The following procedure demonstrates how to configure a VPN tunnel on the FortiGate devices using the management interface. Please follow the steps below:
2. Locate the desired gateway, select the three-dotted menu (...).
3. Select Add Tunnel and then IPSec Site-2-Site Tunnel.
The following window will display:
4. In the General Settings section fill in the following information:
- Name: Choose whatever name you find suitable for the tunnel
- Shared Secret: Insert a string of your own or use Generate
- Public IP: Insert the public IP of the firewall (you can copy it from the Fireware Web UI URL)
- Remote IP: Insert the public IP of the firewall (same address as above)
- Perimeter 81 Gateway Proposal Subnets: by default, this should be set to 10.255.0.0/16
- Remote Gateway Proposal Subnets: 0.0.0.0/0 or specify according to your customized settings
In the Advanced Settings section fill in the following information:
- Diffie-Hellman Groups (Phase 1): 2
- Diffie-Hellman Groups (Phase 2): 2
Leave the rest of the fields with the default values (as shown in the attached screenshot).
Configure the Tunnel at the WatchGuard Management Interface (Fireware Web UI)
1. Open Fireware Web UI.
2. In the left panel, select VPN, then Branch Office VPN.
3. Under Gateways select ADD. The following window will open (make sure that you're in the General Settings tab):
4. Under Gateway Name fill in an indicative name of your own choice.
5. Select Use Pre-Shared Key and insert the Shared Secret you selected or generated while defining the tunnel in the Perimeter 81 management platform.
6. Under Gateway Endpoint select ADD.
7. Fill in the following information:
- Local Gateway:
  - External Interface: External
  - Interface IP Address: Primary Interface IP Address
- Remote Gateway:
  - Select Static IP Address and enter your gateway IP.
  - Select By IP Address and enter your gateway IP.
  - Select Specify a different pre-shared key for each gateway endpoint and enter the Shared Secret.
Leave the rest of the fields with the default values.
8. Go to the Phase 1 Settings tab and fill in the following information:
- Version: IKEv1
- Mode: Main
- NAT Traversal: Tick; Keep-alive Interval: 20 seconds
- IKE Keep-alive: Tick; Message Interval: 30 seconds; Max failures: 5
- Dead Peer Detection (RFC3706): Tick; Traffic idle timeout: 20 seconds; Max retries: 5
9. Go to the Transform Settings and select ADD. Fill in the following information:
- Authentication: SHA2-256
- Encryption: AES(256-bit)
- SA Life: 24 hours
- Key Group: Diffie-Hellman Group 2
10. Go back to the Branch Office VPN page. Under Tunnel select ADD and fill in the following information:
- Name: Fill in an indicative name of your choice.
- Gateway: Choose the gateway that you have just created.
11. Go to the Addresses tab and select ADD.
- Local IP: Any (0.0.0.0/0)
- Remote IP: Network IPv4; 10.255.0.0/16 (or the customized subnet you entered while creating your Perimeter 81 network).
- Direction: bi-directional
Leave the rest of the fields with the default values (including the NAT tab).
12. Go to the Phase 2 Settings:
13. Check Enable Perfect Forward Secrecy and select Diffie-Hellman Group 2.
14. Under IPSec Proposals choose ESP-AES256-SHA256 then select ADD.
15. Select Save (no need to customize the settings in the Multicast Settings tab).
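Both sides of an IPsec tunnel only negotiate successfully when the pre-shared key, peer address, DH groups and traffic selectors mirror each other, and most failed tunnels come from one of those fields being typed differently on the two consoles. The script below is an added example, not Perimeter 81 or WatchGuard code; it captures the values from the procedure above in two plain dictionaries (field names, the sample secret and the sample public IP are assumptions), checks them against each other, and flags the DH group chosen here as a deprecated MODP size.

```python
# Consistency check for the Perimeter 81 <-> WatchGuard BOVPN settings above.
# Added example, not Perimeter 81 or WatchGuard code; dictionary keys are assumed names.
from ipaddress import ip_network

# Values follow the procedure on this page; the secret and the public IP are constructed samples.
PERIMETER81 = {
    "shared_secret": "constructed-sample-psk",
    "remote_ip": "203.0.113.10",            # public IP of the firewall (sample)
    "local_subnets": ["10.255.0.0/16"],     # Perimeter 81 Gateway Proposal Subnets
    "remote_subnets": ["0.0.0.0/0"],        # Remote Gateway Proposal Subnets
    "dh_phase1": 2,
    "dh_phase2": 2,
}
WATCHGUARD = {
    "shared_secret": "constructed-sample-psk",
    "external_ip": "203.0.113.10",          # Primary Interface IP Address (sample)
    "ike_version": "IKEv1", "mode": "Main",
    "phase1": {"auth": "SHA2-256", "enc": "AES256", "dh": 2, "sa_life_hours": 24},
    "phase2": {"pfs_dh": 2, "proposal": "ESP-AES256-SHA256"},
    "local_subnets": ["0.0.0.0/0"],         # Addresses tab: Local IP
    "remote_subnets": ["10.255.0.0/16"],    # Addresses tab: Remote IP
}

WEAK_DH_GROUPS = {1, 2, 5}  # 768/1024/1536-bit MODP groups, deprecated for IKE

def nets(subnets):
    return {ip_network(n) for n in subnets}

def check_tunnel_config(p81, wg):
    """Return a list of findings; an empty list means both sides agree with no caveats."""
    findings = []
    if p81["shared_secret"] != wg["shared_secret"]:
        findings.append("pre-shared key differs between the two sides")
    if p81["remote_ip"] != wg["external_ip"]:
        findings.append("Perimeter 81 Remote IP does not match the Firebox external IP")
    if p81["dh_phase1"] != wg["phase1"]["dh"]:
        findings.append("Phase 1 DH group mismatch")
    if p81["dh_phase2"] != wg["phase2"]["pfs_dh"]:
        findings.append("Phase 2 (PFS) DH group mismatch")
    # Traffic selectors must mirror: P81 local == Firebox remote, and vice versa.
    if nets(p81["local_subnets"]) != nets(wg["remote_subnets"]):
        findings.append("Perimeter 81 local subnets are not the Firebox remote subnets")
    if nets(p81["remote_subnets"]) != nets(wg["local_subnets"]):
        findings.append("Perimeter 81 remote subnets are not the Firebox local subnets")
    for group in sorted({p81["dh_phase1"], p81["dh_phase2"]} & WEAK_DH_GROUPS):
        findings.append(f"warning: DH group {group} is a deprecated MODP size")
    return findings

if __name__ == "__main__":
    for line in check_tunnel_config(PERIMETER81, WATCHGUARD) or ["OK: settings match"]:
        print(line)
```

Run against the values on this page it reports only the DH group warning; change a subnet or the secret on one side and the corresponding mismatch is listed.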
Make sure the Tunnel is Up
If the tunnel does not come up, check that you went through all the steps carefully; if the issue persists, please contact our support team.