Cohesive Networks Support Docs: VNS3 Setup for Fortigate


Page 1: Cohesive Networks Support Docs: VNS3 Setup for Fortigate

© 2016

VNS3 to Fortigate Instructions: FortiOS 5.2.2 IPsec Configuration Guide 2016

Site-to-Site IPsec Tunnel

The IPsec protocol allows you to securely connect two sites over the public internet using cryptographically secured services. IPsec ensures private and secure communication between two devices. This type of VPN has many use-cases; we will focus on the Site-to-Site (LAN-to-LAN) setup most often used with VNS3 to build hybrid clouds.

• Many network hardware devices support IPsec tunneling functionality. Check your device's data sheet to see if it is compatible with VNS3. The requirements are:

  • IKEv1 or IKEv2
  • AES256, AES128 or 3DES
  • SHA1 or MD5
  • NAT-Traversal capability (some clouds require NAT-Traversal encapsulation - AWS Generic EC2, Microsoft Azure, etc.)

A diagram of the typical secure hybrid cloud setup using VNS3 is provided on the right. The IPsec tunnel provides secure and encrypted connectivity between the office subnet (192.168.3.0/24) and the VNS3 Overlay Network (172.31.1.0/24).

This guide will provide steps to setup the Fortigate side of the IPsec configuration.

The most important thing in any IPsec configuration is to make sure all settings match on both devices that are going to connect to each other. Mismatches are the primary cause for tunnel failure or instability.

Diagram: typical secure hybrid cloud setup using VNS3

• Public Cloud - Overlay Network subnet: 172.31.1.0/24; Cloud Server overlay IP: 172.31.1.1
• VNS3 - public IP: 184.73.174.250; overlay IP: 172.31.1.250
• Customer Remote Office - remote subnet: 192.168.3.0/24; Server A LAN IP: 192.168.3.50; Server B LAN IP: 192.168.3.100
• Firewall / IPsec - Fortigate 60D
• Active IPsec tunnel - 192.168.3.0/24 - 172.31.1.0/24

Use the FortiOS IPsec VPN Wizard

Unless you are already familiar with FortiOS 5.2.2, the configuration wizard is the easiest way to configure an IPsec tunnel.

From the FortiOS menu click VPN > IPsec > Wizard.

Select Custom VPN Tunnel (No Template) and click Next.

IPsec VPN Wizard - Network/Authentication

The resulting page is a generic form for entering IPsec tunnel parameters and network definitions for the encrypted domains that will be allowed to use the tunnel.

Enter the following into the Network and Authentication sections:

• In the Name field enter a name to assign to this IPsec configuration.
• Select IPv4 for the IP Version.
• Select Static IP Address for Remote Gateway.
• Enter the VNS3 instance Public IP for the IP Address.
• Select wan for the Interface.
• Leave Mode Config unchecked.
• Check NAT-Traversal if you are using NAT-T encapsulation. If you are negotiating a native IPsec tunnel, uncheck NAT-Traversal.
• Select a Keepalive Frequency of 10 and check DPD (optional but recommended). DPD is an independent process (it does not need any matching settings on the other side of the connection) that attempts to re-connect during periods of no response from the remote endpoint.
• Select Pre-shared Key as the Authentication Method.
• Enter the pre-shared key used in the VNS3 IPsec configuration.

Continue to the next page.

IPsec VPN Wizard - IKE/Phase1

Enter the following into the IKE/Phase1 section:

• Select IKE version 1.
• Select Main Mode.
• Select the matching Phase1 settings:
  • Encryption algorithm - our example uses aes256
  • Authentication hash - our example uses sha1
  • Diffie-Hellman group - our example uses dh5
• Enter a Phase1 lifetime - VNS3 default is 3600s.

Select Disabled for XAUTH (authentication of dialup clients).

Continue to the next page.

IPsec VPN Wizard - Phase2

Enter the following into the Phase2 section:

1. In the Local Address section, enter the subnet behind the Fortigate device that will be connected to the VNS3 network:
  • Select Subnet from the first dropdown
  • Enter the subnet using netmask notation - e.g. 192.168.7.0/255.255.255.0
2. In the Remote Address section, enter the subnet behind the VNS3 device that will be connected to the Fortigate local subnet:
  • Select Subnet from the first dropdown
  • Enter the subnet using netmask notation - e.g. 172.31.200.0/255.255.255.0

Continue to the next page.

IPsec VPN Wizard - Phase 2 Advanced

Click Advanced and enter the following information:

• Remove all the Encryption lines except the one that matches the VNS3 configuration - AES256 SHA1.
• Disable Replay Detection.
• In our example we use Perfect Forward Secrecy on DH 5. You can enable or disable it per your use-case; just make sure that VNS3 and the Fortigate have matching settings.
• Local Port is the port number that the local VPN peer uses to transport traffic related to the specified service (protocol number). The range is 0 to 65535. Either check the All checkbox or specify a specific port or port range.
• Remote Port is the port number that the remote VPN peer uses to transport traffic related to the specified service (protocol number). The range is 0 to 65535. Either check the All checkbox or specify a specific port or port range.
• Protocol is the IP protocol number of the service. The range is 1 to 255. Either check the All checkbox or specify a specific protocol or protocol range.
• Select the Autokey Keep Alive check box if you want the tunnel to remain active when no data is being processed. We recommend keeping this disabled to maximize interoperability.
• Enable the Auto-negotiate option if you want the tunnel to be automatically renegotiated when the tunnel expires.
• Enter a Phase2 Key Lifetime - VNS3 default is 28800s.

Click OK.

Adding Routes

Double-check that the appropriate routes are added on the Fortigate device under System > Network > Routing.

In the Static Routes section you should see a route to the VNS3 remote subnet listed, using the VNS3 IPsec device you just configured via the IPsec Tunnel Wizard.

If it is not listed, manually add the route by clicking Create New.

Enter the Remote Subnet used in the IPsec tunnel Configuration. In our example we used 172.31.200.0/255.255.255.0.

Select the IPsec tunnel as the device.

Click OK.
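A pre-flight consistency check for the settings entered across the wizard pages above (Network/Authentication, Phase1, Phase2, Phase 2 Advanced and the static route), as an added Python example; it is not Cohesive Networks or Fortinet code. The setting names and both sample configurations are constructed for the example and follow the values used in this guide; "VNS3-IPsec" is an assumed tunnel name and the pre-shared key is a placeholder. It applies the guide's rule that negotiated parameters must match on both peers while DPD and keepalive are peer-local, and it also checks that the two encryption domains mirror each other (accepting both the netmask notation the wizard uses and CIDR) and that the static route points at the tunnel device.

```python
"""Pre-flight consistency check for a FortiGate <-> VNS3 site-to-site IPsec tunnel.

Added example, not Cohesive Networks or Fortinet code. Setting names, the tunnel
name "VNS3-IPsec" and the pre-shared key are constructed placeholders; the values
follow this guide's example (IKEv1, AES256/SHA1, DH5, 3600s/28800s lifetimes,
192.168.3.0/24 <-> 172.31.1.0/24).
"""
import ipaddress
from typing import Any, Dict, List

# Negotiated parameters: these must be identical on both peers or the tunnel fails.
# DPD and keepalive are deliberately absent: the guide notes they need no counterpart.
NEGOTIATED = [
    "ike_version", "mode", "p1_encryption", "p1_hash", "p1_dhgrp", "p1_lifetime",
    "p2_encryption", "p2_hash", "pfs_dhgrp", "p2_lifetime", "nat_traversal",
]


def normalize(value: Any) -> str:
    """Fold spelling differences such as 'AES256' vs 'aes-256' so only real mismatches remain."""
    return str(value).lower().replace("-", "").replace(" ", "")


def to_network(text: str) -> ipaddress.IPv4Network:
    """Parse FortiOS netmask notation (a.b.c.d/255.255.255.0) or CIDR (a.b.c.d/24).

    strict=True rejects an address with host bits set (e.g. 192.168.3.50/24), which a
    wizard form accepts but which does not describe the intended encryption domain.
    """
    return ipaddress.ip_network(text, strict=True)


def check_pair(fortigate: Dict[str, Any], vns3: Dict[str, Any]) -> List[str]:
    """Return human-readable problems; an empty list means the two sides agree."""
    problems: List[str] = []

    for key in NEGOTIATED:
        a, b = fortigate.get(key), vns3.get(key)
        if a is None or b is None:
            problems.append(f"{key}: missing on {'FortiGate' if a is None else 'VNS3'}")
        elif normalize(a) != normalize(b):
            problems.append(f"{key}: FortiGate={a!r} VNS3={b!r}")

    # The pre-shared key is case-sensitive, so it is compared exactly, never normalized.
    if fortigate.get("psk") != vns3.get("psk"):
        problems.append("psk: pre-shared keys differ")

    try:
        fg_local, fg_remote = to_network(fortigate["local_subnet"]), to_network(fortigate["remote_subnet"])
        v_local, v_remote = to_network(vns3["local_subnet"]), to_network(vns3["remote_subnet"])
        route = fortigate.get("static_route")
        route_net = to_network(route["dst"]) if route else None
    except ValueError as exc:
        return problems + [f"subnet: {exc}"]

    # Encryption domains must mirror each other: FortiGate local == VNS3 remote and vice versa.
    if fg_local != v_remote:
        problems.append(f"subnet: FortiGate local {fg_local} != VNS3 remote {v_remote}")
    if fg_remote != v_local:
        problems.append(f"subnet: FortiGate remote {fg_remote} != VNS3 local {v_local}")

    # The FortiGate needs a static route to the VNS3 subnet via the tunnel device (Adding Routes).
    if route is None:
        problems.append("route: no static route to the VNS3 remote subnet")
    elif route_net != fg_remote or route["device"] != fortigate["tunnel_name"]:
        problems.append(f"route: expected {fg_remote} via {fortigate['tunnel_name']}, got {route}")

    return problems


# Constructed sample: what the wizard pages in this guide produce on the FortiGate ...
FORTIGATE = {
    "tunnel_name": "VNS3-IPsec",
    "ike_version": 1, "mode": "Main",
    "p1_encryption": "AES256", "p1_hash": "SHA1", "p1_dhgrp": 5, "p1_lifetime": 3600,
    "p2_encryption": "AES256", "p2_hash": "SHA1", "pfs_dhgrp": 5, "p2_lifetime": 28800,
    "nat_traversal": True, "psk": "PLACEHOLDER-PSK",
    "dpd": True, "keepalive_frequency": 10, "autokey_keepalive": False,  # peer-local
    "local_subnet": "192.168.3.0/255.255.255.0",   # netmask notation, as the wizard expects
    "remote_subnet": "172.31.1.0/255.255.255.0",
    "static_route": {"dst": "172.31.1.0/255.255.255.0", "device": "VNS3-IPsec"},
}
# ... and the matching VNS3 side: local/remote swapped, CIDR notation, no DPD settings needed.
VNS3 = {
    "ike_version": 1, "mode": "main",
    "p1_encryption": "aes256", "p1_hash": "sha1", "p1_dhgrp": 5, "p1_lifetime": 3600,
    "p2_encryption": "aes256", "p2_hash": "sha1", "pfs_dhgrp": 5, "p2_lifetime": 28800,
    "nat_traversal": True, "psk": "PLACEHOLDER-PSK",
    "local_subnet": "172.31.1.0/24",
    "remote_subnet": "192.168.3.0/24",
}

if __name__ == "__main__":
    cases = {
        "as configured": VNS3,
        "lifetimes swapped on VNS3": dict(VNS3, p1_lifetime=28800, p2_lifetime=3600),
    }
    for label, peer in cases.items():
        found = check_pair(FORTIGATE, peer)
        print(f"{label}: {'OK' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```

Running the script reports the swapped-lifetime case (a common slip, since Phase1 defaults to 3600s and Phase2 to 28800s) as two mismatches while the as-configured pair passes. Extending NEGOTIATED is how you would add further settings from the Phase 2 Advanced page, such as replay detection, if both sides expose them.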

VNS3 Document Links

VNS3 Product Resources - Documentation | Add-ons

VNS3 Configuration Document - Instructions and screenshots for configuring a VNS3 Controller in a single or multiple Controller topology. Specific steps include initializing a new Controller, generating clientpack keys, setting up peering, building IPsec tunnels, and connecting client servers to the Overlay Network.

VNS3 Docker Instructions - Explains the value of the VNS3 3.5 Docker integration and covers uploading, allocating and exporting application containers.

VNS3 Troubleshooting - Troubleshooting document that provides explanations of issues that are more commonly experienced with VNS3.