Set up a VPN from a Firebox to a Fortinet FortiGate Device

A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This topic tells you how to define a manual BOVPN tunnel between a WatchGuard Firebox and a Fortinet FortiGate (OS v4.0) device. Before you create a BOVPN tunnel, you must collect the IP addresses from each endpoint and agree on the common tunnel settings to use.

This topic does not give detailed information about the different BOVPN settings or how they affect an existing tunnel. If you want to know more about a particular setting, see:

To configure a VPN from a Firebox Cloud instance to a Fortinet FortiGate device, see Configure a VPN between Firebox Cloud and a FortiNet FortiGate device in the WatchGuard Knowledge Base.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.

VPN Configuration Summary

For reference purposes, here is a summary of the VPN configuration defaults for the Fortinet FortiGate device, with emphasis on any settings that do not match the default VPN configuration settings in Fireware XTM.

VPN Setting                  WatchGuard Device Default   Fortinet Device Default   Matched?

Phase 1 Settings
  IKE Exchange Mode          Main                        Main                      Y
  Authentication             SHA1                        SHA1                      Y
  Encryption                 3DES                        3DES*                     Y
  Diffie-Hellman Group       2                           5                         N

Phase 2 Settings
  Perfect Forward Secrecy    No                          Yes (DH5)                 N
  Protocol                   ESP                         ESP                       Y
  Authentication             SHA1                        SHA1                      Y
  Encryption                 AES (256-bit)               AES (128-bit)*            N

WatchGuard and Fortinet devices have different default settings for Phase 1 and 2 encryption. For the VPN tunnel to build successfully, you must specify the same Phase 1 and 2 settings on your Firebox and Fortinet devices. For the strongest security, WatchGuard recommends that you specify an AES variant for encryption.

Collect IP Address and Tunnel Settings

Before you can configure a branch office VPN, you must collect the public IP addresses of each device, and the IP addresses of the private networks you want to connect. You must also agree upon Phase 1 and Phase 2 settings to use for the VPN. This procedure describes how to configure a Firebox with the Phase 1 and Phase 2 settings that match the default settings on a Fortinet device.

For example, the IP address settings you collect could look like this:

WatchGuard Firebox:

External interface IP address: 203.0.113.2

Trusted network IP address: 10.0.1.0/24

Fortinet device:

External interface IP address: 198.51.100.2

Private network IP address: 10.50.1.0/24
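The two things that most often stop a tunnel from building are a Phase 1/2 proposal that differs between the peers and endpoint addresses that cannot work (a private address given as the public endpoint, or local and remote networks that overlap, so the Phase 2 selectors never match the traffic). The following script is an added example, not part of this topic or of either vendor's software. It takes the example addresses above and the defaults from the VPN Configuration Summary table as constructed input, reports which settings must be changed on the Firebox to match the Fortinet defaults, and validates the addresses before you type them into either device. The function names and the requirement that the public IP be outside RFC 1918 space are this script's own assumptions.

```python
"""Sanity-check the settings collected for a Firebox <-> FortiGate BOVPN."""
import ipaddress

# Constructed sample values, copied from the example addresses in this topic.
FIREBOX = {"public_ip": "203.0.113.2", "private_net": "10.0.1.0/24"}
FORTIGATE = {"public_ip": "198.51.100.2", "private_net": "10.50.1.0/24"}

# Default proposals as listed in the VPN Configuration Summary table.
WATCHGUARD_DEFAULTS = {
    "Phase 1 IKE Exchange Mode": "Main",
    "Phase 1 Authentication": "SHA1",
    "Phase 1 Encryption": "3DES",
    "Phase 1 Diffie-Hellman Group": "2",
    "Phase 2 Perfect Forward Secrecy": "No",
    "Phase 2 Protocol": "ESP",
    "Phase 2 Authentication": "SHA1",
    "Phase 2 Encryption": "AES (256-bit)",
}
FORTINET_DEFAULTS = {
    "Phase 1 IKE Exchange Mode": "Main",
    "Phase 1 Authentication": "SHA1",
    "Phase 1 Encryption": "3DES",
    "Phase 1 Diffie-Hellman Group": "5",
    "Phase 2 Perfect Forward Secrecy": "Yes (DH5)",
    "Phase 2 Protocol": "ESP",
    "Phase 2 Authentication": "SHA1",
    "Phase 2 Encryption": "AES (128-bit)",
}

# RFC 1918 space: an address in these blocks cannot be the public endpoint of
# an Internet tunnel. This is the script's own check; ip_address().is_private
# is deliberately not used because it also flags the RFC 5737 documentation
# addresses (203.0.113.x, 198.51.100.x) that this topic uses as examples.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_endpoints(local, remote):
    """Return a list of problems with the collected addresses (empty means OK)."""
    problems = []
    nets = {}
    for name, ep in (("local", local), ("remote", remote)):
        try:
            ip = ipaddress.ip_address(ep["public_ip"])
            if ip.is_loopback or any(ip in n for n in RFC1918):
                problems.append(f"{name}: public IP {ip} is not routable on the Internet")
        except ValueError:
            problems.append(f"{name}: public IP {ep['public_ip']!r} is not a valid address")
        try:
            # strict=True rejects a prefix with host bits set (e.g. 10.0.1.5/24);
            # the address objects and Phase 2 selectors need a clean network.
            nets[name] = ipaddress.ip_network(ep["private_net"], strict=True)
        except ValueError:
            problems.append(f"{name}: private network {ep['private_net']!r} "
                            "is not a valid network prefix")
    if len(nets) == 2 and nets["local"].overlaps(nets["remote"]):
        problems.append(f"private networks {nets['local']} and {nets['remote']} overlap; "
                        "traffic for the peer cannot be routed into the tunnel")
    return problems


def proposal_mismatches(side_a, side_b):
    """Names of the Phase 1/2 settings whose values differ between the peers."""
    return [k for k in side_a if side_a[k] != side_b.get(k)]


def phase2_selectors(firebox, fortigate):
    """Quick Mode selectors as each device must enter them.

    Each device names its own network first and the peer's network second,
    so the two entries mirror each other; entering them the same way round on
    both devices is a common cause of a Phase 2 that never completes."""
    return {
        "firebox": {"local": firebox["private_net"], "remote": fortigate["private_net"]},
        "fortigate": {"source": fortigate["private_net"],
                      "destination": firebox["private_net"]},
    }


if __name__ == "__main__":
    for p in check_endpoints(FIREBOX, FORTIGATE) or ["addresses OK"]:
        print(p)
    for k in proposal_mismatches(WATCHGUARD_DEFAULTS, FORTINET_DEFAULTS):
        print(f"change on Firebox: {k}: {WATCHGUARD_DEFAULTS[k]} -> {FORTINET_DEFAULTS[k]}")
    print(phase2_selectors(FIREBOX, FORTIGATE))
```

With the example addresses the address check passes, and the proposal comparison lists exactly the three rows marked N in the summary table (Phase 1 Diffie-Hellman group, Phase 2 PFS, Phase 2 encryption), which are the settings to change on the Firebox before you build the tunnel.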

Configure the Firebox

On the Firebox, you must add a VPN Gateway, and add a VPN tunnel that uses that gateway. The Phase 1 settings on the Firebox must match the Phase 1 settings on the Fortinet device.

Add the VPN Gateway

First you must add a gateway and configure the Phase 1 settings.

Add the VPN Tunnel

After you define the gateway, you can add a tunnel and configure the Phase 2 settings.

Configure the FortiGate device

This procedure describes how to manually configure the VPN settings for the Fortinet device.

Create address objects for the Fortinet and WatchGuard subnets.

The Fortinet device makes use of address objects for policy and VPN configuration. These address objects are similar to aliases on a Firebox.

  1. In the Fortinet web-based management interface, select Firewall Objects > Address > Address.
  2. Click Create New.
    The New Address page appears.

Screen shot of the New Address page with settings for the local network

  3. In the Address Name text box, type a meaningful name for the local network.
  4. In the Subnet / IP Range text box, type the network IP and subnet mask for the local network.
  5. Click OK.
  6. Click Create New.
    The New Address page appears.

Screen shot of the New Address page with settings for the remote network

  7. In the Address Name text box, type a meaningful name for the remote network.
  8. In the Subnet / IP Range text box, type the network IP and subnet mask for the remote network.
  9. Click OK.

Create the Phase 1 Configuration

  1. In the Fortinet web-based management interface, select VPN > IPsec > Auto Key (IKE).
  2. Click Create Phase 1.
    The New Phase 1 page appears.

Screen shot of the New Phase 1 page with the settings to connect to the WatchGuard device

  3. In the Name text box, type a meaningful name for the VPN connection.
  4. In the IP Address text box, type the public IP address of the Firebox.
  5. From the Local Interface drop-down list, select the external interface which you want the VPN to use. By default, the local ID is the primary IP address for this interface.
  6. In the Pre-shared Key text box, type the same pre-shared key you chose for the Firebox VPN configuration.
  7. Click OK to confirm the Phase 1 configuration.

Create the Phase 2 Configuration

  1. In the Fortinet web-based management interface, select VPN > IPsec > Auto Key (IKE).
  2. Click Create Phase 2.
    The New Phase 2 page appears.

Screen shot of the New Phase 2 page with the configured settings

  3. In the Name text box, type a meaningful name for the Phase 2 VPN configuration.
  4. From the Phase 1 drop-down list, select the Phase 1 VPN configuration you created.
  5. Click Advanced.
    The advanced settings appear below the Advanced button.
  6. Adjacent to Source Address in the Quick Mode Selector section, select the Select radio button.
  7. From the Select drop-down list, choose the address object you created for the local network.
  8. Adjacent to Destination Address in the Quick Mode Selector section, select the Select radio button.
  9. From the Select drop-down list, choose the address object you created for the remote network.
  10. Click OK to complete the Phase 2 configuration.

Create a Policy to Allow VPN Traffic

You must create a policy on the Fortinet device to allow VPN traffic to pass.

  1. In the Fortinet web-based management interface, select Policy > Policy > Policy.
  2. Click Create New.
    The New Policy page appears.

Screen shot of the New Policy page

  3. Click the Source Interface/Zone text box and select the local interface used for the local network.
  4. Click the Source Address text box and select the address object you created for the local network.
  5. Click the Destination Interface/Zone text box and select the external interface which you chose for the VPN endpoint.
  6. Click the Destination Address text box and select the address object you created for the remote network.
  7. Click the Service text box and select ANY to allow any port and protocol to traverse the VPN tunnel.
  8. Click the Action text box, and select IPSEC.
    The VPN Tunnel text box and associated options appear.
  9. Click the VPN Tunnel text box, and select the Phase 1 configuration you created for this VPN.
  10. Confirm that Allow inbound and Allow outbound are selected.

After you complete the VPN configuration on the WatchGuard and Fortinet devices, a device on either network must send traffic to the remote network to initiate the VPN tunnel.

See Also

Troubleshoot Branch Office VPN Tunnels

Configure a VPN between Firebox Cloud and a FortiNet FortiGate device in the WatchGuard Knowledge Base
