A subsidiary recently bought a new Fortigate. A quick check of the firmware version showed a major version jump: the previous unit ran 5.6, this one runs 6.0. Every version jump so far has given me trouble when building the Site to Site VPN to my Sonicwall, and unsurprisingly this one was not done in one go either, hence this article. Compared with the previous two, though, the debugging went a lot more smoothly.
First, the history:
FortiGate 4.X and Sonicwall firewall: establishing a Site to Site VPN
FortiGate 5.6 and Sonicwall firewall: establishing a Site to Site VPN
The procedure is much the same as for 5.6. The main difference is that in the Policy that sends traffic from the Fortigate to the Sonicwall, NAT must be turned off (it is on by default). If it is not turned off, you hit the same problem as with 5.6 (the Sonicwall can ping the Fortigate, but not the other way round). The blackhole routing issue from 5.6 is also still present, so the blackhole routes must still be set up.
The environment on the two sides is as follows:

| Sonicwall NSA 4600 | FortiGate 100E |
|---|---|
| firmware: 6.5.4.4 | firmware: 6.0.6 |
| LAN: 192.168.1.0/24, 192.168.2.0/24 | LAN: 192.168.100.0/24 |
| WAN: | WAN: |
[Sonicwall Settings]
1. Create an address object
「Network」->「Address Objects」
Name: FortiGate_network
Zone Assignment: VPN
Type: Network
Network: 192.168.100.0
Netmask: 255.255.255.0
OK
2. Set up the VPN tunnel
「VPN」
Enable VPN
Add
–General tab
IPSec Keying Mode: IKE using Preshared Secret.
Name: FortiGate_network
IPSec primary Gateway Name or Address: 203.4.5.6
Shared Secret: set a password
Local IKE ID: IP Address (leave blank)
Peer IKE ID: IP Address (leave blank)
–Network tab
Local Network: LAN Primary Subnet (192.168.1.0/24, 192.168.2.0/24)
Destination Networks: FortiGate_network (192.168.100.0/24)
–Proposals tab
IKE (Phase1) Proposal
Exchange: IKEv2 Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800
IKE (Phase2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
DH Group: Group 2
Life Time: 28800
OK
[FortiGate Settings]
1. Set up the VPN
「VPN」->「IPsec Tunnels」
「Create New」
Name: SonicWall
Template Type: Custom
–Network
Remote Gateway: Static IP
IP Address: 203.1.2.3
Interface: Wan1
–Authentication
Authentication Method: Preshared Key
Pre-shared Key: the same password set on the Sonicwall above
IKE Version: 2
–Phase 1 Proposal
Encryption: AES128
Authentication: SHA1
DH Group: 2
Keylife: 28800
–Phase 2 Selectors
Set the first network segment (192.168.1.0)
Name: SonicWall-192.168.1.0
Local Address: 192.168.100.0/24
Remote Address: 192.168.1.0/24
Set the second network segment (192.168.2.0)
Name: SonicWall-192.168.2.0
Local Address: 192.168.100.0/24
Remote Address: 192.168.2.0/24
–Advanced
Encryption: 3DES
Authentication: SHA1
Leave Enable perfect forward secrecy (PFS) unchecked
Keylife: 28800
2. Create routes
Set the 192.168.1.0 route
「Network」->「Static Routes」
Create New
Destination: 192.168.1.0/24
Interface: SonicWall
Administrative Distance: 10
-Advanced Options
Priority: 3 (larger than the default 0, which the blackhole route keeps)
OK
Set the 192.168.2.0 route
「Network」->「Static Routes」
Create New
Destination: 192.168.2.0/24
Interface: SonicWall
Administrative Distance: 10
-Advanced Options
Priority: 3 (larger than the default 0, which the blackhole route keeps)
OK
Set the 192.168.1.0 blackhole route
「Network」->「Static Routes」
Create New
Destination: 192.168.1.0/24
Interface: Blackhole
Administrative Distance: 12 (must be larger than the 10 of the normal route above)
OK
Set the 192.168.2.0 blackhole route
「Network」->「Static Routes」
Create New
Destination: 192.168.2.0/24
Interface: Blackhole
Administrative Distance: 12 (must be larger than the 10 of the normal route above)
OK
3. Set the firewall rules
「Policy & Objects」->「IPv4 Policy」
Create New
Name: Forti2Sonicwall
Source Interface: Port 1 (the port where 192.168.100.0 sits)
Outgoing Interface: SonicWall
Source: FortiGate_network
Destination: SonicWall_network
Schedule: always
Service: ALL
Action: Accept
Turn NAT off (the main problem in this firmware version: NAT must not be enabled here)
OK
Create New
Name: Sonicwall2Forti
Source Interface: SonicWall
Outgoing Interface: Port 1 (the port where 192.168.100.0 sits)
Source: SonicWall_network
Destination: FortiGate_network
Schedule: always
Service: ALL
Action: Accept
OK
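The FortiGate side of the steps above, written out as FortiOS 6.0 CLI. This is an added example, not from the original post: it assumes the address objects FortiGate_network and SonicWall_network already exist, uses the post's 203.1.2.3 as the Sonicwall WAN address, and the pre-shared key is a placeholder.

```text
# Added example, not from the original post; PSK is a placeholder, address objects assumed to exist.
config vpn ipsec phase1-interface
    edit "SonicWall"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.1.2.3
        set proposal aes128-sha1
        set dhgrp 2
        set keylife 28800
        set psksecret "<same password as on the Sonicwall>"
    next
end
config vpn ipsec phase2-interface
    edit "SonicWall-192.168.1.0"
        set phase1name "SonicWall"
        set proposal 3des-sha1
        set pfs disable
        set keylifeseconds 28800
        set src-subnet 192.168.100.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "SonicWall"
        set distance 10
        set priority 3
    next
    # blackhole at distance 12: only wins while the tunnel route is gone, so traffic is dropped instead of leaking out the default route
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set blackhole enable
        set distance 12
    next
end
# Repeat the phase2 selector and both routes for 192.168.2.0/24.
config firewall policy
    edit 0
        set name "Forti2Sonicwall"
        set srcintf "port1"
        set dstintf "SonicWall"
        set srcaddr "FortiGate_network"
        set dstaddr "SonicWall_network"
        set service "ALL"
        set action accept
        # the fix from the post: NAT off on the outbound policy, otherwise only Sonicwall-to-FortiGate pings work
        set nat disable
    next
end
```

After saving the GUI steps, `show router static` and `show firewall policy` on the FortiGate should correspond to these entries.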