Sonicwall FortiGate防火牆建立Site to Site VPN

  三年前曾試過為Sonicwall NSA 2400與FortiGate 110C建立Site to Site VPN,不過失敗了,Later tests Juniper 5GT and Sonicwall actually succeed。Recently, with a demand to build VPN FortiGate 110C,雖然手上已經有另一台FortiGate 110C,照理說直接用同型號來建會省事很多,但我還是想再試一次用Sonicwall來建,看看能不能找出當初失敗的原因,來回測試一整天,Finally get。


The two sides environment are as follows:

Sonicwall NSA 4600 FortiGate 110C
Lan:
192.168.1.0/24
192.168.2.0/24

Wan:
203.1.2.3

Lan:
192.168.100.0/24
 

Wan:
203.4.5.6

【Sonicwall設定】
1.建Object
「Network」->「Address Objects」
Name: FortiGate_network
Zone Assignment: VPN
Type: Network
Network: 192.168.100.0
Netmask: 255.255.255.0
OK

2.設定VPN Tunnel
「VPN」
Enable VPN
Add
–General tab
IPSec Keying Mode: IKE using Preshared Secret.
Name: FortiGate_network
IPSec primary Gateway Name or Address: 203.4.5.6
Shared Secret: 設一組密碼
Local IKE ID: IP Address (保留空白)
Peer IKE ID: IP Address (保留空白)

–Network tab
Local Network:LAN Primary Subnet(192.168.1.0/24、192.168.2.0/24)
Destination Networks:FortiGate_network.

–Proposals tab
IKE (Phase1) Proposal
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800

IKE (Phase2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
不勾選「Enable perfect forward secrecy」
Life Time: 28800

–Advanced tab
Enable Keep Alive.
OK

接著設定FortiGate,有Tunnel及Interface兩種方式,The alternative to a set。(官方教學是Tunnel模式)

【FortiGate設定—1.Tunnel模式】
1.設定VPN
「VPN」->「IPSec」->「Auto Key(IKE)」->「Phase 1」
「Create Phase 1」
Gateway Name: SonicWall
Remote Gateway: Static IP
IP Address: 203.1.2.3
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: 同上面Sonicwall設定的密碼

–Advanced
Encryption: 3DES
Authentication: SHA1
DH Group: 2
Keylife: 28800
Leave the default values ​​for the other set。
OK

「VPN」->「IPSec」->「Auto Key(IKE)」->「Phase 2」
「Create Phase 2」
Tunnel Name: SonicWall-192.168.1.0
Remote Gateway: 選SonicWall
–Advanced
Encryption: 3DES
Authentication: SHA1
不勾選「Enable perfect forward secrecy(PFS)」
(如果勾選,就算Sonicwall也勾選,仍可能造成VPN無法建立,原因不明,Interface模式則沒有此問題)

Keylife: 28800
–Quick Mode Selector..
Source address:192.168.100.0/24
Destination address:192.168.1.0/24
OK
**Here Quick Mode must be set in order to establish a connection with the SonicWall。不然FortiGate會出現”no matching gateway for new request”mistake。

設定第二個網段(192.168.2.0)
「Create Phase 2」
Tunnel Name: SonicWall-192.168.2.0
Remote Gateway: 選SonicWall
–Advanced
Encryption: 3DES
Authentication: SHA1
不勾選「Enable perfect forward secrecy(PFS)」
Keylife: 28800
–Quick Mode Selector..
Source address:192.168.100.0/24
Destination address:192.168.2.0/24
OK

2.建立Address
「Firewall」->「Address」->「Address」
Create New
name:FortiGate_network
IP address:192.168.100.0
subnet:255.255.255.0
OK

Create New
name:SonicWall_network_1
IP address:192.168.1.0
subnet::255.255.255.0
OK

Create New
name:SonicWall_network_2
IP address:192.168.2.0
subnet::255.255.255.0
OK

把Sonicwall兩個網段設為一個群組
「Firewall」->「Address」->「Group」
Create New
Group Name:SonicWall_network
Members:SonicWall_network_1、SonicWall_network_2
OK

3.設定防火牆規則
「Firewall」->「Policy」->「Policy」
Create New
Source Interface: Port 1(or Internal)
Source Address: FortiGate_network
Destination Interface: WAN1 (or External)
Destination Address: SonicWall_network
Schedule: always
Service: ANY
Action: IPSEC (or Encrypt)
VPN Tunnel: SonicWall
勾 Allow inbound
勾 Allow outbound
OK

【FortiGate設定—2.Interface模式】
1.設定VPN
「VPN」->「IPSec」->「Auto Key(IKE)」->「Phase 1」
「Create Phase 1」
Gateway Name: SonicWall
Remote Gateway: Static IP
IP Address: 203.1.2.3
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: 同上面Sonicwall設定的密碼

–Advanced
勾「Enable IPsec Interface Mode」
Encryption: 3DES
Authentication: SHA1
DH Group: 2
Keylife: 28800
Leave the default values ​​for the other set。
OK

「VPN」->「IPSec」->「Auto Key(IKE)」->「Phase 2」
「Create Phase 2」
Tunnel Name: SonicWall-192.168.1.0
Remote Gateway: SonicWall

–Advanced
Encryption: 3DES
Authentication: SHA1
不勾選Enable perfect forward secrecy(PFS)
Keylife: 28800

–Quick Mode Selector..
Source address:192.168.100.0/24
Destination address:192.168.1.0/24
OK
**Here Quick Mode must be set in order to establish a connection with the SonicWall。不然FortiGate會出現”no matching gateway for new request”mistake。

設定第二個網段(192.168.2.0)
「Create Phase 2」
Tunnel Name: SonicWall-192.168.2.0
Remote Gateway: SonicWall

–Advanced
Encryption: 3DES
Authentication: SHA1
不勾選Enable perfect forward secrecy(PFS)
Keylife: 28800
–Quick Mode Selector..
Source address:192.168.100.0/24
Destination address:192.168.2.0/24
OK

2.建立路由
「Router」->「Static」->「Static Route」
Create New
Destination IP/Mask: 192.168.1.0/24
Device: SonicWall
OK

Create New
Destination IP/Mask: 192.168.2.0/24
Device: SonicWall
OK

3.設定防火牆規則
「Firewall」->「Policy」->「Policy」
Create New
Source Interface: Port 1(or Internal)
Source Address: FortiGate_network
Destination Interface: SonicWall
Destination Address: SonicWall_network
Schedule: always
Service: ANY
Action: Accept
OK

Create New
Source Interface: SonicWall
Source Address: SonicWall_network
Destination Interface: Port 1(or Internal)
Destination Address: FortiGate_network
Schedule: always
Service: ANY
Action: Accept
OK

【參考連結】

2 Responses

  1. FortiGate 6.0 Establish Site to Site VPN with Sonicwall firewall | Old Sen Chang Tan Says |

    […] FortiGate 4.X and Sonicwall firewall to establish Site to Site VPN:FortiGate link 5.6 Sonicwall firewall and establish Site to Site […]

  2. FortiGate 5.6 Establish Site to Site VPN with Sonicwall firewall | Old Sen Chang Tan Says |

    […] Previously wrote "Sonicwall FortiGate firewall to establish Site to Site VPN" article,At that time often encounter keep FortiGate devices do Site to Site VPN,And my hand is Sonicwall,The results are sometimes successful implementation sometimes fails,Later, there are times altogether spent some time,The two brands are set to be a way to organize,To facilitate subsequent reference。At that time testing and finishing News,Have found a slightly different FortiGate firmware,Quite the same way will be set,To trouble,Later, he gave the two methods can be successfully established connection”Tunnel”Give”Interface”Are recorded,So that the next encounter revision,You can try different methods。 […]

Leave a Comment

Please note: Comment moderation is enabled and may delay your comment. There is no need to resubmit your comment.