Configuring FortiGate_2
The configuration for FortiGate_2 is very similar that of FortiGate_1. You must
• configure the interfaces involved in the VPN
• define the phase 1 configuration for each of the four possible paths, creating a virtual IPsec interface for each one
• define the phase 2 configuration for each of the four possible paths
• configure routes for the four IPsec interfaces, assigning the appropriate priorities
• configure incoming and outgoing security policies between the internal interface and each of the virtual IPsec interfaces
To configure the network interfaces
1. Go to System > Network > Interfaces.
2. Select the Internal interface and then select Edit. Enter the following information and then select OK:
Addressing mode | Manual |
IP/Netmask | 10.31.101.0/255.255.255.0 |
3. Select the WAN1 interface and then select Edit. Enter the following information and then select OK:
Addressing mode | Manual |
IP/Netmask | 192.168.20.2/255.255.255.0 |
4. Select the WAN2 interface and then select Edit. Enter the following information and then select OK:
Addressing mode | Manual |
IP/Netmask | 172.16.30.2/255.255.255.0 |
To configure the IPsec interfaces (phase 1 configurations)
1. Go to VPN > IPsec > Auto Key (IKE).
2. Select Create Phase 1, enter the following information, and select OK:
Name | Site_2_A |
Remote Gateway | Static IP Address |
IP Address | 192.168.10.2 |
Local Interface | WAN1 |
Mode | Main |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. |
Peer Options | Accept any peer ID |
Advanced | |
Enable IPsec Interface Mode | Select |
Dead Peer Detection | Select |
3. Select Create Phase 1, enter the following information, and select OK:
Name | Site_2_B |
Remote Gateway | Static IP Address |
IP Address | 172.16.20.2 |
Local Interface | WAN1 |
Mode | Main |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. |
Peer Options | Accept any peer ID |
Advanced | |
Enable IPsec Interface Mode | Select |
Dead Peer Detection | Select |
4. Select Create Phase 1, enter the following information, and select OK:
Name | Site_2_C |
Remote Gateway | Static IP Address |
IP Address | 192.168.10.2 |
Local Interface | WAN1 |
Mode | Main |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. |
Peer Options | Accept any peer ID |
Advanced | |
Enable IPsec Interface Mode | Select |
Dead Peer Detection | Select |
5. Select Create Phase 1, enter the following information, and select OK:
Name | Site_2_D |
Remote Gateway | Static IP Address |
IP Address | 172.16.20.2 |
Local Interface | WAN1 |
Mode | Main |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. |
Peer Options | Accept any peer ID |
Advanced | |
Enable IPsec Interface Mode | Select |
Dead Peer Detection | Select |
To define the phase 2 configurations for the four VPNs
1. Go to VPN > IPsec > Auto Key (IKE).
2. Select Create Phase 2, enter the following information and select OK:
Name | Route_A |
Phase 1 | Site_2_A |
3. Select Create Phase 2, enter the following information and select OK:
Name | Route_B |
Phase 1 | Site_2_B |
4. Select Create Phase 2, enter the following information and select OK:
Name | Route_C |
Phase 1 | Site_2_C |
5. Select Create Phase 2, enter the following information and select OK:
Name | Route_D |
Phase 1 | Site_2_D |
To configure routes
1. Go to Router > Static > Static Routes.
For low-end FortiGate units, go to System > Network > Routing.
2. Select Create New, enter the following default gateway information and then select OK:
Destination IP/Mask | 0.0.0.0/0.0.0.0 |
Device | WAN1 |
Gateway | 192.168.10.1 |
Distance (Advanced) | 10 |
3. Select Create New, enter the following information and then select OK:
Destination IP/Mask | 10.21.101.0/255.255.255.0 |
Device | Site_2_A |
Distance (Advanced) | 1 |
4. Select Create New, enter the following information and then select OK:
Destination IP/Mask | 10.21.101.0/255.255.255.0 |
Device | Site_2_B |
Distance (Advanced) | 2 |
5. Select Create New, enter the following information and then select OK:
Destination IP/Mask | 10.21.101.0/255.255.255.0 |
Device | Site_2_C |
Distance (Advanced) | 3 |
6. Select Create New, enter the following information and then select OK:
Destination IP/Mask | 10.21.101.0/255.255.255.0 |
Device | Site_2_D |
Distance (Advanced) | 4 |
To configure security policies
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK:
Incoming Interface | Internal |
Source Address | All |
Outgoing Interface | Site_2_A |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
4. Select Create New.
5. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
6. Enter the following information, and select OK:
Incoming Interface | Site_2_A |
Source Address | All |
Outgoing Interface | Internal |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
7. Select Create New.
8. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
9. Enter the following information, and select OK:
Incoming Interface | Internal |
Source Address | All |
Outgoing Interface | Site_2_B |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
10. Select Create New.
11. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
12. Enter the following information, and select OK:
Incoming Interface | Site_2_B |
Source Address | All |
Outgoing Interface | Internal |
Destination Address Name | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
13. Select Create New.
14. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
15. Enter the following information, and select OK:
Incoming Interface | Internal |
Source Address | All |
Outgoing Interface | Site_2_C |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
16. Select Create New.
17. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
18. Enter the following information, and select OK:
Incoming Interface | Site_2_C |
Source Address | All |
Outgoing Interface | Internal |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
19. Select Create New.
20. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
21. Enter the following information, and select OK:
Incoming Interface | Internal |
Source Address | All |
Outgoing Interface | Site_2_D |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
22. Select Create New.
23. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
24. Enter the following information, and select OK:
Incoming Interface | Site_2_D |
Source Address | All |
Outgoing Interface | Internal |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |