IPsec VPN : Protecting communication between offices across the Internet using IPsec VPN
Problem
You need to provide secure, transparent communication between company headquarters (HQ) and a branch office.
Solution
Create a gateway-to-gateway IPsec VPN between headquarters and the branch office.
This basic gateway-to-gateway IPsec VPN assumes that both offices have Internet connections with static IP addresses. It uses a basic policy-based IPsec VPN configuration.
Configure the HQ FortiGate
1 Go to VPN > IPsec > Auto Key (IKE), select Create Phase 1 and configure the IPsec VPN phase 1 configuration.
   Name: HQ_to_Branch_p1
   Remote Gateway: Static IP Address
   IP Address: 172.20.120.200
   Local Interface: wan1
   Mode: Main (ID protection)
   Authentication Method: Preshared Key
   Pre-shared Key: fortinet123
2 Select OK.
3 Select Create Phase 2 and configure the phase 2 configuration.
   Name: HQ_to_Branch_p2
   Phase 1: HQ_to_Branch_p1
4 Select OK.
5 Go to Firewall Objects > Address > Address and select Create New to add a firewall address for the HQ network.
   Name: HQ_net
   Type: Subnet / IP Range
   Subnet / IP Range: 10.10.10.0/255.255.255.0
   Interface: internal
6 Select Create New to add a firewall address for the branch office network.
   Name: Branch_net
   Type: Subnet / IP Range
   Subnet / IP Range: 192.168.1.0/255.255.255.0
   Interface: wan1
7 Select OK.
8 Go to Policy > Policy > Policy and select Create New to add a security policy for the IPsec VPN.
   Source Interface/Zone: internal
   Source Address: HQ_net
   Destination Interface/Zone: wan1
   Destination Address: Branch_net
   Schedule: always
   Service: ANY
   Action: IPSEC
   VPN Tunnel: HQ_to_Branch_p1
9 Select Allow inbound and Allow outbound.
10 Select OK.
Configure the Branch office
The branch office settings are almost identical to the HQ settings.
1 Go to VPN > IPsec > Auto Key (IKE), select Create Phase 1 and configure the IPsec VPN phase 1 configuration.
   Name: Branch_to_HQ_p1
   Remote Gateway: Static IP Address
   IP Address: 172.20.120.122
   Local Interface: wan1
   Mode: Main (ID protection)
   Authentication Method: Preshared Key
   Pre-shared Key: fortinet123
2 Select OK.
3 Select Create Phase 2.
4 Enter the following information:
   Name: Branch_to_HQ_p2
   Phase 1: Branch_to_HQ_p1
5 Select OK.
6 Go to Firewall Objects > Address > Address and select Create New to add a firewall address for the branch office network.
   Name: Branch_net
   Type: Subnet / IP Range
   Subnet / IP Range: 192.168.1.0/255.255.255.0
   Interface: internal
7 Select Create New to add a firewall address for the HQ network.
   Name: HQ_net
   Type: Subnet / IP Range
   Subnet / IP Range: 10.10.10.0/255.255.255.0
   Interface: wan1
8 Select OK.
9 Go to Policy > Policy > Policy and select Create New to add a security policy for the IPsec VPN.
   Source Interface/Zone: internal
   Source Address: Branch_net
   Destination Interface/Zone: wan1
   Destination Address: HQ_net
   Schedule: always
   Service: ANY
   Action: IPSEC
   VPN Tunnel: Branch_to_HQ_p1
10 Select Allow inbound and Allow outbound.
11 Select OK.
Results
A user on either office network should be able to connect transparently to any address on the other office network. For example, from a PC on the branch office network with IP address 192.168.1.100 you should be able to ping a device on the HQ network with IP address 10.10.10.100.
When the VPN is operating you should be able to go to VPN > Monitor > IPsec Monitor and verify that its status is up.