Fortinet FortiGate BOVPN Virtual Interface Integration Guide

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, go to the documentation and support resources for that product.

This integration guide describes how to configure a BOVPN virtual interface tunnel between a WatchGuard Firebox and a Fortinet FortiGate 60E.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox
    • Fireware v12.10 or higher
  • Fortinet FortiGate 60E
    • FortiOS v7.4.1 or higher

Topology

This diagram shows the topology for a BOVPN virtual interface connection between a Firebox and a Fortinet FortiGate 60E.

WatchGuard Firebox and Fortinet topology diagram

Configure the Firebox

To configure a BOVPN virtual interface on your Firebox, from Fireware Web UI:

  1. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  2. Click Add.
  3. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  4. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  5. Keep the default Gateway Address Family setting, which is IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key. Keep the default String-Based setting.

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  2. On the Local Gateway tab, from the Physical drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
  4. Select By IP Address.
  5. In the adjacent text box, type the public (external) IP address of your Firebox.

Screenshot of the Firebox local gateway settings

  1. On the Remote Gateway tab, select Static IP Address.
  2. In the adjacent text box, type the public IP address of the FortiGate 60E wan1 interface.
  3. Select By IP Address.
  4. In the adjacent text box, type the public IP address of the FortiGate 60E wan1 interface.

Screenshot of the Firebox remote gateway settings

  1. Click OK.
  2. In the Gateway Endpoint section, select Start Phase 1 tunnel when it is inactive.
  3. Select Add this tunnel to the BOVPN-Allow policies.
  4. Click Save.

  1. Select the BOVPN virtual interface that you created.
  2. Click Edit.
  3. Click the VPN Routes tab.
  4. Click Add.
  5. From the Choose Type drop-down list, select Network IPv4.
  6. In the Route To text box, type the subnet of the remote network that will be reached through this virtual interface.

Screenshot of the Firebox VPN route settings

  1. Click OK.

Screenshot of the Firebox VPN routes

  1. Repeat the previous steps to add a VPN route for another remote subnet.

Screenshot of the Firebox VPN route settings

Screenshot of the Firebox VPN routes

  1. Click the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. Keep all other Phase 1 settings as the default values.

Screenshot of the Firebox Phase 1 settings

  1. Keep Phase 2 Settings as the default values.

Screenshot of the Fortinet Phase 2 settings

  1. Click Save.

Configure the FortiGate 60E

Follow these steps to configure the interfaces, VPN settings, policies, and routes on your FortiGate device.

Interface Settings

  1. Log in to the FortiGate 60E Web UI at https://<IP address of FortiGate 60E>. The default IP address is 192.168.1.99.
  2. Select Network > Interfaces.
  3. Configure the external interface (wan1) and the internal interfaces (internal2 and internal3). For information about how to configure interfaces, go to the Fortinet User Guide.

Screenshot of the FortiGate interface settings

IPsec VPN Tunnel Settings

  1. Select VPN > IPsec Tunnels.

  1. Click Create New > IPsec Tunnel.
  2. In the Name text box, type a name for the tunnel. In our example, the name is To WG.
  3. From the Template Type options, select Custom to continue without a template.

  1. Click Next.
  2. In the Network section, for IP Version, select IPv4.
  3. From the Remote Gateway drop-down list, select Static IP Address.
  4. In the IP Address text box, type the WatchGuard Firebox public IP address. In our example, the IP address is 203.0.113.2.
  5. From the Interface drop-down list, select wan1. Leave the default value for all other settings in the Network section.
  6. In the Authentication section, from the Method drop-down list, select Pre-shared Key.
  7. In the Pre-shared Key text box, type the pre-shared key.
  8. In the IKE section, for Version, select 2.
  9. In the Phase 1 Proposal section, remove all proposals except AES256 for encryption and SHA256 for authentication.
  10. For the Diffie-Hellman Groups, select 14. Clear all other check boxes.
  11. Leave the default value for all other Phase 1 settings.

  1. In the Phase 2 Selectors section, expand Advanced.
  2. Remove all proposals except AES256 for encryption and SHA256 for authentication.
  3. Select the Enable Replay Detection check box.
  4. Select the Enable Perfect Forward Secrecy (PFS) check box.
  5. For the Diffie-Hellman Groups, select 14. Clear all other check boxes.
  6. Leave the default value for all other Phase 2 selectors.

  1. Click OK.

Policy Settings

  1. Select Policy & Objects > Addresses.

Screenshot of the FortiGate Addresses page

  1. Click Create New > Address.
  2. In the Name text box, type a name for the IP address. In our example, the name is WG_INT.
  3. From the Type drop-down list, select Subnet.
  4. In the IP/Netmask text box, type the network address and netmask of the subnet.
  5. Leave the default value for all other settings.

Screenshot of the WatchGuard internal subnet address object

  1. Click OK.
  2. Repeat the previous steps to create address objects for any other subnets.

Screenshot of the saved address objects

  1. Select Policy & Objects > Firewall Policy.

Screenshot of the FortiGate Firewall Policy page

  1. Click Create New.
  2. In the Name text box, type a name for the policy. In our example, the name is Policy to WG.
  3. From the Incoming Interface drop-down list, select internal2.
  4. From the Outgoing Interface drop-down list, select To WG.
  5. From the Source Address list, select FG_INT.
  6. From the Destination Address list, select WG_INT.
  7. From the Schedule drop-down list, select Always.
  8. From the Service list, select All.
  9. In the Action list, select Accept.
  10. Disable NAT under Firewall/Network Options.
  11. Leave the default value for all other settings.

  1. Click OK.
  2. Repeat these steps to create another policy.

  1. Repeat these steps to create two additional policies for another subnet.

The policies that you created appear on this page.

Route Settings

  1. From the navigation menu, select Network > Static Routes.

Screenshot of the FortiGate Static Routes page

  1. Click Create New.
  2. In the Destination section, select Subnet.
  3. Type the subnet of the remote network that is reached through the VPN tunnel.
  4. From the Interface drop-down list, select To WG.
  5. Leave the default value for all other settings.

  1. Click OK.
  2. Repeat these steps to create another route for another subnet.

  1. Click OK.

  1. (Optional) If you did not add a gateway for the wan1 interface, you must repeat these steps to configure wan1.

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Verify that the VPN tunnel is active.

To test the integration, from the FortiGate Web UI:

  1. Select Dashboard > Network > IPsec.
  2. Verify that the VPN tunnel is active.

Finally, verify that hosts on each side of the tunnel can successfully ping each other.