Set up a VPN from a Firebox to a Fortinet FortiGate Device
A branch office virtual private network (BOVPN) tunnel is a secure way for networks, or for a host and a network, to exchange data across the Internet. This topic tells you how to define a manual BOVPN tunnel between a WatchGuard Firebox and a Fortinet FortiGate (OS v4.0) device. Before you create a BOVPN tunnel, you must collect the IP addresses from each endpoint and agree on the common tunnel settings to use.
This topic does not give detailed information about the different BOVPN settings or how they affect an existing tunnel. If you want to know more about a particular setting, see:
To configure a VPN from a Firebox Cloud instance to a Fortinet FortiGate device, see Configure a VPN between Firebox Cloud and a FortiNet FortiGate device in the WatchGuard Knowledge Base.
WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about configuring a non-WatchGuard product, see the documentation and support resources for that product.
VPN Configuration Summary
For reference purposes, here is a summary of the VPN configuration defaults for the Fortinet FortiGate device, with emphasis on any settings that do not match the default VPN configuration settings in Fireware v11.12.4.
In Fireware v12.0 and higher, the default BOVPN security settings are different. To determine whether those settings are compatible with your Fortinet device, see the documentation for your Fortinet device.
| VPN Settings | WatchGuard Device Default (v11.12.4) | Fortinet Device Default (OS v4.0) | Matched? |
|---|---|---|---|
| Phase 1 Settings | | | |
| IKE Exchange Mode | Main | Main | Y |
| Authentication | SHA1 | SHA1 | Y |
| Encryption | 3DES | 3DES* | Y |
| Diffie-Hellman Group | 2 | 5 | N |
| Phase 2 Settings | | | |
| Perfect Forward Secrecy | No | Yes (DH5) | N |
| Protocol | ESP | ESP | Y |
| Authentication | SHA1 | SHA1 | Y |
| Encryption | AES (256-bit) | AES (128-bit)* | N |
WatchGuard and Fortinet devices have different default settings for Phase 1 and 2 encryption. For the VPN tunnel to build successfully, you must specify the same Phase 1 and 2 settings on your Firebox and Fortinet devices. For the strongest security, we recommend that you specify an AES variant for encryption.
Collect IP Address and Tunnel Settings
Before you can configure a branch office VPN, you must collect the public IP addresses of each device, and the IP addresses of the private networks you want to connect. You must also agree upon Phase 1 and Phase 2 settings to use for the VPN. This procedure describes how to configure a Firebox with the Phase 1 and Phase 2 settings that match the default settings on a Fortinet device.
For example, the IP address settings you collect could look like this:
WatchGuard Firebox:
External interface IP address: 203.0.113.2
Trusted network IP address: 10.0.1.0/24
Fortinet device:
External interface IP address: 198.51.100.2
Private network IP address: 10.50.1.0/24
Configure the Firebox
On the Firebox, you must add a VPN Gateway, and add a VPN tunnel that uses that gateway. The Phase 1 settings on the Firebox must match the Phase 1 settings on the Fortinet device.
Add the VPN Gateway
First you must add a gateway and configure the Phase 1 settings.
From Fireware Web UI:
- Select VPN > Branch Office VPN.
- Below the Gateways list, click Add.
The Gateway settings page appears.
- In the Gateway Name text box, type a name to identify this gateway.
- Select Use Pre-Shared Key. Type the shared key.
The shared key must use only standard ASCII characters. It must match the key used on the FortiGate device.
- In the Gateway Endpoints section, click Add.
The Gateway Endpoints Settings dialog box appears.
- From the External Interface drop-down list, select the external interface that has the public IP address.
- Select By IP Address. Type the external (public) IP address for the Firebox.
- Select the Remote Gateway tab.
- In the Specify the remote gateway IP address for a tunnel section, select Static IP Address. Type the external (public) IP address of the FortiGate device.
- In the Specify the gateway ID for tunnel authentication section, select By IP Address. Type the public IP address of the FortiGate device.
- Click OK to close the Gateway Endpoints Settings dialog box.
The gateway pair you defined appears in the Gateway Endpoints list.
- Select the Phase 1 Settings tab.
- In the Transform Settings list, select the default Phase 1 Transform. Click Edit.
The Transform Settings dialog box appears.
- From the Encryption drop-down list, select AES (128-bit).
- From the Key Group drop-down list, select Diffie-Hellman Group 5.
This matches the default key group on the FortiGate device.
- Click OK to close the Transform Settings dialog box.
- Click Save.
From Policy Manager:
- Select VPN > Branch Office Gateways.
- Click Add.
The New Gateway dialog box appears.
- In the Gateway Name text box, type a name to identify this gateway in Policy Manager.
- Select Use Pre-Shared Key. Type the shared key.
The shared key must use only standard ASCII characters. It must match the key used on the FortiGate device.
- In the Gateway Endpoints section, click Add.
The New Gateway Endpoints Settings dialog box appears.
- From the External Interface drop-down list, select the external interface of the Firebox that has the public IP address.
- Select By IP Address.
- In the IP Address drop-down list, select the external (public) IP address for the Firebox.
- In the Specify the remote gateway IP address for a tunnel section, select Static IP Address. Type the external (public) IP address of the FortiGate device.
- In the Specify the gateway ID for tunnel authentication section, select By IP Address. Type the public IP address of the FortiGate device.
- Click OK to close the New Gateway Endpoints Settings dialog box.
- Select the Phase 1 Settings tab.
- In the Transform Settings list, select the default Phase 1 Transform. Click Edit.
The Phase 1 Transform dialog box appears.
- From the Encryption drop-down list, select AES (128-bit).
- From the Key Group drop-down list, select Diffie-Hellman Group 5.
This matches the default key group on the FortiGate device.
- Click OK to confirm the change to the Phase 1 Transform.
- Click OK to add the new gateway.
- Click OK to close the Gateways dialog box.
Add the VPN Tunnel
After you define the gateway, you can add a tunnel and configure the Phase 2 settings.
From Fireware Web UI, first create a Phase 2 proposal with settings that match the default Phase 2 settings on the Fortinet device:
- Select VPN > Phase2 Proposals.
- Click Add.
The Add Phase2 Proposal dialog appears.
- In the Name field, type a meaningful name for the new proposal.
- From the Encryption drop-down list, select AES (128-bit).
- Click OK to save the new proposal.
Create a VPN tunnel that uses the new Phase 2 proposal and the gateway you added.
- Select VPN > Branch Office VPN.
- Below the Tunnels list, click Add.
The Tunnel page appears.
- In the Name text box, type a meaningful name for this tunnel.
- From the Gateway drop-down list, select the gateway you configured to the Fortinet device.
- In the Addresses tab, click Add to add a tunnel route.
The Tunnel Route Settings dialog box appears.
- In the Local IP settings, from the Choose Type drop-down list, select Network IPv4. In the Network IP text box, type the network IP address of the local network that will use the VPN tunnel.
- In the Remote IP settings, select Network IPv4. In the Network IP text box, type the subnet IP address of the remote network behind the FortiGate device that will use the VPN tunnel.
- Click OK to add the tunnel route.
The tunnel route is added to the Addresses tab of the Tunnel page.
- Select the Phase 2 Settings tab.
- Select the Enable Perfect Forward Secrecy check box.
- From the Enable Perfect Forward Secrecy drop-down list, select Diffie-Hellman Group 5.
This matches the default Diffie-Hellman group for PFS on the FortiGate device.
- In the IPSec Proposals list, select the default ESP-AES-SHA1 proposal. Click Remove.
- From the IPSec Proposals drop-down list, select the new Phase 2 proposal you created earlier. Click Add.
- Click Save.
From Policy Manager:
- Select VPN > Branch Office Tunnels.
The Branch Office IPSec Tunnels dialog box appears.
- Click Add.
The New Tunnel dialog box appears.
- In the Tunnel Name text box, type a meaningful name for this tunnel.
- From the Gateway drop-down list, select the gateway you configured to the Fortinet device.
- Click Add to add a tunnel route.
The Tunnel Route Settings dialog box appears.
- In the Local text box, type the subnet IP address of the local network behind the Firebox that will use the VPN tunnel.
- In the Remote text box, type the subnet IP address of the remote network behind the FortiGate device that will use the VPN tunnel.
- Click OK to add the tunnel route.
The tunnel route is added to the Addresses tab of the New Tunnel dialog box.
- Select the Phase 2 Settings tab.
- Select the PFS check box. Select Diffie-Hellman Group 5.
This matches the default Diffie-Hellman group on the FortiGate device.
- In the IPSec Proposals section, select the default ESP-AES-SHA1 entry.
- Click Remove, and click OK to confirm that you want to remove the proposal.
- Click Add to add an IPSec Proposal.
- Select Create a new Phase2 proposal.
- In the Name text box, type a meaningful name for this proposal.
- From the Encryption drop-down list, select AES (128-bit).
Leave all other settings at their default values.
- Click OK to add the New Phase2 Proposal.
- Click OK to add the new tunnel to the configuration.
- Click Close to close the Branch Office IPSec Tunnels dialog box.
- Save the configuration to the Firebox.
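The comparison table above and the Firebox procedure just completed both come down to one question: do the two endpoints have at least one value in common for every Phase 1 and Phase 2 parameter? The following Python is an added example (not code from the WatchGuard page or from either vendor) that models the table's defaults and the Firebox settings the procedure sets, reports which parameters cannot agree, and applies the page's standard-ASCII rule to the pre-shared key. The asterisked FortiGate cipher entries are assumed here to offer both 3DES and AES-128, and "standard ASCII" is taken to mean printable ASCII; both are assumptions.

```python
"""Check whether two IPsec endpoints can agree on IKE Phase 1 and Phase 2 settings.
Each parameter is the set of values an endpoint offers; a tunnel can only build
when every parameter in both phases has a non-empty intersection."""
from dataclasses import dataclass, fields

@dataclass(frozen=True)
class Proposal:
    """One phase's negotiable parameters, each as a set of acceptable values."""
    auth: frozenset        # integrity algorithm names, e.g. {"SHA1"}
    encryption: frozenset  # cipher names, e.g. {"AES-128"}
    dh_group: frozenset    # Phase 1: IKE key group; Phase 2: PFS group (0 = PFS off)

@dataclass(frozen=True)
class VpnConfig:
    phase1: Proposal
    phase2: Proposal

def negotiate(local, remote):
    """Return (agreed values per parameter, parameters with no common value)."""
    agreed, mismatched = {}, []
    for phase in ("phase1", "phase2"):
        a, b = getattr(local, phase), getattr(remote, phase)
        for f in fields(Proposal):
            key = f"{phase}.{f.name}"
            common = getattr(a, f.name) & getattr(b, f.name)
            if common:
                agreed[key] = common
            else:
                mismatched.append(key)
    return agreed, mismatched

def psk_is_standard_ascii(psk):
    """The Firebox shared key must be non-empty and use only standard ASCII characters."""
    return len(psk) > 0 and all(32 <= ord(ch) <= 126 for ch in psk)

def p(auth, enc, dh):
    return Proposal(frozenset(auth), frozenset(enc), frozenset(dh))

# Constructed from the comparison table; the asterisked FortiGate ciphers are
# assumed here to offer both 3DES and AES-128 (an assumption, not stated on the page).
WATCHGUARD_V11_12_4_DEFAULT = VpnConfig(phase1=p(["SHA1"], ["3DES"], [2]),
                                        phase2=p(["SHA1"], ["AES-256"], [0]))
FORTIGATE_V4_DEFAULT = VpnConfig(phase1=p(["SHA1"], ["3DES", "AES-128"], [5]),
                                 phase2=p(["SHA1"], ["AES-128", "3DES"], [5]))
# The Firebox after the procedure above: AES-128 and DH group 5 in both phases, PFS on.
FIREBOX_AFTER_PROCEDURE = VpnConfig(phase1=p(["SHA1"], ["AES-128"], [5]),
                                    phase2=p(["SHA1"], ["AES-128"], [5]))
```

Running negotiate() on the two defaults reproduces the three N rows of the table; running it on the configured Firebox against the FortiGate defaults reports no mismatches.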
Configure the FortiGate Device
This procedure describes how to manually configure the VPN settings for the Fortinet device.
Create address objects for the Fortinet and WatchGuard subnets.
The Fortinet device uses address objects for policy and VPN configuration. These address objects are similar to aliases on a Firebox.
- In the Fortinet web-based management interface, select Firewall Objects > Address > Address.
- Click Create New.
The New Address page appears.
- In the Address Name text box, type a meaningful name for the local network.
- In the Subnet / IP Range text box, type the network IP and subnet mask for the local network.
- Click OK.
- Click Create New.
The New Address page appears.
- In the Address Name text box, type a meaningful name for the remote network.
- In the Subnet / IP Range text box, type the network IP and subnet mask for the remote network.
- Click OK.
Create the Phase 1 Configuration
- In the Fortinet web-based management interface, select VPN > IPsec > Auto Key (IKE).
- Click Create Phase 1.
The New Phase 1 page appears.
- In the Name text box, type a meaningful name for the VPN connection.
- In the IP Address text box, type the public IP address of the Firebox.
- From the Local Interface drop-down list, select the external interface that you want the VPN to use. By default, the local ID is the primary IP address of this interface.
- In the Pre-shared Key text box, type the same pre-shared key you chose for the Firebox VPN configuration.
- Click OK to confirm the Phase 1 configuration.
Create the Phase 2 Configuration
- In the Fortinet web-based management interface, select VPN > IPsec > Auto Key (IKE).
- Click Create Phase 2.
The New Phase 2 page appears.
- In the Name text box, type a meaningful name for the Phase 2 VPN configuration.
- From the Phase 1 drop-down list, select the Phase 1 VPN configuration you created.
- Click Advanced.
All page content below the Advanced button appears.
- Adjacent to Source Address in the Quick Mode Selector section, select the Select radio button.
- From the Select drop-down list, choose the address object you created for the local network.
- Adjacent to Destination Address in the Quick Mode Selector section, select the Select radio button.
- From the Select drop-down list, choose the address object you created for the remote network.
- Click OK to complete the Phase 2 configuration.
Create a Policy to Allow VPN Traffic
You must create a policy on the Fortinet device to allow VPN traffic to pass.
- In the Fortinet web-based management interface, select Policy > Policy > Policy.
- Click Create New.
The New Policy page appears.
- Click the Source Interface/Zone text box and select the local interface used for the local network.
- Click the Source Address text box and select the address object you created for the local network.
- Click the Destination Interface/Zone text box and select the external interface that you chose for the VPN endpoint.
- Click the Destination Address text box and select the address object you created for the remote network.
- Click the Service text box and select ANY to allow any port and protocol to traverse the VPN tunnel.
- Click the Action text box, and select IPSEC.
The VPN Tunnel text box and associated options appear.
- Click the VPN Tunnel text box, and select the Phase 1 configuration you created for this VPN.
- Confirm that Allow inbound and Allow outbound are selected.
After you complete the VPN configuration on the WatchGuard and Fortinet devices, a device on either network must send traffic to the remote network to initiate the VPN tunnel.
See Also
Troubleshoot Branch Office VPN Tunnels
Configure a VPN between Firebox Cloud and a FortiNet FortiGate device in the WatchGuard Knowledge Base
