Chapter 4- VPN

4-1 IPSEC VPN

Learning Objectives

  • Configure an IPSEC VPN
  • Configure a site-to-site VPN
Scenario: We are going to set up an IPsec VPN from Windows to the FortiGate firewall. First we install FortiClient on Windows, then we configure the firewall for FortiClient. The goal of this scenario is connectivity from Windows to PC1: you should be able to ping PC1 once the VPN connection is established.


Figure 4-1: IPSEC VPN main scenario
Table 4-1: Devices configuration

Device               IP address                                  Access
WebTerm2             192.168.0.2/24
VPC                  DHCP Client
Ethernet Switch1-2
FortiGate            Port 1: DHCP Client                         ICMP, HTTP, HTTPS
                     Port 2: 192.168.0.1/24
                     DHCP Server (192.168.0.10-192.168.0.20)
Windows              DHCP Client

Before you begin the configuration, remember that this is how the IP settings of VPCs and WebTerms are edited for static or DHCP addressing:

Before dragging WebTerms or other devices into the topology, always choose the GNS3 VM as the server:

Figure 4-2: Dragging a NAT under GNS3 VM
Figure 4-3: Dragging a switch under GNS3 VM
1. Set a DHCP server on interface port2 (IP address range: 192.168.0.20-192.168.0.30, DNS: 4.2.2.4)

Figure 4-4: Set DHCP IP address
Figure 4-5: Enable DHCP client
Figure 4-6: Configure a static IP address

2. Go to User & Authentication > User Group > Create New:

  • Name: VPN_GRP_A0ID
  • Type: Firewall

Figure 4-7: Create a user group
Figure 4-8: Create a group in the firewall

3. Go to User & Authentication > User Definition > Create New:

Figure 4-9: Step 1- Create a new user
Figure 4-10: Step 2- Create a Local User
Figure 4-11: Step 3- Configure login credentials for the user
Figure 4-12: Step 4- Contact Info

4. Assign the user to the user group

Figure 4-13: Step 5- Assign the user to the group
Figure 4-14: Step 6- Verify configuration

5. Go to VPN > IPsec Wizard

Step 1

  • Name: A0ID-VPN (A0ID is your student ID)
  • Template Type: Remote Access
  • Remote Device Type: FortiClient

Figure 4-15: Step 1- Create a VPN connection

Step 2

  • Incoming Interface: Port1
  • Pre-shared Key: <choose a strong key, as you would a password>
  • User Group: VPN_GRP_A0ID

Figure 4-16: Step 2- Configure Authentication

Step 3

  • Local Interface: Port 2
  • Local Address: Add your local range of IP address (192.168.0.0/24)
  • Client Range: 172.16.0.1- 172.16.0.10
  • Subnet Mask: 255.255.255.0
  • Disable Split Tunneling
Figure 4-17: Step 3- Configure Policy & Routing

Figure 4-18: Step 4- Review Settings

6. On the Windows machine, download FortiClient from https://www.forticlient.com/downloads, install it, and configure IPsec as set in the previous steps. Your Remote Gateway IP should be the Port1 IP address of the FortiGate.

Figure 4-19: Install FortiClient on Windows
Figure 4-20: Configure VPN in FortiClient
Figure 4-21: Accept FortiClient Free License
Figure 4-22: Port1 IP Address
Figure 4-23: Configure FortiClient Remote Gateway and Pre-shared key

7. You should be able to ping from Windows to the VPC.

Figure 4-24: Verify configuration

Site-to-Site VPN (IPsec VPN)

Scenario: We are going to set up an IPsec VPN between webterm-1 and webterm-2. First we configure both firewalls through the IPsec VPN wizard, then we verify connectivity from webterm-1 to webterm-2.

Figure 4-25: main scenario

To validate the firewall licenses, we connect both firewalls to the Internet.

Figure 4-26: Validate firewall licenses

Table 4-2: Devices configuration

Device        IP address         Access
Fortigate1    10.10.10.1/24      ICMP, HTTP, HTTPS
Fortigate2    10.10.10.2/24      ICMP, HTTP, HTTPS
WebTerm1      192.168.20.2/24
WebTerm2      192.168.10.2/24

Step 1

On FG1, go to VPN > IPsec Wizard and select Site to Site - FortiGate.

Step 2

1. Select Site to Site / FortiGate / No NAT

2. Remote IP: 10.10.10.2/24; Outgoing interface: port3

Figure 4-28: Step 2- Authentication

Step 3

3. Local Interface: port2; Local subnet: 192.168.20.0/24; Remote subnet: 192.168.10.0/24

Figure 4-29: Step 3- Policy & Routing

Through the wizard, FortiGate creates two policies and two static routes in the firewall.
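The FG1 objects behind that sentence, written out as FortiOS CLI so the two static routes and the two policies can be inspected and compared with what the wizard shows in the GUI. This is an added example, not the lab's exported configuration: the tunnel name "S2S-VPN", the address-object names and the policy names are assumed; the phase1/phase2 settings entered in Steps 2 and 3 are left out.

```text
# FG1 side. Tunnel interface name "S2S-VPN" is assumed (the wizard uses the name from Step 1).
config firewall address
    edit "S2S-VPN_local"                        # 192.168.20.0/24 behind FG1 port2
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "S2S-VPN_remote"                       # 192.168.10.0/24 behind FG2
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Two static routes for the remote subnet: the working route through the tunnel
# interface, and a blackhole route at the worst distance (254) that only takes over
# when the tunnel is down, so traffic for 192.168.10.0/24 is dropped instead of
# leaking out the default route in clear text.
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "S2S-VPN"
    next
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# Two policies, one per direction, restricted to the two lab subnets rather than
# "all"; anything outside those subnets is denied by the implicit deny rule.
config firewall policy
    edit 0
        set name "vpn_S2S-VPN_local"            # port2 -> tunnel
        set srcintf "port2"
        set dstintf "S2S-VPN"
        set srcaddr "S2S-VPN_local"
        set dstaddr "S2S-VPN_remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vpn_S2S-VPN_remote"           # tunnel -> port2
        set srcintf "S2S-VPN"
        set dstintf "port2"
        set srcaddr "S2S-VPN_remote"
        set dstaddr "S2S-VPN_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Once both sides are configured, `get vpn ipsec tunnel summary` and `get router info routing-table all` on either FortiGate show the tunnel state and which of the two routes for 192.168.10.0/24 is currently active.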

Step 4

On FG2, go to VPN > IPsec Wizard and select Site to Site - FortiGate.

Step 5

Do the same configuration on FG2 (remote IP is 10.10.10.1/24 and local subnet is 192.168.10.0/24).

Figure 4-31: Step 5- Authentication in FG2

Step 6

Figure 4-32: Step 6- Policy & Routing in FG2

Step 7

Figure 4-33: Step 7- Configure IPsec Tunnels

Then go to your IPsec Tunnels and double-click on Inactive.

In the next window, right-click on the tunnel > Bring Up > All Phase 2 Selectors. Your tunnel should now be up.

Figure 4-34: Bring up IPsec Tunnel
Figure 4-35: Verify the status of the tunnel

Step 8

Go to Logs & Reports > Event > VPN Event and verify your configuration.

You should be able to ping from WebTerm1 to WebTerm2.

Figure 4-37: Verify configuration
