This is a step-by-step tutorial to set up a site-to-site VPN between a Fortinet FortiGate and an OpenBSD VPN gateway. The key exchange will be done using IKEv2 and both sites are using static IP addresses on their WAN interfaces.

I typically use the strongest possible cryptographic algorithms between the two sites / vendors in my tutorials. This can result in degraded performance and higher resource usage depending on the used hardware. You need to test the resource usage and performance in your own environment.

These are the devices I used for this tutorial:
Fortinet FortiGate 60F with FortiOS 7.2.3

The following figure shows the lab environment I built for this tutorial:

First, we need to create a new custom tunnel in the FortiGate configuration, where we set the basic parts such as the peer IP address and the interface we want to use for our VPN connection:
[Figure: IPsec Network configuration on FortiGate]

Then we set our pre-shared key and change the IKE version to „2“:
[Figure: IPsec Authentication on FortiGate]

The encryption algorithms are set to AES256GCM with PRFSHA512 and Diffie-Hellman group 31, which is also known as curve25519:
[Figure: IPsec Phase 1 Proposal on FortiGate]

Then we create the Phase 2 selector with the networks we want to connect. For the encryption we use AES256GCM with Diffie-Hellman group 31:
[Figure: IPsec Phase 2 Selectors on FortiGate]

Now the VPN configuration is finished and can be saved. As a last step a static route is needed, which tells the FortiGate to route the destination network to the VPN tunnel interface:
[Figure: FortiGate Static Routing]

Using the FortiOS CLI the configuration is done like this:

    config vpn ipsec phase1-interface

I expect that the OpenBSD system is already configured / used as a VPN gateway. First we need to add the configuration to the /etc/iked.conf file:

    ikev2 "lab" esp \
        from 192.168.210.0/24 to 192.168.100.0/24 \
        ikesa enc aes-256 auth hmac-sha2-512 group curve25519 \
        childsa enc aes-256-gcm prf hmac-sha2-512 group curve25519 \

Reload the iked daemon to activate the new config:

    rcctl reload iked

To view the currently established tunnels you can use the „IPsec Monitor“ in the FortiGate's WebUI.

Or you can use the CLI to view the established tunnel:

    FG60F (root) # diagnose vpn tunnel list name vpn-to-obsd
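The most common reason such a tunnel never comes up is that the two vendors' proposal names were translated inconsistently (e.g. FortiOS "aes256gcm-prfsha512" / dhgrp 31 versus iked.conf "aes-256-gcm", "hmac-sha2-512", "curve25519"). The following script is an added example, not part of the tutorial: it parses an iked.conf policy and compares its ikesa/childsa transforms with the FortiOS phase 1 / phase 2 values after mapping the names. The name table, the sample iked.conf policy and the PSK placeholder are constructed here and are assumptions, not values from the lab.

```python
import re

# FortiOS proposal / dhgrp names -> iked.conf transform names. Assumption:
# only the algorithms relevant to this kind of setup are listed.
FORTI_TO_IKED = {
    "aes256gcm": "aes-256-gcm", "aes256": "aes-256",
    "prfsha512": "hmac-sha2-512", "sha512": "hmac-sha2-512",
    "31": "curve25519", "14": "modp2048",
}

def parse_iked_policy(conf: str) -> dict:
    """Extract {'ikesa': {...}, 'childsa': {...}} from one iked.conf policy.
    Backslash line continuations are joined before tokenising."""
    joined = re.sub(r"\\\s*\n\s*", " ", conf)
    result = {}
    for section in ("ikesa", "childsa"):
        m = re.search(rf"\b{section}\s+((?:(?:enc|auth|prf|group)\s+\S+\s*)+)",
                      joined)
        if m:
            toks = m.group(1).split()
            result[section] = dict(zip(toks[0::2], toks[1::2]))
    return result

def forti_as_iked(proposal: str, dhgrp: str) -> dict:
    """Translate a FortiOS proposal ('enc-auth', or 'enc-prf' for AEAD ciphers,
    'enc' alone for phase 2) plus dhgrp into the iked vocabulary."""
    parts = proposal.split("-")
    out = {"enc": FORTI_TO_IKED[parts[0]], "group": FORTI_TO_IKED[dhgrp]}
    if len(parts) > 1:  # AEAD ciphers carry a PRF, classic ciphers an integrity alg
        out["prf" if parts[0].endswith("gcm") else "auth"] = FORTI_TO_IKED[parts[1]]
    return out

def mismatches(iked_policy: dict, forti: dict) -> list:
    """Return 'section.option: iked=X forti=Y' for every option that differs."""
    found = []
    for sa, want in forti.items():
        have = iked_policy.get(sa, {})
        for opt in sorted(set(want) | set(have)):
            if have.get(opt) != want.get(opt):
                found.append(f"{sa}.{opt}: iked={have.get(opt)} forti={want.get(opt)}")
    return found

# Constructed sample inputs: an iked.conf policy and the matching FortiOS values.
IKED_CONF = r"""ikev2 "lab" esp \
        from 192.168.210.0/24 to 192.168.100.0/24 \
        ikesa enc aes-256-gcm prf hmac-sha2-512 group curve25519 \
        childsa enc aes-256-gcm group curve25519 \
        psk "PLACEHOLDER-PSK"
"""
FORTI_LAB = {"ikesa": forti_as_iked("aes256gcm-prfsha512", "31"),
             "childsa": forti_as_iked("aes256gcm", "31")}
```

An empty list from `mismatches(parse_iked_policy(IKED_CONF), FORTI_LAB)` means both peers offer the same transforms; any entry names the side and option to correct before reloading iked.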