The following procedure demonstrates how to configure a VPN tunnel on the FortiGate devices using the management interface.
Step 1: Configure an IPSec Tunnel at the Perimeter 81 Management Portal
- Under the Network tab in the left menu, click on the name of the network in which you'd like to set up the tunnel. Locate the desired gateway, click the three-dotted icon, press Add Tunnel and then IPSec Site-2-Site Tunnel.
The following window will pop up. At the General Settings section, fill in according to the following:
- Name: Choose whatever name you find suitable for the tunnel.
- Shared Secret: Insert a string of your own or use the Generate button.
- Public IP: Insert the public IP of the firewall (you can copy it from the Fireware Web UI URL).
- Remote IP: Insert the public IP of the firewall (same address as above).
- Perimeter 81 Gateway Proposal Subnets: by default this should be set to 10.255.0.0/16
- Remote Gateway Proposal Subnets: 0.0.0.0/0, or specify according to your customised settings.
At the Advanced Settings section, fill in:
- Diffie-Hellman Groups (Phase 1): 2
- Diffie-Hellman Groups (Phase 2): 2
- Leave the rest of the fields with the default values (as shown in the attached screenshot).
Step 2: Configure the Tunnel at the WatchGuard Management Interface (Fireware Web UI)
- Open Fireware Web UI.
- In the left panel, choose VPN, then Branch Office VPN.
Under Gateways click ADD. The following window will open (make sure that you're in the General Settings tab):
- Under Gateway Name fill in an indicative name of your own choice.
- Select Use Pre-Shared Key and insert the Shared Secret you selected or generated while defining the tunnel in the Perimeter 81 management platform.
- Under Gateway Endpoint click ADD.
- Fill in according to the following:
  - Local Gateway
    - External Interface: External
    - Interface IP Address: Primary Interface IP Address
  - Remote Gateway
    - Select Static IP Address and enter your gateway IP.
    - Choose By IP Address and enter your gateway IP.
    - Tick Specify a different pre-shared key for each gateway endpoint and enter the Shared Secret.
  - Leave the rest of the fields with the default values.
- Go to the Phase 1 Settings tab and fill in according to the following:
  - Version: IKEv1
  - Mode: Main
  - NAT Traversal: Tick; Keep-alive Interval: 20 seconds
  - IKE Keep-alive: Tick; Message Interval: 30 seconds; Max failures: 5
  - Dead Peer Detection (RFC3706): Tick; Traffic idle timeout: 20 seconds; Max retries: 5
- Go to the Transform Settings and click ADD. Fill in according to the following:
  - Authentication: SHA2-256
  - Encryption: AES(256-bit)
  - SA Life: 24 hours
  - Key Group: Diffie-Hellman Group 2
- Go back to the Branch Office VPN page. Under Tunnel, press ADD.
  - Name: Fill in an indicative name of your choice.
  - Gateway: Choose the gateway that you have just created.
- Go to the Addresses tab and press ADD.
  - Local IP: Any (0.0.0.0/0)
  - Remote IP: Network IPv4; 10.255.0.0/16 (or the customised subnet you entered while creating your Perimeter 81 network).
  - Direction: bi-directional
  - Leave the rest of the fields with default values (including the NAT tab).
- Go to the Phase 2 Settings:
  - Tick Enable Perfect Forward Secrecy and choose Diffie-Hellman Group 2.
  - Under IPSec Proposals choose ESP-AES256-SHA256, then press ADD.
- Click Save (no need to customise the settings in the Multicast Settings tab).
Step 3: Make Sure the Tunnel is Up
If you experience otherwise, make sure you have meticulously gone through all the steps; if the issue persists, please contact our support team.
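A cross-check of the two sides configured above, added here as an example (not Perimeter 81 or WatchGuard code): it confirms that the Phase 1 and Phase 2 Diffie-Hellman groups and the proposal subnets on each side mirror the other, which is the usual cause of a tunnel that never comes up, and flags that Diffie-Hellman group 2 is only 1024-bit MODP. The P81 and WATCHGUARD dictionaries are constructed from the values in this procedure.

```python
import ipaddress

# Constructed from the procedure above: Perimeter 81 values as bare group numbers
# and CIDRs, WatchGuard values in Fireware's display names; none read from a device.
P81 = {
    "ike_version": "IKEv1",
    "phase1_dh": 2,
    "phase2_dh": 2,
    "local_subnets": ["10.255.0.0/16"],  # Perimeter 81 Gateway Proposal Subnets
    "remote_subnets": ["0.0.0.0/0"],     # Remote Gateway Proposal Subnets
}
WATCHGUARD = {
    "ike_version": "IKEv1",
    "phase1_dh": "Diffie-Hellman Group 2",
    "phase2_pfs": "Diffie-Hellman Group 2",
    "local_subnets": ["0.0.0.0/0"],      # Addresses tab, Local IP: Any
    "remote_subnets": ["10.255.0.0/16"], # Addresses tab, Remote IP: Network IPv4
}

# MODP sizes (RFC 2409 / RFC 3526); RFC 8247 rates groups below 2048 bits,
# group 2 included, as SHOULD NOT be used.
DH_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096}

def dh_group(value):
    """Normalise 'Diffie-Hellman Group 2' or 2 to the integer group number."""
    return int(str(value).split()[-1])

def nets(cidrs):
    return {ipaddress.ip_network(c) for c in cidrs}

def check_tunnel(p81, wg):
    """Return (errors, warnings): errors are mismatches that stop negotiation,
    warnings are weak-but-negotiable choices left at the procedure's values."""
    errors, warnings = [], []
    if p81["ike_version"] != wg["ike_version"]:
        errors.append("IKE version mismatch")
    if dh_group(p81["phase1_dh"]) != dh_group(wg["phase1_dh"]):
        errors.append("Phase 1 DH group mismatch")
    if dh_group(p81["phase2_dh"]) != dh_group(wg["phase2_pfs"]):
        errors.append("Phase 2 PFS group mismatch")
    # Each side's local selector must be the other side's remote selector.
    if nets(p81["local_subnets"]) != nets(wg["remote_subnets"]):
        errors.append("P81 gateway subnets != WatchGuard remote subnets")
    if nets(p81["remote_subnets"]) != nets(wg["local_subnets"]):
        errors.append("P81 remote subnets != WatchGuard local subnets")
    for phase, g in (("Phase 1", wg["phase1_dh"]), ("Phase 2 PFS", wg["phase2_pfs"])):
        bits = DH_BITS.get(dh_group(g), 0)
        if bits < 2048:
            warnings.append(f"{phase}: DH group {dh_group(g)} is {bits}-bit MODP")
    return errors, warnings
```

With the values from this procedure the check reports no errors but two warnings, one per phase, because both sides negotiate group 2.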