Changes

30 bytes added , Tuesday at 11:41

no edit summary

Line 1: Line 1:

The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.2'''] firmware version.

−

The information in this page is updated in accordance with '''~~Fortinet~~ v7.4.3''' firmware version.

+

The information in this page is updated in accordance with '''Fortigate v7.4.3''' firmware version.

==Introduction==

Normally we configure IPsec for LAN-to-LAN communication, also known as split-tunnel VPN, when only specific hosts or subnets should be reachable via a VPN tunnel. However, we may also take a different approach and configure a VPN tunnel using the full tunnel method. This means that any non-directly connected network (i.e. lan interface) will be reachable only via IPsec tunnel and not via the typical default route.

Line 10: Line 10:

* One RUT/RUTX series router or TRB gateway with RUTOS firmware;

−

* One ~~Fortinet~~ series router;

+

* One Fortigate series router;

* An end device (PC, Laptop) for configuration;

Line 17: Line 17:

==Topology==

−

'''~~Fortinet~~''' – The '''~~Fortinet~~''' will act as a "default gateway" for the RUT device. '''~~Fortinet~~''' has a LAN subnet of 192.168.5.0/24 and WAN subnet of 192.168.10.2/24 configured on it, which should be reachable by the RUT.

+

'''Fortigate''' – The '''Fortigate''' will act as a "default gateway" for the RUT device. '''Fortigate''' has a LAN subnet of 192.168.5.0/24 and WAN subnet of 192.168.10.2/24 configured on it, which should be reachable by the RUT.

−

'''RUT''' – The '''RUTX11''' in this case will be connected to '''~~Fortinet~~''' for basic internet access. '''RUT''' has a LAN subnet of 192.168.1.0/24 and WAN subnet of 192.168.10.1/24 configured on it.

+

'''RUT''' – The '''RUTX11''' in this case will be connected to '''Fortigate''' for basic internet access. '''RUT''' has a LAN subnet of 192.168.1.0/24 and WAN subnet of 192.168.10.1/24 configured on it.

−

[[File:~~TopologijaIPsecDefaultRoute~~.png|border|class=tlt-border|center]]

+

[[File:TopologijaIPsecDefaultRoute_RUT_Fortinet.png|border|class=tlt-border|center]]

−

==~~Fortinet~~ configuration==

+

==Fortigate configuration==

−

Start by configuring the '''~~Fortinet~~''' device. Login to the WebUI, navigate to '''1. VPN → 2. IPsec Tunnels → 3. Create new → 4. IPsec Tunnel → 5. Your desired name → 6. Template type: Custom → 7. Click on the button next'''.

+

Start by configuring the '''Fortigate''' device. Login to the WebUI, navigate to '''1. VPN → 2. IPsec Tunnels → 3. Create new → 4. IPsec Tunnel → 5. Your desired name → 6. Template type: Custom → 7. Click on the button next'''.

----

Line 79: Line 79:

Make the following changes:

# Incoming interface - '''''Tunnel interface name (In this case it is Teltonika);'''''

−

# Outgoing interface - '''''wan2 (choose WAN port from which ~~Fortinet~~ gets internet);'''''

+

# Outgoing interface - '''''wan2 (choose WAN port from which Fortigate gets internet);'''''

# Source - '''''192.168.1.0/255.255.255.0;'''''

# Destination - '''all;'''

Line 123: Line 123:

Make the following changes:

# '''''Enable''''' instance;

−

# Remote endpoint - '''''~~Fortinet~~ WAN IP;'''''

+

# Remote endpoint - '''''Fortigate WAN IP;'''''

# Authentication method - '''''Pre-shared key;'''''

−

# Pre-shared key - the '''''same password''''' you have '''''set on ~~Fortinet~~''''' when configuring the '''''~~Fortinet~~ IPsec instance;'''''

+

# Pre-shared key - the '''''same password''''' you have '''''set on Fortigate''''' when configuring the '''''Fortigate IPsec instance;'''''

# Local identifier – '''''RUT WAN IP;'''''

−

# Remote identifier – '''''~~Fortinet~~ WAN IP;'''''

+

# Remote identifier – '''''Fortigate WAN IP;'''''

[[File:Networking_webui_manual_IPsec_Instance_Configuration.png|border|class=tlt-border|center]]

===Connection general section configuration===

Line 195: Line 195:

[[File:RutIpsecCurlPingTest.png|border|class=tlt-border|506x133px|center]]

----

−

To check if IPsec tunnel is working properly from '''~~Fortinet~~''', we can try pinging our '''RUT''' device by using this command in command line interface on ~~Fortinet~~<code>'''exec ping 192.168.1.1'''</code>, if you are not able to ping '''RUT''' device, try changing the source interface from which we try pinging, by executing this command <code>'''exec ping-options source 192.168.5.99'''</code>:

+

To check if IPsec tunnel is working properly from '''Fortigate''', we can try pinging our '''RUT''' device by using this command in command line interface on Fortigate<code>'''exec ping 192.168.1.1'''</code>, if you are not able to ping '''RUT''' device, try changing the source interface from which we try pinging, by executing this command <code>'''exec ping-options source 192.168.5.99'''</code>:

[[File:Fortinet_IPsec_test_ping.png|border|class=tlt-border|center]]

----

−

We can also check if IPsec tunnel is working properly from '''~~Fortinet~~''' WebUI, navigate to '''VPN → IPSec Tunnels''' and there you will see if the tunnel is working:

+

We can also check if IPsec tunnel is working properly from '''Fortigate''' WebUI, navigate to '''VPN → IPSec Tunnels''' and there you will see if the tunnel is working:

[[File:Fortinet_IPsec_WebUI_tunnel_status.png|border|class=tlt-border|center]]

==See also==

Line 208: Line 208:

[https://openwrt.org/docs/guide-user/services/vpn/strongswan/basics OpenWrt Ipsec basics]

−

[https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/762500/general-ipsec-vpn-configuration ~~Fortinet~~ Ipsec configuration]

+

[https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/762500/general-ipsec-vpn-configuration Fortigate Ipsec configuration]

Dziugas.Syminas

Administrators

68

edits

Namespaces

Variants

Views

More

Search

Changes

Default IPsec route configuration between Teltonika and Fortigate devices (view source)

Revision as of 11:41, 25 June 2024

Navigation menu

Personal tools

NAVIGATION

Tools

Categories