Security: FortiGate to SonicWall VPN Tunnel setup

Today I am going to talk about the VPN tunnel configuration between Fortinet and SonicWall security devices. I am not going to talk about specific models of Fortinet and SonicWall, so some of the settings may vary between Fortinet and SonicWall devices.

As we discuss the VPN tunnel between Fortinet and SonicWall, both devices should be running the recommended software version: the FortiGate should run FortiOS 3.0 or higher, and the SonicWall should run SonicOS Enhanced 3.1.x.x. As both devices have GUI interfaces, we will do the configuration through the GUI on both the Fortinet and SonicWall devices.

Fig 1.1 - FortiGate to SonicWall VPN tunnel


Let's take the Fortinet FortiGate device first. You need to configure the Phase 1 and Phase 2 VPN settings on the Fortinet FortiGate device. Below are the Fortinet FortiGate Phase 1 VPN settings.

Phase 1 Fortinet FortiGate VPN Settings
Go to VPN > IPSec > Phase 1.
Select Create New and enter the following:
(default values shown can be changed by admin)
Gateway Name: SonicWall
Remote Gateway: Static IP
IP Address: ip address
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: Preshared key

Select Advanced and enter the following:
Encryption: 3DES
Authentication: SHA1
DH Group: 2
Key-life: 28800
Leave all other settings as their default.
Select OK.

Phase 2 Fortinet FortiGate VPN Settings
Go to VPN > IPSec > Phase 2.
Select Create New and enter the following:
Tunnel Name: SonicWall
Remote Gateway: Select SonicWall

Select Advanced and enter the following:
(default values shown can be changed by admin)
Encryption: 3DES
Authentication: SHA1
DH group: 2
Key-life: 28800

Quick Mode Identities: add the source and destination networks, as the SonicWall requires them to build the Security Associations.

Select OK.

Now that you have configured both the Phase 1 and Phase 2 VPN settings, it's time to add the firewall policies.

Add a firewall policy
To add a firewall policy, we first add the source and destination addresses, then add an internal-to-external policy that uses these source and destination addresses to allow the traffic flow.

To add the addresses
Go to Firewall > Address.
Select Create New.

Enter a name for the address, for example FortiGate_network.
Enter the FortiGate IP address and subnet.
Select OK.

Select Create New.

Enter the name for the address, for example SonicWall_network.
Enter the SonicWall IP address and subnet.

Select OK.

To create a firewall policy for the VPN traffic going from the Fortinet FortiGate unit to the SonicWall device

Go to Firewall > Policy.
Select Create New and set the following:
Source Interface: Internal
Source Address: FortiGate_network
Destination Interface: WAN1 (or External)
Destination Address: SonicWall_network
Schedule: always
Service: ANY
Action: Encrypt
VPN Tunnel: SonicWall
Select Allow inbound
Select Allow outbound
Select OK.

To create a firewall policy for the VPN traffic going from the SonicWall device to the Fortinet FortiGate unit

Go to Firewall > Policy.
Select Create New and set the following:
Source Interface: WAN1 (or external)
Source IP address: SonicWall_network
Destination Interface: Internal
Destination Address Name: FortiGate_network
Schedule: always
Service: ANY
Action: Encrypt
VPN Tunnel: SonicWall
Select Allow inbound
Select Allow outbound
Select OK.

Configure the SonicWall Device
Create the address object for the Fortinet FortiGate unit to identify the Fortinet FortiGate unit's IP address for the VPN Security Association (SA).

To create an address entry
Go to Network > Address Objects.
Select Add and enter the following:
Name: FortiGate_network
Zone Assignment: VPN
Type: Network
Network: FortiGate IP address
Netmask: FortiGate netmask
Select OK.

Configure the VPN settings for the VPN tunnel connection.
To configure the VPN, go to VPN.
Ensure Enable VPN is selected in the VPN Global Settings section.
Select Add in the VPN Policies area.
Select the General tab and configure the following:
IPSec Keying Mode: IKE using Preshared Secret.
Name: FortiGate_network
IPSec primary Gateway Name or Address: IPSec gateway IP address
Shared Secret: Preshared
Local IKE ID: IP Address (address left empty)
Peer IKE ID: IP Address (address left empty)

Select the Network tab and configure the following:
For the Local Networks, select Choose local network from list and select LAN Primary Subnet.

For the Destination Networks, select Choose destination network from list and select FortiGate_network.

Select the Proposals tab and configure the following:
IKE (Phase1) Proposal
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800
IKE (Phase2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
DH Group: Group 2
Life Time: 28800

Select the Advanced tab and select Enable Keep Alive.
Select OK.
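The most common reason a tunnel like this never comes up is a proposal or traffic selector that differs between the two peers. The script below is an added example, not FortiOS or SonicOS code: it holds the Phase 1/Phase 2 settings from the FortiGate and SonicWall sections above and reports any parameter the two sides disagree on, including the mirrored Quick Mode identities. The two subnets and the dictionary field names are constructed for the example.

```python
from ipaddress import ip_network

# Settings exactly as listed in this post; the two subnets are constructed
# sample values, replace them with the real LAN networks on each side.
FORTIGATE = {
    "mode": "Main", "encryption": "3DES", "authentication": "SHA1",
    "dh_group": 2, "lifetime": 28800,
    "phase2": {"encryption": "3DES", "authentication": "SHA1",
               "dh_group": 2, "lifetime": 28800},
    "local_net": "192.168.10.0/24",   # Quick Mode source (FortiGate_network)
    "remote_net": "192.168.20.0/24",  # Quick Mode destination (SonicWall_network)
}
SONICWALL = {
    "mode": "Main Mode", "encryption": "3DES", "authentication": "SHA1",
    "dh_group": 2, "lifetime": 28800,
    "phase2": {"protocol": "ESP", "encryption": "3DES",
               "authentication": "SHA1", "dh_group": 2, "lifetime": 28800},
    "local_net": "192.168.20.0/24",   # LAN Primary Subnet
    "remote_net": "192.168.10.0/24",  # FortiGate_network address object
}


def check_tunnel(fgt, snwl):
    """Return a list of mismatches between the peers (empty means they agree
    on both proposals and the Phase 2 selectors mirror each other)."""
    problems = []
    # IKE exchange: the FortiGate shows "Main", the SonicWall "Main Mode".
    if fgt["mode"].split()[0] != snwl["mode"].split()[0]:
        problems.append(f"Phase 1 mode: {fgt['mode']} vs {snwl['mode']}")
    # Phase 1 and Phase 2 proposals must agree on every parameter.
    for key in ("encryption", "authentication", "dh_group", "lifetime"):
        if fgt[key] != snwl[key]:
            problems.append(f"Phase 1 {key}: {fgt[key]} vs {snwl[key]}")
        if fgt["phase2"][key] != snwl["phase2"][key]:
            problems.append(
                f"Phase 2 {key}: {fgt['phase2'][key]} vs {snwl['phase2'][key]}")
    # Quick Mode identities are mirrored: the FortiGate source network must be
    # the SonicWall destination network and vice versa, or the SonicWall will
    # not build the Phase 2 SA.
    if ip_network(fgt["local_net"]) != ip_network(snwl["remote_net"]):
        problems.append("Phase 2 selector: FortiGate source != SonicWall destination")
    if ip_network(fgt["remote_net"]) != ip_network(snwl["local_net"]):
        problems.append("Phase 2 selector: FortiGate destination != SonicWall local")
    return problems


if __name__ == "__main__":
    print("\n".join(check_tunnel(FORTIGATE, SONICWALL) or ["proposals and selectors match"]))
```

Run it after filling in both dictionaries from the two GUIs; an empty result means every value the IKE negotiation compares is identical on both peers.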