Fortinet FortiGate Policy-Based BOVPN Integration Guide

This integration guide describes how to configure a policy-based Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Fortinet FortiGate 60E. This integration establishes two separate subnets under each firewall device. We require dedicated one-to-one connectivity between paired subnets, not one-to-many access.

Contents

Integration Summary

The hardware and software used in this guide include:

  • Firebox with Fireware v12.11 or higher
  • Fortinet FortiGate 60E with FortiOS v7.4.7 or higher

Integration Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a Fortinet FortiGate 60E.

WatchGuard Firebox and Fortinet topology diagram

Before You Begin

Before you begin these procedures, make sure that:

  • If you want to use a cloud-managed Firebox, you have a WatchGuard Cloud account and have added the Firebox to WatchGuard Cloud as a cloud-managed device. You also have configured an external network with the external (public) IP address of the Firebox and two different internal subnets on the Firebox
  • If you want to use a locally-managed Firebox, you have configured an external interface with the external (public) IP address of the Firebox and two different internal interfaces on the Firebox.
  • You have configured the external interface (wan1) and the internal interfaces (internal2 and internal4) on the FortiGate 60E. For more information about how to configure interfaces, go to the Fortinet User Guide.

Configure the Firebox

You can configure your Firebox for a policy-based BOVPN from WatchGuard Cloud for a cloud-managed Firebox or Fireware Web UI for a locally-managed Firebox.

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. Select the cloud-managed Firebox.
  3. Select Configure > VPNs.
    The BOVPN page opens.

    4. Screenshot of the BOVPN page in WatchGuard Cloud

  4. Click Add BOVPN.
    The Add BOVPN page opens.

    5. Screenshot of the Add BOVPN page in WatchGuard Cloud

  5. In the Name text box, type a descriptive name for the BOVPN. In this example, we type policy-based vpn.
  6. From the VPN Connection Typedrop-down list, select Policy-Based IPSec to Locally-Managed Firebox / Third-Party.
  7. From the Address Family drop-down list, select IPv4 Addresses.
  8. In the Endpoint A section, select your cloud-managed firebox.
  9. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we type Fortinet.
  10. Click Next.
    The VPN Gateways settings page opens.

    11. Screenshot of the Add BOVPN page VPN Gateway settings in WatchGuard Cloud

  11. For the cloud-managed Firebox, from theIP or Domain Name or User on Domain drop-down list, select an IP address, domain name, or user on domain that resolves to the Firebox external network IP address.
  12. For the remote VPN endpoint, in the IP or Domain Name or User on Domain text box, type the public IP address of the FortiGate 60E WAN interface.
  13. To encrypt and decrypt the data that goes through the VPN tunnel, in the Pre-Shared Key text box, type a shared secret.
  14. Click Next.
    The Traffic settings page opens.

    15. Screenshot of the Add BOVPN page Traffic settings in WatchGuard Cloud

  15. For your cloud-managed Firebox, select the internal networks that you want to be accessible through the VPN tunnel.
  16. For the Fortinet VPN endpoint, click Add Network Resource.
  17. Type the IP address of the private network protected by the Fortinet firewall, then click Add.
  18. If you have multiple private networks protected by the Fortinet firewall, repeat Steps 16–17 to add them.
  19. Click Next.
    The Tunnel Routes page opens.

    20. Screenshot of the Add BOVPN page Tunnel Routes settings in WatchGuard Cloud

  20. If there are tunnel routes you do not want to use in your BOVPN tunnel, use the toggles to disable them.
  21. Click Next.
    The settings page opens.

    22. Screenshot of the Add BOVPN wizard Phase 1 and 2 Settings and Key Expiration settings in WatchGuard Cloud

  22. Keep the default values for all security settings.
  23. Click Add.
  24. Click Finish.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page opens.
  3. In the Gateways section, click Add.
    The Add Branch Office VPN page opens.

    4. Screenshot of the Branch Office VPN - Add page in Fireware Web UI

  4. In the Gateway Name text box, type a name to identify this BOVPN gateway. In this example, we type gateway.1.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section:
    1. Select Use Pre-Shared Key.
    2. In the Use Pre-Shared Key text box, type the pre-shared key.
    3. From the drop-down list, select String-Based.
  7. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.

    8. Screenshot of the Local Gateway tab in the Gateway Endpoint Settings dialog box in Fireware Web UI

  8. From the External Interface drop-down list, select the interface that has the external (public) IP address of the Firebox.
  9. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  10. For Specify the Gateway ID for Tunnel Authentication, select By IP Address.
  11. In the adjacent text box, type the primary IP address of the Firebox external interface. In this example, we type 203.0.113.2.
  12. Select the Remote Gateway tab.
    The Remote Gateway page opens.

    13. Screenshot of the Remote Gateway tab in the Gateway Endpoint Settings dialog box in Fireware Web UI

  13. For Specify the Remote Gateway IP Address for a Tunnel, select Static IP Address.
  14. In the adjacent text box, type the IP address of your Fortinet WAN connection. In this example, we type 198.51.100.2.
  15. For Specify the Remote Gateway ID for Tunnel Authentication, select By IP Address.
  16. In the adjacent text box, type the IP address of your Fortinet WAN connection. In this example, we type 198.51.100.2
  17. Keep the default values for all other settings.
  18. Click OK.
    The gateway you added appears in the Gateway Endpoint section.

    19. Screenshot of the Branch Office VPN - Add page in Fireware Web UI with new gateway endpoint

  19. In the Gateway Endpoint section, select the Start Phase 1 Tunnel When Firebox Starts check box.
  20. Select the Phase 1 Settings tab.
    The Phase 1 Settings page opens.

    21. Screenshot of the Branch Office VPN - Add page Phase 1 settings in Fireware Web UI

  21. From the Version drop-down list, select IKEv2.
  22. Keep all default values for all other Phase 1 settings.
  23. Click Save.
    The gateway you added appears on the Branch Office VPN page.

    24. Screenshot of the Branch Office VPN page in Fireware Web UI with new gateway

  24. In the Tunnels section, click Add.
    The tunnel settings page opens.

    25. Screenshot of the Addresses tab on the Branch Office VPN - Add page in Fireware Web UI

  25. In the Name text box, type a name to identify this tunnel. In this example, we type tunnel.1.
  26. From the Gateway drop-down list, select the gateway you just created. In this example, we select gateway.1.
  27. In the Addresses section, click Add.
    The Tunnel Route Settings dialog box opens.

    28. Screenshot of the Tunnel Route Settings dialog box in Fireware Web UI

  28. In the Local IP section:
    1. From the Choose Type drop-down list, select Network IPv4.
    2. In the Network IP text box, type the local IP address. This IP address is the internal network that the Firebox protects. In this example, we type 192.168.10.0.
  29. In the Remote IP section:
    1. From the Choose Type drop-down list, select Network IPv4.
    2. In the Network IP text box, type the remote IP address. This IP address is the internal network that the Fortigate protects. In this example, we type 10.0.10.0.
  30. Click OK.
  31. To add other internal networks to the VPN, repeat Steps 25–29.

    32. Screenshot of the Addresses tab on the Branch Office VPN - Add page in Fireware Web UI with addresses added

  32. Keep the default values for all Phase 2 settings.

    33. Screenshot of the Phase 2 Settings tab on the Branch Office VPN - Add page in Fireware Web UI

  33. Click Save.

    34. Screenshot of the Branch Office VPN page in Fireware Web UI with new tunnel

Configure the FortiGate 60E

To configure FortiGate 60E, follow these steps:

  1. Enable Policy-Based VPN
  2. Configure an IPSec VPN Tunnel
  3. Configure a BOVPN Policy
  4. Configure a BOVPN Route (Optional)

Enable Policy-Based VPN

To enable policy-based VPN, from the FortiGate 60E Web UI:

  1. Log in to the FortiGate 60E Web UI at: https://<IP address of FortiGate 60E>. The default IP address is 192.168.1.99.
  2. From the navigation menu, select System > Feature Visibility.
    The Feature Visibility page opens.

    3. Screenshot of the Feature Visibility page with the Policy-Based IPsec VPN setting in the FortiGate Web UI

  3. In the Additional Features list, enable Policy-Based IPsec VPN.
  4. Click Apply.

Configure an IPSec VPN Tunnel

To configure an IPSec VPN tunnel, from the FortiGate 60E Web UI:

  1. Log in to the FortiGate 60E Web UI at: https://<IP address of FortiGate 60E>.
  2. Select VPN > IPsec Tunnels.
    The list of existing tunnels appears.

    3. Screenshot of the IPsec Tunnels page in the FortiGate Web UI

  3. Click Create New > IPsec Tunnel.The VPN Creation Wizard page opens.

    4. Screenshot of the IPsec Wizard page in the FortiGate Web UI

  4. In the Name text box, type a name for the IPSec VPN tunnel. In this example, we type To WG.
  5. To continue without a template, for Template Type, select Custom.
  6. Click Next.
    The New VPN Tunnel page opens.

    7. Screenshot of the New VPN Tunnel page in the FortiGate Web UI

  7. Clear the Enable IPsec Interface Mode check box.
  8. In the Network section:
    1. From the Remote Gateway drop-down list, select Static IP Address.
    2. In the IP Address text box, type the public IP address of the Firebox. In our example, the IP address is 203.0.113.2.
    3. From the Interface drop-down list, select wan1. Leave the default value for all other settings in the Network section.
  9. In the Authentication section:
    1. From the Method drop-down list, select Pre-Shared Key.
    2. In the Pre-Shared Key text box, type the pre-shared key.
    3. In the IKE section, for Version, select 2.
  10. In the Phase 1 Proposal section:
    1. Remove all proposals except AES256 for encryption and SHA256 for authentication.
    2. For Diffie-Hellman Group, select 14. Clear all other check boxes.
  11. Keep the default values for all other Phase 1 settings.
  12. In the Phase 2 Selectors > New Phase 2 section:
    1. From the Local Address drop-down list, select Subnet.
    2. Type the local IP segment. This IP address is the internal network that the VPN protects.
    3. From the Remote Address drop-down list, select Subnet.
    4. Type the remote IP segment. This IP address is the internal network that the VPN protects.
  13. Click Advanced.
    The Phase 2 Proposal settings appear.

    14. Screenshot of the New VPN Tunnel page with Phase 2 Proposal settings in the FortiGate Web UI

  14. Remove all proposals except AES256 for encryption and SHA256 for authentication.
  15. Select the Enable Replay Detection check box.
  16. Select the Enable Perfect Forward Secrecy (PFS) check box.
  17. For Diffie-Hellman Group, select 14and clear all other check boxes.
  18. Leave the default value for all other Phase 2 settings.
  19. Click OK.
    The tunnel you added appears in the list of existing tunnels.

    20. Screenshot of the IPsec Tunnels page with new tunnel in the FortiGate Web UI

  20. To edit the IPSec tunnel you added, select the tunnel and click Edit.
    The Edit VPN Tunnel page opens.

    21. Screenshot of the Edit VPN Tunnel page with new tunnel in the FortiGate Web UI

  21. In the Phase 2 Selectors section, click Add.
  22. To create a new Phase 2 for another subnet, repeat Steps 14–18.

    23. Screenshot of the Edit VPN Tunnel page with Phase 2 settings in the FortiGate Web UI

  23. Click OK.

    24. Screenshot of the IPsec Tunnels page with edited tunnel in the FortiGate Web UI

Configure a BOVPN Policy

To configure a BOVPN policy, from FortiGate 60E Web UI:

  1. Log in to the FortiGate 60E Web UI at: https://<IP address of FortiGate 60E>.
  2. Select Policy & Objects > Addresses.
    The Address page opens.

    3. Screenshot of the Addresses page in the FortiGate Web UI

  3. Click Create New.
    The New Address page opens.

    4. Screenshot of the New Address page in the FortiGate Web UI

  4. In the Name text box, type a name for the subnet behind the Firebox. In this example, we type WG_INT.
  5. From the Type drop-down list, select Subnet.
  6. In the IP/Netmask text box, type the IP address of the subnet behind the Firebox. In this example, we type 192.168.10.0/24.
  7. Keep the default values for all other settings.
  8. Click OK.
  9. To add more subnets in the policy, repeat Steps 3–8.

    10. Screenshot of the Addresses page in the FortiGate Web UI with new addresses

  10. From the navigation menu, select Policy & Objects > Firewall Policy.
    The list of firewall policies opens.

    11. Screenshot of the Firewall Policy page in the FortiGate Web UI

  11. Click Create New.
    The Create New Policy page opens.

    12. Screenshot of the Create New Policy page in the FortiGate Web UI

  12. In the Name textbook, type a name for this policy. In this example, we type Policy to WG.
  13. From the Incoming Interface drop-down list, select internal2.
  14. From the Outgoing Interface drop-down list, select wan1.
  15. From the Source drop-down list, select FG_INT.
  16. From the Destination drop-down list, select the address name you typed in Step 4. In this example, we select WG_INT.
  17. From the Schedule drop-down list, select Always.
  18. From the Service drop-down list, select All.
  19. For Action, select IPsec.
  20. From the VPN Tunnel drop-down list, select the VPN Tunnel you created inConfigure an IPSec VPN Tunnel. In this example, we select To WG.
  21. Enable Allow Traffic to Be Initiated From the Remote Site.
  22. Keep the default values for all other settings.
  23. Click OK.
    The policy you created appears in the list of policies.

    24. Screenshot of the Firewall Policy page in the FortiGate Web UI with new policy

  24. To create another policy for another subnet, repeat Steps 11–23.

    25. Screenshot of the Create New Polict page in the FortiGate Web UI with a new policy for a different subnet

Configure a BOVPN Route (Optional)

If you have not configured a gateway for the wan1 interface, you must add a route manually.

To configure a route, from the FortiGate 60E Web UI:

  1. Log in to the FortiGate 60E Web UI at: https://<IP address of FortiGate 60E>
  2. From the navigation menu, select Network > Static Routes.
    The list of static routes opens.

    3. Screenshot of the Static Routes page in the FortiGate Web UI

  3. Click Create New.
    The Edit Static Route page opens.

    4. Screenshot of the Edit Static Route page in the FortiGate Web UI

  4. In the Destination > Subnet text box, type 0.0.0.0/0.0.0.0.
  5. In the Gateway Address text box, type the IP address for your wan1 gateway.
  6. From the Interface drop-down list, select wan1.
  7. Keep the default values for all other settings.
  8. Click OK.

Test the Integration

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. Select the cloud-managed Firebox.
  3. Select Monitor > Live Status > VPN.
    The VPN page opens.

    4. Screenshot of the Live Status VPN page with Branch Office VPN tab in WatchGuard Cloud

  4. Click the BOVPN you configured.
  5. Verify that the two VPN tunnels are active.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select System Status > VPN Statistics.
    The VPN Statistics page opens.
  3. Select the Branch Office VPN tab.
    The Branch Office VPN page opens.

    4. Screenshot of the VPN Statistics - Branch Office VPN page in Fireware Web UI

  4. In the Tunnels section, verify that the two VPN tunnels are active.
  1. Log in to the FortiGate 60E Web UI at: https://<IP address of FortiGate 60E>.
  2. Select Dashboard > Network > IPsec.
    The IPsec page opens.

    3. Screenshot of the IPsec page in the FortiGate Web UI

  3. Verify that the two VPN tunnels you configured are active.
  4. Verify that Host 1 (behind the Firebox) and Host 2 (behind the FortiGate 60E) can ping each other.