To create a firewall policy for the VPN traffic going from the Fortinet FortiGate unit to the SonicWall device Now as you configure both Phase 1 and Phase 2 VPN settings, Its time to add the Firewall policyįor adding a firewall policy, we need to add an source and destination addresses and add internal to external policy that comprises these source and destination addresses to allow the traffic flow.Įnter a name for the address, for example FortiGate_network.Įnter the FortiGate IP address and subnet.Įnter the name for the address, for example SonicWall_network.Įnter the SonicWall IP address and subnet. **Quick Mode Identities: add source and destination networks as SonicWall will require this in building the Security Associations Leave all other settings as their default. (default values shown can be changed by admin) Select Create New and enter the following: Below is the Fortinet Fortigate phase 1 VPN settings or configurations For the configuration, you need to configure the Phase 1 and Phase 2 settings for VPN in Fortinet Fortigate device. Let’s take Fortinet Fortigate Device first. We will do GUI configuration between both Fortinet and SonicWall devices.įig 1.1- Fortigate to SonicWall VPN tunnel As both of these devices having the GUI interfaces. You should have FortiGate running the software version of FortiOS 3.0 and higher and for SonicWall it should be SonicOS Enhanced software version 3.1.x.x. So it may happen that some of the configurations varies on both Fortinet and SonicWall devices.Īs we discuss about the VPN tunnel between Fortinet and SonicWall It should have the recommended software version. I am not going to talk about the specific models of Fortinet and SonicWall. I am using a sonicwall with under <4.0 firmware and snow leopard.Today I am going to talk about the VPN tunnel configuration between Fortinet and SonicWall security devices. I noticed on the sonicwall that when I had a tunnel before opening the firewall I would have an address like 10.10.10.2(publicwanIP) - Once I configured the firewall, I only had the 10.10.10.2 address under users. This essentially bypasses the firewall on the outbound side for port 4500. So I set up a firewall rule to allow IPSEC/NAT-T UDP outbound (port 4500). Some people report that some routers allow this and others don't allow NAT-T to work. If NAT-T was enabled then no tunnel would come up. If I had NAT-T off the tunnel comes up but no connectivity to remote resources. You have to enable the manual configuration of the IP address in the sonicwall as the article states. #1 I don't think ipsecuritas does DHCP over VPN. There are a couple of things that make this a problem. Please contact me if you need help with your connection. Also, be wary of mapping multiple networks behind the Sonicwall, each has to build its own contract. Always have your log file open when trying to debug these connections. Otherwise you will get "NO PROPOSAL WAS CHOSEN" when trying to negotiate phase 1. The reason for this was that IPSecuritas just does PFS without an option to turn it off or on, so you must turn it on, on the Sonicwall. The key for me was Perfect Forward Secrecy was NOT enabled but it should have been! So ENABLE perfect forward secrecy. Name Server Addresses: probably your domain controller ip address Store Password: checked if you would like the password to be storedĭNS: check "enable domain specific DNS servers" just fill in the "Unique Firewall Identifier" from the Sonicwall VPN section Remote Mode: Network (Internal LAN network of the Sonicwall, such as 10.0.1.0 CIDR/Mask 24) Remote IPSec Device: IP or host name of Sonicwall (must be reachable from Internet)Įndpoint Mode: Host (IP Address left blank) Use Default Key for Simple Client Provisioning is Selected Personal Firewall on Client Machine is Not Required Set Default Route as this Gateway is Not SelectedĪpply VPN Access Control List is Not Selected Virtual Adapter Settings: DHCP Lease or Manual Configuration Policy Options : PFS: on Xauth: on Netbios: on Multicast: offĬache XAUTH User Name and Password on Client: Never IPsec Proposal : DH Group 2 Encrypt/Auth - ESP: 3DES/HMAC SHA1 IKE Proposal : DH Group 2 Encrypt/Auth - 3DES/SHA1 Sonicwall side config (straight out of the tech support report)Īuthentication Method : IKE with Preshared secret I always had some difficulty getting the free IPsecuritas connected so I am sure others had problems too.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |