VPN configurations interact with the firewall component of the FortiGate unit. There must be a security policy in place to permit traffic to pass between the private network and the VPN tunnel.
Security policies for VPNs specify:
- the FortiGate interface that provides the physical connection to the remote VPN gateway, usually an interface connected to the Internet
- the FortiGate interface that connects to the private network
- IP addresses associated with data that has to be encrypted and decrypted
- optionally, a schedule that restricts when the VPN can operate
- optionally, the services (types of data) that can be sent
When the first packet of data that meets all of the conditions of the security policy arrives at the FortiGate unit, a VPN tunnel may be initiated and the encryption or decryption of data is performed automatically afterward.
FortiGate unit VPNs can be policy-based or route-based. There is little difference between the two types. In both cases, you specify phase 1 and phase 2 settings. However there is a difference in implementation. A route-based VPN creates a virtual IPsec network interface that applies encryption or decryption as needed to any traffic that it carries. That is why route-based VPNs are also known as interface-based VPNs. A policy-based VPN is implemented through a special security policy that applies the encryption you specified in the phase 1 and phase 2 settings. (FortiOS™ Handbook, IPsec VPN for FortiOS 5.0)
As shown in above diagram I have FortiGate 600C unit (with a Static IP) at Head Office, FortiGate 40C (with an ADSL connection) at Site Office.
Let’s start with the site office first.
Assume you have ADSL connection at site office, so configure the WAN interface as PPPoE addressing mode. Enter Username and Password details and save the configuration.
You will see the public ip address which has taken from the interface. If you need detailed steps about configuring ADSL Connection with PPPoE mode refer this article (Configure FortiGate DDNS with ADSL Connection).
Go to System -> Network -> DNS
Enable FortiGuard DDNS. Select your external interface and specify a unique name with selected DDNS server.
Verify the name resolution.
Now go to VPN -> IPsec -> Auto Key (IKE), and click Create Phase 1. (If VPN menu isn’t available go to System -> Config -> Features and enable the feature)
Enter a Name, Select Static IP Address as Remote Gateway, specify static IP Address of the head office. Choose interface, mode as aggressive. specify a Pre-shared key and save the configuration.
Let’s create Phase 2
Give Phase 2 a name and select previously created Phase 1 object.
Remove Retrieve default gateway from server setting.
Then configure dynamic gateway settings.
config router static
set dst 0.0.0.0 0.0.0.0
set dynamic-gateway enable
set device wan1
Now create a static route. Enter Destination IP/Mask and select IPSec phase 1 object as Device.
Now go to Firewall Objects -> Address -> Addresses and create two address objects to Head Office server subnet and Site Office LAN subnet.
Create firewall policies.
Select LAN interface as a Incoming interface, select source address | Select IPsec Phase 1 object as outgoing interface, select destination address.
Enable NAT option.
If you need access to both sides create two firewall rules.
Its time to configure Head Office Firewall. Go to VPN -> IPsec -> Auto Key (IKE), create Phase 1. Select remote gateway (Dynamic DNS), specify DDNS FQDN (doitfixit-kandy.fortiddns.com), select Internet interface. Enter same Pre-shared key specified in branch office firewall.
Create a Firewall object to branch office subnet.
Now do the Phase 2 configuration.
Create firewall policies. Create two firewall policies if you want access to both sides.
Create a static route. Specify Destination IP/Mask choose Phase 1 object as Device.
Now log on to one of branch office computer and try to ping head office server.
Now follow the path VPN -> Monitor -> IPsec Monitor, and you will see the status of the VPN.