Tuesday, March 25, 2008

Fortinet to non-Fortinet site-to-site VPNs

When configuring site-to-site VPNs between a FortiGate unit and another vendor's VPN gateway, configure only one local/remote subnet pair per Phase 2. Although the FortiGate can associate multiple subnets (aka "proxy IDs" or traffic selectors) with a single Phase 2 SA, most other vendors do not support this and will only negotiate a single selector pair per SA. Also, some vendors will not accept an IP range as a selector/proxy ID, so be sure to define your firewall addresses as subnets, not ranges.

Example: IPsec VPN between a FortiGate and a Cisco PIX
  • Several subnets are hosted behind the PIX and the FortiGate (e.g. 10.1.1.0/24 and 10.1.2.0/24 behind the FortiGate, and 192.168.1.0/24 and 192.168.2.0/24 behind the PIX).
  • The remote subnets (or hosts) are defined on the FortiGate as an address group (192.168.1.0/24 and 192.168.2.0/24).
Because the PIX creates one SA (security association) per access-list entry, while the FortiGate creates one SA per Phase 2, the FortiGate must have a separate Phase 2 entry for each access-list line in the PIX config (see below). Each Phase 2's local and remote selectors must mirror the corresponding access-list line with source and destination swapped. Note that the two lines below only pair 192.168.1.0/24 with 10.1.1.0/24 and 192.168.2.0/24 with 10.1.2.0/24; if every local subnet must reach every remote subnet, you need one access-list line (and one matching Phase 2) per subnet pair.

access-list ipsec_vpn permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ipsec_vpn permit ip 192.168.2.0 255.255.255.0 10.1.2.0 255.255.255.0


Using VPN in policy mode on the FortiGate:
  • Create two address groups, one containing your local networks and one containing the remote networks.
  • Add a policy with your local group as the source, the remote group as the destination and the action set to IPSEC. Select the corresponding VPN tunnel (the Phase 1 for the remote firewall) from the drop-down list.
  • In FortiOS 3.0 the firewall policy points at a VPN tunnel (Phase 1) rather than at a specific Phase 2 SA. This lets you define a single policy covering both address groups; the FortiGate matches each packet's source and destination against the Phase 2 selectors and picks the appropriate SA automatically.
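The same setup expressed in FortiOS CLI, as an added example that is not part of the original post. The interface names, tunnel names, the PIX's public address (203.0.113.1), the pre-shared key placeholder and the 3DES/SHA1 proposal are assumptions; the keywords follow the FortiOS 3.x policy-mode CLI and may differ in later releases. The two Phase 2 entries mirror the two PIX access-list lines above with source and destination swapped, and a single IPSEC policy between the two address groups covers both.

```text
# Phase 1: one tunnel to the PIX (name, interface, peer address and PSK are assumptions)
config vpn ipsec phase1
    edit "to_pix"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set proposal 3des-sha1
        set psksecret <pre-shared-key>
    next
end

# Phase 2: one entry per PIX access-list line, each carrying a single subnet pair.
# FortiGate src-subnet = PIX access-list destination; dst-subnet = PIX access-list source.
config vpn ipsec phase2
    edit "to_pix_net1"
        set phase1name "to_pix"
        set proposal 3des-sha1
        set src-addr-type subnet
        set src-subnet 10.1.1.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 192.168.1.0 255.255.255.0
    next
    edit "to_pix_net2"
        set phase1name "to_pix"
        set proposal 3des-sha1
        set src-addr-type subnet
        set src-subnet 10.1.2.0 255.255.255.0
        set dst-addr-type subnet
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Firewall addresses defined as subnets, not ranges, so the selectors stay plain subnets
config firewall address
    edit "local_10.1.1.0"
        set subnet 10.1.1.0 255.255.255.0
    next
    edit "local_10.1.2.0"
        set subnet 10.1.2.0 255.255.255.0
    next
    edit "pix_192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "pix_192.168.2.0"
        set subnet 192.168.2.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "local_nets"
        set member "local_10.1.1.0" "local_10.1.2.0"
    next
    edit "pix_nets"
        set member "pix_192.168.1.0" "pix_192.168.2.0"
    next
end

# One policy-mode IPSEC policy pointing at the Phase 1; the unit picks the Phase 2 SA per packet
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "local_nets"
        set dstaddr "pix_nets"
        set action ipsec
        set vpntunnel "to_pix"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ANY"
    next
end
```

Traffic from 10.1.1.0/24 to 192.168.1.0/24 is matched to to_pix_net1 and traffic from 10.1.2.0/24 to 192.168.2.0/24 to to_pix_net2; a packet from 10.1.1.0/24 to 192.168.2.0/24 matches no Phase 2 and is dropped until a third entry (and a matching PIX access-list line) is added. Defining the pix_nets members as address ranges instead would put an IP range into the Phase 2 proposal, which is exactly the case the text above warns other vendors may refuse.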

5 comments:

OutRight (CAlvareza) said...

Thanks for your information... =)
It was very useful for my configuration.!!

Blue Crescentmoon said...

We have something similar to this setup. Only, instead of one end device (ASA), we have one IP segment going to one device (Cisco 1841) and the other segment to the Cisco ASA 5505. This setup is based on PBR, which it seems the FortiGate has difficulty with. In its place, we have had to create static routes using different gateways. Unfortunately, when trying to ping and/or telnet the second phase 2 segment's network, the FortiGate cannot find the policy needed to assess what the activity can or cannot do, even though there is a policy. For this particular situation, there are two static routes to this ASA device with different routing costs. Any ideas?

Sebastian said...

Sounds like a question for the support forums:
http://support.fortinet.com/forum

Dave said...

Great information. Thanks!
It works in your setup, but you still have to create two phase 2s on the FortiGate if the source interfaces are different,
e.g. Internal and WiFi in my setup.

Unknown said...

Your guide gave me some ideas to prepare a complete guide with latest FortiOS and SonicOS, the guide is here, http://www.sysprobs.com/guide-to-setup-vpn-between-sonicwall-and-fortigate-ipsec-site-to-site-vpn