IPSec VPN with Fortinet VPN gateways

RansNet SD-WAN solutions can establish IPSec VPN tunnels with 3rd-party products using standard IPSec protocols. This interoperability is essential to complement customers’ legacy setup and/or enable business operations with multi-vendor networks. This document details how to set up VPN tunnels between RansNet and Fortinet devices.

In many cases, the VPN topology is hub-and-spoke, and remote sites are connected to the Internet with dynamic IP addresses or 4G/5G, so only the hub site (Fortinet) needs a static IP address. In this example, we use a Fortigate gateway as the VPN hub, and remote branches use RansNet SD-Branch (HSA/UA/CMG) routers. The same concept works for other brands of VPN gateways which may slightly differ in GUI/CLI settings only.

It’s important to note that all RansNet SD-WAN/SD-Branch routers also have firewall and VPN gateway capabilities. Each RansNet appliance can function as either VPN gateway or branch router. We will have a separate document to explain how to setup RansNet as the VPN Gateway and other brands as remote branch.

Configuration on Fortinet VPN gateway

Other parts of Fortinet settings are omitted here. Below steps show the required VPN and firewall settings on the Fortinet gateway to establish VPN tunnels with RansNet branch routers.

Step 1 – Create a custom tunnel, e.g. named “VPN_FN_TO_RN1”.


Step 2 – Configure VPN network settings.

NOTE

– Select “Dialup User” for Remote Gateway, so that the branch routers can use dynamic IP addresses.
– Enable “NAT Traversal” if the Fortinet is behind another firewall that performs NAT.
– Most other parameters can be left at their default values.


Step 3 – Configure peer authentication (pre-shared key) and accept “Any peer ID”.


Step 4 – Configure Phase 1 (IKE) proposal.

NOTE

– If the Fortinet is behind a firewall (with NAT), then the “Local ID” must be configured, because the branch routers will not see the Fortinet’s own IP address as the peer identity.


Step 5 – Configure Phase 2 (IPSec) Selectors.

NOTE

– Add multiple Selectors here, one for each branch router.


Step 6 – Configure firewall rules to permit access and disable NAT for VPN tunnel traffic.

Overview of the firewall rules:


Detailed firewall rule configuration:


Configuration for RansNet Branch Routers

The branch routers can be connected over 4G/5G or broadband connections with static/dynamic IP addresses. In typical deployment scenarios, there’ll be many remote branch routers, and managing individual router configurations can be a challenge. Fortunately, we can still use the RansNet SD-WAN orchestrator (mfusion) to centrally provision and manage configurations for all routers, despite the hub being a 3rd-party VPN router.

In this case, we will provision a dummy gateway on mfusion, create an IPSec VPN instance on it that mirrors the Fortinet VPN settings, and assign all branch routers to that gateway VPN instance, as we would do for SD-WAN provisioning. All routers’ VPN configurations are then centrally generated and pushed with just a few clicks.

Step 1 – Provision all branch routers and a dummy VPN gateway to mfusion. Refer to Provision Hosts for a detailed guide. The branch routers should be online after this step; users can view their status by navigating to the ‘ORCHESTRATOR > Monitoring > Hosts‘ menu.

Image: Ransnet provision host config
Image: 3rd Party VPN Gateway config


Step 2 – import hosts to mfusion orchestrator.

Users can import the dummy “Fortinet_VPN_gateway” host via the “Orchestrator > Gateway” menu, selecting the ‘Empty‘ template from the topology templates. Its status will show as “DOWN”; this can be ignored.

Import the branch routers via the “Orchestrator > SD-Branch” menu, selecting the ‘Default‘ template from the topology templates (or copy the configuration from existing hosts if you already have configured ones).


Step 3 – On the dummy VPN gateway, create an IPSec VPN instance to emulate Fortinet VPN settings.

NOTE

– “Gateway IP” is the publicly accessible IP address of the Fortinet VPN gateway.
– The “Gateway ID” must match the “Local ID” configured in Step 4 on the Fortinet side (required if the gateway IP is NATed).
– The pre-shared key and the Phase 1 and Phase 2 security policies must match those configured on the Fortinet.
– “Gateway Network” is the Fortinet “Local Address”.


Step 4 – Assign all branch routers to the VPN instance and configure branch (remote) network for each router.

NOTE

– If you have multiple branch routers, assign them all to the same VPN instance and change the branch network setting for each router.
– On the Fortinet side, make sure to create a respective “Phase 2 Selector” for each remote branch, with the correct “Local Address” (Gateway Network) and “Remote Address” (Branch Network) settings.


Step 5 – Click the “Apply Config” button and all the required settings will be pushed to the branch routers. All branch routers will automatically initiate VPN tunnels to the Fortinet gateway.

NOTE

The config push to the dummy VPN gateway will fail, but this can be safely ignored.

Step 6 – Configure firewall access rules to permit VPN traffic across the tunnel (users can configure a firewall template and apply it to all branch routers). Make sure the firewall rules permit two-way communication. NAT is automatically disabled for VPN tunnel networks, so no special configuration is required.


Snippet of the CLI config pushed to a RansNet branch router

!
firewall-access 200 permit all ip src 192.168.0.0/16 dst 192.168.0.0/16
!
ipsec ike-policy 2
 authentication psk
 policy AES-256 SHA-256 5
!
ipsec esp-policy 2
 policy AES-256 SHA-256 5
!
ipsec peer 49.128.58.71
 local-id 1c-40-e8-17-9f-ca
 local-net 192.168.98.1/24
 remote-id fortinet1
 remote-net 192.168.1.0/24
 policy ike 2 esp 2
 psk Letmein99
!
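The parameter-matching rules from the mfusion Step 3 and Step 4 notes, turned into a small checker as an added example (not RansNet or Fortinet code): it parses the CLI snippet above, compares it with the hub-side values entered in Fortinet Steps 2-5, and names proposals that still use a DH group below group 14. The FORTINET_HUB dict is a constructed, hypothetical representation of those GUI fields, and the third token of each `policy` line is assumed to be the DH group.

```python
import ipaddress
# Constructed sample: the ipsec portion of the CLI snip the page shows being pushed to a branch router.
BRANCH_CLI = """\
ipsec ike-policy 2
 policy AES-256 SHA-256 5
ipsec esp-policy 2
 policy AES-256 SHA-256 5
ipsec peer 49.128.58.71
 local-id 1c-40-e8-17-9f-ca
 local-net 192.168.98.1/24
 remote-id fortinet1
 remote-net 192.168.1.0/24
 policy ike 2 esp 2
 psk Letmein99
"""
# Constructed (hypothetical dict): the values entered on the Fortinet hub in Steps 2-5.
FORTINET_HUB = {"public_ip": "49.128.58.71", "local_id": "fortinet1", "psk": "Letmein99",
                "phase1": ("AES-256", "SHA-256", 5), "phase2": ("AES-256", "SHA-256", 5),
                "selectors": {("192.168.1.0/24", "192.168.98.0/24")}}  # (Local, Remote Address)

def parse_branch_cli(text):
    """Split the snip into 'ike', 'esp' and 'peer' blocks of key/value pairs."""
    cfg, block = {}, None
    for line in text.splitlines():
        words = line.split()
        if not words or line.startswith("!"): continue
        if not line.startswith(" "):                    # block header, e.g. "ipsec peer <ip>"
            block = cfg.setdefault(words[1].split("-")[0], {"header": words[2]}) if words[0] == "ipsec" else None
        elif block is not None and words[0] == "policy" and len(words) == 4:
            block["proposal"] = (words[1], words[2], int(words[3]))  # assumed order: cipher, hash, DH group
        elif block is not None:
            block[words[0]] = " ".join(words[1:])       # e.g. "psk ...", "policy ike 2 esp 2"
    return cfg

def check_against_hub(cfg, hub):
    """Return mismatches that would keep the tunnel from coming up (empty list = consistent)."""
    peer = cfg["peer"]
    checks = [(peer.get("header") == hub["public_ip"], "peer address differs from Fortinet public IP"),
              (peer.get("remote-id") == hub["local_id"], "remote-id differs from Fortinet Local ID"),
              (peer.get("psk") == hub["psk"], "pre-shared key differs"),
              (cfg["ike"].get("proposal") == hub["phase1"], "Phase 1 (IKE) proposal differs"),
              (cfg["esp"].get("proposal") == hub["phase2"], "Phase 2 (IPSec) proposal differs")]
    problems = [msg for ok, msg in checks if not ok]
    branch = str(ipaddress.ip_interface(peer["local-net"]).network)  # local-net is an interface address
    if (peer["remote-net"], branch) not in hub["selectors"]:
        problems.append(f"no Phase 2 selector with Local {peer['remote-net']} and Remote {branch}")
    return problems

def weak_dh_groups(cfg, minimum=14):  # DH group 5 (1536-bit MODP) is below current guidance
    return [name for name in ("ike", "esp") if cfg[name]["proposal"][2] < minimum]
```

Run it once per branch router before clicking “Apply Config”; a non-empty result from check_against_hub points at the Fortinet field that needs correcting.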