Configuring FortiGate_2
The configuration for FortiGate_2 is similar to that of FortiGate_1. You must
• configure the interface involved in the VPN
• define the Phase 1 configuration for the primary and redundant paths, creating a virtual IPsec interface for each one
• define the Phase 2 configurations for the primary and redundant paths, defining the internal network as the source address so that FortiGate_1 can automatically configure routing
• configure the routes for the two IPsec interfaces, assigning the appropriate priorities
• configure security policies between the internal interface and each of the virtual IPsec interfaces
To configure the network interfaces
1. Go to System > Network > Interfaces.
2. Select the Internal interface and select Edit. Enter the following information and select OK:
Addressing mode | Manual |
IP/Netmask | 10.31.101.2/255.255.255.0 |
3. Select the WAN1 interface and select Edit. Set the Addressing mode to DHCP.
To configure the two IPsec interfaces (Phase 1 configurations)
1. Go to VPN > IPsec > Tunnels and create the new custom tunnel or edit an existing tunnel.
2. Edit the Phase 1 Proposal (if it is not available, you may need to click the Convert to Custom Tunnel button).
3. Enter the following information, and select OK:
Name | Site_2_A |
Remote Gateway | Static IP Address |
IP Address | 192.168.10.2 |
Local Interface | WAN1 |
Mode | Main |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. |
Peer Options | Any peer ID |
Advanced | |
Dead Peer Detection | Select |
4. Create a new tunnel and enter the following Phase 1 information:
Name | Site_2_B |
Remote Gateway | Static IP Address |
IP Address | 172.16.20.2 |
Local Interface | WAN1 |
Mode | Main |
Authentication Method | Preshared Key |
Pre-shared Key | Enter the preshared key. |
Peer Options | Any peer ID |
Advanced | |
Dead Peer Detection | Select |
To define the Phase 2 configurations for the two VPNs
1. Open the Phase 2 Selectors panel.
2. Enter the following information and select OK:
Name | Route_A |
Phase 1 | Site_2_A |
Advanced | |
Source Address | 10.31.101.0/24 |
3. Enter the following Phase 2 information for the subsequent route:
Name | Route_B |
Phase 1 | Site_2_B |
Advanced | |
Source Address | 10.31.101.0/24 |
To configure routes
1. Go to Router > Static > Static Routes.
For low-end FortiGate units, go to System > Network > Routing.
2. Select Create New, enter the following information and then select OK:
Destination IP/Mask | 10.21.101.0/255.255.255.0 |
Device | Site_2_A |
Distance (Advanced) | 1 |
3. Select Create New, enter the following information and then select OK:
Destination IP/Mask | 10.21.101.0/255.255.255.0 |
Device | Site_2_B |
Distance (Advanced) | 2 |
To configure security policies
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK:
Incoming Interface | Internal |
Source Address | All |
Outgoing Interface | Site_2_A |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |
4. Select Create New.
5. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
6. Enter the following information, and select OK:
Incoming Interface | Internal |
Source Address | All |
Outgoing Interface | Site_2_B |
Destination Address | All |
Schedule | Always |
Service | Any |
Action | ACCEPT |