1. Purpose of Article
This article shows how to configure a site-to-site IPSec VPN between a Palo Alto firewall and a Fortinet FortiGate firewall.
2. Diagram
Details:
Location A:
- The Internet connection arrives through a media converter on port 1 (ethernet1/1) of the Palo Alto PA-220, which has the static WAN IP 113.161.93.x.
- The LAN subnet 10.146.41.0/24 is configured on port 2 of the Palo Alto PA-220.
Location B:
- The Internet connection arrives through a media converter on WAN port 1 (wan1) of the Fortinet FG 81E, which has the static WAN IP 203.205.26.x.
- The LAN subnet 192.168.2.0/24 is configured on port 1 of the Fortinet FG 81E.
3. Scenario
We will configure a site-to-site IPSec VPN between the Palo Alto PA-220 and the Fortinet FG 81E so that the two LAN subnets, 10.146.41.0/24 and 192.168.2.0/24, can reach each other.
4. What to do
Fortinet FG 81E:
- Create the VPN tunnel
- Create a static route
- Create the policies
Palo Alto PA-220:
- Create a zone
- Create the address objects
- Create a tunnel interface
- Create a virtual router
- Create an IKE crypto profile
- Create an IPSec crypto profile
- Create an IKE gateway
- Create an IPSec tunnel
- Create the policies
Check the result
5. Configuration
5.1. Fortinet FG 81E
5.1.1. Creating the VPN tunnel
To create the VPN tunnel, go to VPN > IPSec Tunnels and click Create New.
The VPN wizard opens. Enter the following:
- Name: VPN_FG_2_PA
- Template Type: select Custom
- Click Next to continue.
Configure the Network section with the following parameters:
- IP Version: IPv4
- Remote Gateway: Static IP Address
- IP Address: enter the WAN IP address of the Palo Alto PA-220, 113.161.93.x.
- Interface: select the WAN port of the Fortinet device through which the VPN is established; per the diagram this is wan1.
- Local Gateway: Disable
- Mode Config: uncheck
- NAT Traversal: Disable
- Dead Peer Detection: Disable
Authentication section:
- Method: Pre-shared Key
- Pre-shared Key: enter the shared secret used to establish the VPN (it must be identical on the Palo Alto and Fortinet devices).
- Version: 2
Phase 1 Proposal section:
- Encryption: AES256
- Authentication: SHA256
- Diffie-Hellman Group: 14
- Key Lifetime (seconds): 5400
XAUTH section:
Phase 2 Selectors section:
- Local Address: select Subnet and enter the Fortinet LAN, 192.168.2.0/24.
- Remote Address: select Subnet and enter the Palo Alto LAN, 10.146.41.0/24.
- Click Advanced... to display the Phase 2 Proposal.
Phase 2 Proposal section:
- Encryption: AES128
- Authentication: SHA256
- Enable Perfect Forward Secrecy (PFS): uncheck
- Key Lifetime: Seconds
- Seconds: 3600
Click OK to save the IPSec tunnel.
5.1.2. Creating a static route
We need a static route so that traffic destined for the Palo Alto LAN is sent through the VPN tunnel we just created on the Fortinet firewall.
To create it, go to Network > Static Routes and click Create New.
Configure the following parameters:
- Destination: enter the Palo Alto PA-220 LAN, 10.146.41.0/24.
- Interface: select the newly created IPSec tunnel, VPN_FG_2_PA.
- Status: Enabled.
- Click OK to save.
5.1.3. Creating the policies
We need policies that allow the Fortinet LAN to reach the remote LAN over the VPN and vice versa.
To create a policy, go to Policy & Objects > IPv4 Policy and click Create New.
Configure the policy that allows traffic from the Fortinet LAN to the Palo Alto LAN with the following settings:
- Name: VPN_FG_2_PA
- Incoming Interface: Floor B (this is the LAN 1 interface)
- Outgoing Interface: the newly created VPN tunnel, VPN_FG_2_PA
- Source: select VLAN_Floor B
- Destination: select LAN_Palo Alto
- Service: ALL
- Action: ACCEPT
- Log Allowed Traffic: enable and select All Sessions
- Enable this policy: ON
- Click OK to save.
The second policy allows traffic from the Palo Alto LAN to the Fortinet LAN with the following settings:
- Name: VPN_PA_2_FG
- Incoming Interface: the newly created VPN tunnel, VPN_FG_2_PA
- Outgoing Interface: Floor B (this is the LAN 1 interface)
- Source: select LAN_Palo Alto
- Destination: select VLAN_Floor B
- Service: ALL
- Action: ACCEPT
- Log Allowed Traffic: enable and select All Sessions
- Enable this policy: ON
- Click OK to save.
5.2. Palo Alto PA-220
5.2.1. Creating a zone
We need a zone for the VPN connection.
To create it, go to Network > Zones.
Click Add and enter the following:
- Name: VPN
- Type: Layer3
- Click OK to save.
Click Commit, then OK, to apply the configuration changes.
5.2.2. Creating the address objects
We will create an address object for each of the two LAN subnets, the Palo Alto LAN and the Fortinet LAN.
To create them, go to Objects > Addresses.
Click Add and enter the following parameters.
Palo Alto LAN:
- Name: PA_LAN
- Type: IP Netmask – 10.146.41.0/24
- Click OK to save.
Fortinet LAN:
- Name: FG_LAN
- Type: IP Netmask – 192.168.2.0/24
- Click OK to save.
5.2.3. Creating a tunnel interface
To create it, go to Network > Interfaces > Tunnel.
Click Add and enter the following:
- Interface Name: tunnel.2
- Virtual Router: None
- Security Zone: VPN
- Click OK to save.
5.2.4. Creating a virtual router
To create the virtual router, go to Network > Virtual Routers, click Add, and configure the following.
Router Settings tab:
- Name: VR1
- General tab: click Add and select the interfaces vlan (LAN port), ethernet1/1 (Internet port) and tunnel.2 (the tunnel interface used for the VPN).
Static Routes tab > IPv4:
Click Add to create a static route and enter the following:
- Name: VPN_PA_2_FG
- Destination: FG_LAN
- Interface: tunnel.2
- Click OK twice to save.
Click Commit, then OK, to apply the configuration changes.
5.2.5. Creating an IKE crypto profile
We will create an IKE crypto profile, i.e. the Phase 1 settings for the VPN connection.
To create it, go to Network > IKE Crypto, click Add, and enter the following:
- Name: VPN_PA_2_FG
- DH Group: group14
- Encryption: aes-256-cbc
- Authentication: sha256
- Key Lifetime: Seconds – 5600
- Click OK to save.
5.2.6. Creating an IPSec crypto profile
To create the IPSec crypto profile, go to Network > IPSec Crypto and click Add.
Configure the following parameters:
- Name: VPN_PA_2_FG
- IPSec Protocol: ESP
- Encryption: aes-128-cbc
- Authentication: sha256
- DH Group: no-pfs
- Lifetime: Seconds – 3600
- Click OK to save.
Click Commit, then OK, to apply the configuration changes.
5.2.7. Creating an IKE gateway
To create it, go to Network > IKE Gateways and click Add.
Configure the following parameters.
General tab:
- Name: VPN_PA_2_FG
- Version: IKEv2 only mode
- Address Type: IPv4
- Interface: ethernet1/1 (the Palo Alto WAN interface)
- Local IP Address: None
- Peer Address: 203.205.35.x
- Authentication: Pre-Shared Key
- Pre-shared Key: enter the shared secret for the connection (it must match the key entered on the Fortinet).
- Confirm Pre-shared Key: enter the shared secret again.
Advanced Options tab:
- IKE Crypto Profile: VPN_PA_2_FG
- Click OK to save.
Click Commit, then OK, to apply the configuration changes.
5.2.8. Creating an IPSec tunnel
We will now create the VPN tunnel to the Fortinet device.
To create it, go to Network > IPSec Tunnels and click Add.
Enter the following information.
General tab:
- Name: VPN_PA_2_FG_Tunnel
- Tunnel Interface: tunnel.2
- Type: Auto Key
- Address Type: IPv4
- IKE Gateway: VPN_PA_2_FG
- IPSec Crypto Profile: VPN_PA_2_FG
Proxy IDs tab:
Click Add and configure the following:
- Name: Proxy-1
- Local: 10.146.41.0/24
- Remote: 192.168.2.0/24
- Protocol: Any
- Click OK twice to save.
Click Commit, then OK, to apply the configuration changes.
5.2.9. Creating the policies
We need policies that allow traffic from the Palo Alto LAN to the Fortinet LAN and vice versa.
To create a policy, go to Policies > Security and click Add.
Create the policy that allows traffic from the Palo Alto LAN to the Fortinet LAN with the following information:
General tab:
- Name: VPN_PA_2_FG
- Rule Type: universal (default)
Source tab:
- Source Zone: click Add and select Trust Layer 3 (this is the LAN zone).
- Source Address: click Add and select PA_LAN (the address object created earlier).
Destination tab:
- Destination Zone: VPN
- Destination Address: FG_LAN (the address object created earlier)
Actions tab:
- Action: Allow.
- Click OK to save.
Next, click Add again and create the policy that allows traffic from the Fortinet LAN to the Palo Alto LAN with the following information:
General tab:
- Name: VPN_FG_2_PA
- Rule Type: universal (default)
Source tab:
- Source Zone: click Add and select VPN
- Source Address: click Add and select FG_LAN (the address object created earlier).
Destination tab:
- Destination Zone: Trust Layer 3 (the LAN zone)
- Destination Address: PA_LAN (the address object created earlier)
Actions tab:
- Action: Allow.
- Click OK to save.
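Before committing on both sides, it is worth checking that the two ends actually agree, because each GUI spells the same setting differently (AES256 on the FortiGate versus aes-256-cbc on the PA-220, Diffie-Hellman Group 14 versus group14, PFS unchecked versus no-pfs) and a single mismatched field leaves the tunnel down with little to go on. The Python script below is an added example, not part of the original article and not a tool from either vendor: it holds the values from sections 5.1.1 and 5.2.5 to 5.2.8 as two constructed dictionaries, normalises each vendor's spelling, and reports where Phase 1, Phase 2, the peer addresses and the Phase 2 selectors / proxy IDs disagree. Run on the values exactly as this guide enters them, it flags the two places where the two sides differ: the Peer Address typed on the PA-220 (203.205.35.x) is not the FortiGate WAN address given in the diagram (203.205.26.x), and the Phase 1 lifetimes are 5400 s versus 5600 s (reported as a warning only, since IKEv2 peers rekey on their own timers and the mismatch does not prevent the tunnel from coming up).

```python
import ipaddress
import re

# Constructed example: the two dictionaries hold the parameters the article enters
# in the FortiGate and PA-220 GUIs, each written in that vendor's own spelling.
FORTIGATE = {
    "name": "FortiGate FG 81E",
    "ike_version": 2,
    "local_gw": "203.205.26.x",  # wan1 address from the diagram (last octet redacted by the article)
    "peer_gw": "113.161.93.x",   # Remote Gateway entered in the VPN wizard
    "phase1": {"enc": "AES256", "auth": "SHA256", "dh": "14", "lifetime": 5400},
    "phase2": {"enc": "AES128", "auth": "SHA256", "dh": "disabled", "lifetime": 3600},
    "selectors": [("192.168.2.0/24", "10.146.41.0/24")],  # (local, remote)
}
PALOALTO = {
    "name": "Palo Alto PA-220",
    "ike_version": 2,
    "local_gw": "113.161.93.x",  # ethernet1/1 address from the diagram
    "peer_gw": "203.205.35.x",   # Peer Address typed in the IKE Gateway step
    "phase1": {"enc": "aes-256-cbc", "auth": "sha256", "dh": "group14", "lifetime": 5600},
    "phase2": {"enc": "aes-128-cbc", "auth": "sha256", "dh": "no-pfs", "lifetime": 3600},
    "selectors": [("10.146.41.0/24", "192.168.2.0/24")],  # proxy ID (local, remote)
}


def norm_enc(value):
    """Map 'AES256' and 'aes-256-cbc' to one token; mode defaults to CBC."""
    m = re.fullmatch(r"aes-?(\d{3})(?:-(cbc|gcm))?", value.lower())
    if not m:
        return value.lower()
    return f"aes-{m.group(1)}-{m.group(2) or 'cbc'}"


def norm_dh(value):
    """Map '14', 'Group 14' and 'group14' to 'group14'; any PFS-off spelling to 'none'."""
    v = str(value).lower()
    if v in ("no-pfs", "disabled", "none", "off", ""):
        return "none"
    m = re.search(r"(\d+)", v)
    return f"group{m.group(1)}" if m else v


def _compare_phase(label, a, b, findings):
    """Algorithms must match exactly; lifetimes only produce a warning."""
    for key, norm in (("enc", norm_enc), ("auth", str.lower), ("dh", norm_dh)):
        if norm(a[key]) != norm(b[key]):
            findings.append(("ERROR", f"{label} {key}: {a[key]!r} vs {b[key]!r}"))
    if a["lifetime"] != b["lifetime"]:
        # IKEv2 does not negotiate lifetimes; each peer rekeys on its own timer,
        # so the tunnel still works, but identical values avoid surprises.
        findings.append(("WARN", f"{label} lifetime: {a['lifetime']}s vs {b['lifetime']}s"))


def check_pair(a, b):
    """Return a list of (severity, message) findings; an empty list means the sides agree."""
    findings = []
    if a["ike_version"] != b["ike_version"]:
        findings.append(("ERROR", f"IKE version: {a['ike_version']} vs {b['ike_version']}"))
    # Each side's peer address must be the other side's WAN address. The article
    # redacts the last octet, so this is a plain string comparison.
    for x, y in ((a, b), (b, a)):
        if x["peer_gw"] != y["local_gw"]:
            findings.append(("ERROR", f"{x['name']} peer address {x['peer_gw']} "
                                      f"is not {y['name']} WAN address {y['local_gw']}"))
    _compare_phase("Phase 1 (IKE)", a["phase1"], b["phase1"], findings)
    _compare_phase("Phase 2 (IPsec)", a["phase2"], b["phase2"], findings)

    def nets(pairs):
        return {(ipaddress.ip_network(l, strict=False), ipaddress.ip_network(r, strict=False))
                for l, r in pairs}

    # Phase 2 selectors / proxy IDs must be mirror images: A's local is B's remote.
    mirrored = {(r, l) for l, r in nets(b["selectors"])}
    if nets(a["selectors"]) != mirrored:
        findings.append(("ERROR", "Phase 2 selectors / proxy IDs are not mirrored between the sides"))
    return findings


if __name__ == "__main__":
    for severity, message in check_pair(FORTIGATE, PALOALTO):
        print(f"{severity}: {message}")
```

The check deliberately treats the peer address as text because the article masks the last octet; with real addresses, the same comparison works unchanged, and it is the first thing to confirm when the IKE gateway status stays red after Commit.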
5.3. Result
To check the result on the Palo Alto device, go to Network > IPSec Tunnels.
Both the Tunnel and IKE Gateway status indicators should be green, which means the VPN connection has been established.
On the Fortinet device, check the connection under Monitor > IPSec Monitor.
You should see that the VPN connection is up and that traffic is passing in both directions.