Fortinet: IPsec Site-to-Site VPN Setup on FortiGate Firewall
- Published: 23 Jul 2024
- Configure multiple IPSec VPN tunnels on FortiGate firewalls to secure work and home network.
Overview/Topology - 0:00
Configure FortiGate2 - 00:25
Configure FortiGate1 - 3:44
- Category: Science
Great tutorial! Not often you see video tutorials this good - many thanks. And a well named channel: To-the-point Fortinet. I will be coming back for more!
This was so straightforward and easy to understand. Thanks!
Great explanation - thank you!
Thanks a lot! It worked as a charm!!!
My god I wish I had as much knowledge as you
So So Clear.. Thank you
Excellent ... well done ...
Hi, can you help with WAN, LAN and Site to Site VPN configuring on Fortigate 300D....
Thank you
Broooo! You saved the day!
Thanks for your work..
Hello, thanks for your really great video. Why do you use the 'custom' option when setting up the VPN instead of the 'site-to-site' ?
Some of the other options work well because they do more for you, such as creating static routes and firewall policy config. I used custom as the option because it then requires manual configuration of routes + policies, so that I could show more detail about what's required to configure everything.
This is great.
Just a few questions
Which model is this you are using?
Have you tested file sharing/transfers?
Set up something like this between 2 locations on USGs. Found that simultaneous file transferring slowed down quite a bit on a 100/100 speed.
The model is FortiGate 61E - I didn't test file sharing while making this video. Here's 2 things to consider when troubleshooting IPsec site-to-site slow down between sites (or at least a couple easy ones to check off quickly):
1) Test a different protocol -> so try iperf instead of SMB to isolate whether the issue is specific to the USG inspection with SMB (USG is an Ubiquiti device, right?)
2) Do an ISP test without IPsec -> so let's say you run a speed test on a workstation at both sites and you get 100Mbps for both tests -> this does NOT mean that SMB between sites will be 100Mbps -> often the ISP will give you the best throughput to speedtest servers, but when you test between different sites you might see a much lower value. It really depends on how much the ISPs will shape/throttle between each public IP -> you can test this with a forwarding rule on both sites, here's the FortiGate configuration on how to do it: ruclips.net/video/p8MV3da9D8o/видео.html --> or to rule out the firewall entirely you can connect a laptop directly to each ISP modem for a moment to test (if possible in your environment) -> generally even with this test, the two ISPs will throttle you down significantly from 100Mbps unless maybe you have dedicated lines
@@tothepointfortinet3823 alright thanks for this. I'll try the above
Great explanation. Is it compulsory for both FortiGate WAN addresses to belong to the same public IP network? Let's say that we have 2 different companies that were not communicating before and their WAN addresses are not on the same network.
Hi Don, no they don't need to be on the same network; in my case they were because I am simulating it in my lab. Generally, WAN IPs will be on different networks; so as long as both FortiGates can route traffic to each other, then you can set up a tunnel between the two.
Can you make a tutorial video for a redundant IPsec tunnel? I am using two ISPs on my firewall.
thanks for sharing this VD
What is a selector in FortiGate?
Hi great video!! I was just wondering how DNS could be set through this ? Do you have any guides or intel on it ? Thanks :)
A site-to-site doesn't push config to any type of client, so you can't set DNS from the FortiGate in this case. But you can set a DNS server if you use a remote dial-up IPsec tunnel or SSL tunnel.
Hi Bro, great. I have created a tunnel but I can't access an HTTP resource on the remote subnet (intranet running on the remote LAN).
Here's some videos that will help to troubleshoot:
Packet capture: ruclips.net/video/meXTmUXHQoI/видео.html
IPsec Troubleshooting: ruclips.net/video/91GznQt2kzg/видео.html
What a great video! I am new to Fortinet and I have a question: when setting up WAN interfaces for remote sites, do these IP addresses have to be set manually? I ask because if they are on DHCP, the VPN would be lost, right?
You should have a static WAN IP for each remote site.
Amazing .
Hi Bro, please can you also share the setup with the firewall behind the router? Thanks
Looking for this too. I need to set up multiple sites behind ISP routers.
Tried this so many times and changed options, my tunnel always shows inactive
Creating address objects is what I'm stuck on, and the video says "I've pre-created some"; man, I wish that part was explained. I'm trying to set up a VPN to Azure and I'm not sure which "object" type to use.
Go to Policy & Objects > addresses
@@tothepointfortinet3823 Thanks. I finished setting up my tunnel to Azure today.
Does this work with a different vendor? Like FortiGate & SonicWall or Sophos?
Yeah, this will work for other vendors too; you just need to match the settings in the SonicWall GUI.
And if one site has a dynamic WAN IP? Dial-up VPN?
Yes that's one approach. Another could be to specify the FQDN on the side which has a static IP
Is this an example of a route-based VPN or a policy-based VPN? I have always been confused by the two.
This would be considered a route-based VPN.
same question
Hi Bro, this is Naveen from India. I'm watching so many videos regarding VPN but I didn't get the clarity. After creating everything the VPN client is not connecting; I'm doing the labs in VMware.
Please suggest to me how to complete it.
What is the issue you are facing?
What if both sites are behind NAT?
This should still work fine; you'd need to lab it to find all caveats, but here's a couple to consider:
- Port forward both port 500 and 4500 on the firewall the FortiGates are behind
- Enable NAT-T on both ends
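Pulling the replies above together (the custom tunnel with its manual route and policy, the route-based design, and NAT-T for sites behind NAT), here is an added FortiOS CLI sketch of one FortiGate's side; it is not taken from the video, and the tunnel name, interface names, subnets, peer address and PSK are assumptions.

```text
# Phase 1: route-based tunnel interface on the assumed WAN port "wan1".
# 203.0.113.2 is a constructed peer address; the PSK is a placeholder.
# nattraversal covers the "both sites behind NAT" case (UDP 500/4500
# must still be forwarded to the FortiGate by the upstream router).
config vpn ipsec phase1-interface
    edit "to-site2"
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set remote-gw 203.0.113.2
        set psksecret "REPLACE-WITH-PSK"
    next
end
# Phase 2: the traffic selectors, with constructed LAN subnets.
config vpn ipsec phase2-interface
    edit "to-site2-p2"
        set phase1name "to-site2"
        set proposal aes256-sha256
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
# Static route via the tunnel interface: the "site-to-site" template
# adds this for you; "custom" leaves it to you.
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "to-site2"
    next
end
# Outbound policy, also left to you with "custom". "internal" is the
# assumed LAN interface name.
config firewall policy
    edit 0
        set name "lan-to-site2"
        set srcintf "internal"
        set dstintf "to-site2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

A mirror policy with srcintf "to-site2" and dstintf "internal" is needed for return traffic, and the "all" addresses should be narrowed to the named LAN address objects the video pre-creates.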
great