IPsec site-to-site VPN tunnel between Palo Alto Firewall & FortiGate Firewall
Setting up an IPsec S2S VPN tunnel
Palo Alto & FortiGate Firewall
This post walks through an IPsec site-to-site VPN tunnel between a Palo Alto firewall and a Fortinet FortiGate firewall, where one site is protected by the FortiGate and the other by the Palo Alto.
We configure the tunnel on each side, making sure the two LAN subnets do not overlap, so that a secure tunnel can be established with the required security profiles applied.
Fig 1.1 - IPsec Site-to-Site Tunnel
IPsec Tunnel Palo Alto Firewall
For the VPN connection, we first need to create a security zone.
Step 1: To create a zone, navigate to Network > Zones.
Provide the details such as Name, Log Setting and Type, and save.
Fig 1.2 - Panorama Zones
Step 2: Create address objects for the LAN subnets on the Palo Alto side and the FortiGate side. To create an object, navigate to Objects > Addresses.
Provide the details such as Name and Type, and save.
Fig 1.3 - Panorama Objects
Step 3: With the address objects created, create the tunnel interface. Navigate to Network > Interfaces > Tunnel.
Provide the details such as interface Name, Virtual Router and Security Zone, and save.
Fig 1.4 - Panorama Tunnel Interface
Step 4: Now create the virtual router. Navigate to Network > Virtual Routers and click Add.
Fig 1.5 - Panorama Virtual Router
Under Static Routes > IPv4, add the static route for the remote LAN.
Fig 1.6 - Panorama Static Route IPv4
Step 5: Create the IKE Crypto profile (Phase 1) for the VPN connection.
Navigate to Network > IKE Crypto Profile.
Fig 1.7 - Panorama Crypto Profile
Step 6: Similarly, create the IPsec Crypto profile (Phase 2).
Navigate to Network > IPSec Crypto and click Add.
Step 7: Create the IKE Gateway.
Navigate to Network > IKE Gateways and click Add.
Fig 1.8 - Panorama IKE Gateway
Step 8: Create the IPsec Tunnel.
Navigate to Network > IPSec Tunnels and click Add.
You can also add a Proxy ID with the local and remote network addresses.
Fig 1.9 - Panorama IPSec Tunnel
Step 9: Create the security policy. Navigate to Policies > Security and click Add.
Configure the tabs here, such as General, Source, Destination and Action.
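As an added example, not taken from the original post, here is the Palo Alto side expressed as PAN-OS CLI set commands, so that every parameter the FortiGate must agree with is visible in one place. The names (zones TRUST and VPN, tunnel.1, the profile, gateway, tunnel and rule names), the addresses (local LAN 192.168.1.0/24, remote LAN 192.168.2.0/24, FortiGate peer 203.0.113.2, uplink ethernet1/1) and the crypto choices (IKEv2, AES-256-CBC, SHA-256, DH group 14 with PFS) are assumptions chosen for the example; the command paths follow PAN-OS set syntax and should be checked against your running version, and the pre-shared key is a placeholder.

```text
# Added example: PAN-OS "set" commands for the Palo Alto side (assumed names and addresses).
# Local LAN 192.168.1.0/24, remote (FortiGate) LAN 192.168.2.0/24, FortiGate peer 203.0.113.2.

# Step 1: security zone for the tunnel (the tunnel interface is placed in it)
set zone VPN network layer3 tunnel.1

# Step 2: address objects for both LANs
set address LAN-PALOALTO ip-netmask 192.168.1.0/24
set address LAN-FORTIGATE ip-netmask 192.168.2.0/24

# Step 3: tunnel interface, attached to the default virtual router
set network interface tunnel units tunnel.1
set network virtual-router default interface tunnel.1

# Step 4: static route for the remote LAN through the tunnel interface
set network virtual-router default routing-table ip static-route TO-FORTIGATE-LAN destination 192.168.2.0/24 interface tunnel.1

# Step 5: IKE (Phase 1) crypto profile - encryption, hash and DH group must match the FortiGate Phase 1
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-DH14 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-DH14 hash sha256
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-DH14 dh-group group14
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-DH14 lifetime hours 8

# Step 6: IPsec (Phase 2) crypto profile - must match the FortiGate Phase 2, PFS group included
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-DH14 esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-DH14 esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-DH14 dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-DH14 lifetime hours 1

# Step 7: IKE gateway - IKEv2 only, pre-shared key (placeholder; use a long random secret)
set network ike gateway GW-FORTIGATE local-address interface ethernet1/1
set network ike gateway GW-FORTIGATE peer-address ip 203.0.113.2
set network ike gateway GW-FORTIGATE authentication pre-shared-key key <REPLACE-WITH-STRONG-PSK>
set network ike gateway GW-FORTIGATE protocol version ikev2
set network ike gateway GW-FORTIGATE protocol ikev2 ike-crypto-profile IKE-AES256-SHA256-DH14

# Step 8: IPsec tunnel with a proxy ID that mirrors the FortiGate quick mode selectors
set network tunnel ipsec TUN-FORTIGATE tunnel-interface tunnel.1
set network tunnel ipsec TUN-FORTIGATE auto-key ike-gateway GW-FORTIGATE
set network tunnel ipsec TUN-FORTIGATE auto-key ipsec-crypto-profile IPSEC-AES256-SHA256-DH14
set network tunnel ipsec TUN-FORTIGATE auto-key proxy-id PX-LAN local 192.168.1.0/24 remote 192.168.2.0/24 protocol any

# Step 9: security rules scoped to the two LAN objects rather than "any"
set rulebase security rules LAN-TO-VPN from TRUST to VPN source LAN-PALOALTO destination LAN-FORTIGATE application any service any action allow
set rulebase security rules VPN-TO-LAN from VPN to TRUST source LAN-FORTIGATE destination LAN-PALOALTO application any service any action allow

commit
```

After the commit, `show vpn ike-sa` and `show vpn ipsec-sa` on the Palo Alto show whether the Phase 1 and Phase 2 SAs came up. The values to compare against the FortiGate when they do not are the IKE version, the encryption and hash algorithms, the DH group (both for IKE and for PFS), and the proxy ID, which must equal the FortiGate quick mode selectors with local and remote swapped.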
IPsec Tunnel FortiGate Firewall
Step 1: In the FortiOS GUI, navigate to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.
Step 2: Name the tunnel, statically assign the IP address of the remote gateway, and set the Local Interface to wan1.
Fig 2.0 - FortiGate Firewall
Step 3: Select Preshared Key as the Authentication method and enter the same pre-shared key you chose when configuring the IKE Gateway on the Palo Alto. Configure this phase to match the Phase 1 encryption settings configured on the Palo Alto device and click OK.
Step 4: Select Create Phase 2. Identify the Phase 1 you just configured, and ensure that the encryption settings match the Phase 2 encryption settings configured on the Palo Alto device. Optionally, provide the Source address and Destination address of the two tunnel ends under Quick Mode Selector.
Fig 2.1 - FortiGate Firewall
Configuring the FortiGate policies
Step 1: Navigate to Policy > Policy > Policy and create firewall policies that allow inbound and outbound traffic over the tunnel.
Step 2: In the first (outbound) policy, set the Incoming Interface to lan and set the source Address to all.
Step 3: Set the Outgoing Interface to the tunnel interface and set the Destination Address to all. Configure the Schedule and Service as desired.
Step 4: Create the second (inbound) policy to allow traffic to flow in the opposite direction, and configure the Schedule and Service as desired.
Fig 2.2 - FortiGate Firewall
Configuring the static route in the FortiGate
Step 1: Navigate to Router > Static > Static Routes and select Create New.
Step 2: Create a static route with the Destination IP/Mask matching the address of the Palo Alto local network (by default, 192.168.1.0). Under Device, select the site-to-site tunnel and click OK. The tunnel configuration on the FortiGate side is now complete.
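As an added example, not part of the original post, the FortiGate steps above (Phase 1, Phase 2, the two policies and the static route) expressed as FortiOS CLI. It assumes the FortiGate LAN is 192.168.2.0/24 behind interface lan, the WAN interface is wan1, and the Palo Alto peer is 203.0.113.1 with LAN 192.168.1.0/24 (the post's default); the tunnel and object names are made up for the example, the crypto parameters (IKEv2, AES-256/SHA-256, DH group 14, PFS) are the assumed ones that the Palo Alto side must also use, and the pre-shared key is a placeholder.

```text
# Added example: FortiOS CLI for the FortiGate side (assumed names and addresses).
# FortiGate LAN 192.168.2.0/24 on "lan", uplink "wan1", Palo Alto peer 203.0.113.1, remote LAN 192.168.1.0/24.

# Phase 1 (VPN > IPsec > Auto Key (IKE), Create Phase 1): IKEv2, AES-256/SHA-256, DH group 14, pre-shared key
config vpn ipsec phase1-interface
    edit "TO-PALOALTO"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 28800
        set remote-gw 203.0.113.1
        set psksecret <REPLACE-WITH-STRONG-PSK>
    next
end

# Phase 2 (Create Phase 2): same proposal, PFS on, quick mode selectors set to the two LANs.
# These selectors must mirror the Palo Alto proxy ID, with local and remote swapped.
config vpn ipsec phase2-interface
    edit "TO-PALOALTO-P2"
        set phase1name "TO-PALOALTO"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

# Address objects for the two LANs, so the policies do not have to use "all"
config firewall address
    edit "LAN-FORTIGATE"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "LAN-PALOALTO"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Firewall policies (Policy > Policy > Policy): outbound and inbound over the tunnel
config firewall policy
    edit 0
        set name "LAN-to-PALOALTO"
        set srcintf "lan"
        set dstintf "TO-PALOALTO"
        set srcaddr "LAN-FORTIGATE"
        set dstaddr "LAN-PALOALTO"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "PALOALTO-to-LAN"
        set srcintf "TO-PALOALTO"
        set dstintf "lan"
        set srcaddr "LAN-PALOALTO"
        set dstaddr "LAN-FORTIGATE"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Static route (Router > Static > Static Routes): remote LAN via the tunnel interface
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "TO-PALOALTO"
    next
end
```

Once both sides are committed, `diagnose vpn tunnel list` and `get vpn ipsec tunnel summary` on the FortiGate show whether the SAs are established. The policies above use the two LAN address objects instead of all, which is the tighter form of the all-to-all policies described in the GUI steps; if the tunnel stays down, the usual culprits are a mismatched proposal or DH group between the phases on the two devices, a pre-shared key that differs, or quick mode selectors that do not match the Palo Alto proxy ID.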