How to create a Site to Site IPSec VPN from an OpnSense to a Fortigate behind a NAT Router.

Hi all,

This is a step by step guide to create a site to site VPN from a Fortigate which sits behind a NAT router to an OpnSense Firewall.

1. Create a firewall rule to allow IPSEC traffic to the WAN interface or interface to where the VPN will terminate.

This is configured under the Firewall / Rules

2. Add new phase 1 entry

Configured under VPN /IPSEC / Tunnel Settings. Please note the phase 1 and phase 2 settings needs to be mirrored on both the local and remote device.

2.1 Click add

2.2 General Information

2.3 Phase 1 proposal (Authentication)

Make sure you put the Peer identifier as the Private IP address of the WAN interface of the Fortigate behind the NAT router.

The Pre-Shared key or shared secret needs to match on both sides. You can choose your own.

2.4 Phase 1 proposal (Algorithms)

2.5 Advanced options

(Important) NAT Traversal – Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, which can help with clients that are behind restrictive firewalls.

3. Enable IPSEC

Check the tick box enable IPsec.

4. Add new phase 2 entry

4.1 Click the Show phase 2 entries and click the plus button on the left.

I have highlighted where you enable IPsec, edit phase 1, edit phase 2 and add a phase 2.

4.2 General information, local and remote network.

Your local network is the private network that will be reachable from the remote private network.

The remote network is the network that will be reachable from the local network.

You create one phase 2 entry per private network. So if you have 3 networks you will create 3 phase 2 entries. Alternatively, you can summerise your networks to have less phase 2’s.

It is important that the networks are an exact match on both ends of the VPN.

4.3 Phase 2 proposal (SA/Key Exchange)

4.4 Lifetime and advance options

Set the Automatically ping host to your private IP address of the remote Fortigate WAN interface.

5. Create Pre-Shared key

Set the identifier as the Private IP address of WAN interface of the remote Fortigates WAN interface.

6. Create Firewall rules

6.1 Click add

6.2 Define rules – source, destination protocol

The following screen shot shows the IPSEC rules allowing all traffic. But you can define more stricter rules allowing only specific sources, destinations and protocols etc.

7. Configure the remote Fortigate.

The purpose of this guide is directed more at the OpnSense configuration. In this step I will just give the CLI configuration of the remote Fortigate.

7.1 Phase 1

Please note: Change the following to the remote public IP in the script below – set remote-gw “remote public IP”

This is just a example of my configuration and you will need to enter your own values.

config vpn ipsec phase1-interface
edit "OPNSENSE_VPN"
set type static
set interface "wan1"
set ip-version 4
set ike-version 1
set local-gw 0.0.0.0
set nattraversal enable
set keylife 28800
set authmethod psk
set mode main
set peertype any
set mode-cfg disable
set proposal aes256-sha256
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set dpd disable
set forticlient-enforcement disable
set comments ''
set npu-offload enable
set dhgrp 14
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set remote-gw "remote public IP" 
set monitor ''
set add-gw-route disable
set psksecret ENC YJYQCQkgBRfA4Ynqobur+iFEHHENqWxdlMu1xinpodo6QLayj46K40rCVdOiW6JWEFzwatMOVd1hmYwXFf3udgSJJNCec49BYINwom29fz9M+u0Q9TEhPF2xc0+k/GTnMNLqQTpdEkhk4Ab2EoyAb1GeGKLK4ft8u23YOeIOPQ2GJHseKiBCfR1O1/VllXG/fiOAlg==
set keepalive 10
set auto-negotiate enable
next
end

7.2 Create Phase 2

config vpn ipsec phase2-interface
edit "OPNSENSE_VPN"
set phase1name "OPNSENSE_VPN"
set proposal aes256-sha256
set pfs enable
set dhgrp 14
set replay enable
set keepalive enable
set auto-negotiate enable
set keylife-type seconds
set encapsulation tunnel-mode
set comments ''
set protocol 0
set src-addr-type subnet
set src-port 0
set dst-addr-type subnet
set dst-port 0
set keylifeseconds 3600
set src-subnet 192.168.101.0 255.255.255.0
set dst-subnet 10.10.0.0 255.255.255.0
next
end

7.3 Create Firewall Policies

config firewall policy
edit 6
set uuid fc48a3fe-61c6-51e9-d528-a761270fcdd8
set srcintf "lo0"
set dstintf "OPNSENSE_VPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

Policy from local interface to VPN Virtual interface.

config firewall policy
edit 7
set uuid 1a9bec44-5e93-51e9-9240-9337d084beb8
set srcintf "OPNSENSE_VPN"
set dstintf "lo0"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
end

Policy from VPN Virtual Interface to local interface.

7.4 Create Static Route

config router static
edit 1
set dst 10.10.0.0 255.255.255.0
set device "OPNSENSE_VPN"

This will point the traffic down the tunnel.

8. Troubleshooting OpnSense

8.1 Make sure that the traffic is hitting the firewall on either port udp 500 or udp 4500.

8.2 Check IPSEC log and VPN Status

You can check the status of the VPN to make sure both phase 1 and 2 are up and passing traffic.

The log file provides debug information about the VPN to help you troubleshoot.

9. Troubleshooting Fortigate.

9.1 Make sure that the traffic is hitting the firewall on either port udp 500 or udp 4500.

Add the public IP address of the remote device after host.

diagnose sniffer packet any "host  and port 4500"

9.2 Debug VPN commands

Make sure you add the public IP address of the remote device after dst-addr4.

diagnose debug reset
diagnose vpn ike log-filter dst-addr4 
diagnose debug application ike -1
diagnose debug enable

10. Test the connection


PBC # execute ping-options source 192.168.101.254

PBC # execute ping 10.10.0.102
PING 10.10.0.102 (10.10.0.102): 56 data bytes
64 bytes from 10.10.0.102: icmp_seq=0 ttl=63 time=25.2 ms
64 bytes from 10.10.0.102: icmp_seq=1 ttl=63 time=25.1 ms

--- 10.10.0.102 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 25.1/25.1/25.2 ms

I have tested from the Fortigate firewall sourcing from the interface that matches the phase 2 of the VPN.

Thank you for reading and please leave feedback.

If you have any queries please contact us using the following link:

https://piggybankcloud.blog/contact-piggybank-cloud