This is an automated archive.
The original was posted on /r/sysadmin by /u/middlemangv on 2024-01-24 06:56:06+00:00.
first time posting here, as I just started with my Firewall journey and bought Fortinet 40F Fortiguard.
Basically I'm a noob, didn't work too much with Firewalls but I'm learning and trying.
I have two sites. 1st site: Fortinet 2nd site: Watchguard
I need to connect those two sites.
NO Public Static IPs:
1st site: Fortinet is using its build in DDNS. There is an ISP router before it. I configured the DMZ to 192.168.1.254 to point it to Fortinet. Fortinet uses other subnet 10.11.1.0/24
2nd site: There is no ISP router before it but the IP is not static. It changes from time to time and ISP won't do anything about it. I created DDNS with free public DDNS provider. Watchguard is using subnet 192.168.88.0/24
What I did:
Went to "IPsec Tunnels" and created new "Custom" tunnel
Remote Gateway was set to be a Dynamic DNS. I figured out, after reading documentation, that this is DDNS for the other site so I typed it in
Interface that I'm using is wan1. wan1 is basically, as the name says, my go out to the internet port
The rest for "Network" in Edit VPN tunnel settings is left on default
Regarding authentication I just set Pre-Shared key with and typed simple password.
On IKE Version I choose 2.
Phase 1 Proposal:
I left only AES256 for Encryption and SHA256 for Authentication. I removed any other encryption and authentication choices. Diffie-Helman group is 14
Phase 2 Selectors:
I basically just typed in my local IP for Fortinet on "Local Address" and I typed in local Watchguard IP on "Remote address" with their subnets which are /24.
So basically, after I was done with this, I went to Policy & Objects > Firewall Policy
I added two Policies - first one:
name: VPN remote site
Incoming interface: internal - this is my lan
Outgoing interface: I choose the tunnel interface that I created on IPSec tunnel option.
Source: 4 all
Destination: I created an address. I went to Network/Addresses and addes an address or a subnet with IP and its Netmask and I named it accordingly.
Service: ALL
Action: Accept
NAT: I switched it off
Everything else is left on default and I clicked OK.
Then, on the same menu - Firewall Policy I just clicked on newly created policy and "Created reverse policy".
After that I went to "Network > Static Routes>Create New"
Destination: Subnet, I just typed in subnet of the remote Watchguard
Interface: I choose that Tunnel Interface that was created on "IP Sec Tunnel" in the first steps.
So this should be it for Fortiguard, right? Hopefully I didn't make any mistakes. Or maybe I did, or maybe there is some practice that I am not aware of.
After that I logged in to Watchguard Firebox, and I may have some noobish problems but:
VPN > Branch Office VPN and on "Gateways" I clicked "Add". Added a name to my Gateway and on
Credential Method I selected "Use Pre-Shared Key" and typed in the same key as I did on Fortiguard.
On "Phase 1 Settings" I selected IKEv2 version and left everything else on default.
I went back and clicked "add" on "Gateway Endpoint" > Local Gateway
External interface: External
Interface IP Address: Primary interface IPv4 Address
Specify the gateway ID for tunnel authentication > By Domain Name and I typed in domain name or DDNS of the local gateway aka Watchguard. I don't know if this is correct, but to me, its logical that Local Gateway ID is local gateway for Watchguard.
On "Remote Gateway" I selected Dynamic IP address for "Specify the remote gateway IP address for a tunnel"
and I selected "By Domain Name" on "Specify the remote gateway ID for tunnel authentication" and I typed in Fortiguard DDNS that I created when I bought Fortiguard. Everything else was left on default.
After that I went on creating Tunnel in "Branch Office VPN"
Added, named it, and on "Addresses" I added Local IP (Watchguard) and Remote IP (Fortiguard) and for the type I choose Network IPv4.
Direction: bidirectional
For Phase 2 Settings:
I enabled perfect Forward Secrecy and Choose Diffie-Hellman Group 14
On IPSec Proposals I choose ESP-AES256-SHA256, as I did on my fortiguard AES256 and SHA256.
Clicked save, and the rest of the settings are on default.
What now? What are my next steps? Do I have to add some policy in Watchguard or what, because I think that some policies are already added after creating BoVPN? I tried to be as much as detailed as possible.
Any answer is highly appreciated.
Btw it is worth nothing that there is already one site to site connection on fortinet to another remote destination. I don't know if it means something but maybe you should know. Thanks!
TUNNEL STATE from Fortinet: I typed this command in CLI: get vpn ipsec tunnel summary
Output: 'MZ RemoteVPN' IP address:0 selectors(total,up): 1/0 rx(pkt,err): 0/0 tx(pkt,err): 0/0
#diagnose vpn tunnel list
list all ipsec tunnel in vd 0
name=MZ RemoteVPN ver=2 serial=7 192.168.1.254:0->IP address:0 tun_id=10.0.0.7 tun_id6=::10.0.0.7 dst_mtu=0 dpd-link=off weight=1
bound_if=5 lgwy=static/1 tun=intf mode=auto/1 encap=none/552 options[0228]=npu frag-rfc run_state=0 role=primary accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=3 ilast=43646953 olast=43646953 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=0 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
fec: egress=0 ingress=0
proxyid=Deponija remote proto=0 sa=0 ref=1 serial=2
src: 0:10.11.0.0-10.11.0.255:0
dst: 0:192.168.88.0-192.168.88.255:0
On Firebox using WSM I clicked on Branch office VPN Tunnels and on Gateway there is red X and the message from Endpoint: 1 - No response for IKE_SA_INIT request message. Check connection between the local and remote gateway endpoitns Local 192.168.88.0 Remote 10.11.0.0 (inacti