IPSec VPN between eSoft InstaGate and Fortinet Fortigate

Overview

The Fortinet Fortigate is a firewall and UTM appliance with VPN capability, used in business offices large and small. This guide's aim is to help the eSoft InstaGate administrator create a Remote Office (IPSec) VPN tunnel to this device.

Several parameters use different nomenclature to describe the settings used for configuring a VPN, and this document will try to clarify those differences to guide you to a working configuration.

These settings were tested and created on Fortigate version 4.0 build 5272,100625(MR1). Other versions of Fortigate may require a different configuration to connect to InstaGate.

 

InstaGate Configuration

Configuration on the Multi-function Firewall is fairly simple and uses the default IPSec and IKE parameters. You only need to define your Shared Secret, the Remote Gateway, and the Remote Network addresses or subnet ranges.

1. To begin, log into your InstaGate's administrator interface, and browse to Firewall > Remote Office VPNs.

2. Click the Add button to create a new tunnel. Assign an appropriate Name, choose your tunnel type (Local Network to Remote Network by default), and ensure Key Management is set to Automatic (Shared Secret).


3. The Local Network should be populated with your LAN data by default. Modify this if you need to restrict access to a particular subnet or host on your LAN; otherwise leave the default.

4. The Remote Gateway IP Address will be the Public (WAN) IP address of the Fortinet Fortigate device. The Remote Network will be the LAN network or host behind the Fortinet device to which you wish to connect.

5. Supply a Shared Secret. This value must be identical on both devices; it is the 'password' that allows IPSec VPN to verify the authenticity of the remote device.


6. Click the IKE button.

7. Set the Key Refresh to 8 hours. All other settings should be left at defaults.

 

8. Click Apply.

9. Click the IPSec button.

10. Set the Key refresh to 8 hours and PFS to Disabled. Proposal should stay at High Security.


11. Click Apply.

12. Finally, click Apply to finish setting up the tunnel.

 

Fortigate Configuration

The Fortinet device follows the same IPSec VPN conventions used by eSoft devices; however, the default settings differ slightly.

1. Browse to the VPN menu and select IPSec VPN to begin creating a new connection.


2. Click the Create Phase 1 button.


 

3. Phase 1 corresponds with IKE settings on your eSoft device. Please change the parameters to match your InstaGate's default configuration:

  • Name - Unique name for the tunnel
  • Remote Gateway - Static IP Address
  • IP Address - Public (WAN) IP address of the InstaGate device
  • Local Interface - Depending on your configuration, wan1 or wan2
  • Mode - Main
  • Authentication Method - Preshared Key
  • Pre-shared Key - same 'password' that was entered on the InstaGate


4. Click the Advanced button.

5. Please change the parameters to match your InstaGate's default configuration:

  • Enable IPSec Interface Mode - Disabled
  • Local Gateway IP - Main Interface IP
  • Encryption - 3DES
  • Authentication - SHA1
  • DH Group - 2
  • Keylife - 86400
  • XAUTH - Disable
  • NAT Traversal - Disable
  • Keepalive Frequency - 10
  • Dead Peer Detection - Enable


6. Click OK.

7. Click the Create Phase 2 button.


8. Phase 2 corresponds with IPSec settings on your eSoft device. Please change the parameters to match your InstaGate's default configuration:

  • Name - Unique name for the tunnel
  • Phase 1 - Select the Phase 1 we just created


9. Click the Advanced button.

10. Please change the parameters to match your InstaGate's default configuration:

  • Encryption - 3DES
  • Authentication - SHA1
  • Enable replay detection - Disabled
  • Enable perfect forward secrecy(PFS) - Disabled
  • Keylife - 3600 seconds
  • Autokey Keep Alive - Disabled
  • Quick Mode Selector - Leave all fields at 0


11. Click OK.

12. From the menu on the left, click Firewall, then Address.

13. Click the Create New button.


14. Enter the following information:

  • Address Name - Name to denote remote network for the VPN tunnel
  • Type - Subnet / IP Range
  • Subnet / IP Range - InstaGate unit's LAN IP Range
  • Interface - Any


15. Click OK.

16. Click the Create New button.


17. Enter the following information:

  • Address Name - Name to denote local network for the VPN tunnel
  • Type - Subnet / IP Range
  • Subnet / IP Range - Fortigate LAN IP Range
  • Interface - Any


18. Click OK.

19. From the menu on the left, click Firewall, then Policy.

20. Click the Create New button.


21. Enter the following information:

  • Source Interface/Zone - internal
  • Source Address - Select the Address you created for the Fortigate LAN
  • Destination Interface/Zone - wan1 or wan2
  • Destination Address - Select the Address you created for the InstaGate LAN
  • Schedule - always
  • Service - Any
  • Action - IPSec
  • VPN Tunnel - Select the VPN tunnel you created
  • Allow Inbound - Enabled
  • Allow Outbound - Enabled
  • All other options - Disabled


22. Click OK.

23. If more than one firewall policy exists, make sure your new policy is at the top of the list to eliminate conflicts.
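
Added example (not part of the original guide or of either vendor's tooling): because the two devices name the same settings differently, this Python example parses a settings list for each side in the guide's "Label - Value" style, maps both nomenclatures to common names, and reports proposal values that do not match. Key lifetimes are reported separately rather than as mismatches, since the guide itself sets 8 hours on the InstaGate and 86400/3600 seconds on the Fortigate. The bracketed section headings, the InstaGate labels for encryption, authentication and DH group, and the Fortigate values "DH Group - 5" and PFS "Enabled" are constructed for illustration.

```python
import re

# Each device's wording for the same setting, mapped to one common name.
PHASES = {"ike": "phase1", "phase 1": "phase1", "ipsec": "phase2", "phase 2": "phase2"}
LABELS = {"key refresh": "lifetime", "keylife": "lifetime", "pfs": "pfs",
          "enable perfect forward secrecy(pfs)": "pfs", "encryption": "encryption",
          "authentication": "authentication", "dh group": "dh_group"}
MUST_MATCH = {"encryption", "authentication", "dh_group", "pfs"}

def normalize(param, value):
    v = value.strip().lower()
    if param == "lifetime":  # accepts "8 hours", "86400", "3600 seconds"
        n, unit = re.fullmatch(r"(\d+)\s*(hours?|seconds?)?", v).groups()
        return int(n) * (3600 if unit and unit.startswith("hour") else 1)
    if param == "pfs":  # Enabled/Enable -> True, Disabled/Disable -> False
        return v.startswith("enable")
    return v

def parse(text):
    """Read '[Section]' headings and 'Label - Value' lines into {(phase, param): value}."""
    out, phase = {}, None
    for line in text.splitlines():
        line = line.strip(" \t•")
        if line.startswith("[") and line.endswith("]"):
            phase = PHASES.get(line[1:-1].lower())
        elif phase and " - " in line:
            label, value = line.split(" - ", 1)
            param = LABELS.get(label.strip().lower())
            if param:
                out[(phase, param)] = normalize(param, value)
    return out

def compare(instagate, fortigate):
    """Return (mismatches, lifetime_differences) for settings listed on both sides."""
    a, b = parse(instagate), parse(fortigate)
    errors, notes = [], []
    for key in sorted(a.keys() & b.keys()):
        if a[key] != b[key]:
            (errors if key[1] in MUST_MATCH else notes).append((key, a[key], b[key]))
    return errors, notes

# Constructed samples (InstaGate crypto labels assumed); FORTIGATE has DH Group and PFS unmatched.
INSTAGATE = ("[IKE]\nKey Refresh - 8 hours\nEncryption - 3DES\nAuthentication - SHA1\n"
             "DH Group - 2\n[IPSec]\nKey refresh - 8 hours\nPFS - Disabled\n")
FORTIGATE = ("[Phase 1]\nEncryption - 3DES\nAuthentication - SHA1\nDH Group - 5\nKeylife - 86400\n"
             "[Phase 2]\nEnable perfect forward secrecy(PFS) - Enabled\nKeylife - 3600 seconds\n")

if __name__ == "__main__":
    print(compare(INSTAGATE, FORTIGATE))
```

With the Fortigate values set as in steps 5 and 10 (DH Group 2, PFS Disabled), the mismatch list is empty and only the two lifetime differences remain.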

 

Troubleshooting

Often, to force the negotiation of the VPN tunnel, it is necessary to send traffic through the tunnel. The simplest way to do this is to ping from your local network to a device on the remote network.

Diagnosing and troubleshooting IPSec VPN connections can be fairly complex. If you cannot establish a VPN tunnel between these devices and you've followed the configuration outlined above, please contact technical support, or get more help at http://support.esoft.com

© 2012 eSoft. All rights reserved.