Site-to-site IPsec VPN with two FortiGates
In this example, you will allow transparent communication between two networks that are located behind different FortiGates at different offices, using a route-based IPsec VPN. The VPN will be created on both FortiGates by using the VPN Wizard's Site to Site - FortiGate template. Route-based means the wizard creates a virtual tunnel interface, a static route to the remote subnet through that interface, and firewall policies in each direction; the pre-shared key and the local/remote subnets must mirror each other on the two FortiGates or the tunnel will not come up.
In this example, one office will be referred to as HQ and the other will be referred to as Branch.
1. Configuring the HQ IPsec VPN
On the HQ FortiGate, go to VPN > IPsec Wizard and select Site to Site - FortiGate.
In the Authentication step, set the Branch FortiGate's IP as the Remote Gateway (in the example, 172.20.120.142). After you enter the gateway, an available interface will be assigned as the Outgoing Interface. If you wish to use a different interface, select Change. Enter a Pre-shared Key; the same key must be entered on the Branch FortiGate, so choose a long, random one rather than a word.
In the Policy & Routing section, set Local Interface to your lan interface. The Local Subnet will be added automatically. Set Remote Subnets to the Branch FortiGate's local subnet (in the example, 192.168.50.0/24).
A summary page shows the configuration created by the wizard, including firewall addresses, firewall address groups, a static route, and security policies.
2. Configuring the Branch IPsec VPN
On the Branch FortiGate, go to VPN > IPsec Wizard and select Site to Site - FortiGate.
In the Authentication step, set the HQ FortiGate's IP as the Remote Gateway (in the example, 172.20.120.123). After you enter the gateway, an available interface will be assigned as the Outgoing Interface. If you wish to use a different interface, select Change.
Set the same Pre-shared Key that was used for HQ's VPN.
In the Policy & Routing section, set Local Interface to your lan interface. The Local Subnet will be added automatically. Set Remote Subnets to the HQ FortiGate's local subnet (in the example, 192.168.100.0/24).
A summary page shows the configuration created by the wizard, including firewall addresses, firewall address groups, a static route, and security policies. The two sides must be mirror images: HQ's Local Subnet is Branch's Remote Subnet and vice versa, and both use the same pre-shared key.
A user on either of the office networks should be able to connect to any address on the other office network transparently.
If you need to generate traffic to test the connection, ping the Branch FortiGate's internal interface from the HQ's internal network. The tunnel is brought up on demand, so the first packets may be lost while IKE negotiates; if the ping never succeeds, confirm that ping is enabled as an administrative access option on the Branch FortiGate's internal interface and that the wizard's policies allow the traffic.
Go to VPN > Monitor > IPsec Monitor to verify the status of the VPN tunnel. Ensure that its Status is Up and that traffic is flowing in both directions (incoming and outgoing data counters both increasing).
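The following is the HQ-side configuration that the wizard steps above produce, written out as FortiOS CLI so that each generated object is visible. This is an added example, not configuration from the original post; the subnets and gateway addresses are the ones used in this example, while the tunnel name "to_Branch", the object names, the WAN interface name "wan1", and the pinned IKEv2/AES-256/SHA-256/DH group 14 proposals (the wizard itself offers a broader proposal list) are assumptions. The blackhole route is not listed in the wizard summary above and is added here as a practitioner safeguard.

```fortios
# --- Phase 1: IKE peer and the virtual tunnel interface named "to_Branch" ---
config vpn ipsec phase1-interface
    edit "to_Branch"
        set interface "wan1"               # outgoing interface chosen in the wizard
        set ike-version 2                  # assumption: both ends set to IKEv2
        set peertype any
        set proposal aes256-sha256         # assumption: single modern proposal instead of the wizard list
        set dhgrp 14
        set dpd on-idle                    # dead peer detection, as the wizard sets it
        set dpd-retryinterval 5
        set wizard-type static-fortigate
        set remote-gw 172.20.120.142       # Branch FortiGate public IP
        set psksecret "replace-with-long-random-key"   # must be identical on the Branch side
    next
end

# --- Phase 2: traffic selectors; HQ LAN <-> Branch LAN ---
config vpn ipsec phase2-interface
    edit "to_Branch"
        set phase1name "to_Branch"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable          # bring the SA up without waiting for traffic
        set src-subnet 192.168.100.0 255.255.255.0
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end

# --- Firewall address objects and groups the wizard creates for the policies ---
config firewall address
    edit "to_Branch_local"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "to_Branch_remote"
        set subnet 192.168.50.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "to_Branch_local_subnet_1"
        set member "to_Branch_local"
    next
    edit "to_Branch_remote_subnet_1"
        set member "to_Branch_remote"
    next
end

# --- Routing: send the Branch LAN into the tunnel interface ---
config router static
    edit 0
        set dst 192.168.50.0 255.255.255.0
        set device "to_Branch"
    next
    edit 0
        # Added safeguard (not in the wizard summary): if the tunnel interface goes down,
        # drop the traffic instead of letting it follow the default route to the internet in clear.
        set dst 192.168.50.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# --- Policies in both directions; NAT stays disabled so the real LAN addresses cross the tunnel ---
config firewall policy
    edit 0
        set name "vpn_to_Branch_local"
        set srcintf "lan"
        set dstintf "to_Branch"
        set srcaddr "to_Branch_local_subnet_1"
        set dstaddr "to_Branch_remote_subnet_1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "vpn_to_Branch_remote"
        set srcintf "to_Branch"
        set dstintf "lan"
        set srcaddr "to_Branch_remote_subnet_1"
        set dstaddr "to_Branch_local_subnet_1"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The Branch FortiGate gets the same configuration with the roles reversed: remote-gw 172.20.120.123, src-subnet 192.168.50.0/24, dst-subnet 192.168.100.0/24, the static route pointing at 192.168.100.0/24, and the same pre-shared key and proposals. To check the result from the CLI, "get vpn ipsec tunnel summary" shows the tunnel and its selector status, "diagnose vpn ike gateway list" shows the phase 1 state, and "diagnose vpn tunnel list" shows the phase 2 SAs with their packet counters.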
Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor’s degree from Mount Allison University, after which she attended Humber College’s book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Is there any benefit to using the FortiGate template vs. custom templates between two FortiGates? Is it just ease of deployment?
I am having trouble setting up a site-to-site IPsec VPN between a Checkpoint and a Fortinet FortiGate 110C. The challenge is on the FortiGate 110C end. Are there any help resources you can refer me to?
I found one resource in the Knowledge Base that talks about setting up a VPN between a FortiGate and a Checkpoint NGX appliance. It's quite old but it might still be useful in helping you figure out network settings. You can find it at http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=12091&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=102601047&stateId=0%200%20102599339
Otherwise, I'd suggest contacting Fortinet Support.
Can I create a redundant tunnel if we have two different ISP connections?
Hi, I'm having trouble pinging from HQ to the Branch Office on a VPN IPsec dial-up tunnel. Why is this happening? I can ping from the Branch to the HQ but not from HQ to Branch. I have traffic up/down on the VPN.
Thank you for your help!
P.S. The HQ FortiGate is a 300B on the latest update and the Branch FortiGate is a 60B on 4.0 MR3 Patch 18.
Sounds like a firewall policy issue.
Hi sir. I'm new to firewalls. I have two Fortinet 30Es and am configuring a site-to-site VPN using a broadband wireless connection; does it work? What IP will I set in the remote gateway? The broadband is giving me a DHCP address for the interface, which is a private IP. Thank you all.
In order to configure a site-to-site IPsec, the FortiGates will need to be able to connect to each other using public IPs. It sounds like you need to contact your ISP in order to get this set up.
What if I have multiple remote subnets? How will I add them?
Hi Marzooq, for each subnet you would need a different phase2. Each phase2 is bound to a single/global phase1. Here's some example CLI: http://kb.fortinet.com/kb/documentLink.do?externalID=FD33873
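As an added illustration of the reply above (not configuration from the original post or from the linked KB article), this is what adding a second remote subnet looks like on the HQ side: a second phase2 bound to the existing phase1, plus the route and policy that the new selector needs. It assumes a phase1-interface named "to_Branch" already exists (as created by the wizard in this example), that the HQ LAN is 192.168.100.0/24, and that the additional Branch subnet is 192.168.51.0/24; the object names are also assumptions.

```fortios
# A second phase2 on the same phase1. The Branch FortiGate needs the mirror image
# (src-subnet 192.168.51.0/24, dst-subnet 192.168.100.0/24) or this selector never negotiates.
config vpn ipsec phase2-interface
    edit "to_Branch_net2"
        set phase1name "to_Branch"         # existing phase1; one phase1 can carry many phase2s
        set auto-negotiate enable
        set src-subnet 192.168.100.0 255.255.255.0
        set dst-subnet 192.168.51.0 255.255.255.0   # assumption: second Branch subnet
    next
end

# The phase2 selector only controls what the SA will carry; traffic still needs a route
# into the tunnel interface and a policy that permits it.
config firewall address
    edit "Branch_net2"
        set subnet 192.168.51.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 192.168.51.0 255.255.255.0
        set device "to_Branch"             # same tunnel interface as the first subnet
    next
end
config firewall policy
    edit 0
        set name "lan_to_Branch_net2"
        set srcintf "lan"
        set dstintf "to_Branch"
        set srcaddr "all"
        set dstaddr "Branch_net2"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Branch_net2_to_lan"
        set srcintf "to_Branch"
        set dstintf "lan"
        set srcaddr "Branch_net2"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

If the wizard-generated policies reference address groups, adding "Branch_net2" as a member of the existing remote-subnet group lets the original policy pair cover the new subnet instead of creating new policies; the extra phase2 and static route are still required either way.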
Hi there, how can I create a site-to-site VPN using the CLI? Do you have predefined examples that you can send me?
Hi Bibek, here's some example CLI for phase1 and phase2 IPsec configuration (on one endpoint; the other endpoint configuration would be quite similar, with source and destination subnets reversed, most likely):
config vpn ipsec phase1-interface
    edit "to_remote"                   # tunnel name; also becomes the name of the tunnel interface
        set interface wan1             # outgoing (WAN) interface
        set peertype any
        set dpd on-idle
        set wizard-type static-fortigate
        set remote-gw 172.20.120.142   # peer's public IP; not in the original snippet, taken from this article's Branch address
        set psksecret ENC [hash]       # type the plaintext pre-shared key here; "ENC [hash]" is how a saved config displays it
        set dpd-retryinterval 5
    next
end
config vpn ipsec phase2-interface
    edit "to_remote"
        set phase1name "to_remote"     # binds this phase2 to the phase1 above
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 22.214.171.124 255.255.255.0   # replace with the remote LAN network address and mask
    next
end
You then add your policies as required.