1 255.255.255.0
myfirewall3 (wan1) # set allowaccess ping https ssh
1.2.3 Wlan (optional)
edit "wlan"
    set vdom "root"
    set ip 192.168.2.1 255.255.255.0
    set allowaccess ping https
    set type wireless
    set wifi-ssid "Getoutofhere12"
    set wifi-broadcast-ssid disable
    set wifi-security WPA2
    set wifi-passphrase ENC preshared key
next
1.3 Set Admin password
myfirewall3 # config system admin
myfirewall3 (admin) # edit admin
myfirewall3 (admin) # set password PasswordHere
myfirewall3 (admin) # end
1.4 Set hostname
FGT50B1111111111 # config system global
FGT50B1111111111 (global) # set hostname myfirewall3
FGT50B1111111111 (global) # end
myfirewall3 #
1.5 Time Setting
If possible, use an internal NTP server. A correct time setting is really important for the VPN.
config system ntp
    config ntpserver
        edit 1
            set server "192.168.1.159"
        next
    end
    set ntpsync enable
    set syncinterval 60
end
1.6 DHCP
1.6.1 On the inside interface
Even with dynamic addressing on the LAN, it is useful to leave room for static IPs. The pool below starts at .30, leaving 29 addresses for static use.
myfirewall3 # config system dhcp server
myfirewall3 (server) # edit "internal_dhcp_server"
myfirewall3 (internal_dhcp_~e) # set default-gateway 192.168.1.1
myfirewall3 (internal_dhcp_~e) # set dns-server1 4.2.2.2
myfirewall3 (internal_dhcp_~e) # set dns-server2 4.2.2.1
myfirewall3 (internal_dhcp_~e) # set interface "internal"
myfirewall3 (internal_dhcp_~e) # set netmask 255.255.255.0
myfirewall3 (internal_dhcp_~e) # set end-ip 192.168.1.254
myfirewall3 (internal_dhcp_~e) # set start-ip 192.168.1.30
myfirewall3 (internal_dhcp_~e) # end
1.7 Routing
Two routes are required:
– a host route to the VPN peer via the WAN gateway
– a route for all traffic to the VPN tunnel interface (possible once phase 1 and phase 2 of the VPN have been created)
The default distance is 10; it does not appear in the configuration unless it is changed.
myfirewall3 # config router static
myfirewall3 (static) # edit 1
new entry '1' added
myfirewall3 (1) # set device "wan1"
myfirewall3 (1) # set dst 2.2.2.1 255.255.255.255
myfirewall3 (1) # set gateway 3.3.3.2
myfirewall3 (1) # set weight 50
myfirewall3 (1) # next
myfirewall3 (static) # edit 2
new entry '2' added
myfirewall3 (2) # set device "fortigw-311b"
myfirewall3 (2) # set distance 5
myfirewall3 (2) # set weight 50
myfirewall3 (2) # next
myfirewall3 (static) # end
1.8 Configuring syslog server
myfirewall3 # config log syslogd setting
myfirewall3 (setting) # set status enable
myfirewall3 (setting) # set server 192.168.1.159
myfirewall3 (setting) # set port 514
myfirewall3 (setting) # set facility local7
myfirewall3 (setting) # end
myfirewall3 # config log syslogd filter
myfirewall3 (filter) # set severity debug
myfirewall3 (filter) # end
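On the receiving side (192.168.1.159 above), the facility and severity chosen here end up encoded in the syslog PRI of every line, and the log body is FortiGate's key=value layout. The following is an added example, not part of the original post: it decodes the PRI, parses the key=value body, keeps only lines arriving on the configured facility (local7) and pulls out IPsec tunnel-up/tunnel-down events for alerting. The sample lines are constructed, not real captures; the field names (devname, subtype, action, remip) follow the FortiGate convention but are assumptions here, as are the function names.

```python
import re

# RFC 3164 PRI = facility * 8 + severity; local7 is facility 23, so the
# post's "facility local7" + "severity debug" gives <191> on the wire.
FACILITY_NAMES = {16 + i: f"local{i}" for i in range(8)}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning",
                  "notice", "info", "debug"]
# FortiGate log bodies are key=value pairs; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_pri(line):
    """Split a syslog line into (facility, severity, body)."""
    m = re.match(r"<(\d{1,3})>(.*)", line, re.S)
    if not m:
        raise ValueError("no syslog PRI on line")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def parse_line(line):
    """Decode one line into a dict of its key=value fields plus the
    facility and severity names derived from the PRI."""
    facility, severity, body = parse_pri(line)
    rec = {k: q if q else u for k, q, u in _KV.findall(body)}
    rec["facility"] = FACILITY_NAMES.get(facility, str(facility))
    rec["severity"] = SEVERITY_NAMES[severity]
    return rec


def scan(lines, expected_facility="local7"):
    """Return (events, misrouted): tunnel-up/tunnel-down events as
    (devname, action, remip) tuples, and the devnames of lines that did
    not arrive on the facility the firewalls were configured to use."""
    events, misrouted = [], []
    for line in lines:
        rec = parse_line(line)
        if rec["facility"] != expected_facility:
            misrouted.append(rec.get("devname", "?"))
            continue
        if rec.get("subtype") == "vpn" and rec.get("action") in ("tunnel-up", "tunnel-down"):
            events.append((rec["devname"], rec["action"], rec.get("remip")))
    return events, misrouted


# Constructed sample lines in the FortiGate key=value layout (not real
# captures; the devid is the post's placeholder serial number).
SAMPLE_LINES = [
    '<189>date=2011-09-20 time=10:15:02 devname=myfirewall3 devid=FGT50B1111111111 '
    'type=event subtype=vpn level=notice vd=root action=tunnel-up tunnelid=1 '
    'remip=2.2.2.1 msg="IPsec tunnel status change"',
    '<191>date=2011-09-20 time=10:15:03 devname=myfirewall3 devid=FGT50B1111111111 '
    'type=event subtype=system level=debug vd=root msg="constructed debug entry"',
    '<189>date=2011-09-20 time=10:42:17 devname=myfirewall3 devid=FGT50B1111111111 '
    'type=event subtype=vpn level=notice vd=root action=tunnel-down tunnelid=1 '
    'remip=2.2.2.1 msg="IPsec tunnel status change"',
    # daemon.notice (3*8+5 = 29): another host sharing the same syslog server
    '<29>date=2011-09-20 time=10:42:18 devname=otherbox type=event subtype=vpn '
    'action=tunnel-down remip=10.0.0.1 msg="should be ignored"',
]

if __name__ == "__main__":
    events, misrouted = scan(SAMPLE_LINES)
    for ev in events:
        print("VPN event:", ev)
    print("lines on an unexpected facility from:", misrouted)
```

With severity set to debug the firewall sends everything, so the filter on the collector side is what keeps the tunnel events visible; the facility check is a cheap way to notice when a box has been reconfigured (or a different device is writing into the same stream).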
1.9 VPN Configuration
1.9.1 Phase 1.
myfirewall3 # config vpn ipsec phase1-interface
myfirewall3 (phase1-interface) # edit fortigw-311b
myfirewall3 (fortigw-311b) # set interface "wan1"
myfirewall3 (fortigw-311b) # set proposal 3des-sha1 aes128-sha1
myfirewall3 (fortigw-311b) # set remote-gw 2.2.2.1
myfirewall3 (fortigw-311b) # set psksecret YourSecret
myfirewall3 (fortigw-311b) # next
myfirewall3 (phase1-interface) # end
1.9.2 Phase 2.
myfirewall3 # config vpn ipsec phase2-interface
myfirewall3 (phase2-interface) # edit "fortigw-311b-ph2"
myfirewall3 (fortigw-311b-ph2) # set phase1name "fortigw-311b"
myfirewall3 (fortigw-311b-ph2) # set proposal 3des-sha1 aes128-sha1
myfirewall3 (fortigw-311b-ph2) # set src-subnet 192.168.1.0 255.255.255.0
myfirewall3 (fortigw-311b-ph2) # next
myfirewall3 (phase2-interface) # end
1.10 Firewall Policy
Once the VPN tunnel is up, the following policy should be applied to the tunnel interface:
myfirewall3 # config firewall policy
myfirewall3 # edit 1
myfirewall3 # set srcintf "internal"
myfirewall3 # set dstintf "fortigw-311b"
myfirewall3 # set srcaddr "all"
myfirewall3 # set dstaddr "all"
myfirewall3 # set action accept
myfirewall3 # set schedule "always"
myfirewall3 # set service "ANY"
myfirewall3 # set nat disable
myfirewall3 # next
myfirewall3 # end
The same configuration, with the addresses mirrored, is required on the other FortiGate firewall (myfirewall1).
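Most site-to-site failures come from the two ends not being exact mirrors: a remote-gw that does not match the peer's WAN address, a mistyped pre-shared key, or no proposal in common. The following is an added example, not code from the original post: it models what is typed on each box, renders the phase 1, phase 2, route and policy CLI for both sides in the shape of the transcripts above, and checks the pair for those mismatches before anything is pasted into a console. myfirewall3's values are taken from the post; myfirewall1's LAN subnet (192.168.10.0/24) and tunnel name (fortigw-50b) are not given there and are assumed, as are the data model and function names.

```python
from dataclasses import dataclass


@dataclass
class Gateway:
    """What is typed on one FortiGate end (field names are this example's own)."""
    hostname: str
    wan_ip: str        # address on wan1
    wan_gateway: str   # next hop on the WAN link: set gateway ...
    remote_gw: str     # phase1: set remote-gw ...
    lan_subnet: str    # phase2: set src-subnet ...
    tunnel: str        # phase1-interface name, reused as route/policy device
    proposals: tuple   # set proposal ... (same list for phase1 and phase2)
    psk: str           # set psksecret ... (placeholder below, as in the post)


# Same shape as the post's transcripts: phase1, phase2, the host route to the
# peer, the default route into the tunnel (distance 5) and the accept policy.
CLI_TEMPLATE = """\
config vpn ipsec phase1-interface
    edit "{tunnel}"
        set interface "wan1"
        set proposal {proposals}
        set remote-gw {remote_gw}
        set psksecret {psk}
    next
end
config vpn ipsec phase2-interface
    edit "{tunnel}-ph2"
        set phase1name "{tunnel}"
        set proposal {proposals}
        set src-subnet {lan_subnet}
    next
end
config router static
    edit 1
        set device "wan1"
        set dst {remote_gw} 255.255.255.255
        set gateway {wan_gateway}
    next
    edit 2
        set device "{tunnel}"
        set distance 5
    next
end
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "{tunnel}"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat disable
    next
end
"""


def render_cli(gw: Gateway) -> str:
    fields = dict(vars(gw))
    fields["proposals"] = " ".join(gw.proposals)
    return CLI_TEMPLATE.format(**fields)


def check_pair(a: Gateway, b: Gateway) -> list:
    """Mismatches that stop the two ends from negotiating or forwarding
    (an empty list means the pair is consistent)."""
    problems = []
    for local, peer in ((a, b), (b, a)):
        if local.remote_gw != peer.wan_ip:
            problems.append(f"{local.hostname}: remote-gw {local.remote_gw} "
                            f"is not {peer.hostname}'s wan1 {peer.wan_ip}")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if not set(a.proposals) & set(b.proposals):
        problems.append("no proposal in common")
    if a.lan_subnet == b.lan_subnet:
        problems.append("both sides use the same LAN subnet")
    return problems


# myfirewall3 as in the post; myfirewall1's LAN subnet and tunnel name are
# not given there and are assumed values.
MYFIREWALL3 = Gateway("myfirewall3", "3.3.3.1", "3.3.3.2", "2.2.2.1",
                      "192.168.1.0 255.255.255.0", "fortigw-311b",
                      ("3des-sha1", "aes128-sha1"), "YourSecret")
MYFIREWALL1 = Gateway("myfirewall1", "2.2.2.1", "2.2.2.2", "3.3.3.1",
                      "192.168.10.0 255.255.255.0", "fortigw-50b",
                      ("3des-sha1", "aes128-sha1"), "YourSecret")

if __name__ == "__main__":
    for gw in (MYFIREWALL3, MYFIREWALL1):
        print(f"### {gw.hostname}\n{render_cli(gw)}")
    print("problems:", check_pair(MYFIREWALL3, MYFIREWALL1) or "none")
```

Running it prints both configurations and an empty problem list; changing one remote-gw or the PSK on either side makes the check report it. The proposal set is kept as in the post so the output matches it, although on current firmware a practitioner would drop 3des-sha1 and leave only the AES proposal.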
Posted on September 20, 2011