Configuring Basic VPN Site-to-site between two FortiGates

There are some requirements to create a VPN tunnel on a firewall:

  • the presence of a configured external interface that the devices will be connected through;
  • internal network;
  • access to the FortiGate web interface.

Learn more in the connection instruction.

Configuring Brunch

To configure Brunch:

  1. Go to the VPN → IPSec Wizard section. There are three steps to go through in the setup wizard: VPN Setup, Authentication и Policy & Routing.
  2. In the VPN Setup step, set Template Type to Site to Site.
  3. Set Remote Device Type to FortiGate
  4. Set NAT Configuration to No NAT between sites.
  5. Click Next to proceed with configuration.
  6. In the Authentication step, set Remote device to IP Address.
  7. Enter the external address of another site in the Remote IP Address field.
  8. In the Outgoing Interface field, select the external interface (wan(port1) is used in the example).
  9. Make sure that Authentication Method is set to Pre-shared key.
  10. Enter the key value in the Pre-shared Key field.
  11. Click Next to proceed with configuration.
  12. In the Policy & Routing step in the Local Interface field, select the internal interface (lan(port2) is used in the example).
  13. The local subnet address will automatically be added to the Local subnets field.
  14. Enter the local subnet address of another site in the Remote IP Address field.
  15. Set Internet Access to None.

After creating a VPN tunnel, a summary of the created objects will appear on the screen.

Configuring HQ

Apply the settings in the same way as in the previous section.

After applying the settings:

  • a new HQ to Brunch with the Up status will be displayed in the list of all IPsec VPN tunnels;
  • a new interface under the external one (through which the connection passes) will be displayed in the list of interfaces.

A user on either of the office networks should be able to connect to any address on the other office network transparently.

If you need to generate traffic to test the connection, ping the Branch FortiGate’s internal interface from the HQ’s internal network. To do this, set the internal interface for the ping operation in the CLI as the source:

HQ # exec ping-options source 192.168.200.2
 
HQ # exec ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2): 56 data bytes
64 bytes from 192.168.100.2: icmp_seq=0 ttl=255 time=0.6 ms
64 bytes from 192.168.100.2: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.100.2: icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from 192.168.100.2: icmp_seq=4 ttl=255 time=0.6 ms
 
--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.6 ms