97 Site2Site Custom VPN Lab

Uploaded by eshensanjula2002

Site to Site Custom VPN Lab:

FW1 IP Schema
Outside Layer 3 Interface (Port1): 192.168.1.1/24
Local Subnet: 10.0.1.0/24
Remote Subnet: 10.0.6.0/24
Inside Layer 3 Interface: 10.0.1.254/24
Management IP Address: 192.168.100.200/24
PC1 IP Address: 10.0.1.1/24
Attacker IP Address: 10.0.1.10/24

FW2 IP Schema (this firewall is referred to as FW4 in the configuration steps below)
Outside Layer 3 Interface (Port1): 192.168.3.111/24
Local Network: 10.0.6.0/24
Remote Network: 10.0.1.0/24
Inside Layer 3 Interface: 10.0.6.254/24
Management IP Address: 192.168.100.240/24
Remote-PC1 IP Address: 10.0.6.1/24
Remote-PC2 IP Address: 10.0.6.2/24

1 | P a g e Created by Ahmad Ali E-Mail: ahmadalimsc@gmail.com , WhatsApp: 00966564303717


FW1 Configuration:
Test Before VPN:
First find out the IP address of PC1 and try to ping an IP address on the other side (the FW4 network). Because there is no route to that network yet, it is not reachable and the ping fails.

VPN Setup:
To create the IPsec VPN tunnel, connect to FW1, go to VPN > IPsec Wizard and create a new tunnel. In the VPN Setup step, set Template Type to Custom and click Next.



For Remote Gateway, select Static IP Address. Set IP Address to the public IP address of the FW4 FortiGate, in my case 192.168.3.11. Assign an interface as the Outgoing Interface. Enable Local Gateway and click Primary IP; the WAN interface IP is filled in automatically. Disable NAT Traversal and leave Dead Peer Detection at its default, On Demand.

Now, in the Authentication section, for Method select Pre-shared Key and enter the pre-shared key. Set IKE Version to 1 and choose the Phase 1 Encryption and Authentication methods.



Set the Local Address subnet and the Remote Address subnet, and choose the Phase 2 Encryption and Authentication methods. Click OK to apply the settings.

Create Static Route:

Navigate to Network > Static Routes. Set the Destination to the FW4 network 10.0.6.0/24 and set the Interface to the VPN tunnel interface. Click OK to save the settings.



Create Policy:
Go to Policy & Objects > Firewall Policy and click Create New. Enter a policy Name. For Incoming Interface, select LAN(port3). For Outgoing Interface, select the VPN interface FW1-to-FW4. Select the Source, Destination, Schedule and Service, and set Action to ACCEPT. Click OK.

Go to Policy & Objects > Firewall Policy and click Create New. Enter a policy Name. For Incoming Interface, select the VPN interface FW1-to-FW4. For Outgoing Interface, select LAN(port3). Select the Source, Destination, Schedule and Service, and set Action to ACCEPT. Click OK.
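The wizard steps above (Phase 1, Phase 2, the static route and the two policies) correspond to the following FortiOS CLI configuration on FW1. This is an added example, not the author's exported configuration. The tunnel name FW1-to-FW4, port1 as the outside interface, port3 as the LAN interface and the remote gateway 192.168.3.11 are taken from the lab text; the proposals (aes256-sha256, DH group 14), the Phase 2 name, the address object names and the pre-shared key placeholder are assumptions, because the lab does not state which algorithms were chosen. FW4 is the mirror image (remote gateway 192.168.1.1, local subnet 10.0.6.0/24, remote subnet 10.0.1.0/24, tunnel name FW4-to-FW1). The `#` lines are annotations for the reader; the FortiOS CLI does not accept comments, so strip them before pasting.

```text
# --- FW1: Phase 1 (IKEv1, static remote gateway, pre-shared key) ---
config vpn ipsec phase1-interface
    edit "FW1-to-FW4"
        set interface "port1"              # outgoing (outside) interface
        set ike-version 1
        set remote-gw 192.168.3.11         # FW4 public IP from the wizard step
        set local-gw 192.168.1.1           # primary IP of port1 (Local Gateway)
        set nattraversal disable
        set dpd on-demand
        set proposal aes256-sha256         # assumed Phase 1 algorithms
        set dhgrp 14                       # assumed DH group
        set psksecret "REPLACE-WITH-LONG-RANDOM-PSK"   # placeholder, not the lab's key
    next
end

# --- FW1: Phase 2 selectors (local 10.0.1.0/24 <-> remote 10.0.6.0/24) ---
config vpn ipsec phase2-interface
    edit "FW1-to-FW4-p2"                   # assumed Phase 2 name
        set phase1name "FW1-to-FW4"
        set proposal aes256-sha256         # assumed Phase 2 algorithms
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable          # bring the tunnel up without waiting for traffic
        set src-subnet 10.0.1.0 255.255.255.0
        set dst-subnet 10.0.6.0 255.255.255.0
    next
end

# --- FW1: static route for the remote network via the tunnel interface ---
config router static
    edit 0
        set dst 10.0.6.0 255.255.255.0
        set device "FW1-to-FW4"
    next
end

# --- FW1: address objects so the policies match only the two lab subnets ---
config firewall address
    edit "LAN-10.0.1.0"
        set subnet 10.0.1.0 255.255.255.0
    next
    edit "REMOTE-10.0.6.0"
        set subnet 10.0.6.0 255.255.255.0
    next
end

# --- FW1: policies in both directions (LAN -> tunnel, tunnel -> LAN) ---
config firewall policy
    edit 0
        set name "LAN-to-FW4"
        set srcintf "port3"
        set dstintf "FW1-to-FW4"
        set srcaddr "LAN-10.0.1.0"
        set dstaddr "REMOTE-10.0.6.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "FW4-to-LAN"
        set srcintf "FW1-to-FW4"
        set dstintf "port3"
        set srcaddr "REMOTE-10.0.6.0"
        set dstaddr "LAN-10.0.1.0"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two design points worth noting. The policies use explicit address objects for the two lab subnets rather than "all", so only traffic between 10.0.1.0/24 and 10.0.6.0/24 is accepted through the tunnel interface; anything else arriving over the tunnel is dropped by the implicit deny. `set logtraffic all` on both policies makes the forward log show each session that crossed the tunnel, which is the quickest way to confirm that the verification pings later in the lab actually matched the intended policy rather than some broader rule.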



FW4 Configuration:
VPN Setup:
To create the IPsec VPN tunnel, connect to FW4, go to VPN > IPsec Wizard and create a new tunnel. In the VPN Setup step, set Template Type to Custom and click Next.

For Remote Gateway, select Static IP Address. Set IP Address to the public IP address of the FW1 FortiGate, in my case 192.168.1.1. Assign an interface as the Outgoing Interface. Enable Local Gateway and click Primary IP; the WAN interface IP is filled in automatically. Disable NAT Traversal and leave Dead Peer Detection at its default, On Demand.



Now, in the Authentication section, for Method select Pre-shared Key and enter the same pre-shared key as on FW1. Set IKE Version to 1 and choose the Phase 1 Encryption and Authentication methods.

Set the Local Address subnet and the Remote Address subnet, and choose the Phase 2 Encryption and Authentication methods. Click OK to apply the settings.



Create Policy:
Go to Policy & Objects > Firewall Policy and click Create New. Enter a policy Name. For Incoming Interface, select AG to SW(AG-1). For Outgoing Interface, select the VPN interface FW4-to-FW1. Select the Source, Destination, Schedule and Service, and set Action to ACCEPT. Click OK.

Go to Policy & Objects > Firewall Policy and click Create New. Enter a policy Name. For Incoming Interface, select the VPN interface FW4-to-FW1. For Outgoing Interface, select AG to SW(AG-1). Select the Source, Destination, Schedule and Service, and set Action to ACCEPT. Click OK.



Create Static Route:
Navigate to Network > Static Routes. Set the Destination to the FW1 network 10.0.1.0/24 and set the Interface to the VPN tunnel interface. Click OK to save the settings.

Verification:
Try to ping from PC1 (behind FW1) to Remote-PC2 (behind FW4); it works once the VPN is established.

Try to ping from Remote-PC2 (behind FW4) to PC1 (behind FW1); it works once the VPN is established.



Go to Dashboard > Network > IPsec and check the tunnel status on the FortiGate firewall.

Capture the packets on the outside link with Wireshark: no ICMP traffic is visible, only ESP encrypted packets.
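The same checks can be done from the FortiGate CLI without an external capture host. The commands below are an added example, not part of the original lab; they assume FW1's tunnel is named FW1-to-FW4, its outside interface is port1 with inside address 10.0.1.254, and the FW4 gateway is 192.168.3.11, all taken from the lab text. As in the previous block, the `#` lines are annotations to strip before pasting.

```text
# Tunnel status (the CLI view of Dashboard > Network > IPsec)
get vpn ipsec tunnel summary
diagnose vpn ike gateway list        # Phase 1 SA state per peer
diagnose vpn tunnel list             # Phase 2 SAs, selectors and packet counters

# Generate the test traffic from FW1's inside interface towards Remote-PC2
execute ping-options source 10.0.1.254
execute ping 10.0.6.2

# Sniff the outside interface: with the tunnel up, only ESP (IP protocol 50)
# and IKE (UDP/500) appear between the two gateways, never cleartext ICMP
diagnose sniffer packet port1 'host 192.168.3.11' 4 10

# Counter-check: this filter returns nothing while the pings are running,
# which confirms no cleartext ICMP for the lab subnets leaves port1
diagnose sniffer packet port1 'icmp and host 192.168.3.11' 4 10

# If the tunnel does not come up, watch the IKE negotiation (Ctrl-C to stop)
diagnose debug application ike -1
diagnose debug enable
```

The sniffer output is the on-box equivalent of the Wireshark observation above: the `host 192.168.3.11` filter shows ESP between 192.168.1.1 and 192.168.3.11, while the `icmp and host 192.168.3.11` filter stays empty because the echo requests from PC1 are encapsulated before they reach port1. Verbosity level 4 prints the interface name with each header, so it is easy to tell port1 traffic from traffic on the tunnel interface. Remember to run `diagnose debug disable` after troubleshooting, since IKE debugging at level -1 is verbose and stays on until turned off.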

