Fortinet FortiGate BOVPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Fortinet FortiGate 60E.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard T80
    • Fireware v12.7 or higher
  • Fortinet FortiGate 60E
    • FortiOS v7.0.0 or higher

Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a Fortinet FortiGate 60E.

WatchGuard Firebox and Fortinet topology diagram

Configure the Firebox

On the Firebox, configure a BOVPN connection:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page appears.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this Branch Office VPN gateway.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key. Keep the String-Based option.

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  2. From the External Interface drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  4. Select By IP Address.
  5. In adjacent text box, type the primary IP address of the External Firebox interface.

Screen shot of the Local Gateway tab

  1. Select the Remote Gateway tab.
  2. Select Static IP Address.
  3. In the adjacent text box, type the IP address of your Fortinet WAN connection.
  4. Select By IP Address.
  5. In the adjacent text box, type the IP address of your Fortinet WAN connection.
  6. Keep the default settings for all other options.

Screen shot of the Remote Gateway tab

  1. Click OK.
  2. In the Gateway Endpoint section, select the Start Phase 1 tunnel when Firebox starts check box.

add gateway for bovpn

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. Keep all other Phase 1 settings as the default values.

Screen shot of the Phase 1 settings

  1. Click Save.
  2. In the Tunnels section, click Add.

add tunnel

  1. From the Gateway drop-down list, select gateway.1.
  2. In the Addresses section, click Add.

Screen shot of the Addresses tab

  1. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the local IP segment. This IP address is the internal network that the VPN protects.
  3. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the remote IP segment. This IP address is the internal network that the VPN protects.

add tunnel route

  1. Click OK.
  2. Keep the default Phase 2 Settings.

Scren shot of the Phase 2 settings

  1. Click Save.

Configure the FortiGate 60E

Follow these steps to configure the interfaces, VPN settings, policies, and routes on your FortiGate device.

Interface Settings

  1. Log in to the FortiGate 60E Web UI at https://<IP address of FortiGate 60E>. The default IP address is 192.168.1.99.
  2. Select Network > Interfaces.
  3. Configure the external interface (wan1) and the internal interface (internal2). For information about how to configure interfaces, see the Fortinet User Guide.

fortinet interfaces

Enable Policy-based VPN

  1. Select System > Feature Visibility.
  2. Enable Policy-based IPsec VPN under Additional Features.
  3. Click Apply.

enable policy based vpn

IPSec VPN Tunnels Settings

  1. Select VPN > IPsec Tunnels.

ipsec tunnel page

  1. Click Create New.
  2. In the Name text box, type the object name. In our example, the name is peer.
  3. From the Template type options, select Customto continue without a template.

create vpn tunnel

  1. Click Next.
  2. Clear the Enable IPsec Interface Modecheck box.
  3. From the Remote Gateway drop-down list, select Static IP Address.
  4. In the IP Address text box, type the public IP address of the Firebox. In our example, the IP address is 203.0.113.2.
  5. From the Interface drop-down list, select wan1. Leave the default value for all other settings in the Network section.
  1. In the Authentication section, from the Method drop-down list, select Pre-shared Key.
  2. In the Pre-shared Key text box, type the pre-shared key.
  3. In the IKE section, for Version, select 2.

configure network for tunnel

  1. In the Phase 1 Proposal section, remove all proposals except AES256 for encryption and SHA256 for authentication.
  2. For the Diffie-Hellman Groups, select 14. Clear all other check boxes.
  3. Leave the default value for all other Phase 1 settings.
  1. In the Phase 2 Selectors section, from the Local Address drop-down list, select Subnet.
  2. Type the local IP segment. This IP address is the internal network that the VPN protects.
  3. From the Remote Address drop-down list, select Subnet.
  4. Type the remote IP segment. This IP address is the internal network that the VPN protects.

phase2 settings

  1. Expand Advanced.
  2. Remove all proposals except AES256 for encryption and SHA256 for authentication.
  3. Enable Enable Replay Detection.
  4. Enable Enable Perfect Forward Secrecy (PFS)
  5. For the Diffie-Hellman Groups, check 14. Clear all other check boxes.
  6. Leave the default value for all other Phase 2 settings.

phase2 advanced settings

  1. Click OK.

tunnel saved

Policy Settings

  1. Select Policy & Objects > Addresses.

address page

  1. Click Create New > Address.
  2. In the Name text box, type a name for the IP address. In our example, the name is WatchGuard_INT.
  3. From the Type drop-down list, select Subnet.
  4. In the IP/Netmask text box, type the IP segment.
  5. Leave the default value for all other settings.

add watchguard int

  1. Click OK.
  2. Repeat steps 1–7 to create another IP segment.

addresses saved

  1. Select Policy & Objects > Firewall Policy.

policy page

  1. Click Create New.
  2. In the Name text book, type the object name. In our example, the name is policy1.
  3. From the Incoming Interface drop-down list, select internal2.
  4. From the Outgoing Interface drop-down list, select wan1.
  5. From the Source Address drop-down list, select FortiGate 60E_INT.
  6. From the Destination Address drop-down list, select WatchGuard_INT.
  7. From the Schedule drop-down list, select always.
  8. From the Service drop-down list, select All.
  9. In the Action list, select IPsec.
  10. From the VPN Tunnel drop-down list, select peer.
  11. Enable Allow traffic to be initiated from the remote site.
  12. Leave the default value for all other settings.

add policy

  1. Click OK.
    The polices that you created appear on this page.

policy saved

Route Settings (Optional)

If you did not configure a gateway for the wan1 interface, you must add a route manually.

  1. From the navigation menu, select Network > Static Routes.

static routes page

  1. Click Create New.
  2. In the Destination > Subnet text box, type 0.0.0.0/0.0.0.0.
  3. From the Interface drop-down list, select wan1.
  4. In the Gateway Address text box, type the IP address for your wan1 gateway.
  5. Leave the default value for all other settings.

add route

  1. Click OK.

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Verify that the VPN tunnel is active.

To test the integration, from the FortiGate Web UI:

  1. Select Dashboard > IPsec Monitor. If IPsec Monitor is invisible, click + to add this monitor.
  2. Verify that the VPN tunnel is active.

Finally, verify that the servers at Host1 and Host2 can successfully ping each other.