Configuring the IPsec VPN
A route-based VPN is required. In this chapter, preshared key authentication is shown. Certificate authentication is also possible. Both FortiGate units need this configuration.
To configure Phase 1
1. Define the phase 1 configuration needed to establish a secure connection with the other FortiGate unit. For more information, see “Auto Key phase 1 parameters”. Enter these settings in particular:
   Name: Enter a name to identify the VPN tunnel, tunnel_wan1 for example. This becomes the name of the virtual IPsec interface.
   Remote Gateway: Select Static IP Address.
   IP Address: Enter the IP address of the other FortiGate unit’s public (Port 2) interface.
   Local Interface: Select this FortiGate unit’s public (Port 2) interface.
   Mode: Select Main (ID Protection).
   Authentication Method: Preshared Key
   Pre-shared Key: Enter the preshared key. It must match the preshared key on the other FortiGate unit.
   Advanced: Select Advanced.
   Enable IPsec Interface Mode: Enable
To assign the tunnel end IP addresses
1. Go to System > Network > Interfaces, select the virtual IPsec interface that you just created on Port 2 and select Edit.
2. In the IP and Remote IP fields, enter the following tunnel end addresses:
                FortiGate_1    FortiGate_2
   IP           10.1.1.1       10.1.1.2
   Remote_IP    10.1.1.2       10.1.1.1
These addresses are from a network that is not used for anything else.
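The Phase 1 and tunnel-address settings above, written as FortiOS CLI for FortiGate_1. This is an added example, not part of the original page; the interface name port2 and the values in angle brackets are assumptions and placeholders to replace with your own.

```fortios
# FortiGate_1 (added example; angle-bracket values are placeholders)
config vpn ipsec phase1-interface
    # The entry name becomes the name of the virtual IPsec interface
    edit "tunnel_wan1"
        # Remote Gateway: Static IP Address
        set type static
        # Local Interface: this unit's public (Port 2) interface
        set interface "port2"
        # IP Address: the other unit's public (Port 2) address
        set remote-gw <FortiGate_2-public-IP>
        # Mode: Main (ID Protection)
        set mode main
        # Authentication Method: Preshared Key, identical on both units
        set authmethod psk
        set psksecret <preshared-key>
    next
end

# Tunnel end addresses on the virtual IPsec interface
config system interface
    edit "tunnel_wan1"
        set ip 10.1.1.1 255.255.255.255
        set remote-ip 10.1.1.2
    next
end
```

On FortiGate_2 the same blocks apply with remote-gw pointing at FortiGate_1's public address and the two tunnel addresses swapped (ip 10.1.1.2, remote-ip 10.1.1.1).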
To configure Phase 2
1. Enter a name to identify this phase 2 configuration, twan1_p2, for example.
2. Select the name of the phase 1 configuration that you defined in Step 1, tunnel_wan1 for example.