FortiGate
- 15 Aug 2023
- 3 Minutes to read
- Contributors
FortiGate
- Updated on 15 Aug 2023
- 3 Minutes to read
- Contributors
Article Summary
Share feedback
Thanks for sharing your feedback!
Introduction
This guide will help you establish a Site-to-Site VPN tunnel between your Perimeter 81 network and your FortiGate Devices environment.
Breakdown of topics
- Pre-requisites
- Configuration Steps
- Verifying the Setup
- Troubleshooting
- Support Contacts
Pre-requisites
To successfully follow this guide, ensure that:
- You have an active Perimeter 81 account and network.
- The Perimeter 81 app is installed on your devices.
- You have access to an active FortiGate Devices account with the necessary administrative permissions.
Configuration Steps
- Under Network in the Management Platform on the left side, select the name of the network in which you'd like to set the tunnel.
- Locate the desired gateway, and select the three-dotted menu (...).
- Select Add Tunnel and then IPSec Site-2-Site Tunnel.
- The following window displays:
- The following window displays:
- In the General Settingssection fill in the following information:
- Name: Choose whatever name you find suitable for the tunnel.
- Shared Secret: Insert a string of your own or use Generate.
- Public IP: Insert the public IP of the FortiGate device.
- Remote ID: Insert the remote ID of the FortiGate device.
- Perimeter 81 Gateway Proposal Subnets: by default, this should be set to 10.XXX.0.0/16 (do not set to any).
- Remote Gateway Proposal Subnets: click "Specified Subnets" and specify according to your local LAN Subnets.
- At the Advanced Settingssection complete the following information:
- IKE Version: V2
- Diffie-Hellman Groups (Phase 1): 21
- Diffie-Hellman Groups (Phase 2): 21
Leave the rest of the fields with the default values (as shown in the attached image).
Configuring the tunnel in the FortiGate Management Interface
- Open the FortiGate Management Interface.
- In the left panel, select VPN, then IPsec Tunnels, and select Create New.
- In the VPN Creation Wizard window set the Name to Perimeter 81 (or any other name you desire), the Template Type to Custom tab, and select Next.
- Fill in the following information:
Network Section:
- IP Version: IPv4
- Remote Gateway: Static IP Address
- IP Address: Insert the public IP of the location server
- Interface: select your WAN interface
- Mode Config: unchecked
- NAT Traversal: Disable
- Dead Peer Detection: On-Demand
Note about NAT Traversal
In rare cases the tunnel stops responding while still displaying itself as up and running on both sides - we found that changing NAT Traversal to Enabled can resolve it.
Authentication section:
- Method: Pre-shared Key
- Pre-shared Key: Insert the Shared Key you chose in Step 1
- IKE Version: 2
- Mode: Main (ID protection)
Phase 1 Proposal section:
- Encryption: AES256
- Authentication: SHA256
- Diffie-Hellman Group: 21
- Key Lifetime (seconds): 28800
- Local ID: leave blank
- XAUTH Section: leave disabled
Phase 2 Selectors (+Advanced) section:
- Name: Perimeter 81
- Local Address: Your Local network Subnet
- Remote Address: Perimeter 81 network Subnet, Usually: 10.255.0.0/255.255.0.0
- Enable Replay Detection: Checked
- Enable Perfect Forward Secrecy (PFS): Checked
- Diffie-Hellman Group:21
- Encryption: AES256
- Authentication: SHA256
- Local Port: Checked
- Remote Port: Checked
- Protocol: Checked
- Key Lifetime: Seconds
- Seconds: 3600
Configuring firewall and static routing
It is necessary to add static routes from the Perimeter 81 subnet (10.XXX.0.0/16) to the local network and from the local network to the Perimeter 81 subnet (10.XXX.0.0/16) to the local network through the VPN tunnel gateway.
1. Go to Network -> Routing -> Static Routes -> Create new -> Route.
2. Set Destination to 10.XXX.0.0/16 and the Device: Perimeter 81 (or any other name you chose for the tunnel).
- Select OK.
- It is necessary to add firewall rules to allow traffic from the Perimeter 81 subnet (10.255.0.0/16) to your local network or services you desire.
Go to Policy & Objects -> IPv4 Policy and select Create New. - Fill in the following information:
- Name: Perimeter 81
- Incoming Interface: Perimeter 81
- Outgoing Interface: Your local network object
- Source: All
- Destination: All
- Schedule: Always
- Service: All
- NAT: Disabled
If any additional settings appear, leave them in their default status.
3. Select OK.
Verifying the Setup
- In the FortiGate Management Interface, go to VPN -> IPSec Tunnels. If the tunnel is up, the line will appear in the table:
After following the above steps, your tunnel should be active.
To verify, go to your Perimeter 81 dashboard, locate the tunnel you just created, and check the tunnel status.
It should indicate that the tunnel is "Up", signifying a successful connection.
Next, connect to your network using the Perimeter 81 agent and attempt to access one of the resources in your environment.
Troubleshooting
If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.
Support Contacts
If you have any difficulties or questions, don't hesitate to contact Perimeter 81's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at support@perimeter81.com. We're here to assist you and ensure your VPN tunnel setup is a success
Was this article helpful?