Configuring FortiGate_2
The configuration for FortiGate_2 is very similar to that of FortiGate_1. You must:
• Configure the interfaces involved in the VPN.
• Define the Phase 1 configuration for each of the four possible paths, creating a virtual IPsec interface for each one.
• Define the Phase 2 configuration for each of the four possible paths.
• Configure routes for the four IPsec interfaces, assigning the appropriate priorities.
• Configure incoming and outgoing security policies between the internal interface and each of the virtual IPsec interfaces.
To configure the network interfaces
1. Go to System > Network > Interfaces.
2. Select the Internal interface and then select Edit. Enter the following information and then select OK:
Addressing mode | Manual |
IP/Netmask | 10.31.101.0/255.255.255.0 |
3. Select the WAN1 interface and then select Edit. Enter the following information and then select OK:
Addressing mode | Manual |
IP/Netmask | 192.168.20.2/255.255.255.0 |
4. Select the WAN2 interface and then select Edit. Enter the following information and then select OK:
Addressing mode | Manual |
IP/Netmask | 172.16.30.2/255.255.255.0 |
To configure the IPsec interfaces (Phase 1 configurations)
1. Go to VPN > IPsec > Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. Enter the following information, and select OK:
Name | Site_2_A |
Remote Gateway | Static IP Address |
IP Address | 192.168.10.2 |
Local Interface | WAN1 |
Mode | Main |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. |
Peer Options | Any peer ID |
Advanced | |
Dead Peer Detection | Select |
4. Create a new tunnel and enter the following Phase 1 information:
Name | Site_2_B |
Remote Gateway | Static IP Address |
IP Address | 172.16.20.2 |
Local Interface | WAN1 |
Mode | Main |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. |
Peer Options | Any peer ID |
Advanced | |
Dead Peer Detection | Select |
5. Create a new tunnel and enter the following Phase 1 information:
Name | Site_2_C |
Remote Gateway | Static IP Address |
IP Address | 192.168.10.2 |
Local Interface | WAN1 |
Mode | Main |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. |
Peer Options | Any peer ID |
Advanced | |
Dead Peer Detection | Select |
6. Create a new tunnel and enter the following Phase 1 information:
Name | Site_2_D |
Remote Gateway | Static IP Address |
IP Address | 172.16.20.2 |
Local Interface | WAN1 |
Mode | Main |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. |
Peer Options | Any peer ID |
Advanced | |
Dead Peer Detection | Select |
To define the Phase 2 configurations for the four VPNs
1. On the first VPN route, open the Phase 2 Selectors panel.
2. Enter the following information and select OK:
Name | Route_A |
Phase 1 | Site_2_A |
3. Enter the following Phase 2 information for the subsequent route:
Name | Route_B |
Phase 1 | Site_2_B |
4. Enter the following Phase 2 information for the subsequent route:
Name | Route_C |
Phase 1 | Site_2_C |
5. Enter the following Phase 2 information for the subsequent route:
Name | Route_D |
Phase 1 | Site_2_D |
To configure routes
1. Go to Router > Static > Static Routes.
For low-end FortiGate units, go to System > Network > Routing.
2. Select Create New, enter the following default gateway information and then select OK:
Destination IP/Mask | 0.0.0.0/0.0.0.0 |
Device | WAN1 |
Gateway | 192.168.10.1 |
Distance (Advanced) | 10 |
3. Select Create New, enter the following information and then select OK:
Destination IP/Mask | 10.21.101.0/255.255.255.0 |
Device | Site_2_A |
Distance (Advanced) | 1 |
4. Select Create New, enter the following information and then select OK:
Destination IP/Mask | 10.21.101.0/255.255.255.0 |
Device | Site_2_B |
Distance (Advanced) | 2 |
5. Select Create New, enter the following information and then select OK:
Destination IP/Mask | 10.21.101.0/255.255.255.0 |
Device | Site_2_C |
Distance (Advanced) | 3 |
6. Select Create New, enter the following information and then select OK:
Destination IP/Mask | 10.21.101.0/255.255.255.0 |
Device | Site_2_D |
Distance (Advanced) | 4 |
To configure security policies
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK:
Incoming Interface | Internal |
Source Address | All |
Outgoing Interface | Site_2_A |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
4. Select Create New.
5. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
6. Enter the following information, and select OK:
Incoming Interface | Site_2_A |
Source Address | All |
Outgoing Interface | Internal |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
7. Select Create New.
8. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
9. Enter the following information, and select OK:
Incoming Interface | Internal |
Source Address | All |
Outgoing Interface | Site_2_B |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
10. Select Create New.
11. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
12. Enter the following information, and select OK:
Incoming Interface | Site_2_B |
Source Address | All |
Outgoing Interface | Internal |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
13. Select Create New.
14. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
15. Enter the following information, and select OK:
Incoming Interface | Internal |
Source Address | All |
Outgoing Interface | Site_2_C |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
16. Select Create New.
17. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
18. Enter the following information, and select OK:
Incoming Interface | Site_2_C |
Source Address | All |
Outgoing Interface | Internal |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
19. Select Create New.
20. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
21. Enter the following information, and select OK:
Incoming Interface | Internal |
Source Address | All |
Outgoing Interface | Site_2_D |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
22. Select Create New.
23. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
24. Enter the following information, and select OK:
Incoming Interface | Site_2_D |
Source Address | All |
Outgoing Interface | Internal |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
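The following script is added here as an example and is not part of Fortinet's documentation. It models the FortiGate_2 objects from the tables above and checks the wiring between them: every Phase 2 selector references a defined Phase 1, every IPsec interface has a route to the remote (FortiGate_1 side) LAN with a unique distance so the failover order is unambiguous, and each interface has a policy in both directions with Internal. It also flags any tunnel whose local interface and remote gateway match an earlier tunnel, since such a pair rides one physical path. Tunnel, route and policy values are taken from this procedure; the checker itself is my own construction, not a FortiOS feature.

```python
from collections import Counter

# Constructed from the tables in this procedure (FortiGate_2 side).
PHASE1 = {  # tunnel name: (local interface, remote gateway)
    "Site_2_A": ("WAN1", "192.168.10.2"), "Site_2_B": ("WAN1", "172.16.20.2"),
    "Site_2_C": ("WAN1", "192.168.10.2"), "Site_2_D": ("WAN1", "172.16.20.2")}
PHASE2 = {"Route_A": "Site_2_A", "Route_B": "Site_2_B",
          "Route_C": "Site_2_C", "Route_D": "Site_2_D"}
REMOTE_LAN = "10.21.101.0/24"  # destination of the four static routes
ROUTES = [(REMOTE_LAN, "Site_2_A", 1), (REMOTE_LAN, "Site_2_B", 2),
          (REMOTE_LAN, "Site_2_C", 3), (REMOTE_LAN, "Site_2_D", 4)]
POLICIES = [("Internal", t) for t in PHASE1] + [(t, "Internal") for t in PHASE1]


def failover_order(routes, remote_lan=REMOTE_LAN):
    """IPsec interfaces in the order the unit prefers them (lowest distance first)."""
    hits = [(dist, dev) for dst, dev, dist in routes if dst == remote_lan]
    return [dev for dist, dev in sorted(hits)]


def check_redundant_vpn(phase1, phase2, routes, policies, remote_lan=REMOTE_LAN):
    """Return a list of findings; an empty list means the wiring is consistent."""
    findings = []
    # 1. Every Phase 2 selector must reference a defined Phase 1 (virtual IPsec interface).
    for p2, p1 in phase2.items():
        if p1 not in phase1:
            findings.append(f"{p2}: Phase 1 '{p1}' is not defined")
    # 2. Every tunnel needs a route to the remote LAN, and distances must be unique;
    #    equal distances leave the failover order between tunnels ambiguous.
    routed = {dev: dist for dst, dev, dist in routes if dst == remote_lan}
    findings += [f"{p1}: no static route to {remote_lan}" for p1 in phase1 if p1 not in routed]
    dup = sorted(d for d, n in Counter(routed.values()).items() if n > 1)
    if dup:
        findings.append(f"duplicate route distances {dup}: failover order is ambiguous")
    # 3. Each tunnel needs a policy in both directions with Internal; without one,
    #    traffic in that direction falls through to the implicit deny.
    pol = set(policies)
    for p1 in phase1:
        for pair in (("Internal", p1), (p1, "Internal")):
            if pair not in pol:
                findings.append(f"missing policy {pair[0]} -> {pair[1]}")
    # 4. Two tunnels with the same local interface and remote gateway share one
    #    physical path, so the second adds no independent redundancy: flag for review.
    seen = {}
    for p1, path in phase1.items():
        if path in seen:
            findings.append(f"{p1} shares path {path[0]} -> {path[1]} with {seen[path]}")
        seen.setdefault(path, p1)
    return findings


if __name__ == "__main__":
    print("preferred order:", failover_order(ROUTES))
    for f in check_redundant_vpn(PHASE1, PHASE2, ROUTES, POLICIES) or ["no findings"]:
        print(" -", f)
```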