FortiGate IPsec VPN Site to Site Configuration

FortiGate IPsec VPN Site to Site provides an authenticated, encrypted connection between two networks located in different locations, so that traffic between them crosses the internet without being readable or modifiable in transit. This is a crucial feature for businesses with remote offices; remote workers are covered by the remote access configuration later in this post. In this blog post, we’ll walk through how to configure a FortiGate IPsec VPN site-to-site tunnel and what to check once it is up.

Prerequisites:

  • Two FortiGate devices (FortiGate A and FortiGate B) with administrative access.
  • A public IP address on the internet-facing interface of each FortiGate. If one side sits behind a NAT device, UDP 500 and 4500 must be forwarded to it and NAT traversal left enabled; ESP (IP protocol 50) and UDP 500/4500 must not be filtered anywhere between the two public addresses.
  • Non-overlapping LAN subnets behind the two FortiGates, and a working default route to the internet on each. The routes into the tunnel itself are added in Step 5.

Step 1: Log in to the FortiGate Web Interface

  1. Open a web browser and enter the IP address of FortiGate A in the address bar.
  2. Log in with administrative credentials.

Step 2: Create Phase 1 Configuration on FortiGate A: Phase 1 (IKE) authenticates the two peers to each other and negotiates the keys that protect the rest of the exchange.

  1. Go to “VPN” > “IPsec Wizard” on FortiGate A.
  2. Select “Custom” for the VPN Template. This opens the full tunnel editor instead of the guided site-to-site template, so the route and firewall policies are not created for you (see Step 5).
  3. Configure the following Phase 1 settings:
    • Name: Give the VPN connection a name. It also becomes the name of the tunnel interface used in routes and firewall policies.
    • Remote Gateway: “Static IP Address”, with the public IP address of FortiGate B, so that only that peer can negotiate this tunnel.
    • Interface: Select the local interface connected to the internet.
    • Authentication Method: Pre-shared Key (PSK).
    • Pre-shared Key: Enter a long, random key that is unique to this pair of peers; the identical key must be entered on FortiGate B.
    • IKE Version: IKEv2, unless the peer only supports IKEv1.
    • Mode (IKEv1 only): Main Mode. Aggressive Mode sends the peer identity and the PSK-derived hash unencrypted, which exposes the key to offline guessing, and it is not needed between two static peers. IKEv2 has no mode setting.
    • Phase 1 Proposal: Define the encryption and authentication algorithms and the Diffie-Hellman group. Remove the weak entries (DES, 3DES, MD5, SHA1 and DH groups 1, 2 and 5) and keep a short list such as AES256-SHA256 with DH group 14 or higher (AES256GCM with IKEv2); at least one entry must also be present on FortiGate B.
    • Dead Peer Detection: enable it so that a peer that has gone away is detected and the tunnel is renegotiated instead of silently blackholing traffic.
  4. Click “Next” to save the Phase 1 settings.

Step 3: Create Phase 2 Configuration on FortiGate A: Phase 2 defines which traffic enters the tunnel (the local and remote subnets, also called traffic selectors) and the algorithms that encrypt that data.

  1. After saving the Phase 1 settings, click “Next” to configure Phase 2.
  2. Configure the following Phase 2 settings:
    • Phase 2 Name: Give it a name.
    • Local Address: Enter the local network subnet behind FortiGate A.
    • Remote Address: Enter the remote network subnet behind FortiGate B. These two values must be the exact mirror of what FortiGate B is configured with, otherwise Phase 2 fails even though Phase 1 is up.
    • Phase 2 Proposal: Define the encryption and authentication algorithms, again without DES, 3DES, MD5 or SHA1 (for example AES256-SHA256 or AES256GCM).
    • Perfect Forward Secrecy: leave it enabled, with the same Diffie-Hellman group as Phase 1, so that a compromised IKE key does not also expose earlier data keys.
    • Auto-negotiate: enable it so the tunnel is brought up and kept up without waiting for user traffic.
  3. Click “Next” to save the Phase 2 settings.

Step 4: Create Phase 1 and Phase 2 Configuration on FortiGate B: Repeat Steps 2 and 3 on FortiGate B with the corresponding settings. The pre-shared key, IKE version, mode and proposals must be identical on both sides, while the “Remote Gateway” (now the public IP of FortiGate A) and the “Local Address” and “Remote Address” subnets are reversed.

Step 5: Add the Route and Firewall Policies, then Bring Up the Tunnel:

The Custom template only creates the tunnel itself. Without a route and firewall policies no packet is ever sent into it, so the tunnel can show as up while nothing passes.

  1. On FortiGate A, go to “Network” > “Static Routes” and add a route for the remote subnet (behind FortiGate B) with the tunnel interface as the device. The tunnel interface carries the name given in Phase 1 and is listed under the internet-facing interface.
  2. Go to “Policy & Objects” > “Firewall Policy” (“IPv4 Policy” on older releases) and create two policies: one from the LAN interface to the tunnel interface, and one from the tunnel interface to the LAN interface. Use address objects for the two subnets rather than “all”, keep NAT disabled, restrict the services to what the sites actually need, and enable logging.
  3. Repeat the route and the two policies on FortiGate B with the subnets reversed.
  4. Bring the tunnel up from “VPN” > “IPsec Tunnels” (select the tunnel and choose “Bring Up”), or simply send traffic from a host on one LAN to a host on the other; with auto-negotiate enabled it also comes up on its own.

Step 6: Monitor and Troubleshoot:

  1. Check the tunnel status under “Monitor” > “IPsec Monitor” (on newer releases the IPsec widget under “Dashboard” > “Network”; older releases list it under “VPN” > “Monitor” > “IPsec Monitor”). Both Phase 1 and Phase 2 should show as up.
  2. If Phase 1 never comes up, confirm that UDP 500/4500 and ESP reach the peer, that the pre-shared key, IKE version and Phase 1 proposals match on both sides and, for IKEv1, that both sides use Main Mode. If Phase 1 is up but Phase 2 is not, the Phase 2 proposals or the local/remote subnets do not mirror each other.
  3. If the tunnel is up but traffic does not pass, check that the static route points the remote subnet at the tunnel interface and that firewall policies exist in both directions. VPN negotiation events are logged under “Log & Report” > “Events”, and blocked traffic shows up in the traffic log with the policy that denied it.
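The CLI checks behind those three cases, as an added example that is not part of the original post. The tunnel named to_siteB with Phase 2 to_siteB_p2 on interface wan1, the peer 203.0.113.2 and a remote host 10.2.0.1 are assumed values; substitute your own.

```fortios
# 1. Status of every tunnel, then IKE (Phase 1) and IPsec (Phase 2) detail.
get vpn ipsec tunnel summary
diagnose vpn ike gateway list
diagnose vpn tunnel list
# Force a negotiation without waiting for traffic (phase2 name, then phase1 name).
diagnose vpn tunnel up to_siteB_p2 to_siteB

# 2. Trace the IKE negotiation with one peer; every proposal mismatch,
#    wrong PSK or selector mismatch is printed here. Stop it when done.
#    (FortiOS 6.x uses: diagnose vpn ike log-filter dst-addr4 203.0.113.2)
diagnose vpn ike log filter rem-addr4 203.0.113.2
diagnose debug application ike -1
diagnose debug console timestamp enable
diagnose debug enable
# ... reproduce the problem, then:
diagnose debug disable
diagnose debug reset

# 3. Tunnel up but no traffic: does the route really point into the tunnel,
#    and is IKE/ESP actually leaving and arriving on the WAN side?
get router info routing-table details 10.2.0.1
diagnose sniffer packet wan1 'host 203.0.113.2 and (port 500 or port 4500 or proto 50)' 4
```

Read the debug output for the peer’s answer rather than the local side’s intent: “no proposal chosen” is a proposal or DH group mismatch, a Phase 1 that authenticates but then fails on the child SA is a selector mismatch, and a trace that shows packets sent with nothing ever received points at filtering between the two public addresses, which the sniffer line then confirms.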

That’s it! You should now have a functioning FortiGate IPsec VPN site-to-site connection between the two locations. Ensure that your firewall policies allow traffic to flow over the VPN tunnel, and test the connectivity between the remote networks.

FortiGate Remote Access IPsec VPN Configuration

In today’s digital era, remote access is a fundamental requirement for businesses, but every remote access path is also an entry point for attackers, so how the VPN authenticates its users matters as much as how it encrypts. This section sets up a client-to-site (dialup) IPsec VPN on the FortiGate, where remote users connect with FortiClient over the internet and are authenticated individually rather than by a shared key alone.


1. Access the FortiGate Web Interface:
Connect to your FortiGate firewall’s web interface using a web browser. Enter the IP address of the FortiGate in the address bar and log in with administrator credentials.
2. Create VPN Users and a User Group:
Navigate to “User & Device” > “User Definition” (“User & Authentication” on newer releases) and create the remote users, either as local users with a password or as a remote server (LDAP or RADIUS) so that existing directory accounts and their MFA are used.
Navigate to “User & Device” > “User Groups.”
Click on “Create New.”
Name the group (e.g., “VPN_Users”).
Add the remote users (or the remote server) to this group. This group is what the tunnel will use to authenticate each user individually, and removing a user from it is how you revoke that user’s access.
3. Configure the VPN Tunnel:
Navigate to “VPN” > “IPsec Wizard.”
Enter a name for the VPN tunnel, select the “Remote Access” template and the client type (FortiClient), and click “Next.” (The equivalent in the “Custom” editor is a Remote Gateway of “Dialup User.”)
Select the internet-facing (WAN) interface as the incoming interface.
Choose “Pre-shared Key” for authentication and create a long, random PSK; make note of it, because every remote client must be configured with it.
Select the user group created in step 2. A PSK shared by all clients only proves that a client knows the gateway key; the group is what makes each user present their own credentials (XAuth with IKEv1, EAP with IKEv2), and it is what lets you revoke a single user without re-keying every client.
Configure the local interface and the local subnets that clients may reach, the client address range the FortiGate assigns to connecting clients (it must not overlap any internal subnet), and the DNS servers to push to clients.
If you used the “Custom” editor instead, also set the Phase 1 and Phase 2 proposals as in the site-to-site configuration above, without DES, 3DES, MD5, SHA1 or DH groups 1, 2 and 5.
Click “Next” and review your settings.
Click “Finish” to create the VPN tunnel. The “Remote Access” template also creates an address object for the client range and a firewall policy from the tunnel to the local interface; review and tighten them in the next step.
4. Configure the Firewall Policies:
Navigate to “Policy & Objects” > “Firewall Policy” (“IPv4 Policy” on older releases).
Create, or review, the policy for traffic from the VPN to the internal network. Set the source interface to the VPN tunnel interface (it carries the tunnel name).
Set the destination interface to the internal network.
Set the source address to the client address range object and the destination address to the internal subnets clients may reach; limit the services to what remote users actually need rather than “ALL.”
Set the action to ACCEPT, leave NAT disabled, and enable logging so that VPN sessions are visible in the traffic log.
5. Configure DNS Settings (optional):
If remote users should resolve internal hostnames, the DNS servers are pushed to the client when the tunnel is established (IKE mode-config); they are not taken from the FortiGate’s own resolver settings. In the “Remote Access” template set the DNS Server to your internal DNS servers (choosing “Use System DNS” instead pushes whatever is configured under “Network” > “DNS”); in the “Custom” editor the same values sit in the tunnel’s client address settings.
Make sure the firewall policy from the VPN allows DNS (UDP and TCP port 53) to those servers.
6. Configure NAT (optional):
NAT on the FortiGate is a per-policy setting, and for VPN traffic it is normally left disabled so that internal hosts and logs see each client’s tunnel address. Enable NAT on the VPN-to-internal policy only if internal hosts have no route back to the client address range (for example on a segment whose gateway is not the FortiGate); with central NAT enabled, the same is done with a rule under “Policy & Objects” > “Central SNAT.”
7. Configure User Authentication:
Remote VPN users are not FortiGate administrators, so do not create them under “System” > “Administrators”; an account there grants management access to the firewall itself. VPN users live under “User & Device” > “User Definition” and belong to the group from step 2.
Open the tunnel under “VPN” > “IPsec Tunnels” and confirm that the user group is bound to it (XAuth for IKEv1, EAP for IKEv2). A client that presents the correct PSK but no valid user credentials must be refused.
8. Configure VPN Client:
On the remote client side, configure the VPN client software (e.g., FortiClient) with the FortiGate’s public IP address or hostname and the Pre-shared Key you created earlier, and select the same IKE version as the tunnel. The user then signs in with the username and password from step 2 each time they connect; with IKEv1 that prompt is XAuth, with IKEv2 it is EAP.
9. Test the Connection:
Connect the remote client to the FortiGate using the configured VPN settings.
Verify that the connection is established successfully.
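The whole remote-access procedure entered from the FortiOS CLI, as an added example that is not part of the original post. It uses IKEv2 with EAP so that every user authenticates with their own credentials on top of the gateway pre-shared key. The interface names (wan1, internal), the LAN 10.1.0.0/24, the client pool 10.200.0.1 to 10.200.0.100, the internal DNS server 10.1.0.53, the user alice, the group VPN_Users, the tunnel name RA_VPN and the placeholder secrets are all assumptions to replace with your own.

```fortios
# Assumed values: wan1 = internet-facing interface, internal = LAN 10.1.0.0/24,
# client pool 10.200.0.1-10.200.0.100 (must not overlap any internal subnet).
config user local
    edit "alice"
        set type password
        set passwd "ReplaceWithUserPassword"
    next
end
config user group
    edit "VPN_Users"
        set member "alice"
    next
end
config firewall address
    edit "siteA_lan"
        set subnet 10.1.0.0 255.255.255.0
    next
    edit "RA_VPN_range"
        set type iprange
        set start-ip 10.200.0.1
        set end-ip 10.200.0.100
    next
end
# "type dynamic" is the CLI form of a Dialup User remote gateway.
config vpn ipsec phase1-interface
    edit "RA_VPN"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set mode-cfg enable
        set proposal aes256gcm-prfsha384 aes256-sha256
        set dhgrp 20 14
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN_Users"
        set ipv4-start-ip 10.200.0.1
        set ipv4-end-ip 10.200.0.100
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 10.1.0.53
        set ipv4-split-include "siteA_lan"
        set dpd on-idle
        set psksecret "ReplaceWithA32PlusCharRandomKey"
    next
end
# Peer address is unknown in advance, so the remote selector is any;
# the client's actual address comes from the assigned pool.
config vpn ipsec phase2-interface
    edit "RA_VPN_p2"
        set phase1name "RA_VPN"
        set proposal aes256gcm aes256-sha256
        set pfs enable
        set dhgrp 20 14
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# Only the client pool, only to the LAN, no NAT, logged.
config firewall policy
    edit 0
        set name "RA_VPN_to_internal"
        set srcintf "RA_VPN"
        set dstintf "internal"
        set srcaddr "RA_VPN_range"
        set dstaddr "siteA_lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

With `eap enable` and `authusrgrp` set, a client that knows the PSK but fails EAP never gets a tunnel, which is the property the shared key alone cannot give you. The split-include object limits what the client routes into the tunnel to the LAN; leave it out to force all client traffic through the FortiGate. On the client, FortiClient is configured with IKEv2, the gateway address, the PSK and the user’s own credentials, and the pool address it receives is what appears in the traffic log, which is why the policy above leaves NAT disabled.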
These are the basic steps for configuring a FortiGate Remote Access IPsec VPN. Depending on your specific network requirements and security policies, you may need to make additional configurations or adjustments. Always refer to the FortiGate documentation for the most up-to-date and specific instructions for your device and FortiOS release.