FortiGate 5.6 Establish Site to Site VPN with Sonicwall firewall

I previously wrote the article "SonicWall and FortiGate firewall site-to-site VPN". At that time I often had to set up site-to-site VPNs with FortiGate devices while the firewall on my side was a SonicWall, and the setup sometimes succeeded and sometimes failed, so I eventually spent some time organizing the settings for both brands into one method for later reference. While testing and writing that up I found that slightly different FortiGate firmware versions could not be configured in quite the same way, which was a nuisance, so I recorded both methods that established a connection successfully, "Tunnel" and "Interface", so that the next time a revision came up a different method could be tried.

Today I again had to establish a site-to-site VPN with a FortiGate, model FortiGate 80E, firmware version 5.6.4. When I heard it was a newly bought firewall, my first thought was "anything but reassuring", and sure enough, once I connected to it the options had changed again, and this time even the interface had changed a lot. When I actually started setting up the VPN, I found there was no longer any "Tunnel" versus "Interface" choice. I first tried the previous "Tunnel" method, but no VPN was established. I then switched to the "Interface" method, but got a strange result: the site-to-site VPN was established on both sides, and the SonicWall end could ping the FortiGate end's segment, but the reverse direction timed out. I checked the policy order and routing settings and found no problem, redid everything several times, and the result was the same, which gave me a headache.

I went looking for official documentation, but for the current 5.6 firmware the official material only seems to cover setting up a site-to-site VPN to another FortiGate with the VPN Wizard. I did notice, though, that when the wizard finishes its final step, the wizard screen lists the several objects it created, and one called "Blackhole Route" caught my attention, because for a site-to-site VPN one normally only sets a "static route"; this was the first time I had seen a "Blackhole Route". I then went to "Static Routes" to look, and in the Interface drop-down menu there is indeed a "Blackhole" option. I tried adding a route and putting it on this "Blackhole" interface. After that, the SonicWall side, which had previously been able to ping the FortiGate segment, could not ping it any more either. I then simply disabled the route I had just added, and the magic happened: the SonicWall and FortiGate networks on both sides could ping each other. But after I disconnected and reconnected the VPN, the FortiGate again could not ping the SonicWall segment, while the SonicWall could still ping the FortiGate segment.

I then repeated the same procedure, enabling the "Blackhole" route and then disabling it, and the segments on both sides could communicate again. After several tests confirmed the same result, I began studying the "Blackhole" route settings. Among a route's parameters there are two values, "Priority" and "Distance", that affect route ordering. In the end I found that as long as the "Blackhole" route's "Priority" value is less than the VPN route's "Priority", and its "Distance" value is greater than the VPN route's "Distance", the networks on both sides connect normally, and even after restarting the VPN connection they can still ping each other normally.

I then went to check the official documentation on "Blackhole", but only found instructions for configuring "Blackhole" routes by command in earlier firmware versions, and I still do not know why this solves the problem of the FortiGate segment not being able to ping the SonicWall segment. For now I am sharing the settings that worked; if I find further information I will update this post. If any readers know why, comments in the discussion below are welcome. Thanks.

The environments on the two sides are as follows:

SonicWall NSA 4600
firmware: 6.2.7.1
Lan: 192.168.1.0/24, 192.168.2.0/24
Wan: 203.1.2.3

FortiGate 80E
firmware: 5.6.4
Lan: 192.168.100.0/24
Wan: 203.4.5.6

【SonicWall Settings】
1. Create an address object
「Network」->「Address Objects」
Name: FortiGate_network
Zone Assignment: VPN
Type: Network
Network: 192.168.100.0
Netmask: 255.255.255.0
OK

2. Configure the VPN tunnel
「VPN」
Enable VPN
Add
–General tab
IPSec Keying Mode: IKE using Preshared Secret.
Name: FortiGate_network
IPSec primary Gateway Name or Address: 203.4.5.6
Shared Secret: set a password
Local IKE ID: IP Address (leave blank)
Peer IKE ID: IP Address (leave blank)

–Network tab
Local Network:LAN Primary Subnet(192.168.1.0/24、192.168.2.0/24)
Destination Networks:FortiGate_network(192.168.100.0/24)

–Proposals tab
IKE (Phase1) Proposal
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800

IKE (Phase2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
DH Group: Group 2
Life Time: 28800

–Advanced tab
Enable Keep Alive.
OK

【FortiGate Settings】
1. Configure the VPN
「VPN」->「IPsec Tunnels」
「Create New」
Name: SonicWall
Template Type: Custom

–Network
Remote Gateway: Static IP
IP Address: 203.1.2.3
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: the same password set on the SonicWall above

–Phase 1 Proposal
Encryption: 3DES
Authentication: SHA1
DH Group: 2
Keylife: 28800

–Phase 2 Selectors
Set the first network segment (192.168.1.0)
Name: SonicWall-192.168.1.0
Local Address: 192.168.100.0/24
Remote Address: 192.168.1.0/24

Set the second network segment (192.168.2.0)
Name: SonicWall-192.168.2.0
Local Address: 192.168.100.0/24
Remote Address: 192.168.2.0/24

–Advanced
Encryption: 3DES
Authentication: SHA1
Do not check Enable perfect forward secrecy (PFS)
Keylife: 28800

2. Create the routes
Set the 192.168.1.0 route
「Network」->「Static Routes」
Create New
Destination: 192.168.1.0/24
Interface: SonicWall
Administrative Distance: 10
-Advanced Options
Priority: 3 (greater than the Blackhole route's default of 0)
OK

Set the 192.168.2.0 route
「Network」->「Static Routes」
Create New
Destination: 192.168.2.0/24
Interface: SonicWall
Administrative Distance: 10
-Advanced Options
Priority: 3 (greater than the Blackhole route's default of 0)
OK

Set the 192.168.1.0 Blackhole route
「Network」->「Static Routes」
Create New
Destination: 192.168.1.0/24
Interface: Blackhole
Administrative Distance: 12 (greater than the VPN route's distance of 10)
OK

Set the 192.168.2.0 Blackhole route
「Network」->「Static Routes」
Create New
Destination: 192.168.2.0/24
Interface: Blackhole
Administrative Distance: 12 (greater than the VPN route's distance of 10)
OK
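To show why the Distance and Priority values in the routes above matter, here is an added Python model of static route selection (a simplified model written for this post, not FortiOS code or the author's): longest prefix first, then lowest distance, then lowest priority among equal distances, with a tunnel interface's routes unusable while the tunnel is down. The "wan1" default route is an assumption, not part of the original configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class StaticRoute:
    dst: str        # destination prefix
    device: str     # egress interface, or "Blackhole"
    distance: int   # administrative distance: lower is installed first
    priority: int   # tie-break among routes of equal distance: lower wins


# Constructed table mirroring the post; the wan1 default route is assumed.
VPN_ROUTES = [
    StaticRoute("0.0.0.0/0", "wan1", 10, 0),
    StaticRoute("192.168.1.0/24", "SonicWall", 10, 3),
    StaticRoute("192.168.2.0/24", "SonicWall", 10, 3),
]


def blackhole_routes(distance=12, priority=0):
    """Blackhole backup routes for both remote subnets with the given values."""
    return [StaticRoute(p, "Blackhole", distance, priority)
            for p in ("192.168.1.0/24", "192.168.2.0/24")]


def best_route(routes, dst_ip, up_devices):
    """Pick the route a packet to dst_ip would use (simplified model).
    A blackhole route never goes down; tunnel routes need the tunnel up."""
    ip = ip_address(dst_ip)
    usable = [r for r in routes
              if ip in ip_network(r.dst)
              and (r.device == "Blackhole" or r.device in up_devices)]
    if not usable:
        return None
    return min(usable, key=lambda r: (-ip_network(r.dst).prefixlen,
                                      r.distance, r.priority))


def egress(dst_ip, tunnel_up, blackhole=None):
    """Name of the interface a packet to dst_ip leaves on, or None."""
    table = VPN_ROUTES + (blackhole or [])
    up = {"wan1"} | ({"SonicWall"} if tunnel_up else set())
    r = best_route(table, dst_ip, up)
    return r.device if r else None


if __name__ == "__main__":
    print(egress("192.168.1.10", True, blackhole_routes()))   # SonicWall
    print(egress("192.168.1.10", False, blackhole_routes()))  # Blackhole: dropped
    print(egress("192.168.1.10", False))                      # wan1: leaks to WAN
    print(egress("192.168.1.10", True, blackhole_routes(distance=10)))  # Blackhole
```

With the values from this post (distance 12, priority 0) the blackhole route only takes over when the tunnel is down, so traffic for the remote subnet is dropped instead of following the default route out the WAN; giving the blackhole route the same distance as the VPN route makes it win even while the tunnel is up.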

3. Configure the firewall policies
「Policy & Objects」->「IPv4 Policy」
Create New
Name: Forti2Sonicwall
Source Interface: Port 1 (the port where 192.168.100.0 is connected)
Outgoing Interface: SonicWall
Source: FortiGate_network
Destination: SonicWall_network
Schedule: always
Service: ALL
Action: Accept
OK

Create New
Name: Sonicwall2Forti
Source Interface: SonicWall
Outgoing Interface: Port 1 (the port where 192.168.100.0 is connected)
Source: SonicWall_network
Destination: FortiGate_network
Schedule: always
Service: ALL
Action: Accept
OK

【Reference Links】
