FortiGate IPsec VPN Site to Site Configuration

FortiGate IPsec VPN Site to Site provides a secure and reliable connection between two networks located in different locations. This is a crucial feature for businesses with remote offices and a requirement for remote workers. In this blog post, we’ll discuss how to configure FortiGate IPsec VPN Site to Site and provide training on its usage.

Prerequisites:

  • Two FortiGate devices (FortiGate A and FortiGate B) with administrative access.
  • A dedicated public IP address for each FortiGate device.
  • Proper network routing configured on both FortiGate devices.

Step 1: Log in to the FortiGate Web Interface

  1. Open a web browser and enter the IP address of FortiGate A in the address bar.
  2. Log in with administrative credentials.

Step 2: Create Phase 1 Configuration on FortiGate A: Phase 1 sets up the initial connection between the two VPN peers.

  1. Go to “VPN” > “IPsec Wizard” on FortiGate A.
  2. Select “Custom” for the VPN Template.
  3. Configure the following Phase 1 settings:
    • Name: Give the VPN connection a name.
    • Remote Gateway: Enter the public IP address of FortiGate B.
    • Authentication Method: Pre-shared Key (PSK).
    • Pre-shared Key: Enter a strong, secret key.
    • Local Interface: Select the local interface connected to the internet.
    • Mode: Main Mode.
    • IKE Version: IKEv2 or IKEv1, depending on your requirements.
    • Phase 1 Proposal: Define encryption and authentication algorithms.
  4. Click “Next” to save the Phase 1 settings.

Step 3: Create Phase 2 Configuration on FortiGate A: Phase 2 defines the parameters for the actual data encryption.

  1. After saving Phase 1 settings, click “Next” to configure Phase 2.
  2. Configure the following Phase 2 settings:
    • Phase 2 Name: Give it a name.
    • Local Subnet: Enter the local network subnet behind FortiGate A.
    • Remote Subnet: Enter the remote network subnet behind FortiGate B.
    • P2 Proposal: Define encryption and authentication algorithms.
  3. Click “Next” to save the Phase 2 settings.

Step 4: Create Phase 1 and Phase 2 Configuration on FortiGate B: Repeat Steps 2 and 3 on FortiGate B with the corresponding settings, but make sure to reverse the “Remote Gateway” and the “Local Subnet” and “Remote Subnet” settings.

Step 5: Establish the Connection:

  1. After configuring both FortiGate devices, return to FortiGate A.
  2. Go to “VPN” > “IPsec Tunnels” and click the “Create New” button.
  3. Select the Phase 1 and Phase 2 configurations you created for FortiGate B.
  4. Click “OK” to create the VPN tunnel.
  5. Repeat the same steps on FortiGate B, using the Phase 1 and Phase 2 configurations for FortiGate A.

Step 6: Monitor and Troubleshoot:

  1. You can monitor the VPN connection status under “VPN” > “Monitor” > “IPsec Monitor.”
  2. If there are any issues, check the logs and firewall policies for any blocking rules.

That’s it! You should now have a functioning FortiGate IPsec VPN site-to-site connection between the two locations. Ensure that your firewall policies allow traffic to flow over the VPN tunnel, and test the connectivity between the remote networks.