Chapter 4. VPN
- Configure an IPsec VPN
- Configure a site-to-site VPN
| Device | Interface settings |
|---|---|
| FortiGate | Port 1: DHCP client; Port 2: 192.168.0.1/24; DHCP server (192.168.0.10 to 192.168.0.20) |
Before you begin the configuration, remember that for VPCs and WebTerms this is how their IP settings are edited, for static or DHCP addressing:
Before dragging WebTerms or other devices into the topology, remember to always choose GNS3 VM:
- Set up a DHCP server on interface port2 (IP address range: 192.168.0.20 to 192.168.0.30, DNS: 18.104.22.168).
- Go to User & Authentication > User Group > Create New:
- Name: VPN_GRP_A0ID
- TYPE: Firewall
- Go to User & Authentication > User Definition > Create a User:
- Add the new user to the user group VPN_GRP_A0ID.
- Go to VPN > IPsec Wizard.
- Name: A0ID-VPN (A0ID is your student ID)
- Template Type: Remote Access
- Remote Device Type: FortiClient
- Incoming Interface: Port1
- Pre-shared Key: <choose a key as you would a password>
- User Group: VPN_GRP_A0ID
- Local Interface: Port 2
- Local Address: add your local IP address range (192.168.0.0/24)
- Client Range: 172.16.0.1 to 172.16.0.10
- Subnet Mask: 255.255.255.0
- Disable Split Tunneling
- On the Windows machine, download FortiClient from Fortinet, install it, and configure an IPsec connection with the settings from the previous steps. The remote gateway IP is the Port1 IP address.
- You should be able to ping the VPC from Windows.
Site-to-Site VPN (IPsec VPN)
To validate the firewalls' licences, we are going to connect them to the Internet.
- On the FG1, go to VPN > IPsec Wizard and select Site to Site – FortiGate.
- Select Site to Site / FortiGate / No NAT. Enter Remote IP: 10.10.10.2/24 and Outgoing Interface: port3.
- Local Interface: port2, Local subnet: 192.168.20.0/24, Remote subnet: 192.168.10.0/24. From these settings the wizard creates two firewall policies and two static routes on the firewall.
- On the FG2, go to VPN > IPsec Wizard and select Site-to-Site – FortiGate.
- Repeat the same configuration on FG2 (remote IP 10.10.10.1/24, local subnet 192.168.10.0/24).
- Then go to VPN > IPsec Tunnels and double-click the tunnel shown as Inactive.
- In the window that opens, right-click the tunnel > Bring Up > All Phase 2 Selectors. The tunnel should now come up.
- Go to Logs & Reports > Event > VPN Event and verify your configuration.
- You should be able to ping from WebTerm1 to WebTerm2.
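The two wizard runs on FG1 and FG2 must be exact mirrors of each other: the remote gateway on each side is the peer's port3 address, and the phase 2 selectors are reversed. A mismatch there is the usual reason a tunnel stays Inactive. The script below is an added example, not part of the chapter or of Fortinet's tooling: it renders the FortiOS CLI equivalent of what the wizard creates for both peers (phase 1, phase 2 and the static route; the two firewall policies are left out) from one shared description, so the mirror property holds by construction. Device names, interface names and addresses are the lab values from this chapter; the pre-shared key is a placeholder.

```python
from ipaddress import ip_interface, ip_network
# Lab values from this chapter (constructed dicts); port3 is each FortiGate's WAN side.
FG1 = {"name": "FG1", "wan_if": "port3", "wan_ip": "10.10.10.1/24",
       "lan": "192.168.20.0/24"}
FG2 = {"name": "FG2", "wan_if": "port3", "wan_ip": "10.10.10.2/24",
       "lan": "192.168.10.0/24"}

def dotted(net):
    """'192.168.20.0/24' -> '192.168.20.0 255.255.255.0', the form FortiOS expects."""
    n = ip_network(net)
    return f"{n.network_address} {n.netmask}"

def render(local, remote, psk):
    """FortiOS CLI for one peer: phase 1 to the peer's WAN IP, phase 2, static route."""
    if ip_network(local["lan"]).overlaps(ip_network(remote["lan"])):
        raise ValueError("LAN subnets overlap; phase 2 selectors would be ambiguous")
    tun = f"{local['name']}-to-{remote['name']}"
    return f"""config vpn ipsec phase1-interface
    edit "{tun}"
        set interface "{local['wan_if']}"
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw {ip_interface(remote['wan_ip']).ip}
        set psksecret {psk}
    next
end
config vpn ipsec phase2-interface
    edit "{tun}"
        set phase1name "{tun}"
        set src-subnet {dotted(local['lan'])}
        set dst-subnet {dotted(remote['lan'])}
    next
end
config router static
    edit 0
        set dst {dotted(remote['lan'])}
        set device "{tun}"
    next
end"""
def selectors(cli):
    """Return (src-subnet, dst-subnet) from a rendered phase 2 block, for checking."""
    vals = {}
    for line in cli.splitlines():
        words = line.split()
        if len(words) == 4 and words[1] in ("src-subnet", "dst-subnet"):
            vals[words[1]] = f"{words[2]} {words[3]}"
    return vals["src-subnet"], vals["dst-subnet"]
if __name__ == "__main__":
    for a, b in ((FG1, FG2), (FG2, FG1)):
        print(render(a, b, "<PRE-SHARED-KEY>"))  # same placeholder PSK on both ends
```

Running it prints the FG1 and FG2 configurations one after the other; `selectors()` on each output shows the phase 2 subnets swapped between the two sides, which is exactly what the GUI wizard must also produce.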