FortiGate IPSec IKEv2: Site-to-Site VPN Setup

by Jhon Lennon

Setting up a secure and reliable VPN connection between two sites is crucial for many organizations today. FortiGate firewalls offer a robust solution using IPSec with IKEv2 for creating site-to-site VPNs. This article will guide you through the process of configuring a FortiGate IPSec IKEv2 site-to-site VPN, ensuring secure communication between your networks.

Understanding IPSec and IKEv2

Before we dive into the configuration, let's clarify what IPSec and IKEv2 are and why they're important.

IPSec (Internet Protocol Security) is a suite of protocols used to establish secure IP communication channels. It provides confidentiality, integrity, and authentication for data transmitted over unsecured networks, like the internet. IPSec operates at the network layer, securing all traffic between the VPN endpoints.

IKEv2 (Internet Key Exchange version 2) is a key management protocol used with IPSec. It handles the negotiation, establishment, modification, and teardown of security associations (SAs) between two endpoints. IKEv2 is known for its speed, stability, and support for modern encryption algorithms, making it a preferred choice for VPN configurations. It's more resilient to network changes and offers better support for mobile devices compared to older protocols like IKEv1.

Why choose IKEv2? IKEv2 offers several advantages:

  • Improved Speed and Performance: IKEv2 uses fewer message exchanges during the VPN setup process, resulting in faster connection establishment and better performance.
  • Enhanced Stability: IKEv2 is more resilient to network address translation (NAT) and network changes, providing a more stable VPN connection.
  • Better Mobile Support: IKEv2 supports the Mobility and Multihoming Protocol (MOBIKE), allowing mobile devices to seamlessly switch between different networks (e.g., Wi-Fi and cellular) without interrupting the VPN connection.
  • Stronger Security: IKEv2 supports modern encryption algorithms and provides robust authentication mechanisms.

Prerequisites

Before you begin, make sure you have the following:

  • Two FortiGate firewalls, one at each site.
  • Public IP addresses for both FortiGate firewalls.
  • Knowledge of the local and remote network subnets.
  • Administrative access to both FortiGate firewalls.

Configuration Steps

We'll walk through the configuration steps on both FortiGate firewalls. Let's call them FortiGate A (at Site A) and FortiGate B (at Site B).

FortiGate A Configuration

  1. Create a New VPN Tunnel:

    • Go to VPN > IPSec Tunnels and click Create New > Custom Tunnel.
    • Name: Give your tunnel a descriptive name (e.g., "SiteA-to-SiteB-VPN").
    • Template Type: Select "Custom".
    • Interface: Choose the external interface that will be used for the VPN connection (usually the interface connected to the internet, like "wan1").
    • Remote Gateway: Select "Static IP Address" and enter the public IP address of FortiGate B.
    • IPSec Version: Select "IKEv2".
    • Address Mode: Select "Tunnel Interface". A tunnel interface is a virtual interface created specifically for the VPN tunnel. All traffic that needs to traverse the VPN is routed through this tunnel interface. This approach simplifies routing policies and enhances security.
    • Interface IP Address/Netmask: Specify an unused IP address and subnet mask for the tunnel interface (e.g., 169.254.1.1/30). This IP address is only used for the tunnel interface and does not need to be routable on your internal network.
    • Remote IP Address/Netmask: Specify an IP address for the remote end of the tunnel interface (e.g., 169.254.1.2/30). This IP address should be in the same subnet as the local tunnel interface IP address.
  2. Authentication:

    • Authentication Method: Select "Pre-shared Key".
    • Pre-shared Key: Enter a strong and unique pre-shared key. Make sure to use the same key on both FortiGate devices. A strong pre-shared key is essential for securing your VPN connection. It should be a complex combination of letters, numbers, and symbols to prevent unauthorized access. Avoid using common words or easily guessable phrases.
  3. IPSec Phase 1 Settings:

    • Proposal: Select or create an IKEv2 proposal. Ensure the following settings are configured:
      • Encryption: Choose a strong encryption algorithm like AES256.
      • Authentication: Select SHA256 or SHA512.
      • DH Group: Use a Diffie-Hellman group like Group 14 (2048-bit MODP).
      • Key Lifetime: Specify a key lifetime (e.g., 28800 seconds).
  4. IPSec Phase 2 Settings:

    • Proposal: Select or create an IPSec proposal. Ensure the following settings are configured:
      • Encryption: Choose a strong encryption algorithm like AES256.
      • Authentication: Select SHA256 or SHA512.
      • PFS (Perfect Forward Secrecy): Enable PFS and select a Diffie-Hellman group like Group 14.
      • Key Lifetime: Specify a key lifetime (e.g., 3600 seconds).
    • Auto-negotiate: Enable this option.
    • Replay Detection: Enable this option to prevent replay attacks.
    • Protocol: Select ESP (Encapsulating Security Payload).
  5. Static Route:

    • Go to Network > Static Routes and click Create New.
    • Destination: Enter the remote network subnet (the network behind FortiGate B).
    • Interface: Select the VPN tunnel interface you created earlier.
    • Distance: Set a distance value (e.g., 10). This value determines the route's priority if you have multiple routes to the same destination. A lower distance value indicates a higher priority.
  6. Firewall Policies:

    • Go to Policy & Objects > Firewall Policy and create two new policies:
      • Policy 1: From your local network to the remote network, using the VPN tunnel as the outgoing interface. Allow the necessary services and applications.
      • Policy 2: From the remote network to your local network, using the VPN tunnel as the incoming interface. Allow the necessary services and applications.
    • Source: Define the source address. For Policy 1, this is your internal network subnet.
    • Destination: Define the destination address. For Policy 1, this is the remote network subnet.
    • Service: Specify the services you want to allow through the VPN (e.g., HTTP, HTTPS, SSH, RDP).
    • Action: Set the action to "ACCEPT".
    • Incoming Interface: For Policy 1, select your internal interface.
    • Outgoing Interface: For Policy 1, select the VPN tunnel interface.
    • For Policy 2, swap the source and destination addresses and the incoming and outgoing interfaces.
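As an added example (not from the article or from Fortinet's documentation), this is the FortiOS CLI equivalent of steps 1 to 6 on FortiGate A. Assumed values: Site A LAN 10.1.0.0/24 on interface "internal", Site B LAN 10.2.0.0/24, FortiGate B public IP 198.51.100.1, and address objects SiteA-LAN and SiteB-LAN already created for those two subnets.

```text
# Assumed (not from the article): SiteA-LAN=10.1.0.0/24, SiteB-LAN=10.2.0.0/24, peer 198.51.100.1
config vpn ipsec phase1-interface
    edit "SiteA-to-SiteB-VPN"
        set interface "wan1"
        set ike-version 2
        set remote-gw 198.51.100.1
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 28800
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "SiteA-to-SiteB-P2"
        set phase1name "SiteA-to-SiteB-VPN"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set replay enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 10.1.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
config system interface
    edit "SiteA-to-SiteB-VPN"
        set ip 169.254.1.1 255.255.255.255
        set remote-ip 169.254.1.2 255.255.255.252
    next
end
config router static
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "SiteA-to-SiteB-VPN"
        set distance 10
    next
end
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "SiteA-to-SiteB-VPN"
        set srcaddr "SiteA-LAN"
        set dstaddr "SiteB-LAN"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
    next
end
# Policy 2 is added the same way with srcintf/dstintf and srcaddr/dstaddr swapped.
```

On FortiGate B the same configuration is applied with remote-gw, the tunnel interface addresses, the src/dst subnets and the policy directions mirrored.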

FortiGate B Configuration

Repeat the steps above on FortiGate B, with the following changes:

  1. Remote Gateway: Enter the public IP address of FortiGate A.
  2. Tunnel Interface IP Addresses: Reverse the IP addresses assigned to the tunnel interface (e.g., if FortiGate A uses 169.254.1.1, FortiGate B should use 169.254.1.2).
  3. Static Route: Enter the remote network subnet (the network behind FortiGate A).
  4. Firewall Policies: Adjust the source and destination networks in the firewall policies to match the local and remote networks on FortiGate B. The policies must mirror those on FortiGate A but with the source and destination reversed.

Verification

After configuring both FortiGate firewalls, you can verify the VPN connection:

  1. Check the VPN Tunnel Status:

    • Go to VPN > IPSec Tunnels on both FortiGate devices. The tunnel status should be "Up". If the tunnel is not up, review your configuration for any errors.
  2. Ping Test:

    • From a device on the local network behind FortiGate A, ping a device on the remote network behind FortiGate B. If the ping is successful, the VPN connection is working correctly.
    • Similarly, test the connection from a device on the remote network to a device on the local network.
  3. Traffic Monitoring:

    • Use the FortiGate's traffic monitoring tools to observe traffic flowing through the VPN tunnel. This can help you identify any issues with performance or connectivity.

Troubleshooting

If you encounter issues with the VPN connection, consider the following troubleshooting steps:

  1. Check the Logs:

    • Examine the FortiGate logs for any error messages or warnings related to the VPN connection. The logs can provide valuable clues about the cause of the problem.
  2. Verify the Configuration:

    • Double-check all the configuration settings on both FortiGate devices, ensuring that they match and are correct. Pay close attention to IP addresses, subnets, pre-shared keys, and encryption settings.
  3. Firewall Policies:

    • Ensure that the firewall policies are correctly configured to allow traffic to flow through the VPN tunnel. Verify that the source and destination networks, services, and interfaces are correctly specified.
  4. Connectivity:

    • Verify that both FortiGate devices have internet connectivity and can reach each other's public IP addresses. Use tools like ping and traceroute to test connectivity.
  5. MTU Issues:

    • In some cases, MTU (Maximum Transmission Unit) issues can cause VPN connectivity problems. Try reducing the MTU size on the tunnel interface to see if it resolves the issue.
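An added example, not from the article, of the FortiOS CLI commands behind the verification and troubleshooting steps above. The tunnel names, the peer address 198.51.100.1 and the LAN host addresses are assumptions; the log-filter syntax shown is the pre-7.4 form (newer releases use "diagnose vpn ike log filter rem-addr4").

```text
# Added example; tunnel/Phase 2 names, peer 198.51.100.1 and LAN hosts are assumed.

# 1. Phase 1 established, and Phase 2 SAs installed for the tunnel?
get vpn ipsec tunnel summary
diagnose vpn ike gateway list name SiteA-to-SiteB-VPN
diagnose vpn tunnel list name SiteA-to-SiteB-VPN

# 2. Capture the IKE negotiation for this peer only, then trigger it.
#    Proposal or PSK mismatches show up here as NO_PROPOSAL_CHOSEN / auth failures.
diagnose vpn ike log-filter dst-addr4 198.51.100.1
diagnose debug application ike -1
diagnose debug enable
diagnose vpn tunnel up SiteA-to-SiteB-P2 SiteA-to-SiteB-VPN
diagnose debug disable
diagnose debug reset

# 3. Confirm IKE (UDP 500/4500) and ESP packets are actually exchanged on wan1.
diagnose sniffer packet wan1 'host 198.51.100.1 and (udp port 500 or udp port 4500 or esp)' 4

# 4. Path-MTU check across the tunnel: large DF-bit pings that fail while
#    small ones succeed point at an MTU problem on the tunnel path.
execute ping-options df-bit yes
execute ping-options data-size 1400
execute ping-options source 10.1.0.1
execute ping 10.2.0.1
```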

Advanced Configuration Options

FortiGate offers several advanced configuration options for IPSec IKEv2 VPNs:

  • Dead Peer Detection (DPD): DPD allows the FortiGate to detect when the remote peer is no longer reachable and automatically terminate the VPN connection. This can help improve stability and prevent stale connections.
  • Traffic Selectors: Traffic selectors allow you to specify which traffic should be encrypted and sent through the VPN tunnel. This can be useful for creating more granular VPN policies.
  • Multiple Tunnels: You can create multiple VPN tunnels between two FortiGate devices to provide redundancy and load balancing.

Conclusion

Configuring a FortiGate IPSec IKEv2 site-to-site VPN provides a secure and reliable way to connect two networks. By following the steps outlined in this article, you can establish a secure communication channel and protect your data from unauthorized access. Remember to always use strong encryption algorithms, secure pre-shared keys, and regularly monitor your VPN connection for any issues. With proper configuration and maintenance, your FortiGate IPSec IKEv2 VPN will provide a solid foundation for secure network communication. Remember to consult Fortinet's official documentation for the most up-to-date information and best practices. Good luck, and happy networking!