Fortinet FortiGate Route-Based BOVPN Integration Guide

This integration guide describes how to configure a route-based Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Fortinet FortiGate 60E.

Contents

Integration Summary

The hardware and software used in this guide include:

  • Firebox with Fireware v12.11 or higher
  • Fortinet FortiGate 60E with FortiOS v7.4.7 or higher

Integration Topology

This diagram shows the topology for a route-based BOVPN connection between a Firebox and a Fortinet FortiGate 60E.

Diagram of WatchGuard Firebox and Fortinet topology

Before You Begin

Before you begin these procedures, make sure that:

  • If you want to use a cloud-managed Firebox, you have a WatchGuard Cloud account and have added the Firebox to WatchGuard Cloud as a cloud-managed device. You also have configured an external network with the external (public) IP address of the Firebox and at least one internal network on the Firebox.
  • If you want to use a locally-managed Firebox, you have configured an external interface with the external (public) IP address of the Firebox and at least one internal network on the Firebox.
  • You have configured the external interface (wan2) and the internal interfaces (internal2 and internal4) on the FortiGate 60E. For more information about how to configure interfaces, go to the Fortinet User Guide.

Configure the Firebox

You can configure your Firebox for a route-based BOVPN from WatchGuard Cloud for a cloud-managed Firebox or Fireware Web UI for a locally-managed Firebox.

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Configure > VPNs.
  3. Click Add BOVPN.
    The Add BOVPN page opens.

    4. Screenshot of endpoint definition in WatchGuard Cloud Add BOVPN page

  4. In the Name text box, type a descriptive name for the BOVPN. In this example, we type route-based vpn.
  5. From the VPN Connection Type drop down-list, select Route-Based IPSec to Locally-Managed Firebox / Third-Party.
  6. From the Address Family drop down-list, select IPv4 Addresses.
  7. In the Endpoint A section, select your cloud-managed Firebox.
  8. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we type Fortinet.
  9. Click Next.
    The VPN Gateways settings page opens.

    10. Screenshot of WatchGuard Cloud Add BOVPN > VPN Gateways page

  10. For your cloud-managed Firebox:
    1. Select External.
    2. In the IP or Domain Name or User on Domain text box, select an IP address, domain name, or user on domain that resolves to the Firebox external network IP address.
  11. For the remote VPN endpoint, in the IP or Domain Name or User on Domain text box, type the IP address of your FortiGate 60E interface.
  12. To encrypt and decrypt the data that goes through the VPN tunnel, in the Pre-Shared Key text box, type a shared secret. This pre-shared key matches the pre-shared key you will configure for the IKE Gateway on the FortiGate 60E.
  13. Click Next.
    The Traffic settings page opens.

    14. Screenshot of WatchGuard Cloud Add BOVPN > Traffic page

  14. From the cloud-managed Firebox section, select the internal networks that you want to be accessible through the VPN tunnel.
  15. For the Fortinet endpoint, click Add Network Resource.
  16. In the Network Resource text box, type the IP address of the private network protected by the Fortinet firewall.
  17. Click Add.
  18. To add additional subnets for the Fortinet endpoint, repeat Steps 15-17.
  19. Keep the default values for all other settings.
  20. Click Next.
    The Security settings page opens.

    21. Screenshot of WatchGuard Cloud Add BOVPN > Security page

  21. Keep the default values for all authentication settings.
  22. Click Add.
  23. Click Finish.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  3. Click Add.
    The Add page opens.

    4. Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page

  4. In the Interface Name text box, type a name for this BOVPN virtual interface. In this example, we type BovpnVif.1.
  5. From Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  6. From the Gateway Address Family drop-down list, select IPv4 Addresses.
  7. In the Credential Method section, select Use Pre-Shared Key and in the adjacent text box, type the pre-shared key.
  8. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.

    9. Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page > Gateway Endpoint Settings dialog box with local gateway settings

  9. For Interface, select Physical, and from the adjacent drop-down list, select the interface that has the external (public) IP address of the Firebox.
  10. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
  11. For Specify the Gateway ID for Tunnel Authentication, select By IP Address.
  12. In the adjacent text box, type the primary IP address of the external Firebox interface. In this example, we type 203.0.113.2.
  13. Select the Remote Gateway tab.
    The Remote Gateway page opens.

    14. Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page > Gateway Endpoint Settings dialog box with remote gateway settings

  14. For Specify the Remote Gateway IP Address for a Tunnel, select Static IP Address.
  15. In the adjacent text box, type the IP address of the FortiGate 60E WAN interface. In this example, we type 198.51.100.2.
  16. For Specify the Remote Gateway ID for Tunnel Authentication, select By IP Address.
  17. In the adjacent text box, type the IP address of the FortiGate 60E WAN interface. In this example, we type 198.51.100.2.
  18. Click OK.
    The gateway endpoint you added appears in the Gateway Endpoint section.

    19. Screenshot of Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page with new gateway endpoint

  19. In the Gateway Endpoint section, select the Start Phase 1 Tunnel When It Is Inactive check box.
  20. Select the Add This Tunnel to the BOVPN-Allow Policies check box.
  21. Select the VPN Routes tab.
    The VPN Routes page opens.
  22. Click Add.
    The VPN Route Settings dialog box opens.

    23. Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page with VPN Route Settings dialog box

  23. From the Choose Type drop-down list, select Network IPv4.
  24. In the Route To text box, type the network IP address of a route that will use this virtual interface. In this example, we type 10.0.10.0.
  25. Click OK.
    The VPN route settings are added.

    26. Screenshot of Fireware Web UI, BOVPN Virtual Interface > VPN Routes tab

  26. To add another VPN Route to another subnet, repeat Steps 21-25.
  27. Select the Phase 1 Settings tab.
    The Phase 1 Settings page opens.

    28. Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page with Phase 1 settings

  28. From the Version drop-down list, select IKEv2.
  29. Keep the default values for all other Phase 1 settings.
  30. Keep the default values for all Phase 2 settings.

    31. Screenshot of Fireware Web UI, BOVPN Virtual Interface > Add page with Phase 2 settings

  31. Click Save.
    The BOVPN virtual interface you added appears on the BOVPN Virtual Interfaces page.

For more information about BOVPN virtual interface configuration on a locally-managed Firebox, go to BOVPN Virtual Interfaces in Help Center.

Configure the FortiGate 60E

To configure the FortiGate, complete these steps:

  1. Configure an IPSec VPN Tunnel
  2. Configure a BOVPN Policy
  3. Configure a BOVPN Route

Configure an IPSec VPN Tunnel

To configure an IPSec VPN tunnel, from the FortiGate 60E Web UI:

  1. Log in to the FortiGate 60E Web UI at: https://<IP address of FortiGate 60E>. The default IP address is 192.168.1.99.
  2. Select VPN > IPsec Tunnels.
    The list of existing tunnels appears.

    3. Screenshot of the IPsec Tunnels page in the FortiGate Web UI

  3. Click Create New > IPsec Tunnel.
    The VPN Creation Wizard page opens.

    4. Screenshot of the IPsec Wizard page in the FortiGate Web UI

  4. In the Name text box, type a name for the IPSec VPN tunnel. In our example, we type To WG.
  5. To continue without a template, for Template Type, select Custom.
  6. Click Next.
    The New VPN Tunnel page opens.

    7. Screenshot of the New VPN Tunnel page in the FortiGate Web UI

  7. In the Network section:
    1. For IP Version, select IPv4.
    2. From the Remote Gateway drop-down list, select Static IP Address.
    3. In the IP Address text box, type the public IP address of the Firebox. In our example, the IP address is 203.0.113.2.
    4. From the Interface drop-down list, select wan2. Keep the default values for all other settings in the Network section.
  8. In the Authentication section:
    1. From the Method drop-down list, select Pre-Shared Key.
    2. In the Pre-shared Key text box, type the pre-shared key.
    3. In the IKE section, for Version, select 2.
  9. In the Phase 1 Proposal section:
    1. Remove all proposals except AES256 for encryption and SHA256 for authentication.
    2. For Diffie-Hellman Group, select 14. Clear all other check boxes.
  10. Keep the default values for all other Phase 1 settings.
  11. In the Phase 2 Selectors > New Phase 2 section, click Advanced.
    The Phase 2 Proposal settings appear.

    12. Screenshot of the New VPN Tunnel page with Phase 2 Proposal settings in the FortiGate Web UI

  12. Remove all proposals except AES256 for encryption and SHA256 for authentication.
  13. Select the Enable Replay Detection check box.
  14. Select the Enable Perfect Forward Secrecy (PFS) check box.
  15. For the Diffie-Hellman Groups, select 14. Clear all other check boxes.
  16. Keep the default values for all other Phase 2 settings.
  17. Click OK.
    The tunnel you added appears in the list of existing tunnels.

    18. Screenshot of the IPsec Tunnels page with new tunnel in the FortiGate Web UI

Configure a BOVPN Policy

To configure a BOVPN policy, from FortiGate 60E Web UI:

  1. Log in to the FortiGate 60E Web UI at: https://<IP address of FortiGate 60E>.
  2. Select Policy & Objects > Addresses.
    The Address page opens.

    3. Screenshot of the Addresses page in the FortiGate Web UI

  3. Click Create New.
    The New Address page opens.

    4. Screenshot of the New Address page in the FortiGate Web UI

  4. In the Name text box, type a name for the subnet behind the Firebox. In this example, we type WG_INT.
  5. From the Type drop-down list, select Subnet.
  6. In the IP/Netmask text box, type the IP address of the subnet behind the Firebox. In this example, we type 192.168.10.0/24.
  7. Keep the default values for all other settings.
  8. Click OK.
  9. To add more subnets in the policy, repeat Steps 3-8.

    10. Screenshot of the Addresses page in the FortiGate Web UI with new addresses

  10. From the navigation menu, select Policy & Objects > Firewall Policy.
    The list of firewall policies opens.

    11. The default outgoing interface is wan1. In this example, we need to modify the outgoing interface to wan2.

    Screenshot of the Firewall Policy page in the FortiGate Web UI

  11. Click Create New.
    The Create New Policy page opens.

    12. Screenshot of the Create New Policy page in the FortiGate Web UI

  12. In the Name text box, type a name for this policy. In this example, we type Policy to WG 2.
  13. From the Incoming Interface drop-down list, select internal4.
  14. From the Outgoing Interface drop-down list, select To WG.
  15. From the Source drop-down list, select FG_INT.
  16. From the Destination drop-down list, select the address name you typed in Step 4. In this example, we select WG_INT.
  17. From the Schedule drop-down list, select Always.
  18. From the Service list, select All.
  19. For Action, select Accept.
  20. In the Firewall/Network Options section, disable NAT.
  21. Keep the default values for all other settings.
  22. Click OK.
    The policy you created appears in the list of policies.
  23. To create another policy with To WG as the incoming interface and Internal4 as the outgoing interface, repeat Steps 11-22.

    24. Screenshot of the Edit Policy page in the FortiGate Web UI

  24. To create another policy with Internal2 as the incoming interface and To WG as the outgoing interface, repeat Steps 11-22.

    25. Screenshot of the Edit Policy page for another policy in the FortiGate Web UI

  25. To create another policy with To WG as the incoming interface and Internal2 as the outgoing interface, repeat Steps 11-22.

    Screenshot of the Edit Policy page for another policy in the FortiGate Web UI

  26. All the policies you created appear in the list of policies.

    Screenshot of the Firewall Policies list with all the new policies

Configure a BOVPN Route

If you have not configured a gateway for the wan2 interface, you must add a route manually.

To configure a route, from the FortiGate 60E Web UI:

  1. Log in to the FortiGate 60E Web UI at: https://<IP address of FortiGate 60E>.
  2. From the navigation menu, select Network > Static Routes.
    The list of static routes opens.

    3. Screenshot of the Static Routes page in the FortiGate Web UI

  3. Click Create New.
    The New Static Route page opens.

    4. Screenshot of the New Static Route page in the FortiGate Web UI

  4. For Destination, select Subnet, then type the subnet of the VPN remote tunnel. In this example, we type 192.168.10.0/24.
  5. From the Interface drop-down list, select To WG.
  6. Keep the default values for all other settings.
  7. Click OK.
  8. To create another route for another subnet, repeat Steps 3-7.
  9. Click OK.
    The route you created appears in the list of existing routes.

    10. Screenshot of the Static Routes page in the FortiGate Web UI with the new routes shown in the list

Test the Integration

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. Select the cloud-managed Firebox.
  3. Select Monitor > Live Status > VPN.

    The VPN page opens.

    4. Screenshot of the Live Status VPN page with Branch Office VPN tab in WatchGuard Cloud

  4. Click the BOVPN you configured.
  5. Verify that the two VPN tunnels are active.
  1. Log in to Fireware Web UI at: https://<your Firebox IP address>:8080.
  2. Select System Status > VPN Statistics.

    The VPN Statistics page opens.
  3. Select the Branch Office VPN tab.

    The Branch Office VPN page opens.

    4. Screenshot of the VPN Statistics - Branch Office VPN page in Fireware Web UI

  4. In the Tunnels section, verify that the two VPN tunnels are active.
  1. Log in to the FortiGate 60E Web UI at: https://<IP address of FortiGate 60E>.
  2. Select Dashboard > Network > IPsec.
    The IPSec page opens.

    3. Screenshot of the IPsec page in the FortiGate Web UI

  3. Verify that the two VPN tunnels you configured are active.
  4. Verify that Host 1 (behind the Firebox) and Host 2 (behind the FortiGate 60E) can ping each other.