How to create a Site to Site IPSec VPN from a pfSense to a Fortigate behind a NAT Router.

This is a detailed guide on how to create a Site to Site IPSec VPN from a pfSense to a Fortigate behind a NAT Router.

1. Fortigate Configuration

1.1 Configure the Fortigate Phase 1

config vpn ipsec phase1-interface
    edit "PfSense"
        set interface "wan1"
        set proposal aes256-sha256
        set dhgrp 5
        set remote-gw x.x.x.x
        set psksecret <pre-shared-key>
    next
end

Replace x.x.x.x with the public IP address of the pfSense and <pre-shared-key> with the key you will also enter on the pfSense (set psksecret needs a value; the CLI rejects it without one). IKEv1, main mode and NAT traversal are the FortiOS defaults and are left as such here; NAT-T is what lets IKE and ESP pass through the router in front of the Fortigate. Because the Fortigate sits behind NAT, the identity it presents in main mode is the private address configured on wan1, not the public address the pfSense sees the packets arriving from, which is why the pfSense peer identifier in section 2.2 has to be that private address. DH group 5 (1536-bit MODP) is weak by current standards; group 14 or higher is preferable, but whichever group you pick must be set identically on both sides.

1.2 Configure the Fortigate Phase 2

config vpn ipsec phase2-interface
    edit "pfSense"
        set phase1name "PfSense"
        set proposal aes256-sha256
        set pfs disable
        set keepalive enable
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.0.0
        set dst-subnet 10.0.100.0 255.255.255.0
    next
end

src-subnet is the network behind the Fortigate (192.168.0.0/16) and dst-subnet the network behind the pfSense (10.0.100.0/24); the pfSense Phase 2 must use the same two networks the other way round. auto-negotiate and keepalive make the Fortigate bring the tunnel up on its own and keep it up, which matters here because the NAT router in front of it will normally not pass unsolicited IKE traffic from the pfSense. PFS is disabled in this guide; with it off, anyone who recovers the Phase 1 keying material can derive the Phase 2 keys as well. If you enable it (set pfs enable plus set dhgrp), select the same DH group in the pfSense Phase 2 proposal.

1.3 Configure a static route on the Fortigate

config router static
    edit 0
        set dst 10.0.100.0 255.255.255.0
        set device "PfSense"
    next
end

The device is the IPsec tunnel interface, which carries the name of the Phase 1 ("PfSense"); edit 0 lets FortiOS allocate the next free route ID.

1.4 Configure Fortigate firewall policies

config firewall policy
    edit 11
        set srcintf "PfSense"
        set dstintf "lo0"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 15
        set srcintf "lo0"
        set dstintf "PfSense"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

Policy 11 allows traffic arriving from the tunnel, policy 15 traffic leaving towards it. Both are written with all/all/ALL, which accepts any source, any destination and any service in either direction. Once the tunnel is proven to work, tighten them to address objects for 10.0.100.0/24 and the local network and to the services you actually need.

2. pfSense Configuration

2.1 Configure Phase 1 General Information on the pfSense 

[Screenshot: pfsense - fortigate.PNG]

Key Exchange Version = IKEv1

Remote Gateway = the public IP address the Fortigate is reached on, i.e. the outside address of the NAT router in front of it. Unless that router forwards UDP 500 and 4500 to the Fortigate, the pfSense cannot initiate the tunnel and the Fortigate has to bring it up, which is what the auto-negotiate setting in section 1.2 is for.

2.2 Configure Phase1 Proposal ( Authentication) on the pfSense

[Screenshot: pfsense - fortigate_1.PNG]

Authentication Method = Mutual PSK

Negotiation Mode = Main

My Identifier = My IP address

Peer Identifier = IP address, set to the private IP address of the Fortigate's WAN interface (the address behind the NAT router). This is the important part: in main mode with a pre-shared key the Fortigate identifies itself by the address actually configured on wan1, and because that address is translated on the way out, it is not the address the pfSense sees the packets coming from. Left at Peer IP address, the pfSense would expect the public address as the identity and the negotiation would fail at authentication. Only when the Fortigate has a public address configured directly on its WAN interface can this be left at Peer IP address.

Pre-Shared Key = the same key as set psksecret on the Fortigate. Use a long random string rather than a word, and make sure it matches exactly on both sides.

2.3 Configure Phase 1 Proposal (Encryption) on the pfSense

Ensure that the encryption algorithm, hash algorithm and DH group are an exact mirror of the Fortigate Phase 1 (here AES 256, SHA256 and DH group 5), and that the lifetime matches on both sides. The Fortigate configuration in section 1.1 does not set keylife, so it runs with the FortiOS default, and the two products' defaults differ; either add set keylife on the Fortigate with the value you enter here, or enter the Fortigate's value here.

2.4 Configure Advanced options on the pfSense

[Screenshot: pfsense - fortigate_2.PNG]

These can be left at their default values.

2.5 Configure the Pre-Shared Keys tab at the top of the page

[Screenshot: pfsense - fortigate_3.PNG]

Click the tab labelled Pre-Shared Keys and add an entry with the private IP address of the Fortigate's WAN interface as the identifier and the same pre-shared key as the value. The identifier must be exactly what the Fortigate sends as its ID, i.e. the same private address used as the Peer Identifier in section 2.2.

2.6 Click the green Add P2 button to add the pfSense's Phase 2 configuration

[Screenshot: pfsense - fortigate_4.PNG]

Make sure that the Phase 2 selectors are an exact mirror of the Fortigate:

Networks

Authentication

Encryption

2.7 Configure Phase 2 General Information on the pfSense

[Screenshot: pfsense - fortigate_5.PNG]

Set the local network to the subnet behind the pfSense (10.0.100.0/24, the Fortigate's dst-subnet).

Set the remote network to the subnet behind the Fortigate (192.168.0.0/16, the Fortigate's src-subnet). Watch the mask: the Fortigate uses a /16 here, and IKEv1 does not narrow selectors, so a /24 on the pfSense would stop Phase 2 from establishing.

2.8 Configure Phase 2 Proposal (SA/Key Exchange) on the pfSense

[Screenshot: pfsense - fortigate_6.PNG]

Make sure the Phase 2 encryption and authentication (here AES 256 and SHA256) match the Fortigate's phase2 proposal.

Set the Lifetime so that it matches the Fortigate. The Fortigate configuration in section 1.2 does not set keylifeseconds, so either add it there with the value you enter here or enter the FortiOS default here.

PFS (optional): it is not configured in this guide, which matches set pfs disable on the Fortigate. As with all the encryption and authentication settings it has to be the same on both sides, so if you select a group here (Group 14 or higher; Group 2 is 1024-bit MODP and should be avoided) the Fortigate needs set pfs enable and set dhgrp with the same group in its phase2-interface.
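Every mismatch called out in sections 1.1, 1.2, 2.3, 2.7 and 2.8 stops the tunnel without much of a hint in the GUI, so it is worth checking the mirror mechanically before clicking through the pfSense pages. The script below is an added example, not part of the original guide and not a tool from either vendor. It parses the Fortigate CLI snippets from sections 1.1 and 1.2 (embedded as a constructed config dump, with <pre-shared-key> and x.x.x.x standing in for the real values as they do on the page), compares them with the values this guide has you enter on the pfSense (written out as a dictionary, since pfSense offers no text config to parse here; the "AES 256"/"SHA256" labels are my shorthand for the GUI's algorithm and key-length selections) and reports anything that is not mirrored, including settings the Fortigate snippets leave at FortiOS defaults (keylife, keylifeseconds). It also converts the Fortigate's address/netmask form into the CIDR notation the pfSense GUI uses.

```python
import ipaddress

# Constructed sample: the Fortigate snippets from sections 1.1 and 1.2 of this guide
# joined into one dump; <pre-shared-key> and x.x.x.x stand in for the real values.
FORTIGATE_CONFIG = """
config vpn ipsec phase1-interface
    edit "PfSense"
        set interface "wan1"
        set proposal aes256-sha256
        set dhgrp 5
        set remote-gw x.x.x.x
        set psksecret <pre-shared-key>
    next
end
config vpn ipsec phase2-interface
    edit "pfSense"
        set phase1name "PfSense"
        set proposal aes256-sha256
        set pfs disable
        set keepalive enable
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.0.0
        set dst-subnet 10.0.100.0 255.255.255.0
    next
end
"""

# What the guide has you enter in the pfSense GUI (constructed from its text, since
# pfSense offers no config file to parse here). p2_pfs_group None means PFS off.
PFSENSE_SETTINGS = {
    "p1_encryption": "AES 256", "p1_hash": "SHA256", "p1_dh_group": 5,
    "p2_encryption": "AES 256", "p2_hash": "SHA256", "p2_pfs_group": None,
    "local_network": "10.0.100.0/24", "remote_network": "192.168.0.0/16",
}

ENC = {"3des": "3DES", "aes128": "AES 128", "aes192": "AES 192", "aes256": "AES 256"}  # FortiOS token -> pfSense label
HASH = {"md5": "MD5", "sha1": "SHA1", "sha256": "SHA256", "sha384": "SHA384", "sha512": "SHA512"}


def parse_fortios(text):
    """Turn a FortiOS config dump into {(table, edit name): {setting: value}}."""
    tables, table, entry = {}, None, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            table = line[len("config "):]
        elif line.startswith("edit "):
            entry = (table, line[len("edit "):].strip('"'))
            tables[entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            tables[entry][key] = value.replace('"', "")
        elif line == "next":
            entry = None
    return tables


def split_proposal(proposal):
    """'aes256-sha256' -> ('AES 256', 'SHA256'); only the first proposal is read."""
    enc, _, mac = proposal.split()[0].partition("-")
    return ENC.get(enc, enc), HASH.get(mac, mac)


def fortios_subnet(value):
    """'192.168.0.0 255.255.0.0' -> IPv4Network('192.168.0.0/16')."""
    addr, mask = value.split()
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def check_mirror(fortigate_text, pfsense):
    """Return one finding per setting that is not mirrored between the two ends."""
    tables = parse_fortios(fortigate_text)
    p1 = next(v for (t, _), v in tables.items() if t == "vpn ipsec phase1-interface")
    p2 = next(v for (t, _), v in tables.items() if t == "vpn ipsec phase2-interface")
    findings = []
    for phase, cfg, life_key in (("p1", p1, "keylife"), ("p2", p2, "keylifeseconds")):
        got, want = split_proposal(cfg["proposal"]), (pfsense[f"{phase}_encryption"], pfsense[f"{phase}_hash"])
        if got != want:
            findings.append(f"{phase} proposal: Fortigate {got} vs pfSense {want}")
        if life_key not in cfg:  # the guide's snippet leaves this at the FortiOS default
            findings.append(f"{phase} lifetime: {life_key} not set on the Fortigate; set it to the pfSense lifetime")
    fg_groups = {int(g) for g in p1.get("dhgrp", "").split()}  # FortiOS may list several groups
    if pfsense["p1_dh_group"] not in fg_groups:
        findings.append(f"p1 DH group: Fortigate {sorted(fg_groups) or 'unset'} vs pfSense {pfsense['p1_dh_group']}")
    pfs = p2.get("pfs")
    fg_pfs = (None if pfs == "disable"
              else int(p2["dhgrp"].split()[0]) if pfs == "enable" and "dhgrp" in p2
              else "unset (FortiOS default)")
    if fg_pfs != pfsense["p2_pfs_group"]:
        findings.append(f"p2 PFS: Fortigate {fg_pfs} vs pfSense {pfsense['p2_pfs_group']}")
    # The Fortigate's src-subnet is the pfSense's remote network and vice versa.
    for fg_key, pf_key in (("src-subnet", "remote_network"), ("dst-subnet", "local_network")):
        if fortios_subnet(p2[fg_key]) != ipaddress.ip_network(pfsense[pf_key]):
            findings.append(f"p2 {fg_key}: Fortigate {fortios_subnet(p2[fg_key])} vs pfSense {pf_key} {pfsense[pf_key]}")
    return findings


if __name__ == "__main__":
    for finding in check_mirror(FORTIGATE_CONFIG, PFSENSE_SETTINGS):
        print("MISMATCH:", finding)
```

Run against the page's own values it reports only the two lifetimes the Fortigate snippets leave at their defaults; change the pfSense DH group, the PFS group or the mask of the remote network and the corresponding line appears as well. To use it on a real Fortigate, paste the output of show vpn ipsec phase1-interface and show vpn ipsec phase2-interface into FORTIGATE_CONFIG and the values from your pfSense screens into PFSENSE_SETTINGS.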

2.9 pfSense Advanced Configuration

Set "Automatically ping host" to the private IP address of the Fortigate's WAN interface, or to another host on the Fortigate side. Whatever you enter must lie inside the remote network of this Phase 2 (192.168.0.0/16), otherwise the ping is not routed into the tunnel and does nothing. The periodic ping keeps the tunnel from idling out; if the tunnel is down it also makes the pfSense try to initiate, which only succeeds if the NAT router forwards UDP 500 and 4500 to the Fortigate (see section 2.1).

[Screenshot: pfsense - fortigate_7.PNG]

2.10 Configure pfSense Firewall Rules to allow traffic

These are under Firewall > Rules, on the IPsec tab. Traffic arriving through the tunnel is filtered there, so without at least one pass rule (for example from 192.168.0.0/16 to 10.0.100.0/24 for the services you need) the tunnel will come up but nothing will get through.

[Screenshot: pfsense - fortigate_8.PNG]

2.11 Check that the tunnel is up

This is under Status > IPsec; both the Phase 1 and the Phase 2 entry should show as established.

[Screenshot: pfsense - fortigate_9.PNG]

3. Test the Connection

From a host on the pfSense side (10.0.100.0/24), ping an address on the Fortigate side:

C:\Users\Administrator>ping 192.168.101.254

Pinging 192.168.101.254 with 32 bytes of data:
Reply from 192.168.101.254: bytes=32 time=28ms TTL=254
Reply from 192.168.101.254: bytes=32 time=27ms TTL=254
Reply from 192.168.101.254: bytes=32 time=28ms TTL=254
Reply from 192.168.101.254: bytes=32 time=27ms TTL=254

Ping statistics for 192.168.101.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 28ms, Average = 27ms
