FortiOS 5.2 VPN: Remote browsing using site-to-site IPsec VPN

Last Update:2019-02-21 Source: Internet

Author: User

Keywords IPsec VPN Remote browsing

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

In this recipe, you will configure a site-to-site, also called gateway-to-gateway, IPsec VPN between an office with Internet access restrictions (Remote Office) and an office without these restrictions (Head Office) so that the Remote Office can access the Internet through the Head Office, avoiding the restrictions.

To bypass this restriction, this example shows how create a site-to-site VPN to connect the Remote Office FortiGate unit to the Head Office FortiGate unit, and allow Remote Office staff to transparently browse the Internet to google.com using the Head Office’s Internet connection.

Note that both FortiGates run FortiOS firmware version 5.2.2 and have static IP addresses on Internet-facing interfaces. You will also need to know the Remote Office’s gateway IP address.

1. Configuring IPsec VPN on the Head Office FortiGate

In a real world scenario, a Remote Office’s ISP or something in their local Internet may be blocking access to Google, or any other site for that matter.

On the Head Office FortiGate, go to VPN > IPSec > Wizard.

Name the VPN, select Site to Site – FortiGate, and click Next.

Set the Remote Gateway to the Remote Office FortiGate IP address

The Wizard should select the correct Outgoing Interface when you click anywhere else in the window. Depending on your configuration, you may have to manually set the outgoing interface.

Select Pre-shared Key for the Authentication Method.

Enter a pre-shared key then click Next.

Under Policy & Routing, set the Local Interface to the interface connected to the Head Office internal network.

For Local Subnets, enter the subnet range of the Head Office internal network. Depending on your configuration, this may be set automatically by the wizard.

For Remote Subnets, enter the subnet range of the Remote Office internal network then click Create.

The VPN Wizard informs you that a static route has been created, as well as two two security policies and two address objects, which are added to two address groups (also created).

Create a security policy to allow the Remote Office to have Internet access. Go to Policy & Objects > Policy > IPv4 and select Create New.

Set Incoming Interface to the VPN interface created by the VPN wizard and set Source Address to the remote office address group created by the VPN wizard.

Set Outgoing Interface to the Internet-facing interface and set Destination Address to all.

Enable NAT and (optionally) enforce any company security profiles.

2. Adding a route on the Remote Office FortiGate

On the Remote Office FortiGate, create a static route that forwards traffic destined for the Head Office FortiGate to the ISP’s Internet gateway.

(In this example, the Head Office FortiGate IP address is 172.20.120.154 so the destination IP/Mask is 172.20.120.154/255.255.255.0 and the ISP’s gateway IP address is 10.10.20.100.)

3. Configuring IPsec VPN on the Remote Office FortiGate

On the Remote Office FortiGate, go to VPN > IPSec > Wizard.

Name the VPN, select Site to Site – FortiGate, and click Next.

Set the Remote Gateway to the Head Office FortiGate IP address.

The Wizard should select the correct Outgoing Interface.

Select Pre-shared Key for the Authentication Method and enter the same Pre-shared Key as you entered in Step 1.

Under Policy & Routing, set the Local Interface to the interface connected to the Remote Office internal network.

For Local Subnets, enter the subnet range of the Remote Office internal network.

For Remote Subnets, enter the subnet range of the Head Office internal network then click Create.

The VPN Wizard informs you that a static route has been created, as well as two address groups and two security policies.

Allow Internet traffic from the remote office to enter the VPN tunnel.

On the Remote Office FortiGate, go to Policy & Objects > Policy > IPv4.

Edit the outbound security policy created by the VPN Wizard.

Change the Destination Address to all so that the policy accepts Internet traffic.

4. Establishing the tunnel

On either FortiGate, go to VPN > Monitor > IPsec Monitor.

Right-click the newly created tunnel and select Bring Up.

If the tunnel is established, the Status column will read Up on both of the FortiGates.

6. Results

With the tunnel up, you can now visit google.com without being blocked, since the Internet traffic is handled by the Head Office FortiGate and the access restrictions on the remote FortiGate have been bypassed.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More