Chapter 4. VPN
4.1 IPsec VPN
Learning Objectives
- Configure an IPsec VPN
- Configure a site-to-site VPN
Configuration
| Device | IP address | Access |
|---|---|---|
| WebTerm2 | 192.168.0.2/24 | – |
| VPC | DHCP Client | – |
| Ethernet Switch1-2 | – | – |
| FortiGate | Port 1: DHCP Client
Port 2: 192.168.0.1/24 DHCP Server (192.168.0.10 to 192.168.0.20) |
ICMP
HTTP HTTPS |
| Windows | DHCP Client | – |
Before you begin the configuration, please remember with VPC’s and Web terms this is how we edit their IP settings for static and or DHCP Addressing:
Before dragging in your web terms or other devices remember to always choose GNS3 VM:
- Set a DHCP server on interface port2 (Range of IP address should be: 192.168.0.20 to 192.168.0.30, DNS: 4.2.2.4).
- Go to User & Authentication > User Group > Create New:
- Name: VPN_GRP_A0ID
- TYPE: Firewall
- Go to User & Authentication > User Definition > Create a User:
- Assign User Group to your profile.
- Go to VPN > IPsec Wizard.
- First:
- Select Name: A0ID- VPN(A0ID is a student ID)
- Template Type: Remote Access
- Remote Type Device: FortiClient
- Then:
- Incoming Interface: Port1
- Pre-shared Key: <Select a key like a password>
- User Group: VPN_GRP_A0ID
- Next:
- Local Interface: Port 2
- Local Address: Add your local range of IP address (192.168.0.0/24)
- Client Range: 172.16.0.1 to 172.16.0.10
- Subnet Mask: 255.255.255.0
- Disable Split Tunneling
- First:
- On Windows machine, download FortiClient from Fortinet. Install the FortiClient and configure IPsec as set in the previous steps. Your remote Gateway IP should be the Port1 IP address.
- You should be able to ping from Windows to VPC.
Site-to-Site VPN (IPsec VPN)
To validate Firewalls licences, we are going to connect them to the Internet.
| Device | IP address | Access |
|---|---|---|
| Fortigate1 | 10.10.10.1/24 | ICMP-HTTP-HTTPS |
| Fortigate2 | 10.10.10.2/24 | ICMP-HTTP-HTTPS |
| WebTerm1 | 192.168.20.2/24 | – |
| WebTerm2 | 192.168.10.2/24 | – |
- On the FG1, go to VPN > IPsec Wizard and select Site to Site – FortiGate.
- Select Site2Site/ FortiGate /No Nat. Enter Remote IP: 10.10.10.2/24, outgoing interface: port3.
- Local Interface: port2, IP: 192.168.20.0/24, Remote subnet: 192.168.10.0/24. Through the wizard, FortiGate creates two policies and two static routes in the firewall.
- On the FG2, go to VPN > IPsec Wizard and select Site-to-Site – FortiGate.
- Do the same configuration for FG2 (remote IP is 10.10.10.1/24 and local IP is 192.168.10.0/24).
-
Then, go to your IPsec Tunnels and double click on Inactive.
On the next windows, right click on the tunnel > Bring UP > All Phase 2 selectors. Then, your tunnel should be up!
- Go to Logs & Reports > Event > VPN Event and verify your configuration.
You should be able to ping from WebTerm1 to WebTerm2.