
IPSec site-to-site configuration guide with Fortigate

1.1 Go to the Networks section and create a new network.

1.2 Define the network name.

1.3 Select the region and the number of gateways.

1.4 Choose the subnet.

1.5 The "Activate gateways for all users" option is enabled by default. If you want to disable it, just clear the checkbox.

2.1 Go to the Networks section and click on the subnet that you created in Step 1.

2.2 Click on Gateway and add a Tunnel. Choose IPSec Site-to-Site Tunnel and click Continue.

2.3 Choose between a Single-Tunnel and Dual-Tunnel.

2.4 General Settings Values

  • Name

  • Public IP

  • Vipilink Side Subnets

  • Pre-Shared Key

  • Remote ID

  • Remote Side Subnets

2.5 Advanced Settings Values

  • Ike Version

  • Tunnel Lifetime

  • Encryption (Phase 1)

  • Integrity (Phase 1)

  • Diffie-Hellman Groups (Phase 1)

  • Ike Lifetime

  • Dead Peer Detection Delay

  • Dead Peer Detection Timeout

  • Encryption (Phase 2)

  • Integrity (Phase 2)

  • Diffie-Hellman Groups (Phase 2)

2.6 From the same page you can also manage the Network, Regions, Access, Firewall Rules and Routes Table, and enable Split Tunneling and Private DNS.

3. Create the IPsec tunnel on Fortigate.

3.1 Log in to the Fortigate web interface, navigate to VPN / IPsec Tunnels, and create a new IPsec tunnel.

3.2 VPN Setup Values

  • Remote Gateway - static IP

  • IP Address - remote peer IP

  • Interface - WAN

  • Local Gateway - disable

  • NAT Traversal - enable

  • Keepalive Frequency - same parameter as on the far end

  • Dead Peer Detection - On Demand

  • DPD Retry count - 3

  • DPD Retry interval - 10

3.3 Authentication Values

  • Method - Pre-Shared Key

  • Pre-Shared Key - key value

3.4 IKE Values

  • Version - 2

3.5 Phase 1 Proposal Values

  • Encryption - AES256

  • Authentication - SHA256

  • Diffie-Hellman Group - 14

  • Key Lifetime (Seconds) - 28800

  • Local ID - leave empty

3.6 Create a new Phase 2 tunnel. The values are:

  • Name - specify the name of the tunnel

  • Comments - Leave a comment

  • Local Address - Local Subnet

  • Remote Address - Remote Subnet

3.7 Phase 2 Proposal Values

  • Encryption - AES256

  • Authentication - SHA256

  • Diffie-Hellman Group - 14

  • Key Lifetime - 3600

4. Create a new policy.

4.1 Go to Policy & Objects / Firewall Policy and add a new policy. The values are:

  • Name - give a name to policy

  • Incoming Interface - LAN

  • Outgoing Interface - the tunnel interface that was added when the IPsec tunnel was created in Step 3

  • Source - local subnet

  • Destination - remote subnet

  • Action - ACCEPT

  • NAT - disable

  • Policy - enabled

5. Add a new static route.

5.1 Go to Network / Static Routes and add a new route. The values are:

  • Destination - remote subnet

  • Interface - the tunnel interface that was added when the IPsec tunnel was created in Step 3

  • Administrative Distance - 10

  • Status - Enabled