Site-to-site IPSec VPN by using dynamic IP example Technical Note

Document Version: Version 2
Publication Date: 24 August 2012
Description: This technical note features a detailed configuration example that demonstrates how to set up a basic site-to-site IPSec VPN between two FortiGate units whose public addresses are reached through dynamic DNS names, using preshared keys to authenticate the two VPN peers.
Product: FortiGate v4.00 MR3
Document Number: 09-28006-0119-20100605
Fortinet Inc.
Page 1 of 15
© Copyright 2012 Fortinet Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet Inc.
Trademarks Products mentioned in this document are trademarks or registered trademarks of their respective holders.
Contents

Network topology (p. 4)
  Infrastructure requirements (p. 4)
Setup Firewall-Address on FortiGate_1 (p. 5)
  Define the IP/Netmask or FQDN (p. 5)
Setup Firewall-Address on FortiGate_2 (p. 6)
  Define the IP/Netmask or FQDN (p. 6)
Configuring IPSEC VPN on FortiGate_1 (p. 7)
  Define the phase 1 parameters (p. 7)
  Define the phase 2 parameters (p. 8)
Configuring IPSEC VPN on FortiGate_2 (p. 9)
  Define the phase 1 parameters (p. 9)
  Define the phase 2 parameters (p. 10)
Define Policy and Router on FortiGate_1 (p. 11)
Define Policy and Router on FortiGate_2 (p. 13)
Finalize Policy and VPN (p. 15)
Site-to-site IPSec VPN by using dynamic IP example

This technical note features a detailed configuration example that demonstrates how to set up a basic site-to-site IPSec VPN that uses preshared keys to authenticate the two VPN peers. The following sections are included:
• Network topology
• Setup Firewall-Address on FortiGate_1
• Setup Firewall-Address on FortiGate_2
• Configuring FortiGate_1
• Configuring FortiGate_2
• Define Policy and Router on FortiGate_1
• Define Policy and Router on FortiGate_2
• Finalize Policy and VPN
Network topology

In a site-to-site configuration, two FortiGate units create an IPSec tunnel between two separate private networks. All traffic between the two networks is encrypted and protected by FortiGate firewall policies. See Figure 1.

Figure 1: Example site-to-site configuration
  Site_1: FortiGate_1, WAN1 111.111.111.111 registered as us.dyndns.org, US Network 192.168.11.0/24 on Internal
  Site_2: FortiGate_2, WAN1 222.222.222.222 registered as tw.dyndns.org, TW Network 192.168.22.0/24 on Internal
  The two WAN1 interfaces reach each other across the Internet.

In the examples throughout this technical note, the network devices are assigned IP addresses as shown in Figure 1.
Infrastructure requirements
• The FortiGate units at both ends of the tunnel must be operating in NAT mode.
• Each unit must have a public IP address on its WAN1 interface, either static or dynamic. A dynamic address must be registered under a dynamic DNS name (www.dyndns.org is the service used in this example), and that record must be kept current whenever the address changes (the FortiGate's own DDNS client or the ISP modem can do this).
• Each unit must be able to resolve the other unit's dynamic DNS name, so working DNS servers must be configured on both units.
Setup Firewall-Address on FortiGate_1

Define the IP/netmask or FQDN

To define the IP/netmask
1 Go to Firewall > Address > Address.
2-1 Select Create New, enter the following information, and select OK:
  Address Name: Type a name for the local network (e.g., US_Network)
  Type: Subnet / IP Range
  Subnet / IP Range: 192.168.11.0/255.255.255.0
  Interface: Internal
2-2 Select Create New, enter the following information, and select OK:
  Address Name: Type a name for the remote network (e.g., TW_Network)
  Type: Subnet / IP Range
  Subnet / IP Range: 192.168.22.0/255.255.255.0
  Interface: WAN1 (ADSL)
Binding an address to an interface restricts it to policies on that interface. The WAN1 binding suits the policy-based VPN policy (Internal -> WAN1) defined later in this note; if you intend to use the route-based variant, leave Interface as Any, because an address bound to WAN1 cannot be selected in a policy whose interface is the IPsec tunnel interface.

To define the FQDN
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
  Address Name: Type a name for the remote gateway's dynamic DNS name (e.g., TW_Gateway). Address names must be unique on the unit, so do not reuse the name of the subnet address (TW_Network) defined above.
  Type: FQDN
  FQDN: tw.dyndns.org
  Interface: WAN1 (ADSL)
Setup Firewall-Address on FortiGate_2

Define the IP/netmask or FQDN

To define the IP/netmask
1 Go to Firewall > Address > Address.
2-1 Select Create New, enter the following information, and select OK:
  Address Name: Type a name for the local network (e.g., TW_Network)
  Type: Subnet / IP Range
  Subnet / IP Range: 192.168.22.0/255.255.255.0
  Interface: Internal
2-2 Select Create New, enter the following information, and select OK:
  Address Name: Type a name for the remote network (e.g., US_Network)
  Type: Subnet / IP Range
  Subnet / IP Range: 192.168.11.0/255.255.255.0
  Interface: WAN1 (ADSL) for the policy-based VPN; Any if you will use the route-based variant, for the reason given under FortiGate_1

To define the FQDN
1 Go to Firewall > Address > Address.
2 Select Create New, enter the following information, and select OK:
  Address Name: Type a name for the remote gateway's dynamic DNS name (e.g., US_Gateway); do not reuse US_Network, which already names the subnet address above.
  Type: FQDN
  FQDN: us.dyndns.org
  Interface: WAN1 (ADSL)
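The address objects for both units, expressed in the FortiOS CLI (Firewall > Address in the GUI is `config firewall address` on the command line). This is an added example and not part of the original technical note; the FQDN address names TW_Gateway and US_Gateway are assumed example names chosen so that they do not collide with the subnet address names, and the remote-network addresses are left unbound from WAN1 so that they can also be used in the route-based policies described later in this note.

```text
# Added example, not from the original note. Lines starting with "#"
# are comments; FortiOS ignores them when a configuration is pasted.

# --- FortiGate_1 (US site) ---
config firewall address
    edit "US_Network"
        set type ipmask
        set subnet 192.168.11.0 255.255.255.0
        set associated-interface "internal"
    next
    # Remote network: no associated-interface, so the same object works
    # in a policy-based (Internal -> wan1) and a route-based
    # (Internal -> ToFortiGate2) policy.
    edit "TW_Network"
        set type ipmask
        set subnet 192.168.22.0 255.255.255.0
    next
    # Assumed name: the note reuses "TW_Network", which is not allowed
    # because address names must be unique.
    edit "TW_Gateway"
        set type fqdn
        set fqdn "tw.dyndns.org"
        set associated-interface "wan1"
    next
end

# --- FortiGate_2 (TW site): the mirror image ---
config firewall address
    edit "TW_Network"
        set type ipmask
        set subnet 192.168.22.0 255.255.255.0
        set associated-interface "internal"
    next
    edit "US_Network"
        set type ipmask
        set subnet 192.168.11.0 255.255.255.0
    next
    edit "US_Gateway"
        set type fqdn
        set fqdn "us.dyndns.org"
        set associated-interface "wan1"
    next
end

# Check on each unit that every name appears exactly once
show firewall address
```

The FQDN objects are not referenced by any policy in this note (the dynamic DNS name is entered directly in the phase 1 settings); they are kept here because the note defines them, and they are useful if you later want a policy that matches only the peer gateway address.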
Configuring FortiGate_1

Define the phase 1 parameters

Before you define the phase 1 parameters, you need to:
• Reserve a name for the remote gateway.
• Obtain the dynamic DNS name of the remote peer's public (WAN1) interface (tw.dyndns.org in this example); with a dynamic address the name, not the current IP address, identifies the peer.
• Reserve a unique value for the preshared key (e.g., passkey1$). The same key must be configured on both FortiGate units. The key must contain at least 6 printable characters and should only be known by network administrators. For optimum protection against currently known attacks, the key should consist of a minimum of 16 randomly chosen alphanumeric characters: with Peer Options set to accept any peer ID, the preshared key is the only thing that authenticates the peer, so whoever answers at the dynamic DNS name is trusted exactly as far as they can prove knowledge of that key.

To define the phase 1 parameters
1 Go to VPN > IPsec > Auto Key (IKE).
2-1 Select Create Phase 1, enter the following information, and select OK:
  Gateway Name: Type a name for the remote gateway (e.g., ToFortiGate2). This name is also the name of the VPN tunnel (and of the IPsec tunnel interface, for a route-based VPN) that the firewall policies refer to later.
  Remote Gateway: Dynamic DNS
  Dynamic DNS: tw.dyndns.org
  Local Interface: WAN1 (ADSL)
  Mode: Main (ID protection)
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key (e.g., passkey1$).
  Peer Options: Accept any peer ID
2-2 Select Advanced..., enter the following information, and select OK:
  Enable IPsec Interface Mode: select this only if you will use the route-based policies and static route described later in this note; leave it cleared for the policy-based VPN.
  Local Gateway IP: Main Interface IP
  P1 Proposal: 1- Encryption: 3DES, Authentication: SHA1; 2- Encryption: 3DES, Authentication: MD5
  DH Group: 5
  Keylife: 28800
  XAUTH: Disable
  NAT Traversal: Enable
  Keepalive Frequency: 10
  Dead Peer Detection: Enable
The proposals must match on both units. The example lists 3DES with SHA1 first and MD5 second; if both units support AES and SHA-2, prefer those and keep the MD5 proposal only where an older peer requires it.
Configuring FortiGate_1 (continued)

Define the phase 2 parameters

The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the phase 2 parameters, you need to reserve a name for the tunnel.

To define the phase 2 parameters
1 Go to VPN > IPsec > Auto Key (IKE).
2-1 Select Create Phase 2, enter the following information and select OK:
  Name: Enter a name for the tunnel (e.g., ToFortiGate2-ph2).
  Phase 1: Select the gateway that you defined previously (e.g., ToFortiGate2).
2-2 Select Advanced..., enter the following information and select OK:
  P2 Proposal: 1- Encryption: 3DES, Authentication: SHA1; 2- Encryption: 3DES, Authentication: MD5
    [v] Enable replay detection
    [v] Enable perfect forward secrecy (PFS), DH Group: 5
  Keylife: Seconds, 1800
  Autokey Keep Alive: Enable
  Quick Mode Selector:
    Source address: select 192.168.11.0/24 or US_Network; Source port: 0
    Destination address: select 192.168.22.0/24 or TW_Network; Destination port: 0
    Protocol: 0 (0 means any port or protocol)
The quick mode selectors on FortiGate_2 must be the mirror image of these (source 192.168.22.0/24, destination 192.168.11.0/24); a selector mismatch is the most common reason phase 2 fails after phase 1 has succeeded.
Configuring FortiGate_2

Define the phase 1 parameters

Before you define the phase 1 parameters, you need to:
• Reserve a name for the remote gateway.
• Obtain the dynamic DNS name of the remote peer's public (WAN1) interface (us.dyndns.org in this example).
• Use the same preshared key that you configured on FortiGate_1 (e.g., passkey1$); the requirements on its length and handling are the same as described for FortiGate_1.

To define the phase 1 parameters
1 Go to VPN > IPsec > Auto Key (IKE).
2-1 Select Create Phase 1, enter the following information, and select OK:
  Gateway Name: Type a name for the remote gateway (e.g., ToFortiGate1). The firewall policies and, for a route-based VPN, the static route refer to this name.
  Remote Gateway: Dynamic DNS
  Dynamic DNS: us.dyndns.org
  Local Interface: WAN1 (ADSL)
  Mode: Main (ID protection)
  Authentication Method: Preshared Key
  Pre-shared Key: Enter the preshared key (e.g., passkey1$).
  Peer Options: Accept any peer ID
2-2 Select Advanced..., enter the following information, and select OK:
  Enable IPsec Interface Mode: the same choice as on FortiGate_1 (selected for the route-based variant, cleared for the policy-based VPN).
  Local Gateway IP: Main Interface IP
  P1 Proposal: 1- Encryption: 3DES, Authentication: SHA1; 2- Encryption: 3DES, Authentication: MD5
  DH Group: 5
  Keylife: 28800
  XAUTH: Disable
  NAT Traversal: Enable
  Keepalive Frequency: 10
  Dead Peer Detection: Enable
Configuring FortiGate_2 (continued)

Define the phase 2 parameters

The basic phase 2 settings associate IPSec phase 2 parameters with the phase 1 configuration and specify the remote end point of the VPN tunnel. Before you define the phase 2 parameters, you need to reserve a name for the tunnel.

To define the phase 2 parameters
1 Go to VPN > IPsec > Auto Key (IKE).
2-1 Select Create Phase 2, enter the following information and select OK:
  Name: Enter a name for the tunnel (e.g., ToFortiGate1-ph2).
  Phase 1: Select the gateway that you defined previously (e.g., ToFortiGate1).
2-2 Select Advanced..., enter the following information and select OK:
  P2 Proposal: 1- Encryption: 3DES, Authentication: SHA1; 2- Encryption: 3DES, Authentication: MD5
    [v] Enable replay detection
    [v] Enable perfect forward secrecy (PFS), DH Group: 5
  Keylife: Seconds, 1800
  Autokey Keep Alive: Enable
  Quick Mode Selector (the mirror image of the FortiGate_1 selectors):
    Source address: select 192.168.22.0/24 or TW_Network; Source port: 0
    Destination address: select 192.168.11.0/24 or US_Network; Destination port: 0
    Protocol: 0
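The phase 1 and phase 2 settings above for both units, as the FortiOS CLI equivalent of the GUI steps. This is an added example, not from the original note. It uses the interface-mode tables phase1-interface and phase2-interface, which is what the route-based policies later in this note require; for the policy-based VPN use `config vpn ipsec phase1` and `config vpn ipsec phase2` with the same settings. Keyword names follow the FortiOS 4.x CLI and should be checked against the v4.0 MR3 CLI reference for your build; the preshared key passkey1$ is the note's example value and must be replaced with a long random secret that is identical on both units.

```text
# Added example, not from the original note. Interface names (wan1) and
# the key value are the note's example values.

# --- FortiGate_1 (US site) ---
config vpn ipsec phase1-interface
    edit "ToFortiGate2"
        # Remote Gateway: Dynamic DNS, resolved on every negotiation
        set type ddns
        set interface "wan1"
        set remotegw-ddns "tw.dyndns.org"
        # Main (ID protection) and Accept any peer ID
        set mode main
        set peertype any
        # P1 Proposal 1 and 2, DH Group 5, Keylife 28800
        set proposal 3des-sha1 3des-md5
        set dhgrp 5
        set keylife 28800
        # NAT Traversal, Keepalive Frequency 10, Dead Peer Detection
        set nattraversal enable
        set keepalive 10
        set dpd enable
        set psksecret "passkey1$"
    next
end
config vpn ipsec phase2-interface
    edit "ToFortiGate2-ph2"
        set phase1name "ToFortiGate2"
        set proposal 3des-sha1 3des-md5
        # Replay detection, PFS with DH Group 5, Keylife 1800 seconds
        set replay enable
        set pfs enable
        set dhgrp 5
        set keylifeseconds 1800
        # Autokey Keep Alive
        set keepalive enable
        # Quick Mode Selector: local network -> remote network
        set src-subnet 192.168.11.0 255.255.255.0
        set dst-subnet 192.168.22.0 255.255.255.0
    next
end

# --- FortiGate_2 (TW site): identical except names, peer and selectors ---
config vpn ipsec phase1-interface
    edit "ToFortiGate1"
        set type ddns
        set interface "wan1"
        set remotegw-ddns "us.dyndns.org"
        set mode main
        set peertype any
        set proposal 3des-sha1 3des-md5
        set dhgrp 5
        set keylife 28800
        set nattraversal enable
        set keepalive 10
        set dpd enable
        # Must be the same key as on FortiGate_1
        set psksecret "passkey1$"
    next
end
config vpn ipsec phase2-interface
    edit "ToFortiGate1-ph2"
        set phase1name "ToFortiGate1"
        set proposal 3des-sha1 3des-md5
        set replay enable
        set pfs enable
        set dhgrp 5
        set keylifeseconds 1800
        set keepalive enable
        # Mirror image of the FortiGate_1 selectors
        set src-subnet 192.168.22.0 255.255.255.0
        set dst-subnet 192.168.11.0 255.255.255.0
    next
end
```

Everything that must agree between the two units is visible side by side here: the proposal list, DH group, key lifetimes, PFS and the preshared key are identical, while the remote gateway name and the two selector subnets are swapped.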
Define Policy and Router on FortiGate_1

Define the firewall encryption policy

Firewall policies control all IP traffic passing between a source address and a destination address. A firewall encryption policy is needed to allow the transmission of encrypted packets, specify the permitted direction of VPN traffic, and select the VPN tunnel that will be subject to the policy. In a policy-based VPN a single encryption policy controls both inbound and outbound IP traffic through the tunnel. Before you define the policy, you must first specify the IP source and destination addresses. In a site-to-site configuration:
• The source IP address corresponds to the private network behind the local FortiGate unit.
• The destination IP address refers to the private network behind the remote VPN peer.

To define the firewall encryption policy for a policy-based VPN
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address: US_Network or 192.168.11.0/24
  Destination Interface/Zone: WAN1 (ADSL)
  Destination Address: TW_Network or 192.168.22.0/24
  Schedule: Always
  Service: ANY (once the tunnel is verified, narrow this to the services the two sites actually exchange)
  Action: IPSEC
  VPN Tunnel: ToFortiGate2 (the phase 1 gateway name defined earlier)
  Allow inbound: [v]
  Allow outbound: [v]
  Inbound NAT: Disable
  Outbound NAT: Disable
3 Place the policy in the policy list above any other policies having similar source and destination addresses.
Define Policy and Router on FortiGate_1 (continued)

To define the firewall encryption policy for a route-based VPN
Use this variant only if Enable IPsec Interface Mode was selected in the phase 1 advanced settings; the tunnel then appears as an interface named after the phase 1 gateway (ToFortiGate2).
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address: US_Network or 192.168.11.0/24
  Destination Interface/Zone: ToFortiGate2
  Destination Address: TW_Network or 192.168.22.0/24
  Schedule: Always
  Service: ANY
  Action: ACCEPT
  Inbound NAT: Disable
3 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: ToFortiGate2
  Source Address: TW_Network or 192.168.22.0/24
  Destination Interface/Zone: Internal
  Destination Address: US_Network or 192.168.11.0/24
  Schedule: Always
  Service: ANY
  Action: ACCEPT
  Inbound NAT: Disable
4 Place both policies in the policy list above any other policies having similar source and destination addresses.
5 Go to Router > Static.
6 Select Create New, enter the following information, and select OK:
  Destination IP / Mask: 192.168.22.0/24
  Device: ToFortiGate2
  Gateway: Leave as default: 0.0.0.0
  Distance: Leave this as its default
The route-based variant needs two ACCEPT policies because each permits only one direction: the static route sends traffic for the remote network into the tunnel interface, the Internal -> ToFortiGate2 policy permits it, and the ToFortiGate2 -> Internal policy is what admits decrypted traffic arriving from the remote site.
Define Policy and Router on FortiGate_2

Define the firewall encryption policy

The same considerations apply as on FortiGate_1: the source address is the private network behind the local unit (TW_Network) and the destination address is the private network behind the remote peer (US_Network).

To define the firewall encryption policy for a policy-based VPN
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address: TW_Network or 192.168.22.0/24
  Destination Interface/Zone: WAN1 (ADSL)
  Destination Address: US_Network or 192.168.11.0/24
  Schedule: Always
  Service: ANY
  Action: IPSEC
  VPN Tunnel: ToFortiGate1 (the phase 1 gateway name defined earlier)
  Allow inbound: [v]
  Allow outbound: [v]
  Inbound NAT: Disable
  Outbound NAT: Disable
3 Place the policy in the policy list above any other policies having similar source and destination addresses.
Define Policy and Router on FortiGate_2 (continued)

To define the firewall encryption policy for a route-based VPN
Use this variant only if Enable IPsec Interface Mode was selected in the phase 1 advanced settings on this unit as well; the tunnel interface is named ToFortiGate1.
1 Go to Firewall > Policy > Policy.
2 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: Internal
  Source Address: TW_Network or 192.168.22.0/24
  Destination Interface/Zone: ToFortiGate1
  Destination Address: US_Network or 192.168.11.0/24
  Schedule: Always
  Service: ANY
  Action: ACCEPT
  Inbound NAT: Disable
3 Select Create New, enter the following information, and select OK:
  Source Interface/Zone: ToFortiGate1
  Source Address: US_Network or 192.168.11.0/24
  Destination Interface/Zone: Internal
  Destination Address: TW_Network or 192.168.22.0/24
  Schedule: Always
  Service: ANY
  Action: ACCEPT
  Inbound NAT: Disable
4 Place both policies in the policy list above any other policies having similar source and destination addresses.
5 Go to Router > Static.
6 Select Create New, enter the following information, and select OK:
  Destination IP / Mask: 192.168.11.0/24
  Device: ToFortiGate1
  Gateway: Leave as default: 0.0.0.0
  Distance: Leave this as its default
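Both policy variants and the static route for FortiGate_1, with the FortiGate_2 static route, in FortiOS CLI form. This is an added example and not part of the original note. Only one variant is applied on a given pair of units, matching the Enable IPsec Interface Mode choice made in phase 1; `edit 0` lets the unit allocate the next free policy or route ID, so the IDs on your unit will differ.

```text
# Added example, not from the original note. Apply either the
# policy-based block or the route-based block, never both.

# --- FortiGate_1, policy-based VPN: one IPSEC policy carries both
#     directions (Allow inbound / Allow outbound) ---
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "US_Network"
        set dstaddr "TW_Network"
        set action ipsec
        set schedule "always"
        set service "ANY"
        # VPN Tunnel: the phase 1 gateway name
        set vpntunnel "ToFortiGate2"
        set inbound enable
        set outbound enable
        set natinbound disable
        set natoutbound disable
    next
end

# --- FortiGate_1, route-based VPN (phase 1 in IPsec Interface Mode):
#     one ACCEPT policy per direction plus a route into the tunnel ---
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "ToFortiGate2"
        set srcaddr "US_Network"
        set dstaddr "TW_Network"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "ToFortiGate2"
        set dstintf "internal"
        set srcaddr "TW_Network"
        set dstaddr "US_Network"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
config router static
    edit 0
        set dst 192.168.22.0 255.255.255.0
        set device "ToFortiGate2"
    next
end

# --- FortiGate_2 is the mirror image: swap US_Network and TW_Network,
#     use "ToFortiGate1" as the tunnel or interface name, and route the
#     US network into it ---
config router static
    edit 0
        set dst 192.168.11.0 255.255.255.0
        set device "ToFortiGate1"
    next
end
```

The route-based block makes the direction split explicit: the first policy alone would let FortiGate_1 send traffic into the tunnel but drop everything the remote site sends back, which is why the note asks for two policies.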
Finalize Policy and VPN

To move the firewall encryption policy to the top
1 Go to Firewall > Policy and select the internal -> wan1 policy (for a route-based VPN, the internal -> ToFortiGate2 and ToFortiGate2 -> internal policies).
2 Click Move To and move the policy to the very top. Policies are matched in order, so if a broader internal -> wan1 policy (for example the general Internet-access policy) sits above it, traffic for the remote network matches that policy instead, leaves the unit unencrypted, and a client PC at one site cannot ping addresses at the other site.

To bring up the site-to-site VPN
1 Go to VPN > IPsec > Monitor and click Bring Up under Status.
2 Confirm that the tunnel shows as up on both units, then verify with a ping from a client on one private network to a host on the other.
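The CLI commands a practitioner would use for the two finalization steps and to confirm that the tunnel works, as an added example that is not from the original note. The policy IDs 5 and 1 in the move command, the internal interface addresses 192.168.11.1 and 192.168.22.1 used as ping source and target, and the peer address 222.222.222.222 in the log filter are assumptions for this example.

```text
# Added example, not from the original note. Run on FortiGate_1.

# Step 1: put the VPN policy above the broader internal -> wan1 policy.
# IDs are assumed; list yours with "show firewall policy" first.
config firewall policy
    move 5 before 1
end

# Step 2: bring the tunnel up (phase 2 name from this note)
diagnose vpn tunnel up ToFortiGate2-ph2

# Phase 1 (IKE SA) and phase 2 (IPsec SA) status
diagnose vpn ike gateway list
diagnose vpn tunnel list

# Route-based only: the 192.168.22.0/24 route must point at ToFortiGate2
get router info routing-table all

# End-to-end test sourced from the LAN side, so the ping matches the
# VPN policy instead of leaving through the Internet policy
execute ping-options source 192.168.11.1
execute ping 192.168.22.1

# If phase 1 never completes: log only the negotiation with this peer
diagnose vpn ike log-filter dst-addr4 222.222.222.222
diagnose debug application ike -1
diagnose debug enable
# ... retry the Bring Up, read the output, then stop debugging
diagnose debug disable
diagnose debug reset
```

`diagnose vpn ike gateway list` showing a gateway without a matching entry in `diagnose vpn tunnel list` means phase 1 succeeded and phase 2 failed, which in this configuration almost always points at mismatched quick mode selectors or PFS settings between the two units.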
SOURCE:
http://docs.fortinet.com/fgt/handbook/40mr3/fortigate-ipsec-40-mr3.pdf
http://docs.fortinet.com/cookbook.html