Difference between revisions of "Default IPsec route configuration between Teltonika and Fortigate devices"
| (10 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | |||
<p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.2'''] firmware version.</p> | <p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.2'''] firmware version.</p> | ||
| + | <p style="color:red">The information in this page is updated in accordance with '''Fortigate v7.4.3''' firmware version.</p> | ||
==Introduction== | ==Introduction== | ||
| − | Normally we configure IPsec for LAN-to-LAN communication, also known as split-tunnel VPN, when only specific hosts should be reachable via a VPN tunnel. However, we may also take a different approach and configure a VPN tunnel using the full tunnel method. This means that any non-directly connected network (i.e. lan interface) will be reachable only via IPsec tunnel and not via the typical default route. | + | Normally we configure IPsec for LAN-to-LAN communication, also known as split-tunnel VPN, when only specific hosts or subnets should be reachable via a VPN tunnel. However, we may also take a different approach and configure a VPN tunnel using the full tunnel method. This means that any non-directly connected network (i.e. lan interface) will be reachable only via IPsec tunnel and not via the typical default route. |
| + | |||
==Configuration overview and prerequisites== | ==Configuration overview and prerequisites== | ||
Before we begin, let's look at the configuration we are attempting to achieve and the prerequisites that make it possible. | Before we begin, let's look at the configuration we are attempting to achieve and the prerequisites that make it possible. | ||
| + | |||
'''Prerequisites:''' | '''Prerequisites:''' | ||
| − | |||
| − | |||
| − | |||
| − | + | * One RUT/RUTX series router or TRB gateway with RUTOS firmware; | |
| + | * One Fortigate series router; | ||
| + | * An end device (PC, Laptop) for configuration; | ||
| − | If you're having trouble finding | + | If you're having trouble finding this page or some of the parameters described here on your device's WebUI, you should turn on '''"Advanced WebUI" mode.''' You can do that by clicking the "Advanced" button, located at the top of the WebUI. |
| + | [[File:Networking_rutos_manual_webui_basic_advanced_mode_75.gif|border|center|class=tlt-border|1102x93px]] | ||
==Topology== | ==Topology== | ||
| + | '''Fortigate''' – The '''Fortigate''' will act as a "default gateway" for the RUT device. '''Fortigate''' has a LAN subnet of 192.168.5.0/24 and WAN subnet of 192.168.10.2/24 configured on it, which should be reachable by the RUT. | ||
| − | ''' | + | '''RUT''' – The '''RUTX11''' in this case will be connected to '''Fortigate''' for basic internet access. '''RUT''' has a LAN subnet of 192.168.1.0/24 and WAN subnet of 192.168.10.1/24 configured on it. |
| − | |||
| − | ''' | ||
| − | |||
| − | |||
| − | |||
| + | [[File:TopologijaIPsecDefaultRoute_RUT_Fortinet.png|border|class=tlt-border|center]] | ||
| + | ==Fortigate configuration== | ||
| + | Start by configuring the '''Fortigate''' device. Login to the WebUI, navigate to '''1. VPN → 2. IPsec Tunnels → 3. Create new → 4. IPsec Tunnel → 5. Your desired name → 6. Template type: Custom → 7. Click on the button next'''. | ||
| + | ---- | ||
| + | <table class="nd-othertables_2"> | ||
| + | <tr> | ||
| + | <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Fortinet_Firewall_create_new.png|border|class=tlt-border|497x209px|left]]</th> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <th width=800; style="border-bottom: 1px solid white;" rowspan=1>[[File:Fortinet_Firewall_type_next_v2.png|border|class=tlt-border|437x209px|right]]</th> | ||
| + | </tr> | ||
| + | </table> | ||
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.'' | '''Note:''' ''Not specified fields can be left as is or changed according to your needs.'' | ||
===Network configuration=== | ===Network configuration=== | ||
| − | + | ---- | |
| − | + | Configure everything as follows. | |
| − | + | Make the following changes: | |
| − | + | # Remote Gateway – '''''Static IP Address;''''' | |
| − | + | # IP Address – '''''192.168.10.1;''''' | |
| − | + | #Interface – '''''wan1;''''' | |
| + | [[File:Fortigate_IPsec_Network_Configuration.png|border|class=tlt-border|center]] | ||
===Authentication configuration=== | ===Authentication configuration=== | ||
| − | + | ---- | |
| − | + | Make the following changes: | |
| − | + | # Method – '''''Pre-shared Key;''''' | |
| − | + | # Pre-shared Key – '''''your desired password;''''' | |
| − | + | # Version – '''''2;''''' | |
| − | + | [[File:Fortigate_IPsec_Authentication_Configuration.png|border|class=tlt-border|center]] | |
| − | |||
===Phase 1 Proposal configuration=== | ===Phase 1 Proposal configuration=== | ||
| + | ---- | ||
| + | '''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.'' | ||
| − | + | Make the following changes: | |
| − | + | # Encryption – '''''AES256;''''' | |
| − | + | # Authentication - '''''SHA512;''''' | |
| − | + | # Diffie-Hellman Group – '''''16;''''' | |
| − | + | # Key Lifetime (seconds) – '''''86400;''''' | |
| + | [[File:Fortigate_IPsec_Phase1_Proposal_Configuration.png|border|class=tlt-border|center]] | ||
| + | ===Phase 2 Selectors configuration=== | ||
| + | ---- | ||
| + | '''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.'' | ||
| − | + | Make the following changes: | |
| − | |||
| − | |||
'''''Click on Advanced settings;''''' | '''''Click on Advanced settings;''''' | ||
| + | # Encryption – '''''AES256;''''' | ||
| + | # Authentication - '''''SHA512;''''' | ||
| + | # Diffie-Hellman Group – '''''16;''''' | ||
| + | # Key Lifetime – '''''Seconds;''''' | ||
| + | # Seconds – '''''86400;''''' | ||
| + | [[File:Fortigate_IPsec_Phase2_Proposal_Configuration.png|border|class=tlt-border|center]] | ||
| − | + | ===Firewall configuration=== | |
| + | After setting up our IPsec instance, we will need to configure our firewall accordingly. Navigate to '''Policy & Objects → Firewall Policy → and click on a Create new button.'''. Configure everything as follows. | ||
| + | ---- | ||
| + | In this example, we are allowing all types of traffic through the tunnel, but you can restrict certain traffic by specifying the services that are allowed via the tunnel. | ||
| − | + | Make the following changes: | |
| − | + | # Incoming interface - '''''Tunnel interface name (In this case it is Teltonika);''''' | |
| − | + | # Outgoing interface - '''''wan2 (choose WAN port from which Fortigate gets internet);''''' | |
| − | + | # Source - '''''192.168.1.0/255.255.255.0;''''' | |
| − | + | # Destination - '''all;''' | |
| − | + | # Service - '''ALL;''' | |
| − | + | [[File:Fortinet_Ipsec_Firewall_default_route.png|border|class=tlt-border|center]] | |
| − | + | ===Static Routes configuration=== | |
| − | + | After setting up our IPsec instance and firewall, we will need to configure our static route accordingly. Navigate to '''Network → Static routes → and click on a Create new button.'''. For that we will need to create two static routes, one for blackhole and one for accessing our RUT device, configure everything as follows. | |
| − | ==RUT | + | ---- |
| − | Start by configuring the | + | Make the following changes: |
| + | <table class="nd-othertables_2"> | ||
| + | <tr> | ||
| + | <th width=330; style="border-bottom: 1px solid white;></th> | ||
| + | <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Fortinet_IPsec_Add_route_tunnel.png|border|class=tlt-border|center]]</th> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td style="border-bottom: 4px solid white> | ||
| + | # Destination - '''''192.168.1.0/255.255.255.0;''''' | ||
| + | # Interface - '''''Tunnel interface name (In this case it is Teltonika);''''' | ||
| + | </td> | ||
| + | </tr> | ||
| + | </table> | ||
| + | ---- | ||
| + | Then create a new static route for blackhole. | ||
| + | Make the following changes: | ||
| + | <table class="nd-othertables_2"> | ||
| + | <tr> | ||
| + | <th width=330; style="border-bottom: 1px solid white;></th> | ||
| + | <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Fortinet_IPsec_Add_route_to_blackhole.png|border|class=tlt-border|center]]</th> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td style="border-bottom: 4px solid white> | ||
| + | # Destination - '''''192.168.1.0/255.255.255.0;''''' | ||
| + | # Interface - '''''Blackhole;''''' | ||
| + | # Administrative distance - '''''254;''''' | ||
| + | </td> | ||
| + | </tr> | ||
| + | </table> | ||
| + | ==RUT configuration== | ||
| + | Start by configuring the '''RUT''' device. Login to the WebUI, navigate to '''Services → VPN → IPsec and add a new IPsec instance.''' Configure everything as follows. | ||
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.'' | '''Note:''' ''Not specified fields can be left as is or changed according to your needs.'' | ||
===Instance configuration=== | ===Instance configuration=== | ||
| − | + | ---- | |
| − | + | Make the following changes: | |
| − | + | # '''''Enable''''' instance; | |
| − | + | # Remote endpoint - '''''Fortigate WAN IP;''''' | |
| − | + | # Authentication method - '''''Pre-shared key;''''' | |
| − | + | # Pre-shared key - the '''''same password''''' you have '''''set on Fortigate''''' when configuring the '''''Fortigate IPsec instance;''''' | |
| − | + | # Local identifier – '''''RUT WAN IP;''''' | |
| − | + | # Remote identifier – '''''Fortigate WAN IP;''''' | |
| − | + | [[File:Networking_webui_manual_IPsec_Instance_Configuration.png|border|class=tlt-border|center]] | |
| − | |||
| − | |||
| − | |||
===Connection general section configuration=== | ===Connection general section configuration=== | ||
| + | ---- | ||
| + | Make the following changes: | ||
| + | # Mode - '''''Start;''''' | ||
| + | # Type - '''''Tunnel;''''' | ||
| + | # Local subnet – '''''192.168.1.0/24;''''' | ||
| + | # Remote subnet – '''''0.0.0.0/0;''''' | ||
| + | # Key exchange - '''''IKEv2;''''' | ||
| − | + | [[File:Networking_webui_manual_IPsec_configuration_connection_settings_v1.png|border|class=tlt-border|686x482px|center]] | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
===Connection advanced section configuration=== | ===Connection advanced section configuration=== | ||
| − | + | ---- | |
| − | + | Make the following changes: | |
| − | + | # '''''Enable local firewall''''' | |
| − | + | #Remote DNS – '''''8.8.8.8;''''' | |
| − | + | # Passthrough subnets – '''''192.168.1.0/24;''''' | |
| − | + | [[File:Networking_webui_manual_IPsec_Connection_advanced_Configuration.png|border|class=tlt-border|686x482px|center]] | |
| − | |||
===Proposal configuration=== | ===Proposal configuration=== | ||
| − | ''' | + | ---- |
| + | '''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.'' | ||
| − | + | Make the following changes: | |
| + | <table class="nd-othertables_2"> | ||
| + | <tr> | ||
| + | <th width=330; style="border-bottom: 1px solid white;></th> | ||
| + | <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase1_settings_v1.png|border|class=tlt-border|671x336px|center]]</th> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td style="border-bottom: 4px solid white> | ||
| + | # Encryption - '''''AES256;''''' | ||
| + | # Authentication - '''''SHA512;''''' | ||
| + | # DH group - '''''MODP4096;''''' | ||
| + | # IKE lifetime - '''86400s'''. | ||
| + | </td> | ||
| + | </tr> | ||
| + | </table> | ||
| − | 2. Authentication - '''''SHA512;''''' | + | ---- |
| + | <table class="nd-othertables_2"> | ||
| + | <tr> | ||
| + | <th width=330; style="border-bottom: 1px solid white;></th> | ||
| + | <th width=800; style="border-bottom: 1px solid white;" rowspan=2>[[File:Networking_webui_manual_IPsec_configuration_proposal_phase2_settings_v1.png|border|class=tlt-border|644x331px|center]]</th> | ||
| + | </tr> | ||
| + | <tr> | ||
| + | <td style="border-bottom: 4px solid white> | ||
| + | # Encryption - '''''AES256;''''' | ||
| + | # Authentication - '''''SHA512;''''' | ||
| + | # PFS group - '''''MODP4096;''''' | ||
| + | # Lifetime – '''''86400s;''''' | ||
| + | </td> | ||
| + | </tr> | ||
| + | </table> | ||
| − | |||
| − | + | ==Testing the configuration== | |
| + | ---- | ||
| + | If you have followed all the above steps, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly. | ||
| − | ''' | + | Using the <code><span class="highlight">'''ipsec status'''</span></code> or we can use <code><span class="highlight">'''ipsec statusall'''</span></code> command for a more verbose output. With these commands we can see that the IPsec tunnel is successfully established on RUT router. The command output on a '''RUT''' device: |
| − | 1. | + | [[File:Networking_ssh_manual_IPsec_configuration_IPsec_statusall_test_v1.png|border|class=tlt-border|971x135px|center]] |
| + | ---- | ||
| + | Also, we should be able to access internet routed via Fortigate, we can check it out by pinging 8.8.8.8 and checking what public IP we get by executing this command via command line on RUT device: <code><span class="highlight" >'''curl icanhazip.com'''</span></code> and <code><span class="highlight" >'''ping 8.8.8.8'''</span></code>: | ||
| + | [[File:RutIpsecCurlPingTest.png|border|class=tlt-border|506x133px|center]] | ||
| + | ---- | ||
| + | To check if IPsec tunnel is working properly from '''Fortigate''', we can try pinging our '''RUT''' device by using this command in command line interface on Fortigate<code><span class="highlight" >'''exec ping 192.168.1.1'''</span></code>, if you are not able to ping '''RUT''' device, try changing the source interface from which we try pinging, by executing this command <code><span class="highlight" >'''exec ping-options source 192.168.5.99'''</span></code>: | ||
| + | [[File:Fortinet_IPsec_test_ping.png|border|class=tlt-border|center]] | ||
| + | ---- | ||
| + | We can also check if IPsec tunnel is working properly from '''Fortigate''' WebUI, navigate to '''VPN → IPSec Tunnels''' and there you will see if the tunnel is working: | ||
| + | [[File:Fortinet_IPsec_WebUI_tunnel_status.png|border|class=tlt-border|center]] | ||
| + | ==See also== | ||
| − | + | [https://wiki.teltonika-networks.com/view/RUTX12_VPN#IPsec IPsec on Teltonika Networks devices] | |
| − | + | ==External links== | |
| − | + | [https://openwrt.org/docs/guide-user/services/vpn/strongswan/basics OpenWrt Ipsec basics] | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | + | [https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/762500/general-ipsec-vpn-configuration Fortigate Ipsec configuration] | |
Latest revision as of 11:41, 25 June 2024
The information in this page is updated in accordance with 00.07.07.2 firmware version.
The information in this page is updated in accordance with Fortigate v7.4.3 firmware version.
Introduction
Normally we configure IPsec for LAN-to-LAN communication, also known as split-tunnel VPN, when only specific hosts or subnets should be reachable via a VPN tunnel. However, we may also take a different approach and configure a VPN tunnel using the full tunnel method. This means that any non-directly connected network (i.e. lan interface) will be reachable only via IPsec tunnel and not via the typical default route.
Configuration overview and prerequisites
Before we begin, let's look at the configuration we are attempting to achieve and the prerequisites that make it possible.
Prerequisites:
- One RUT/RUTX series router or TRB gateway with RUTOS firmware;
- One Fortigate series router;
- An end device (PC, Laptop) for configuration;
If you're having trouble finding this page or some of the parameters described here on your device's WebUI, you should turn on "Advanced WebUI" mode. You can do that by clicking the "Advanced" button, located at the top of the WebUI.
Topology
Fortigate – The Fortigate will act as a "default gateway" for the RUT device. Fortigate has a LAN subnet of 192.168.5.0/24 and WAN subnet of 192.168.10.2/24 configured on it, which should be reachable by the RUT.
RUT – The RUTX11 in this case will be connected to Fortigate for basic internet access. RUT has a LAN subnet of 192.168.1.0/24 and WAN subnet of 192.168.10.1/24 configured on it.
Fortigate configuration
Start by configuring the Fortigate device. Login to the WebUI, navigate to 1. VPN → 2. IPsec Tunnels → 3. Create new → 4. IPsec Tunnel → 5. Your desired name → 6. Template type: Custom → 7. Click on the button next.
 |
|---|
 |
Note: Not specified fields can be left as is or changed according to your needs.
Network configuration
Configure everything as follows. Make the following changes:
- Remote Gateway – Static IP Address;
- IP Address – 192.168.10.1;
- Interface – wan1;
Authentication configuration
Make the following changes:
- Method – Pre-shared Key;
- Pre-shared Key – your desired password;
- Version – 2;
Phase 1 Proposal configuration
Note: This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.
Make the following changes:
- Encryption – AES256;
- Authentication - SHA512;
- Diffie-Hellman Group – 16;
- Key Lifetime (seconds) – 86400;
Phase 2 Selectors configuration
Note: This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.
Make the following changes: Click on Advanced settings;
- Encryption – AES256;
- Authentication - SHA512;
- Diffie-Hellman Group – 16;
- Key Lifetime – Seconds;
- Seconds – 86400;
Firewall configuration
After setting up our IPsec instance, we will need to configure our firewall accordingly. Navigate to Policy & Objects → Firewall Policy → and click on a Create new button.. Configure everything as follows.
In this example, we are allowing all types of traffic through the tunnel, but you can restrict certain traffic by specifying the services that are allowed via the tunnel.
Make the following changes:
- Incoming interface - Tunnel interface name (In this case it is Teltonika);
- Outgoing interface - wan2 (choose WAN port from which Fortigate gets internet);
- Source - 192.168.1.0/255.255.255.0;
- Destination - all;
- Service - ALL;
Static Routes configuration
After setting up our IPsec instance and firewall, we will need to configure our static route accordingly. Navigate to Network → Static routes → and click on a Create new button.. For that we will need to create two static routes, one for blackhole and one for accessing our RUT device, configure everything as follows.
Make the following changes:
 |
|
|---|---|
|
Then create a new static route for blackhole. Make the following changes:
 |
|
|---|---|
|
RUT configuration
Start by configuring the RUT device. Login to the WebUI, navigate to Services → VPN → IPsec and add a new IPsec instance. Configure everything as follows. Note: Not specified fields can be left as is or changed according to your needs.
Instance configuration
Make the following changes:
- Enable instance;
- Remote endpoint - Fortigate WAN IP;
- Authentication method - Pre-shared key;
- Pre-shared key - the same password you have set on Fortigate when configuring the Fortigate IPsec instance;
- Local identifier – RUT WAN IP;
- Remote identifier – Fortigate WAN IP;
Connection general section configuration
Make the following changes:
- Mode - Start;
- Type - Tunnel;
- Local subnet – 192.168.1.0/24;
- Remote subnet – 0.0.0.0/0;
- Key exchange - IKEv2;
Connection advanced section configuration
Make the following changes:
- Enable local firewall
- Remote DNS – 8.8.8.8;
- Passthrough subnets – 192.168.1.0/24;
Proposal configuration
Note: This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.
Make the following changes:
 |
|
|---|---|
|
 |
|
|---|---|
|
Testing the configuration
If you have followed all the above steps, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly.
Using the ipsec status or we can use ipsec statusall command for a more verbose output. With these commands we can see that the IPsec tunnel is successfully established on RUT router. The command output on a RUT device:
Also, we should be able to access internet routed via Fortigate, we can check it out by pinging 8.8.8.8 and checking what public IP we get by executing this command via command line on RUT device: curl icanhazip.com and ping 8.8.8.8:
To check if IPsec tunnel is working properly from Fortigate, we can try pinging our RUT device by using this command in command line interface on Fortigateexec ping 192.168.1.1, if you are not able to ping RUT device, try changing the source interface from which we try pinging, by executing this command exec ping-options source 192.168.5.99:
We can also check if IPsec tunnel is working properly from Fortigate WebUI, navigate to VPN → IPSec Tunnels and there you will see if the tunnel is working:
See also
IPsec on Teltonika Networks devices
