68
edits
Changes
IPsec site to site configuration between Teltonika and Fortinet devices (view source)
Revision as of 15:48, 21 June 2024
, 21 Juneno edit summary
<p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.2'''] firmware version.</p>
<p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.2'''] firmware version.</p>
<p style="color:red">The information in this page is updated in accordance with '''Fortinet v7.4.3''' firmware version.</p>
==Introduction==
==Introduction==
Normally we configure IPsec for LAN-to-LAN communication, also known as split-tunnel VPN, when only specific hosts or subnets should be reachable via a VPN tunnel. However, we may also take a different approach and configure a VPN tunnel using the full tunnel method. This means that any non-directly connected network (i.e. lan interface) will be reachable only via IPsec tunnel and not via the typical default route.
Normally we configure IPsec for LAN-to-LAN communication, also known as split-tunnel VPN, when only specific hosts or subnets should be reachable via a VPN tunnel. However, we may also take a different approach and configure a VPN tunnel using the full tunnel method. This means that any non-directly connected network (i.e. lan interface) will be reachable only via IPsec tunnel and not via the typical default route.
[[File:Networking_rutos_manual_webui_basic_advanced_mode_75.gif|border|center|class=tlt-border|1102x93px]]
[[File:Networking_rutos_manual_webui_basic_advanced_mode_75.gif|border|center|class=tlt-border|1102x93px]]
==Topology==
==Site to site configuration RUT public IP==
'''RUT''' – '''RUT''' will act as a '''hub'''. A hub is a server, to which our spoke will be connected (IPsec responder). It will be our "default gateway" for the spoke device. RUT has a LAN subnet of 192.168.1.0/24 and a WAN with Public IP, which should be reachable by the spoke.
----
This section provides a guide on how to configure a successful site to site IPsec vpn connection between '''RUT''' and '''Fortinet''' devices.
===Topology===
----
'''RUT''' – '''RUT''' will act as a '''hub'''. A hub is a server (IPsec responder), to which our spoke will be connected. It will be our remote endpoint for the spoke device. RUT has a LAN subnet of 192.168.1.0/24 and a WAN with Public IP, which should be reachable by the spoke.
'''Fortinet''' – '''Fortinet''' will act as a '''spoke'''. A spoke is a client, that will be connected to the hub (IPsec initiator). It will be connected to a '''hub''' for basic internet access. Fortinet has a LAN subnet of 192.168.5.0/24 and a WAN with private IP.
'''Fortinet''' – '''Fortinet''' will act as a '''spoke'''. A spoke is a client (IPsec initiator), that will be connected to the hub. It will be connected to a '''hub''' to be able to reach RUT LAN subnet. Fortinet has a LAN subnet of 192.168.5.0/24 and a WAN with private IP.
[[File:TopologijaIPsecPublicRutSingleLAN.png|border|class=tlt-border|center]]
[[File:Fortinet_RUT_IPsec_site_to_site_rut_public.png|border|class=tlt-border|center]]
===Fortinet configuration===
===Fortinet configuration===
----
Start by configuring the '''Fortinet''' device. Login to the WebUI, navigate to '''1. VPN → 2. IPsec Tunnels → 3. Create new → 4. IPsec Tunnel → 5. Your desired name → 6. Template type: Custom → 7. Click on the button next'''.
Start by configuring the '''Fortinet''' device. Login to the WebUI, navigate to '''1. VPN → 2. IPsec Tunnels → 3. Create new → 4. IPsec Tunnel → 5. Your desired name → 6. Template type: Custom → 7. Click on the button next'''.
----
----
----
----
Configure everything as follows.
Configure everything as follows.
Make the following changes:
Make the following changes:
# Remote Gateway – '''''Static IP Address;'''''
# Remote Gateway – '''''Static IP Address;'''''
Make the following changes:
Make the following changes:
'''''Click on Advanced settings;'''''
'''''Click on Advanced settings;'''''
# Encryption – '''''AES256;'''''
# Encryption – '''''AES256;'''''
----
----
Then create a second firewall rule.
Then create a second firewall rule.
Make the following changes:
Make the following changes:
# Incoming interface - '''''IPsec tunnel interface name (In this case it is Teltonika);'''''
# Incoming interface - '''''IPsec tunnel interface name (In this case it is Teltonika);'''''
----
----
Then create a new static route for blackhole.
Then create a new static route for blackhole.
Make the following changes:
Make the following changes:
<table class="nd-othertables_2">
<table class="nd-othertables_2">
----
----
Make the following changes:
Make the following changes:
# '''''Enable''''' instance;
# '''''Enable''''' instance;
# Authentication method - '''''Pre-shared key;'''''
# Authentication method - '''''Pre-shared key;'''''
----
----
Make the following changes:
Make the following changes:
# Mode - '''''Start;'''''
# Mode - '''''Start;'''''
# Type - '''''Tunnel;'''''
# Type - '''''Tunnel;'''''
==Site to site configuration with multiple LANs==
==Site to site configuration with multiple LANs==
----
----
This section provides a guide on how to configure a successful site to site IPsec vpn connection between '''RUT''' and '''Fortinet''' devices with multiple LANs. Here is the list of LANs with their subnets:
This section provides a guide on how to configure a successful site to site IPsec vpn connection between '''RUT''' and '''Fortinet''' devices with multiple LANs.
===Topology===
----
'''RUT''' – '''RUT''' will act as a '''hub'''. A hub is a server (IPsec responder), to which our spoke will be connected. It will be our remote endpoint for the spoke device. RUT has a LAN1 subnet of 192.168.1.0/24, LAN2 subnet of 192.168.2.0/24 and a WAN with Public IP, which should be reachable by the spoke.
'''Fortinet''' – '''Fortinet''' will act as a '''spoke'''. A spoke is a client (IPsec initiator), that will be connected to the hub. It will be connected to a '''hub''' to be able to reach RUT LAN1 and LAN2 subnet. Fortinet has a LAN1 subnet of 192.168.5.0/24, LAN2 subnet of 192.168.4.0/24 a WAN with private IP.
[[File:Fortinet_RUT_IPsec_site_to_site_rut_public_multiple_lan.png|border|class=tlt-border|center]]
===Fortinet configuration===
===Fortinet configuration===
----
----
[[File:Fortinet_static_route_general.png|border|class=tlt-border|center]]
[[File:Fortinet_static_route_general.png|border|class=tlt-border|center]]
----
----
===RUT configuration===
Then configure the '''RUT''' device. Login to the WebUI, navigate to '''Services → VPN → IPsec and add a new IPsec instance.''' Configure everything the same like site to site configuration, only change the '''Connection general section''' accordingly.
====Connection general section configuration====
----
<table class="nd-othertables_2">
<tr>
<th width=330; style="border-bottom: 1px solid white;></th>
<th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Rut_IPsec_configuration_connection_general_site_to_site_multiple_lan.png|border|class=tlt-border|center]]</th>
</tr>
<tr>
<td style="border-bottom: 4px solid white>
Make the following changes:
# Local subnet – '''''192.168.1.0/24;'''''
# '''''Click + button to add another Local subnet;'''''
# Local subnet - '''''192.168.2.0/24;'''''
# Remote subnet – '''''192.168.5.0/24;'''''
# '''''Click + button to add another Remote subnet;'''''
# Remote subnet – '''''192.168.4.0/24;'''''
# Key exchange - '''''IKEv2;'''''
</td>
</tr>
</table>
----
==Site to site configuration Fortinet public IP==
----
This section provides a guide on how to configure a successful site to site IPsec vpn connection between '''RUT''' and '''Fortinet''' when '''Fortinet''' has a public IP and RUT is behind NAT. This setup will be similiar to Site to site configuration RUT public IP, we will need only to change network section on Fortinet and on RUT we will need to add Remote endpoint.
===Topology===
----
Fortinet – Fortinet will act as a hub. A hub is a server (IPsec responder), to which our spoke will be connected. It will be our remote endpoint for the spoke device. Fortinet has a LAN subnet of 192.168.5.0/24 and a WAN with Public IP, which should be reachable by the spoke.
RUT – RUT will act as a spoke. A spoke is a client (IPsec initiator), that will be connected to the hub. It will be connected to a hub to be able to reach Fortinet LAN subnet. RUT has a LAN subnet of 192.168.1.0/24 and a WAN with private IP.
[[File:Fortinet_RUT_IPsec_site_to_site_fortinet_public.png|border|class=tlt-border|center]]
===Fortinet configuration===
----
As for the configuration of IPsec tunnel, everything is the same, only the Network and authentication sections needs to be changed, so for other sections refer to the guide site to site.
Start by configuring the '''Fortinet''' device. Login to the WebUI, navigate to '''1. VPN → 2. IPsec Tunnels → 3. Create new → 4. IPsec Tunnel → 5. Your desired name → 6. Template type: Custom → 7. Click on the button next'''.
----
<table class="nd-othertables_2">
<tr>
<th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Fortinet_Firewall_create_new.png|border|class=tlt-border|497x209px|left]]</th>
</tr>
<tr>
<th width=800; style="border-bottom: 1px solid white;" rowspan=1>[[File:Fortinet_Firewall_type_next_v2.png|border|class=tlt-border|437x209px|right]]</th>
</tr>
</table>
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
====Network configuration====
----
Make the following changes:
# Remote Gateway – '''''Dialup User;'''''
# Interface – '''''wan1;'''''
[[File:Fortinet_IPsec_network_public_rut_private.png|border|class=tlt-border|center]]
====Authentication configuration====
----
Make the following changes:
# Method – '''''Pre-shared Key;'''''
# Pre-shared Key – '''''your desired password;'''''
# Version – '''''2;'''''
# Accept Types - '''''Any peer ID;'''''
[[File:Fortinet_IPsec_authentication_public_rut_private.png|border|class=tlt-border|center]]
----
===RUT configuration===
Start by configuring the '''RUT''' device. Login to the WebUI, navigate to '''Services → VPN → IPsec and add a new IPsec instance.''' Configure everything as follows. For other sections refer to the '''"Site to site configuration RUT public IP"'''
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
====Instance configuration====
----
Make the following changes:
# '''''Enable''''' instance;
# Remote endpoint - '''''Public IP of Fortinet device'''''
# Authentication method - '''''Pre-shared key;'''''
# Pre-shared key - the '''''same password''''' you have '''''set on Fortinet''''' when configuring the '''''Fortinet IPsec instance;'''''
# Local identifier – '''''RUT LAN IP;'''''
# Remote identifier – '''''%any;'''''
[[File:Rut_IPsec_configuration_instance_site_to_site_private_ip.png|border|class=tlt-border|center]]
==Testing the configuration==
==Testing the configuration==
----
----
