Basic VPN Configuration

Posted on September 20, 2011

In this example I configured a site-to-site VPN between two Fortigate boxes. It is a route-based (interface mode) VPN, not a policy-based one: phase 1 creates a tunnel interface, and static routes plus ordinary firewall policies decide what goes through it.
Everything from the inside network is routed through the tunnel here, so myfirewall3 has no separate default route to the Internet.

Topology:

ntp server and syslog server
192.168.1.159/24
|
192.168.1.1/24 (internal)
myfirewall3
3.3.3.1/24 (wan)
|
3.3.3.2
router
2.2.2.2
|
2.2.2.1 (wan)
myfirewall1

1.1 Upgrade to the latest version.

Our TFTP server is 192.168.1.100, and we assume the gateway already has an address in this network. TFTP offers no authentication or integrity protection, so keep the server on the trusted inside network and confirm the build number with get system status after the reboot.

FGT50B1111111111 # get system status
Version: Fortigate-50B v4.0,build0192,091222 (MR1 Patch 2)
Virus-DB: 9.00795(2008-12-08 15:09)
Extended DB: 0.00000(2003-01-01 00:00)
IPS-DB: 2.00593(2009-02-05 20:34)
FortiClient application signature package: 1.131(2009-12-22 19:16)
Serial-Number: FGT50B1111111111
BIOS version: 04000010
Log hard disk: Not available
Hostname: FGT50B1111111111
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 192
Release Version Information: MR1 Patch 2
System time: Fri Jan 28 05:33:43 2011
FGT50B1111111111 # execute restore image tftp FGT_50B-v400-build0194-FORTINET.out 192.168.1.100
This operation will replace the current firmware version!
Do you want to continue? (y/n)y
Please wait…
Connect to tftp server 192.168.1.100 …
################
Get image from tftp server OK.
Check
Firmware upgrade in progress … Done.

The System will be automatically rebooted

The system is going down NOW !!
Please stand by while rebooting the system.
FGT50B (14:15-10.01.2008)
Ver:04000010
Serial number:FGT50B1111111111
RAM activation
Total RAM: 256MB
Enabling cache…Done.
Scanning PCI bus…Done.
Allocating PCI resources…Done.
Enabling PCI resources…Done.
Zeroing IRQ settings…Done.
Verifying PIRQ tables…Done.
Enabling Interrupts…Done.
Boot up, boot device capacity: 64MB.
Press any key to display configuration menu…
……Reading boot image 1319595 bytes.
Initializing firewall…
System is started.

After that we need to log in again and check that the version is correct.

FGT50B1111111111 login: fwadmin
Password:
Welcome !
FGT50B1111111111 # get system status
Version: Fortigate-50B v4.0,build0194,100121 (MR1 Patch 3)
Virus-DB: 9.00795(2008-12-08 15:09)
Extended DB: 0.00000(2003-01-01 00:00)
IPS-DB: 2.00593(2009-02-05 20:34)
FortiClient application signature package: 1.131(2010-01-21 14:48)
Serial-Number: FGT50B1111111111
BIOS version: 04000010
Log hard disk: Not available
Hostname: FGT50B1111111111
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 194
Release Version Information: MR1 Patch 3
System time: Fri Jan 28 05:40:48 2011
FGT50B1111111111 #

1.2 Set the interfaces

1.2.1 Set the inside interface

FGT50B1111111111 # config system interface
FGT50B1111111111 (interface) # edit "internal"
FGT50B1111111111 (internal) # set ip 192.168.1.1 255.255.255.0
FGT50B1111111111 (internal) # set description "Inside interface"
FGT50B1111111111 (internal) # end

1.2.2 Set the outside interface (WAN link)

allowaccess decides which management services answer on the WAN address. ping, https and ssh are enabled here; http and telnet stay off because they are unencrypted. Whatever is enabled on wan1 is reachable from the whole Internet, so either limit the admin accounts to known source addresses with trusthost under config system admin, or remove https and ssh from wan1 once the tunnel is up and manage the box through it.

myfirewall3 # config system interface
myfirewall3 (interface) # edit "wan1"
myfirewall3 (wan1) # set mode static
myfirewall3 (wan1) # set ip 3.3.3.1 255.255.255.0
myfirewall3 (wan1) # set allowaccess ping https ssh
myfirewall3 (wan1) # end

1.2.3 WLAN (optional)

The WLAN interface is protected by WPA2 with a pre-shared key; the ENC value is the stored, encrypted form of the passphrase and appears here only as a placeholder. Disabling the SSID broadcast hides the name from casual scans but is not a security control; the passphrase is what protects the network.

config system interface
edit "wlan"
set vdom "root"
set ip 192.168.2.1 255.255.255.0
set allowaccess ping https
set type wireless
set wifi-ssid "Getoutofhere12"
set wifi-broadcast-ssid disable
set wifi-security WPA2
set wifi-passphrase ENC preshared key
next
end

1.3 Set admin password

Use a long, unique password. Administrative access can additionally be restricted to known source addresses with set trusthost1 <ip> <mask> on the same admin entry, which matters as soon as https or ssh are enabled on the WAN interface.

myfirewall3 # config system admin
myfirewall3 (admin) # edit admin
myfirewall3 (admin) # set password PasswordHere
myfirewall3 (admin) # end

1.4 Set hostname

FGT50B1111111111 # config system global
FGT50B1111111111 (global) # set hostname myfirewall3
FGT50B1111111111 (global) # end
myfirewall3 #

1.5 Time Setting

If possible we should use an internal NTP server. Correct time matters for the VPN: certificate validity checks fail with a wrong clock if certificates are used instead of a pre-shared key, and the firewall's logs can only be correlated with the syslog server if both agree on the time.

config system ntp
config ntpserver
edit 1
set server “192.168.1.159”
next
end
set ntpsync enable
set syncinterval 60
end

1.6 DHCP

1.6.1 On the inside

Even if we use dynamic IPs on the LAN, it is useful to leave some space for static addresses. The pool below starts at .30; .1 is the firewall itself, which leaves .2 to .29 (28 addresses) for static hosts.

myfirewall3 # config system dhcp server
myfirewall3 (server) # edit “internal_dhcp_server”
myfirewall3 (internal_dhcp_~e) # set default-gateway 192.168.1.1
myfirewall3 (internal_dhcp_~e) # set dns-server1 4.2.2.2
myfirewall3 (internal_dhcp_~e) # set dns-server2 4.2.2.1
myfirewall3 (internal_dhcp_~e) # set interface “internal”
myfirewall3 (internal_dhcp_~e) # set netmask 255.255.255.0
myfirewall3 (internal_dhcp_~e) # set end-ip 192.168.1.254
myfirewall3 (internal_dhcp_~e) # set start-ip 192.168.1.30
myfirewall3 (internal_dhcp_~e) # end

1.7 Routing

Two routes are required:
– a host route (/32) to the VPN peer via the WAN next hop, so that IKE (UDP 500/4500) and ESP leave through wan1 and are never pulled into the tunnel they are supposed to build
– a default route pointing at the VPN tunnel interface (possible once phase 1 exists, because the phase1-interface entry creates the interface)

The default distance is 10 and is not shown in the config unless it was changed. Route 2 has no dst, so it is 0.0.0.0/0; distance 5 makes it win over anything added later at the default distance. Because the only default route goes into the tunnel, there is no other path when the tunnel is down: the route over a down tunnel interface is withdrawn and the packets are dropped rather than leaving wan1 in the clear.

myfirewall3 # config router static
myfirewall3 (static) # edit 1
new entry '1' added
myfirewall3 (1) # set device "wan1"
myfirewall3 (1) # set dst 2.2.2.1 255.255.255.255
myfirewall3 (1) # set gateway 3.3.3.2
myfirewall3 (1) # set weight 50
myfirewall3 (1) # next
myfirewall3 (static) # edit 2
new entry '2' added
myfirewall3 (2) # set device "fortigw-311b"
myfirewall3 (2) # set distance 5
myfirewall3 (2) # set weight 50
myfirewall3 (2) # next
myfirewall3 (static) # end

1.8 Configuring syslog server

Severity debug forwards everything, which is useful while the tunnel is being built; switch to a less verbose level such as information afterwards. Syslog over UDP/514 is neither authenticated nor encrypted, which is acceptable here only because the server sits on the inside network.

myfirewall3 # config log syslogd setting
myfirewall3 (setting) # set status enable
myfirewall3 (setting) # set server 192.168.1.159
myfirewall3 (setting) # set port 514
myfirewall3 (setting) # set facility local7
myfirewall3 (setting) # end
myfirewall3 # config log syslogd filter
myfirewall3 (filter) # set severity debug
myfirewall3 (filter) # end

1.9 VPN Configuration

1.9.1 Phase 1

Phase 1 authenticates the peers and builds the IKE SA. The pre-shared key is the only authentication here, so use a long random secret and a different one per tunnel; the peer must have the same key, point remote-gw at 3.3.3.1 and offer at least one matching proposal. 3des-sha1 is kept only for compatibility with older peers; drop it and use aes128-sha1 or stronger when both ends support it. The entry name, fortigw-311b, becomes the name of the tunnel interface referenced by the routes and policies.

myfirewall3 # config vpn ipsec phase1-interface
myfirewall3 (phase1-interface) # edit fortigw-311b
myfirewall3 (fortigw-311b) # set interface "wan1"
myfirewall3 (fortigw-311b) # set proposal 3des-sha1 aes128-sha1
myfirewall3 (fortigw-311b) # set remote-gw 2.2.2.1
myfirewall3 (fortigw-311b) # set psksecret YourSecret
myfirewall3 (fortigw-311b) # next
myfirewall3 (phase1-interface) # end

1.9.2 Phase 2

Phase 2 negotiates the IPsec SA and its traffic selectors. Only src-subnet is set; dst-subnet stays at its default of 0.0.0.0/0, so any destination is allowed through the tunnel, which is what the default route in 1.7 relies on. The peer's selectors must be the mirror image (its source any, its destination 192.168.1.0/24), otherwise quick mode fails.

myfirewall3 # config vpn ipsec phase2-interface
myfirewall3 (phase2-interface) # edit "fortigw-311b-ph2"
myfirewall3 (fortigw-311b-ph2) # set phase1name "fortigw-311b"
myfirewall3 (fortigw-311b-ph2) # set proposal 3des-sha1 aes128-sha1
myfirewall3 (fortigw-311b-ph2) # set src-subnet 192.168.1.0 255.255.255.0
myfirewall3 (fortigw-311b-ph2) # next
myfirewall3 (phase2-interface) # end

1.10 Firewall Policy

The tunnel interface behaves like any other interface: once phase 1 and phase 2 exist, a firewall policy from internal to fortigw-311b is what actually lets traffic through. The policy below accepts everything with NAT disabled, so inside addresses are preserved across the tunnel. Sessions initiated from the remote site toward 192.168.1.0/24 need a second policy in the opposite direction (srcintf fortigw-311b, dstintf internal), and srcaddr/dstaddr all with service ANY should be narrowed once the tunnel is proven.

myfirewall3 # config firewall policy
myfirewall3 (policy) # edit 1
myfirewall3 (1) # set srcintf "internal"
myfirewall3 (1) # set dstintf "fortigw-311b"
myfirewall3 (1) # set srcaddr "all"
myfirewall3 (1) # set dstaddr "all"
myfirewall3 (1) # set action accept
myfirewall3 (1) # set schedule "always"
myfirewall3 (1) # set service "ANY"
myfirewall3 (1) # set nat disable
myfirewall3 (1) # next
myfirewall3 (policy) # end

The other Fortigate, myfirewall1, needs the matching configuration, mirrored rather than copied: remote-gw and the host route point at 3.3.3.1 via 2.2.2.2, the phase 2 selectors are swapped, and its static route into the tunnel covers 192.168.1.0/24 only. Only one side can send its default route into the tunnel; if both did, Internet-bound traffic would loop between the two firewalls, so myfirewall1 keeps a real default route to its provider and NATs the traffic arriving from the tunnel.
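As an added example (not from the original post), this is what that mirrored configuration looks like on myfirewall1 in the same CLI form. Assumed, because the post does not give them: myfirewall1's inside network 192.168.10.0/24, the tunnel name fortigw-50b, and that 2.2.2.2 is also this site's Internet gateway. Lines beginning with # are annotations, not CLI input, and the pre-shared key must be the same YourSecret as on myfirewall3.

```fortios
# Added example: myfirewall1 (the 2.2.2.1 side) mirroring myfirewall3.
# Assumed values (not in the post): LAN 192.168.10.0/24, tunnel name
# fortigw-50b, 2.2.2.2 as Internet gateway. '#' lines are annotations only.
config system global
    set hostname myfirewall1
end
config system interface
    edit "wan1"
        set mode static
        set ip 2.2.2.1 255.255.255.0
        set allowaccess ping
    next
    edit "internal"
        set ip 192.168.10.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
config vpn ipsec phase1-interface
    edit "fortigw-50b"
        set interface "wan1"
        set proposal aes128-sha1 3des-sha1
        set remote-gw 3.3.3.1
        set psksecret YourSecret
    next
end
config vpn ipsec phase2-interface
    edit "fortigw-50b-ph2"
        set phase1name "fortigw-50b"
        set proposal aes128-sha1 3des-sha1
        # Selectors are the reverse of myfirewall3's: local side is any
        # (default src-subnet 0.0.0.0/0), remote side is the 50B's LAN.
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
config router static
    # Host route to the peer so IKE and ESP leave via wan1, never via the tunnel.
    edit 1
        set device "wan1"
        set dst 3.3.3.1 255.255.255.255
        set gateway 2.2.2.2
    next
    # Only the remote LAN goes into the tunnel.
    edit 2
        set device "fortigw-50b"
        set dst 192.168.1.0 255.255.255.0
    next
    # This side keeps a real default route; a second default route into the
    # tunnel would loop site 3's Internet traffic between the two boxes.
    edit 3
        set device "wan1"
        set gateway 2.2.2.2
    next
end
config firewall policy
    # Site 3 hosts reaching this LAN, addresses preserved.
    edit 1
        set srcintf "fortigw-50b"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat disable
    next
    # This LAN reaching site 3.
    edit 2
        set srcintf "internal"
        set dstintf "fortigw-50b"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat disable
    next
    # Site 3's Internet traffic (it has no default route of its own) exits
    # here, source-NATed to 2.2.2.1.
    edit 3
        set srcintf "fortigw-50b"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
```

Policy 2 here only carries traffic if myfirewall3 also has a policy from fortigw-311b to internal; the post's single internal-to-tunnel policy on myfirewall3 covers sessions started from site 3 only. As on myfirewall3, the all/ANY policies are a starting point to prove the tunnel and should be narrowed to the hosts and services that are actually needed.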

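Added example, not part of the original post: the checks a practitioner would run on myfirewall3 once both sides are configured, with the expected results given as # annotations (not CLI input). The ping target 192.168.10.1 is an assumed address for myfirewall1's inside interface.

```fortios
# Added example: verifying the tunnel on myfirewall3. '#' lines are annotations.

# 1. Routing table: expect 2.2.2.1/32 via 3.3.3.2 on wan1 and 0.0.0.0/0 via
#    fortigw-311b. The tunnel route is present only while the tunnel is up.
myfirewall3 # get router info routing-table all

# 2. Phase 1: the gateway entry for fortigw-311b should be established and
#    show 3.3.3.1 <-> 2.2.2.1 as the IKE endpoints.
myfirewall3 # diagnose vpn ike gateway list

# 3. Phase 2: a selector 192.168.1.0/24 -> 0.0.0.0/0 with both an inbound
#    and an outbound SPI; no SPI means quick mode did not complete.
myfirewall3 # diagnose vpn tunnel list

# 4. End to end: source the ping from the inside address so the packet
#    matches the phase 2 selector (192.168.10.1 is an assumed peer address).
myfirewall3 # execute ping-options source 192.168.1.1
myfirewall3 # execute ping 192.168.10.1

# 5. If the tunnel does not come up, trace IKE, force a renegotiation, and
#    switch the debug off again when done.
myfirewall3 # diagnose debug application ike -1
myfirewall3 # diagnose debug enable
myfirewall3 # diagnose vpn ike gateway flush name fortigw-311b
myfirewall3 # diagnose debug disable
myfirewall3 # diagnose debug reset

# 6. Leakage check: toward the peer only UDP/500, UDP/4500 and ESP should be
#    visible on wan1; any inside address appearing here is unencrypted traffic.
myfirewall3 # diagnose sniffer packet wan1 'host 2.2.2.1' 4
```

Run step 1 before and after bringing the tunnel up: the 0.0.0.0/0 entry appearing only with the tunnel established confirms the fail-closed behaviour described in 1.7.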