Line 1: |
Line 1: |
| <p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.2'''] firmware version.</p> | | <p style="color:red">The information in this page is updated in accordance with [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.2'''] firmware version.</p> |
− | <p style="color:red">The information in this page is updated in accordance with '''Fortinet v7.4.3''' firmware version.</p> | + | <p style="color:red">The information in this page is updated in accordance with '''Fortigate v7.4.3''' firmware version.</p> |
| ==Introduction== | | ==Introduction== |
| Normally we configure IPsec for LAN-to-LAN communication, also known as split-tunnel VPN, when only specific hosts or subnets should be reachable via a VPN tunnel. However, we may also take a different approach and configure a VPN tunnel using the full tunnel method. This means that any non-directly connected network (i.e. lan interface) will be reachable only via IPsec tunnel and not via the typical default route. | | Normally we configure IPsec for LAN-to-LAN communication, also known as split-tunnel VPN, when only specific hosts or subnets should be reachable via a VPN tunnel. However, we may also take a different approach and configure a VPN tunnel using the full tunnel method. This means that any non-directly connected network (i.e. lan interface) will be reachable only via IPsec tunnel and not via the typical default route. |
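Review bot: the product is spelled FortiGate (capital G) in Fortinet's own documentation, so the rename in the version banner should read '''FortiGate v7.4.3''' rather than '''Fortigate v7.4.3'''; the same applies to every other renamed occurrence in this diff. In the unchanged banner line above it, the bold markup is fused to the URL (`FW_%26_SDK_Downloads'''00.07.07.2'''`) with no separating space, so the wiki treats the quotes and version number as part of the link target instead of as link text; a space before `'''00.07.07.2'''` fixes that. The introduction's parenthetical "(i.e. lan interface)" also contradicts "non-directly connected network", since the LAN interface is the one network that is directly connected; "(i.e. everything beyond the LAN interface)" is what the sentence means.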
Line 10: |
Line 10: |
| | | |
| * One RUT/RUTX series router or TRB gateway with RUTOS firmware; | | * One RUT/RUTX series router or TRB gateway with RUTOS firmware; |
− | * One Fortinet series router; | + | * One Fortigate series router; |
| * An end device (PC, Laptop) for configuration; | | * An end device (PC, Laptop) for configuration; |
| | | |
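Review bot: "One Fortigate series router" is still inaccurate after the rename: a FortiGate is a firewall appliance rather than a router series, so "One FortiGate firewall (FortiOS 7.4.3)" would match the version banner and be clearer; capitalise it as FortiGate here as well.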
Line 17: |
Line 17: |
| | | |
| ==Topology== | | ==Topology== |
− | '''Fortinet''' – The '''Fortinet''' will act as a "default gateway" for the RUT device. '''Fortinet''' has a LAN subnet of 192.168.5.0/24 and WAN subnet of 192.168.10.2/24 configured on it, which should be reachable by the RUT. | + | '''Fortigate''' – The '''Fortigate''' will act as a "default gateway" for the RUT device. '''Fortigate''' has a LAN subnet of 192.168.5.0/24 and WAN subnet of 192.168.10.2/24 configured on it, which should be reachable by the RUT. |
| | | |
− | '''RUT''' – The '''RUTX11''' in this case will be connected to '''Fortinet''' for basic internet access. '''RUT''' has a LAN subnet of 192.168.1.0/24 and WAN subnet of 192.168.10.1/24 configured on it. | + | '''RUT''' – The '''RUTX11''' in this case will be connected to '''Fortigate''' for basic internet access. '''RUT''' has a LAN subnet of 192.168.1.0/24 and WAN subnet of 192.168.10.1/24 configured on it. |
| | | |
− | [[File:TopologijaIPsecDefaultRoute.png|border|class=tlt-border|center]] | + | [[File:TopologijaIPsecDefaultRoute_RUT_Fortinet.png|border|class=tlt-border|center]] |
− | ==Fortinet configuration== | + | ==Fortigate configuration== |
− | Start by configuring the '''Fortinet''' device. Login to the WebUI, navigate to '''1. VPN → 2. IPsec Tunnels → 3. Create new → 4. IPsec Tunnel → 5. Your desired name → 6. Template type: Custom → 7. Click on the button next'''. | + | Start by configuring the '''Fortigate''' device. Login to the WebUI, navigate to '''1. VPN → 2. IPsec Tunnels → 3. Create new → 4. IPsec Tunnel → 5. Your desired name → 6. Template type: Custom → 7. Click on the button next'''. |
| ---- | | ---- |
| <table class="nd-othertables_2"> | | <table class="nd-othertables_2"> |
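Review bot: "WAN subnet of 192.168.10.2/24" and "WAN subnet of 192.168.10.1/24" describe host addresses, not subnets; both WAN interfaces sit in 192.168.10.0/24, so write "WAN IP 192.168.10.2/24" and "WAN IP 192.168.10.1/24" (or name the subnet 192.168.10.0/24 and give each device's address). The renamed image TopologijaIPsecDefaultRoute_RUT_Fortinet.png keeps "Fortinet" while the body text was changed to Fortigate; fine if that is the uploaded filename, but it reads as inconsistent. Step 7 "Click on the button next" should be "Click Next".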
Line 79: |
Line 79: |
| Make the following changes: | | Make the following changes: |
| # Incoming interface - '''''Tunnel interface name (In this case it is Teltonika);''''' | | # Incoming interface - '''''Tunnel interface name (In this case it is Teltonika);''''' |
− | # Outgoing interface - '''''wan2 (choose WAN port from which Fortinet gets internet);''''' | + | # Outgoing interface - '''''wan2 (choose WAN port from which Fortigate gets internet);''''' |
| # Source - '''''192.168.1.0/255.255.255.0;''''' | | # Source - '''''192.168.1.0/255.255.255.0;''''' |
| # Destination - '''all;''' | | # Destination - '''all;''' |
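Review bot: with Destination set to '''all''' and Outgoing interface '''wan2''', this policy forwards everything arriving from the tunnel to the internet, but the visible steps do not say whether NAT is enabled on the policy; without NAT on wan2 the RUT's 192.168.1.0/24 source addresses would leave the FortiGate unchanged and replies would never come back. Either confirm NAT is covered in the steps that follow (not shown in this hunk) or add it explicitly. Since this is the policy that gives the remote LAN unrestricted egress, it is also where any logging or security profiles the deployment needs belong, which is worth a sentence.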
Line 123: |
Line 123: |
| Make the following changes: | | Make the following changes: |
| # '''''Enable''''' instance; | | # '''''Enable''''' instance; |
− | # Remote endpoint - '''''Fortinet WAN IP;''''' | + | # Remote endpoint - '''''Fortigate WAN IP;''''' |
| # Authentication method - '''''Pre-shared key;''''' | | # Authentication method - '''''Pre-shared key;''''' |
− | # Pre-shared key - the '''''same password''''' you have '''''set on Fortinet''''' when configuring the '''''Fortinet IPsec instance;''''' | + | # Pre-shared key - the '''''same password''''' you have '''''set on Fortigate''''' when configuring the '''''Fortigate IPsec instance;''''' |
| # Local identifier – '''''RUT WAN IP;''''' | | # Local identifier – '''''RUT WAN IP;''''' |
− | # Remote identifier – '''''Fortinet WAN IP;''''' | + | # Remote identifier – '''''Fortigate WAN IP;''''' |
| [[File:Networking_webui_manual_IPsec_Instance_Configuration.png|border|class=tlt-border|center]] | | [[File:Networking_webui_manual_IPsec_Instance_Configuration.png|border|class=tlt-border|center]] |
| ===Connection general section configuration=== | | ===Connection general section configuration=== |
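Review bot: step 4 only says to reuse the "same password" set on the FortiGate; since the pre-shared key is the sole authenticator for this tunnel, the guide should recommend a long random key rather than a password, one not reused anywhere else. Steps 5 and 6 set the Local/Remote identifier to the WAN IPs; that only works if the FortiGate side's local and peer IDs match these values exactly, since IKE authentication fails on an ID mismatch, so say that they must equal what was entered on the FortiGate. Minor: items 2 to 4 use "-" while items 5 and 6 use "–"; pick one.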
Line 195: |
Line 195: |
| [[File:RutIpsecCurlPingTest.png|border|class=tlt-border|506x133px|center]] | | [[File:RutIpsecCurlPingTest.png|border|class=tlt-border|506x133px|center]] |
| ---- | | ---- |
− | To check if IPsec tunnel is working properly from '''Fortinet''', we can try pinging our '''RUT''' device by using this command in command line interface on Fortinet<code><span class="highlight" >'''exec ping 192.168.1.1'''</span></code>, if you are not able to ping '''RUT''' device, try changing the source interface from which we try pinging, by executing this command <code><span class="highlight" >'''exec ping-options source 192.168.5.99'''</span></code>: | + | To check if IPsec tunnel is working properly from '''Fortigate''', we can try pinging our '''RUT''' device by using this command in command line interface on Fortigate<code><span class="highlight" >'''exec ping 192.168.1.1'''</span></code>, if you are not able to ping '''RUT''' device, try changing the source interface from which we try pinging, by executing this command <code><span class="highlight" >'''exec ping-options source 192.168.5.99'''</span></code>: |
| [[File:Fortinet_IPsec_test_ping.png|border|class=tlt-border|center]] | | [[File:Fortinet_IPsec_test_ping.png|border|class=tlt-border|center]] |
| ---- | | ---- |
− | We can also check if IPsec tunnel is working properly from '''Fortinet''' WebUI, navigate to '''VPN → IPSec Tunnels''' and there you will see if the tunnel is working: | + | We can also check if IPsec tunnel is working properly from '''Fortigate''' WebUI, navigate to '''VPN → IPSec Tunnels''' and there you will see if the tunnel is working: |
| [[File:Fortinet_IPsec_WebUI_tunnel_status.png|border|class=tlt-border|center]] | | [[File:Fortinet_IPsec_WebUI_tunnel_status.png|border|class=tlt-border|center]] |
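Review bot: the two CLI commands are presented in the wrong order for the reader: `exec ping-options source 192.168.5.99` only sets the source address for subsequent pings, so it must be run before `exec ping 192.168.1.1`, not offered as a fallback after it; the text also says "source interface" where the command sets a source IP. Split the run-on sentence into two and add the missing space in "on Fortigate<code>". "IPSec Tunnels" should be "IPsec Tunnels" as in the earlier navigation path, and the image names Fortinet_IPsec_test_ping.png and Fortinet_IPsec_WebUI_tunnel_status.png still say Fortinet.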
| ==See also== | | ==See also== |
Line 208: |
Line 208: |
| [https://openwrt.org/docs/guide-user/services/vpn/strongswan/basics OpenWrt Ipsec basics] | | [https://openwrt.org/docs/guide-user/services/vpn/strongswan/basics OpenWrt Ipsec basics] |
| | | |
− | [https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/762500/general-ipsec-vpn-configuration Fortinet Ipsec configuration] | + | [https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/762500/general-ipsec-vpn-configuration Fortigate Ipsec configuration] |
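Review bot: the linked FortiGate documentation is the 7.4.2 administration guide while the banner at the top of this diff states v7.4.3; point the link at the guide for the version the page was verified against, or say why 7.4.2 is referenced. "Ipsec" in both link labels should be "IPsec" to match the rest of the page, and the label should read FortiGate.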