68
edits
Changes
Default IPsec route configuration between Teltonika and Fortigate devices (view source)
Revision as of 13:51, 19 June 2024
, 19 Juneno edit summary
<p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.2'''] firmware version.</p>
<p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.2'''] firmware version.</p>
==Introduction==
==Introduction==
Normally we configure IPsec for LAN-to-LAN communication, also known as split-tunnel VPN, when only specific hosts should be reachable via a VPN tunnel. However, we may also take a different approach and configure a VPN tunnel using the full tunnel method. This means that any non-directly connected network (i.e. lan interface) will be reachable only via IPsec tunnel and not via the typical default route.
Normally we configure IPsec for LAN-to-LAN communication, also known as split-tunnel VPN, when only specific hosts or subnets should be reachable via a VPN tunnel. However, we may also take a different approach and configure a VPN tunnel using the full tunnel method. This means that any non-directly connected network (i.e. lan interface) will be reachable only via IPsec tunnel and not via the typical default route.
==Configuration overview and prerequisites==
==Configuration overview and prerequisites==
===Phase 1 Proposal configuration===
===Phase 1 Proposal configuration===
----
----
'''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.''
Make the following changes:
Make the following changes:
# Encryption – '''''AES256;'''''
# Encryption – '''''AES256;'''''
===Phase 2 Selectors configuration===
===Phase 2 Selectors configuration===
----
----
'''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.''
Make the following changes:
Make the following changes:
'''''Click on Advanced settings;'''''
'''''Click on Advanced settings;'''''
After setting up our IPsec instance, we will need to configure our firewall accordingly. Navigate to '''Policy & Objects → Firewall Policy → and click on a Create new button.'''. Configure everything as follows.
After setting up our IPsec instance, we will need to configure our firewall accordingly. Navigate to '''Policy & Objects → Firewall Policy → and click on a Create new button.'''. Configure everything as follows.
----
----
In this example, we are allowing all types of traffic through the tunnel, but you can restrict certain traffic by specifying the services that are allowed via the tunnel.
Make the following changes:
Make the following changes:
# Incoming interface - '''''Tunnel interface name (In this case it is Teltonika);'''''
# Incoming interface - '''''Tunnel interface name (In this case it is Teltonika);'''''
===Proposal configuration===
===Proposal configuration===
----
----
'''Note:''' ''This is only an example of a secure configuration. Other algorithms or even combinations of them could be used. However, we strongly recommend refraining from using older encryption and hashing algorithms unless support for certain legacy systems is required.''
Make the following changes:
Make the following changes:
<table class="nd-othertables_2">
<table class="nd-othertables_2">
If you have followed all the above steps, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly.
If you have followed all the above steps, your configuration should be finished. But as with any other configuration, it is always wise to test the setup in order to make sure that it works properly.
Using the <code><span class="highlight">'''ipsec status'''</span></code> command we can see that IPsec tunnel is successfully established on RUT router. The command output on a '''RUT''' device:
Using the <code><span class="highlight">'''ipsec status'''</span></code> or we can use <code><span class="highlight">'''ipsec statusall'''</span></code> command for a more verbose output. With these commands we can see that the IPsec tunnel is successfully established on RUT router. The command output on a '''RUT''' device:
[[File:Networking_ssh_manual_IPsec_configuration_IPsec_statusall_test_v1.png|border|class=tlt-border|971x135px|center]]
[[File:Networking_ssh_manual_IPsec_configuration_IPsec_statusall_test_v1.png|border|class=tlt-border|971x135px|center]]
To check if IPsec tunnel is working properly from '''Fortinet''', we can try pinging our '''RUT''' device by using this command in command line interface on Fortinet<code><span class="highlight" >'''exec ping 192.168.1.1'''</span></code>, if you are not able to ping '''RUT''' device, try changing the source interface from which we try pinging, by executing this command <code><span class="highlight" >'''exec ping-options source 192.168.5.99'''</span></code>:
To check if IPsec tunnel is working properly from '''Fortinet''', we can try pinging our '''RUT''' device by using this command in command line interface on Fortinet<code><span class="highlight" >'''exec ping 192.168.1.1'''</span></code>, if you are not able to ping '''RUT''' device, try changing the source interface from which we try pinging, by executing this command <code><span class="highlight" >'''exec ping-options source 192.168.5.99'''</span></code>:
[[File:Fortinet_IPsec_test_ping.png|border|class=tlt-border|center]]
[[File:Fortinet_IPsec_test_ping.png|border|class=tlt-border|center]]
----
We can also check if IPsec tunnel is working properly from '''Fortinet''' WebUI, navigate to '''VPN → IPSec Tunnels''' and there you will see if the tunnel is working:
[[File:Fortinet_IPsec_WebUI_tunnel_status.png|border|class=tlt-border|center]]
==See also==
==See also==