Firewall Sonicwall FortiGate membuat Situs ke Situs VPN

  三年前曾試過為Sonicwall NSA 2400與FortiGate 110C建立Site to Site VPN不過失敗了後來測試Juniper 5GT與Sonicwall倒是成功最近又有需求要與一台FortiGate 110C建VPN雖然手上已經有另一台FortiGate 110C照理說直接用同型號來建會省事很多但我還是想再試一次用Sonicwall來建看看能不能找出當初失敗的原因來回測試一整天總算搞定


雙方環境如下

Sonicwall NSA 4600 FortiGate 110C
Lan:
192.168.1.0/24
192.168.2.0/24

Wan:
203.1.2.3

Lan:
192.168.100.0/24
 

Wan:
203.4.5.6

【Sonicwall設定】
1.建Object
「Network」->「Address Objects」
Nama: FortiGate_network
Zone Assignment: VPN
Jenis: Jaringan
Jaringan: 192.168.100.0
Netmask: 255.255.255.0
OK

2.設定VPN Tunnel
「VPN」
Enable VPN
Tambahkan
General tab
IPSec Keying Mode: IKE using Preshared Secret.
Nama: FortiGate_network
IPSec primary Gateway Name or Address: 203.4.5.6
Shared Secret: 設一組密碼
Local IKE ID: IP Address (保留空白)
Peer IKE ID: IP Address (保留空白)

Network tab
Local NetworkLAN Primary Subnet(192.168.1.0/24、192.168.2.0/24)
Destination NetworksFortiGate_network.

Proposals tab
IKE (Phase1) Proposal
Exchange: Main Mode
DH Group: Group 2
Encryption: 3DES
Authentication: SHA1
Life Time: 28800

IKE (Phase2) Proposal
Protocol: ESP
Encryption: 3DES
Authentication: SHA1
DH Group: Group 2
Life Time: 28800

Advanced tab
Enable Keep Alive.
OK

接著設定FortiGate有Tunnel及Interface兩種方式二擇一設定即可。(官方教學是Tunnel模式)

【FortiGate設定—1.Tunnel模式】
1.設定VPN
「VPN」->「IPSec」->「Auto Key(IKE)」->「Phase 1」
「Create Phase 1」
Gateway Name: SonicWall
Remote Gateway: Static IP
IP Address: 203.1.2.3
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: 同上面Sonicwall設定的密碼

Advanced
Encryption: 3DES
Authentication: SHA1
DH Group: 2
Keylife: 28800
保留其他設定的預設值
OK

「VPN」->「IPSec」->「Auto Key(IKE)」->「Phase 2」
「Create Phase 2」
Tunnel Name: SonicWall-192.168.1.0
Remote Gateway: 選SonicWall
Advanced
Encryption: 3DES
Authentication: SHA1
不勾選「Enable perfect forward secrecy(PFS)"
(如果勾選就算Sonicwall也勾選仍可能造成VPN無法建立,alasan yang tidak diketahui,Interface模式則沒有此問題)

Keylife: 28800
Quick Mode Selector..
Source address:192.168.100.0/24
Destination address:192.168.1.0/24
OK
**這邊Quick Mode一定要設才能與SonicWall建立連線不然FortiGate會出現no matching gateway for new request”Kesalahan。

設定第二個網段(192.168.2.0)
「Create Phase 2」
Tunnel Name: SonicWall-192.168.2.0
Remote Gateway: 選SonicWall
Advanced
Encryption: 3DES
Authentication: SHA1
不勾選「Enable perfect forward secrecy(PFS)"
Keylife: 28800
Quick Mode Selector..
Source address:192.168.100.0/24
Destination address:192.168.2.0/24
OK

2.建立Address
「Firewall」->「Address」->「Address」
Create New
name:FortiGate_network
IP address:192.168.100.0
subnet:255.255.255.0
OK

Create New
name:SonicWall_network_1
IP address:192.168.1.0
subnet::255.255.255.0
OK

Create New
name:SonicWall_network_2
IP address:192.168.2.0
subnet::255.255.255.0
OK

把Sonicwall兩個網段設為一個群組
「Firewall」->「Address」->「Group」
Create New
Group Name:SonicWall_network
Members:SonicWall_network_1SonicWall_network_2
OK

3.設定防火牆規則
「Firewall」->「Policy」->「Policy」
Create New
Source Interface: Port 1(or Internal)
Source Address: FortiGate_network
Destination Interface: WAN1 (or External)
Destination Address: SonicWall_network
Schedule: always
Layanan: ANY
Action: IPSEC (or Encrypt)
VPN Tunnel: SonicWall
勾 Allow inbound
勾 Allow outbound
OK

【FortiGate設定—2.Interface模式】
1.設定VPN
「VPN」->「IPSec」->「Auto Key(IKE)」->「Phase 1」
「Create Phase 1」
Gateway Name: SonicWall
Remote Gateway: Static IP
IP Address: 203.1.2.3
Mode: Main
Authentication Method: Preshared Key
Pre-shared Key: 同上面Sonicwall設定的密碼

Advanced
勾「Enable IPsec Interface Mode」
Encryption: 3DES
Authentication: SHA1
DH Group: 2
Keylife: 28800
保留其他設定的預設值
OK

「VPN」->「IPSec」->「Auto Key(IKE)」->「Phase 2」
「Create Phase 2」
Tunnel Name: SonicWall-192.168.1.0
Remote Gateway: SonicWall

Advanced
Encryption: 3DES
Authentication: SHA1
不勾選Enable perfect forward secrecy(PFS)
Keylife: 28800

Quick Mode Selector..
Source address:192.168.100.0/24
Destination address:192.168.1.0/24
OK
**這邊Quick Mode一定要設才能與SonicWall建立連線不然FortiGate會出現no matching gateway for new request”Kesalahan。

設定第二個網段(192.168.2.0)
「Create Phase 2」
Tunnel Name: SonicWall-192.168.2.0
Remote Gateway: SonicWall

Advanced
Encryption: 3DES
Authentication: SHA1
不勾選Enable perfect forward secrecy(PFS)
Keylife: 28800
Quick Mode Selector..
Source address:192.168.100.0/24
Destination address:192.168.2.0/24
OK

2.建立路由
「Router」->「Static」->「Static Route」
Create New
Destination IP/Mask: 192.168.1.0/24
Device: SonicWall
OK

Create New
Destination IP/Mask: 192.168.2.0/24
Device: SonicWall
OK

3.設定防火牆規則
「Firewall」->「Policy」->「Policy」
Create New
Source Interface: Port 1(or Internal)
Source Address: FortiGate_network
Destination Interface: SonicWall
Destination Address: SonicWall_network
Schedule: always
Layanan: ANY
Action: Accept
OK

Create New
Source Interface: SonicWall
Source Address: SonicWall_network
Destination Interface: Port 1(or Internal)
Destination Address: FortiGate_network
Schedule: always
Layanan: ANY
Action: Accept
OK

[Tautan referensi]

2 Tanggapan

  1. FortiGate 5.6 Buat Situs ke Situs VPN dengan firewall Sonicwall | Lama Sen Chang Tan Says |

    […]   先前寫過一篇「Sonicwall FortiGate 防火牆建立 Site to Site VPN」的文章當時常常遇到要跟 FortiGate 的設備做Site to Site VPN而我手上的是 Sonicwall實作的結果有時成功有時失敗後來有次乾脆花了些時間把兩個品牌的設定方式做個整理以方便後續參考當時在測試及整理資訊時就有發現 FortiGate 韌體稍微不同設定的方式就會不太一樣頗為困擾後來便把可以成功建立連線的兩種方式Tunnel”Memberikan”Interface都記錄下來以便下次遇到改版時可以試試不同的方法。 […]

  2. FortiGate 6.0 Buat Situs ke Situs VPN dengan firewall Sonicwall | Lama Sen Chang Tan Says |

    […] FortiGate 4.X 與 Sonicwall 防火牆建立 Site to Site VPN連結 FortiGate 5.6 與 Sonicwall 防火牆建立 Site to Site […]

Tinggalkan Komentar

Harap dicatat: Moderasi komentar diaktifkan dan dapat menunda komentar Anda. Tidak perlu mengirimkan kembali komentar Anda.