Fortigate Configuration
1. Build a New VPN Tunnel using Custom VPN Tunnel (No Template)
2. Under Network, point to the Public Side IP of the USG (Public IP, not WAN interface)
3. Leave everything else default (NAT-T Enabled, DPD Disabled..ect)
4. Authentication, use PSK and IKEv1 with Main
5. Phase 1 Purposal, set algorithms to AES128 and SHA1, with DH 14.
6. Phase 2 Purposal, set Local Address and Remote address to 0.0.0.0/0.0.0.0 and 0.0.0.0/0.0.0.0 respectively.
7. Set Encryption to AES128/Sha1, Replay Detection and PFS enabled, along with DH14. Enable Autokey Keep Alive, and Auto-Negotiate, and save changes.
8. Build a Static Route pointing to the Far-End Destination/Segment you want to reach.
9. Build a Policy Stating which Segments can hit the Far-End Destination/B2B
USG Configuration
1. This is assuming that USG is already registered to the Unifi Controller.
2. Go to Settings -> Networks -> Create New Network
3. Select Site-to-Site VPN; VPN Type is IPSec VPN.
4. Select Checkbox that says “Enable this Site-to-Site VPN”
5. Remote Subnets is the Segment that you want to be able have accessible to the Unifi
6. Peer IP is the Public Side IP of the Fortigate
7. Local WAN IP is the local side WAN Port of the USG
8. Pre-Shared Key is the same as entered above in Fortigate configuration
9. Hit Save.
10. Go to Routing and Firewall -> Static Routes -> Add Route
11. Select it to be associated to the B2B and then add in the Network Subnet to the Route Entry for the remote site.
Troubleshooting
1. For the Fortinet, check the Logs on the device + the SA associations. Ran into an issue where if it wasn’t set for 0.0.0.0/0.0.0.0 the tunnel wouldn’t come up as the USG was passing all segments, instead of the one defined above, even though it was mentioned. [Unifi Instructions, Step 5]
2. For the USG, there is a way through the CLI to see the SA Associations/statuses, you can use “show vpn ipsec sa” eventually (release 5.5 of the controller) there will be a graphical notification within the controller to show about it.
Comments
Post a Comment