Technical Tip: How to configure VPN Site to Site b…

Description

 

This article explains the configuration of a site-to-site IPsec VPN where both sites have a static public IP on the WAN interface.

 

It covers both wizard and manual configuration.

Scope

 

FortiGate 6.2 or higher. 

Solution

The IP addressing used for both FortiGates in this example:

Device       FortiGate-I        FortiGate-II
WAN IP       172.25.176.62      172.25.177.46
LAN subnet   192.168.65.0/24    192.168.13.0/24

 

FortiGate – I Configuration.
To create an IPsec VPN tunnel on the FortiGate device, select VPN -> IPSec Wizard and input the tunnel name.

Select the Template Type as Site to Site, the ‘Remote Device Type’ as FortiGate, and select NAT Configuration as No NAT between sites.

 

 

Select 'Next' to move to the Authentication step.
In the Authentication step, set IP Address to the WAN IP address of the remote FortiGate (in the example, 172.25.177.46).

 

After the WAN IP address is entered, the wizard automatically assigns an interface as the Outgoing Interface.

If a different interface should be used, this needs to be selected from the drop-down menu.

Set a secure Pre-shared Key (PSK). The remote peer can also be authenticated via a certificate, as explained here.

 

 

In the Policy & Routing step, set Local Interface to LAN.

The wizard adds the local subnet automatically.

Set Remote Subnets to the Branch network's subnet (in the example, 192.168.13.0/24).
Set Internet Access to None.

 

 

A summary page shows the configuration created by the wizard, including the interface, firewall addresses, routes, and policies.

The wizard automatically configures the phase2 selectors, firewall address groups, firewall addresses, static routes, blackhole routes and firewall policies.

 

 

To view the VPN interface created by the wizard, go to Network -> Interfaces.

 

 

To view the firewall addresses created by the wizard, go to Policy & Objects – > Addresses.

 

 

To view the routes created by the wizard, go to Network -> Static Routes.

 

Note:

When the VPN wizard is not used, static routes are not generated automatically. In that case, manually add a static route to the remote subnet(s) pointing to the tunnel interface, and add a blackhole route for the same subnet(s) with a higher administrative distance, so that VPN traffic is dropped instead of egressing via the default route (typically to the public Internet) when the VPN tunnel flaps.

Refer to the Technical Note on the use of a black hole route in a site-to-site IPsec VPN scenario, listed under Related documents.

To view the policies created by the wizard, go to Policy & Objects -> IPv4 Policy.

 

FortiGate – II Configuration.

To create a new IPsec VPN tunnel, connect to FGT-II, go to VPN > IPsec Wizard, and create a new tunnel.
In the VPN Setup step, set Template Type to Site to Site, set Remote Device Type to FortiGate, and set NAT Configuration to No NAT between sites.

 

 

 

In the Authentication step, set IP Address to the WAN IP address of FGT-I (in the example, 172.25.176.62).
After the IP address is entered, the wizard automatically assigns an interface as the Outgoing Interface.

If a different interface needs to be used, select it from the drop-down menu.

 

Set the same secure Pre-shared Key (PSK) that was used for the VPN on FortiGate-I.

 

 

In the Policy & Routing step, set Local Interface to LAN.

The wizard adds the local subnet automatically.

Set Remote Subnets to the HQ network's subnet (in the example, 192.168.65.0/24).

Set Internet Access to None.

 

 

A summary page shows the configuration created by the wizard, including the interface, firewall addresses, routes, and policies.
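The article covers manual configuration as well as the wizard, so the following is the CLI equivalent of what the wizard builds, given here as an added example rather than output copied from the original article or from the wizard itself. The interface names "wan1" and "lan", the phase 1 and phase 2 name "to_FGT-II", the address and policy names, the PSK placeholder, and the IKEv2 / AES-256 / SHA-256 / DH group 14 proposals are all assumptions for illustration; the wizard's own defaults may differ. FortiGate-I is shown in full and FortiGate-II is the mirror image, as described in the closing comment.

```fortios
# FortiGate-I (HQ). Assumed names: WAN interface "wan1", LAN interface "lan",
# phase 1 / tunnel interface "to_FGT-II". Replace the PSK placeholder with a long
# random secret and use the identical value on FortiGate-II.

config vpn ipsec phase1-interface
    edit "to_FGT-II"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 172.25.177.46
        set psksecret "REPLACE_WITH_LONG_RANDOM_SECRET"
    next
end

config vpn ipsec phase2-interface
    edit "to_FGT-II"
        set phase1name "to_FGT-II"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-subnet 192.168.65.0 255.255.255.0
        set dst-subnet 192.168.13.0 255.255.255.0
    next
end

config firewall address
    edit "HQ_LAN"
        set subnet 192.168.65.0 255.255.255.0
    next
    edit "Branch_LAN"
        set subnet 192.168.13.0 255.255.255.0
    next
end

# Route to the remote subnet over the tunnel, plus a blackhole route at distance 254
# so traffic is dropped, not sent out the default route, while the tunnel is down.
config router static
    edit 0
        set dst 192.168.13.0 255.255.255.0
        set device "to_FGT-II"
    next
    edit 0
        set dst 192.168.13.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# Policies in both directions; NAT is left disabled (No NAT between sites).
config firewall policy
    edit 0
        set name "HQ_to_Branch"
        set srcintf "lan"
        set dstintf "to_FGT-II"
        set srcaddr "HQ_LAN"
        set dstaddr "Branch_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "Branch_to_HQ"
        set srcintf "to_FGT-II"
        set dstintf "lan"
        set srcaddr "Branch_LAN"
        set dstaddr "HQ_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

# FortiGate-II (Branch) is the mirror image: remote-gw 172.25.176.62,
# src-subnet 192.168.13.0/24, dst-subnet 192.168.65.0/24, both static routes
# to 192.168.65.0/24, and the two policies with HQ_LAN and Branch_LAN swapped.
```

The blackhole route only becomes active when the tunnel interface goes down and the route over "to_FGT-II" is withdrawn, which is exactly the moment the traffic would otherwise follow the default route. Keep the phase 1 and phase 2 proposals, the DH group and the PSK identical on both peers; a mismatch in any of them is the most common reason a tunnel built by hand does not come up.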

 

 

To bring the VPN tunnel up, go to Monitor -> IPsec Monitor. Select ‘Status’ and select Bring Up.

 

 

 

There is also an option to enable auto-negotiation so that the phase 2 selectors always stay up; this is explained in the related Technical Tip on bringing up the IPsec VPN tunnel automatically (see Related documents).

 

Verification:
To verify that the LAN subnets can reach each other over the VPN tunnel, initiate an ICMP echo (ping) from a host on one LAN to a host on the other LAN.
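The same check from the FortiGate CLI, added here as an example that is not part of the original article. It assumes that FortiGate-I's LAN interface has the address 192.168.65.1, that a host 192.168.13.10 exists on the branch LAN, that the WAN interface is "wan1" and that the phase 1 is named "to_FGT-II"; all of these are illustrative values.

```fortios
# Run on FortiGate-I. Assumed values: LAN address 192.168.65.1, remote host
# 192.168.13.10, WAN interface "wan1", phase 1 / tunnel interface "to_FGT-II".

# 1. Confirm that IKE (phase 1) and the IPsec SA (phase 2) are established.
get vpn ipsec tunnel summary
diagnose vpn ike gateway list
diagnose vpn tunnel list name to_FGT-II

# 2. Ping from the LAN address, not from the WAN address. A plain "execute ping"
#    is sourced from the egress interface address, which is not inside the
#    phase 2 selector 192.168.65.0/24 -> 192.168.13.0/24, so the ping fails even
#    when the tunnel itself is healthy.
execute ping-options source 192.168.65.1
execute ping 192.168.13.10
execute ping-options reset

# 3. Check that the packets really traverse the tunnel: decrypted packets are
#    visible on the tunnel interface ...
diagnose sniffer packet to_FGT-II 'icmp' 4
#    ... and, if phase 1 is not coming up, confirm IKE is reaching the peer on
#    the WAN side (UDP 500, or UDP 4500 when NAT-T is in use).
diagnose sniffer packet wan1 'host 172.25.177.46 and (udp port 500 or udp port 4500)' 4
```

If the ping from the LAN address succeeds but hosts on the LAN cannot reach the remote side, the tunnel and routes are fine and the problem is in the firewall policies or on the hosts (for example a host default gateway that is not the FortiGate).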

Troubleshooting:
If the tunnel does not come up, first confirm that the pre-shared key and the phase 1/phase 2 proposals are identical on both peers and that UDP 500/4500 and ESP are permitted between the two WAN addresses. If it still fails, raise a support ticket; it will be helpful to collect the following debug output:

Debug commands:

 

diag vpn tunnel list
diag vpn ike log-filter clear
diag vpn ike log-filter dst-addr4 x.x.x.x    <----- Where x.x.x.x is the WAN IP of the remote site.
diag debug application ike -1
diag debug console timestamp enable
diag debug enable

 

Debug commands for 7.4.x and 7.6.x firmware versions:

 

diag debug reset
diag vpn ike log filter clear
diag vpn ike log filter rem-addr4 x.x.x.x    <----- Where x.x.x.x is the WAN IP of the remote site.
diag debug application ike -1
diag debug console timestamp enable
diag debug enable

 

 

Once the debug is enabled, bring the tunnel up from the GUI (Monitor -> IPsec Monitor -> Bring Up) or with the command:

 

diagnose vpn tunnel up <vpn_tunnel_name>    <----- Where 'vpn_tunnel_name' is the phase 2 name of the respective VPN tunnel (the wizard uses the phase 1 name for its phase 2 as well).

Once the debug output has been collected, stop the debug with the commands:

 

diag debug disable
diag debug reset

 

Attach the complete output to the ticket along with the config files of both the FortiGates.

 

Related documents:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/281288/site-to-site-ipsec-vpn-with-two-f …

Technical Tip: Set the FortiGate unit to bring up IPsec VPN tunnel automatically (enable auto-negot…

Technical Note: Use of black hole route in site-to-site IPsec VPN scenario

Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity

Troubleshooting Tip: IPsec VPN tunnels

Technical Tip: Set multiple DNS servers for IPsec dial-up VPN

Technical Tip: NAT-traversal comparison between site-to-site and dial-up "dynamic" tunnels

Technical Tip: FortiGate Hub with multiple IPsec dial-up phase1 using IKEv2 and PSK authentication

Technical Tip: How to configure multiple VPN tunnels from the same ISP to the same remote peer ISP

Technical Tip: IPsec dial-up full tunnel with FortiClient

Technical Tip: Differences between Aggressive and Main mode in IPsec VPN configurations

Technical Note: Dynamic routing (BGP) over IPsec tunnel

Technical Tip: OSPF with IPsec VPN for network redundancy

Technical Tip: Dynamic dial-up VPN with OSPF

Technical Tip: Fortinet Auto Discovery VPN (ADVPN)

Technical Tip: 'set net-device' new route-based IPsec logic

Technical Tip: Simple OCVPN deployment

Technical Tip: SD-WAN integration with OCVPN

Technical Tip: Configure IPsec VPN with SD-WAN

Technical Tip: SD-WAN with DDNS type IPsec

Technical Tip: SD-WAN primary and backup IPsec tunnel scenario

Troubleshooting Tip: IPsec VPN Phase 1 Process - Aggressive Mode

Technical Note: Configuring more than one Main-Mode Pre-Shared Key (PSK) *dialup* IPsec phase1 on a…

Technical Tip: How to configure IPsec VPN Tunnel using IKEv2

Technical Tip: Hard timeout for Dialup IPsec VPN Tunnel

 

Note:

Versions 5.0 through 6.4 are out of engineering support, and the commands above may differ on newer releases. Consider upgrading the device to a supported firmware version (7.0 through 7.6); check the upgrade path and hardware compatibility with the Upgrade tool.