Changes

no edit summary
Line 8: Line 8:  
'''Prerequisites:'''
 
'''Prerequisites:'''
   −
* One RUT/RUTX series router with RUTOS firmware;
+
* One RUT/RUTX series router or TRB gateway with RUTOS firmware;
* One Fortigate series router;
+
* One Fortinet series router;
 
* An end device (PC, Laptop) for configuration;
 
* An end device (PC, Laptop) for configuration;
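Review bot: In the Prerequisites list, "One Fortinet series router" swaps a product name for the vendor name, which makes the requirement less specific. Fortinet is the company and FortiGate is the product this guide configures; the reference link at the bottom of the page still targets the fortigate administration guide. Suggest "One Fortinet FortiGate device", or keep the product name with the vendor's spelling, FortiGate.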
   Line 17: Line 17:  
==Topology==
 
==Topology==
   −
'''Fortigate''' – The Fortigate will act as a '''hub'''. A hub is a server, to which our spoke will be connected (IPsec responder). It will be our "default gateway" for the spoke device. Fortigate has a LAN subnet of 192.168.5.0/24 and WAN subnet of 192.168.10.2/24 configured on it, which should be reachable by the spoke.
+
'''Fortinet''' – The Fortinet will act as a '''hub'''. A hub is a server, to which our spoke will be connected (IPsec responder). It will be our "default gateway" for the spoke device. Fortinet has a LAN subnet of 192.168.5.0/24 and WAN subnet of 192.168.10.2/24 configured on it, which should be reachable by the spoke.
    
'''RUT''' – '''RUTX11''' will act as a '''spoke'''. A spoke is a client, that will be connected to the spoke (IPsec initiator). It will be connected to a '''hub''' for basic internet access. RUTX11 has a LAN subnet of 192.168.1.0/24 and WAN subnet of 192.168.10.1/24 configured on it.
 
'''RUT''' – '''RUTX11''' will act as a '''spoke'''. A spoke is a client, that will be connected to the spoke (IPsec initiator). It will be connected to a '''hub''' for basic internet access. RUTX11 has a LAN subnet of 192.168.1.0/24 and WAN subnet of 192.168.10.1/24 configured on it.
   −
==Fortigate (Hub) configuration==
+
==Fortinet (Hub) configuration==
Start by configuring the hub (Fortigate) device. Login to the WebUI, navigate to '''VPN → IPsec Tunnels → Create new → IPsec Tunnel → Template Custom'''. Configure everything as follows.  
+
Start by configuring the hub (Fortinet) device. Login to the WebUI, navigate to '''VPN → IPsec Tunnels → Create new → IPsec Tunnel → Template Custom'''. Configure everything as follows.  
    
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
 
'''Note:''' ''Not specified fields can be left as is or changed according to your needs.''
 
===Network configuration===
 
===Network configuration===
 
----
 
----
 +
Make the following changes:
 
# Remote Gateway – '''''Static IP Address;'''''
 
# Remote Gateway – '''''Static IP Address;'''''
 
# IP Address – '''''192.168.10.1;'''''
 
# IP Address – '''''192.168.10.1;'''''
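Review bot: The unchanged RUT paragraph in this hunk still reads "A spoke is a client, that will be connected to the spoke (IPsec initiator)", which should say the spoke connects to the hub; it is worth fixing in the same edit as the Fortinet paragraph above it. The Fortinet paragraph also calls 192.168.10.2/24 a "WAN subnet" although it is a host address (the Network configuration step uses 192.168.10.1 as the peer's IP address), so "WAN IP of 192.168.10.2/24" would be clearer, and likewise for 192.168.10.1/24 on the RUT line.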
Line 33: Line 34:  
===Authentication configuration===
 
===Authentication configuration===
 
----
 
----
 +
Make the following changes:
 
# Method – '''''Pre-shared Key;'''''
 
# Method – '''''Pre-shared Key;'''''
 
# Pre-shared Key – '''''your desired password;'''''
 
# Pre-shared Key – '''''your desired password;'''''
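Review bot: On the context line "Pre-shared Key – your desired password", the wording invites a short, memorable password, yet with the Pre-shared Key method this value is what authenticates the two peers. Suggest rewording the step to ask for a long, randomly generated key and to say that the identical value must be entered on the RUT side.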
Line 39: Line 41:  
===Phase 1 Proposal configuration===
 
===Phase 1 Proposal configuration===
 
----
 
----
 +
Make the following changes:
 
# Encryption – '''''AES256;'''''
 
# Encryption – '''''AES256;'''''
 
# Authentication -  '''''SHA512;'''''
 
# Authentication -  '''''SHA512;'''''
Line 46: Line 49:  
===Phase 2 Selectors configuration===
 
===Phase 2 Selectors configuration===
 
----
 
----
 +
Make the following changes:
 
'''''Click on Advanced settings;'''''
 
'''''Click on Advanced settings;'''''
 
# Encryption – '''''AES256;'''''
 
# Encryption – '''''AES256;'''''
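Review bot: In Phase 2 Selectors, "Click on Advanced settings;" sits between the new "Make the following changes:" sentence and the numbered list, in the bold italics used for field values, so it reads as a value rather than an action. Suggest making it step 1 of the list or writing it as plain text.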
Line 59: Line 63:  
===Instance configuration===
 
===Instance configuration===
 
----
 
----
 +
Make the following changes:
 
# '''''Enable''''' instance;
 
# '''''Enable''''' instance;
# Remote endpoint - '''''Fortigate WAN IP;'''''
+
# Remote endpoint - '''''Fortinet WAN IP;'''''
 
# Authentication method - '''''Pre-shared key;'''''
 
# Authentication method - '''''Pre-shared key;'''''
# Pre-shared key - the '''''same password''''' you have '''''set on Fortigate''''' when configuring the '''''Fortigate HUB instance;'''''
+
# Pre-shared key - the '''''same password''''' you have '''''set on Fortinet''''' when configuring the '''''Fortinet HUB instance;'''''
 
# Local identifier – '''''RUT WAN IP;'''''
 
# Local identifier – '''''RUT WAN IP;'''''
# Remote identifier – '''''Fortigate WAN IP;'''''
+
# Remote identifier – '''''Fortinet WAN IP;'''''
 
[[File:Networking_webui_manual_IPsec_Instance_Configuration.png|border|class=tlt-border|center]]
 
[[File:Networking_webui_manual_IPsec_Instance_Configuration.png|border|class=tlt-border|center]]
 
===Connection general section configuration===
 
===Connection general section configuration===
 
----
 
----
 +
Make the following changes:
 
# Mode - '''''Start;'''''
 
# Mode - '''''Start;'''''
 
# Type - '''''Tunnel;'''''
 
# Type - '''''Tunnel;'''''
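Review bot: In the Pre-shared key step, the new text "set on Fortinet when configuring the Fortinet HUB instance" repeats the vendor name and capitalises HUB, while the Topology section writes hub; suggest "the same pre-shared key you set on the hub". The steps in this list also mix a hyphen ("Remote endpoint -") with an en dash ("Local identifier –"); one separator throughout would be tidier.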
Line 78: Line 84:  
===Connection advanced section configuration===
 
===Connection advanced section configuration===
 
----
 
----
 +
Make the following changes:
 
# '''''Enable local firewall'''''
 
# '''''Enable local firewall'''''
 
#Remote DNS – '''''8.8.8.8;'''''
 
#Remote DNS – '''''8.8.8.8;'''''
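Review bot: The context line "Remote DNS – 8.8.8.8" hard-codes a public resolver without saying it is an example value. Suggest stating that any DNS server reachable through the tunnel can be used, since some deployments will want the hub's own or an internal resolver. Minor: "Enable local firewall" lacks the trailing semicolon the other steps have, and "#Remote DNS" lacks the space after "#".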
Line 84: Line 91:  
===Proposal configuration===
 
===Proposal configuration===
 
----
 
----
 
+
Make the following changes:
 
<table class="nd-othertables_2">
 
<table class="nd-othertables_2">
 
     <tr>
 
     <tr>
Line 135: Line 142:  
[https://openwrt.org/docs/guide-user/services/vpn/strongswan/basics OpenWrt Ipsec basics]
 
[https://openwrt.org/docs/guide-user/services/vpn/strongswan/basics OpenWrt Ipsec basics]
   −
[https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/762500/general-ipsec-vpn-configuration Fortigate Ipsec configuration]
+
[https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/762500/general-ipsec-vpn-configuration Fortinet Ipsec configuration]
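Review bot: The renamed label "Fortinet Ipsec configuration" no longer matches its target, which is the FortiGate administration guide (the URL path begins /document/fortigate/7.4.2/administration-guide/). Suggest "FortiGate IPsec configuration", which also fixes the "Ipsec" casing; the OpenWrt link label above has the same casing issue.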