Chapter 4. VPN

4.1 IPsec VPN

Learning Objectives

  • Configure an IPsec VPN
  • Configure a site-to-site VPN
Scenario: We are going to set up an IPsec VPN from Windows to the FortiGate firewall. First we install FortiClient on Windows, then we configure the firewall for FortiClient. The goal of this scenario is connectivity from Windows to PC1: you should be able to ping PC1 once the VPN connection is established.

 

Figure 4.1: Main scenario

Configuration

Table 4.1: Devices configuration
Device             IP address                                   Access
WebTerm2           192.168.0.2/24
VPC                DHCP client
Ethernet Switch 1-2
FortiGate          Port 1: DHCP client                          ICMP, HTTP, HTTPS
                   Port 2: 192.168.0.1/24
                   DHCP server (192.168.0.10 to 192.168.0.20)
Windows            DHCP client

Before you begin the configuration, remember that this is how the IP settings of VPCs and WebTerms are edited for static or DHCP addressing:

Before dragging in your web terms or other devices remember to always choose GNS3 VM:

Figure 4.2: Dragging a NAT under GNS3 VM
Figure 4.3: Dragging a switch under GNS3 VM
  1. Set up a DHCP server on interface port2 (IP address range: 192.168.0.20 to 192.168.0.30, DNS: 4.2.2.4).
    Figure 4.4: Set DHCP IP address
    Figure 4.5: Enable DHCP client
    Figure 4.6: Configure a static IP address
  2. Go to User & Authentication > User Group > Create New:
    • Name: VPN_GRP_A0ID
    • Type: Firewall
    Figure 4.7: Create a user group
    Figure 4.8: Create a group in the firewall
  3. Go to User & Authentication > User Definition > Create a User:
    Figure 4.9: Create a new user
    Figure 4.10: Create a local user
    Figure 4.11: Configure login credentials for the user
    Figure 4.12: Contact info
  4. Assign the user group to the user's profile.
    Figure 4.13: Assign a user to the group
    Figure 4.14: Verify configuration
  5. Go to VPN > IPsec Wizard.
    1. First:
      • Name: A0ID-VPN (A0ID is your student ID)
      • Template Type: Remote Access
      • Remote Type Device: FortiClient
      Figure 4.15: Create a VPN connection
    2. Then:
      • Incoming Interface: Port1
      • Pre-shared Key: <choose a strong key; it is used like a password>
      • User Group: VPN_GRP_A0ID
      Figure 4.16: Configure authentication
    3. Next:
      • Local Interface: Port 2
      • Local Address: Add your local range of IP address (192.168.0.0/24)
      • Client Range: 172.16.0.1 to 172.16.0.10
      • Subnet Mask: 255.255.255.0
      • Disable Split Tunneling
      Figure 4.17: Configure Policy & Routing
      Figure 4.18: Review Settings
  6. On the Windows machine, download FortiClient from https://www.forticlient.com/downloads, install it, and configure an IPsec connection with the settings from the previous steps. The remote gateway IP is the Port1 IP address of the FortiGate.
    Figure 4.19: Install FortiClient on Windows
  7. Configure VPN in FortiClient
    Figure 4.20: Configure VPN in FortiClient
  8. Accept FortiClient Free License
    Figure 4.21: Accept FortiClient Free Licence
  9. Check the Port1 IP address of the FortiGate.
    Figure 4.22: Port1 IP Address
  10. Configure FortiClient Remote Gateway and Pre-shared key
    Figure 4.23: Configure FortiClient Remote Gateway and Pre-shared key
  11. You should be able to ping from Windows to VPC.
    Figure 4.24: Verify configuration

Site-to-Site VPN (IPsec VPN)

Scenario: We are going to set up a site-to-site IPsec VPN between WebTerm1 and WebTerm2. First we configure both firewalls through the IPsec VPN wizard, then we verify connectivity from WebTerm1 to WebTerm2.
Figure 4.25: Main scenario

To validate Firewalls licences, we are going to connect them to the Internet.

Figure 4.26: Validate firewall licences
Table 4.2: Devices configuration
Device       IP address        Access
Fortigate1   10.10.10.1/24     ICMP, HTTP, HTTPS
Fortigate2   10.10.10.2/24     ICMP, HTTP, HTTPS
WebTerm1     192.168.20.2/24
WebTerm2     192.168.10.2/24
  1. On the FG1, go to VPN > IPsec Wizard and select Site to Site – FortiGate.
    Figure 4.27: VPN Setup
  2. Select Site to Site / FortiGate / No NAT. Enter Remote IP: 10.10.10.2/24, Outgoing Interface: port3.
    Figure 4.28: Authentication
  3. Local Interface: port2, IP: 192.168.20.0/24, Remote subnet: 192.168.10.0/24. Through the wizard, FortiGate creates two policies and two static routes in the firewall.
    Figure 4.29: Policy & Routing
  4. On the FG2, go to VPN > IPsec Wizard and select Site-to-Site – FortiGate.
    Figure 4.30: Set up FG2
  5. Do the same configuration for FG2 (remote IP is 10.10.10.1/24 and local IP is 192.168.10.0/24).
    Figure 4.31: Authentication in FG2
  6. Complete the Policy & Routing step on FG2.
    Figure 4.32: Policy & Routing in FG2
  7. Configure IPsec Tunnels.
    Figure 4.33: Configure IPsec Tunnels

    Then go to IPsec Tunnels and double-click the tunnel, which is shown as Inactive.

    In the next window, right-click the tunnel > Bring Up > All Phase 2 Selectors. Your tunnel should now be up.

    Figure 4.34: Bring up IPsec Tunnel
    Figure 4.35: Verify the status of the tunnel
  8. Go to Logs & Reports > Event > VPN Event and verify your configuration.
    Figure 4.36: Verify configuration

    You should be able to ping from WebTerm1 to WebTerm2.

    Figure 4.37: Verify configuration
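What the wizard in steps 1 to 3 generates on FG1, written as FortiOS CLI; this is an added example, not part of the original chapter. It assumes the tunnel is named S2S-FG1 and that <PSK> stands for the pre-shared key; the two policies and the static route are the objects the wizard creates, and FG2 gets the mirror image (remote-gw 10.10.10.1, subnets swapped).

```fortios
config vpn ipsec phase1-interface
    edit "S2S-FG1"
        set interface "port3"
        set remote-gw 10.10.10.2
        set psksecret <PSK>
    next
end
config vpn ipsec phase2-interface
    edit "S2S-FG1"
        set phase1name "S2S-FG1"
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
config firewall address
    edit "S2S-FG1_local"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "S2S-FG1_remote"
        set subnet 192.168.10.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "vpn_S2S-FG1_local"
        set srcintf "port2"
        set dstintf "S2S-FG1"
        set srcaddr "S2S-FG1_local"
        set dstaddr "S2S-FG1_remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vpn_S2S-FG1_remote"
        set srcintf "S2S-FG1"
        set dstintf "port2"
        set srcaddr "S2S-FG1_remote"
        set dstaddr "S2S-FG1_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "S2S-FG1"
    next
end
```

The second static route the wizard adds is a blackhole route for 192.168.10.0/24 with distance 254, so that while the tunnel is down traffic for the remote LAN is dropped rather than following the default route out port3.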

License


FortiGate Firewall Copyright © 2023 by Hamid Talebi is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.
