How to Site2site With Safe@ Fortinet

8/12/2019 How to Site2site With Safe@ Fortinet

Configuring a Site-to-Site IPSEC VPN with a Check Point Embedded NG Security Appliance and a Fortinet FortiGate Security Appliance

Note: This document assumes the reader is familiar with the basic network installation of a Check Point Embedded NG appliance and a Fortinet FortiGate security appliance.

Overview

This document explains how to create a Site-to-Site IPSEC VPN connection between a Check Point Embedded NG security appliance and a Fortinet FortiGate security appliance. In particular, it describes the configuration of the following sample network:

Figure 1: Site-to-Site VPN with Check Point Embedded NG and Fortinet FortiGate Security Appliances

This sample network uses the parameters shown in the table below; however, you can change any of these parameters as desired, so long as they are the same on both appliances.


Table 1: Site-to-Site VPN Configuration Parameters

Parameter                        Value
Encryption                       3DES
Integrity                        SHA1
Authentication                   Pre-shared Key (Shared Secret)
Diffie-Hellman (DH) Group        2
Perfect Forward Secrecy (PFS)    Disabled
Phase-1 key lifetime             24 hours (86400 seconds)
Phase-2 key lifetime             1 hour (3600 seconds)

Note: The Embedded NG appliance must be installed with firmware 5.0 or a subsequent version.

Configuring the FortiGate Security Appliance

To configure the FortiGate security appliance for Site-to-Site VPN

1. Configure the encryption domain.

The encryption domain represents the networks to and from which you want to encrypt. These are the networks behind the VPN gateways.

Do the following:

a. Create an object for the Embedded NG VPN gateway's internal network. See Creating an Object for the Embedded NG VPN Gateway's Internal Network, page 3.

b. Create an object for the FortiGate VPN gateway's internal network. See Creating an Object for the FortiGate VPN Gateway's Internal Network, page 4.

2. Configure the IPSEC parameters, by doing the following:

a. Configure a Phase-1 profile. See Configuring a Phase-1 Profile, page 5.

b. Configure a Phase-2 profile. See Configuring a Phase-2 Profile, page 6.


3. Configure VPN rules, by doing the following:

a. Configure an Encrypt rule from the FortiGate VPN gateway network to the Embedded NG VPN gateway network. See Configuring an Encrypt Rule from the FortiGate VPN Gateway Network to the Embedded NG VPN Gateway Network, page 8.

b. Configure an Encrypt rule from the Embedded NG VPN gateway network to the FortiGate VPN gateway network. See Configuring an Encrypt Rule from the Embedded NG VPN Gateway Network to the FortiGate VPN Gateway Network, page 9.

Configuring the Encryption Domain

Creating an Object for the Embedded NG VPN Gateway's Internal Network

To create an object for the Embedded NG VPN gateway's internal network

1. In the main menu, click Firewall.
The Firewall submenu opens.

2. In the Firewall submenu, click Address.
The Address page appears.

3. Click Create New.
The New Address page appears.


4. In the Address Name field, type a name for the Embedded NG VPN gateway internal network object.
For example: CP_Internal.

5. In the IP Range/Subnet field, type the IP address and subnet mask of the Embedded NG VPN gateway's internal network.
For example: 192.168.100.0/24.

6. Click OK.

Creating an Object for the FortiGate VPN Gateway's Internal Network

To create an object for the FortiGate VPN gateway's internal network

1. In the main menu, click Firewall.
The Firewall submenu opens.

2. In the Firewall submenu, click Address.
The Address page appears.

3. Click Create New.
The New Address page appears.

4. In the Address Name field, type a name for the FortiGate VPN gateway internal network object.
For example: FG_Internal.

5. In the IP Range/Subnet field, type the IP address and subnet mask of the FortiGate VPN gateway's internal network.
For example: 192.168.1.0/255.255.255.0.


6. Click OK.

Configuring IPSEC Parameters

Configuring a Phase-1 Profile

To configure a Phase-1 profile

1. In the main menu, click VPN.
The VPN submenu opens.

2. In the VPN submenu, click IPSEC.
The Phase 1 page appears.

3. Click Create New.
The New VPN Gateway page appears.

4. Click Advanced.
Additional fields appear.

5. Fill in the fields as described in the table below.
Do not change the default settings of fields that are not listed in the table.

6. Click OK.


Table 2: Phase-1 Profile Fields

In this field          Do this                                                          In the sample network
Gateway Name           Type a name for the gateway.                                     Site2Site
Remote Gateway         Type the remote gateway's static IP address.
IP address             Type the Embedded NG VPN gateway's IP address.                   212.150.8.85
Authentication Method  Select the authentication method to use.                         Preshared Key
Pre-shared Key         Type the pre-shared key. Use the same pre-shared key as          For example: Secret123
                       configured on the Embedded NG VPN gateway.
Encryption             Select the type of encryption to use to secure the VPN           3DES
                       connection.
Authentication         Select the authentication algorithm to use.                      SHA1
DH Group               Select the Diffie-Hellman group to use.                          2
Keylife                Type the Phase-1 key lifetime in seconds. This parameter         86400
                       must match the Phase-1 keylife on the Embedded NG
                       appliance VPN gateway.

Configuring a Phase-2 Profile

To configure a Phase-2 profile

1. In the main menu, click VPN.
The VPN submenu opens.

2. In the VPN submenu, click IPSEC.
The Phase 1 page appears.

3. Click the Phase 2 tab.
The Phase 2 page appears.

4. Click Create New.
The New VPN Tunnel page appears.


5. Click Advanced.
Additional fields appear.

6. Fill in the fields as described in the table below.
Do not change the default settings of fields that are not listed in the table.

7. Click OK.

Table 3: IPSEC Phase-2 Profile Fields

In this field            Do this                                                        In the sample network
Tunnel Name              Enter a name for the tunnel.                                   Check Point
Remote Gateway           Select the Phase-1 profile you created for this tunnel.        Site2Site
1-Encryption             Select the type of encryption to use to secure the VPN         3DES
                         connection.
Authentication           Select the authentication algorithm to use.                    SHA1
Enable perfect forward   Specify whether to use PFS.                                    Clear this option.
secrecy (PFS)
Keylife                  Use the fields provided to specify the Phase-2 keylife in      3600
                         seconds. This parameter must match the Phase-2 keylife on
                         the Embedded NG appliance VPN gateway.


Configuring VPN Rules

Configuring an Encrypt Rule from the FortiGate VPN Gateway Network to the Embedded NG VPN Gateway Network

To configure an Encrypt rule from the FortiGate VPN gateway network to the Embedded NG VPN gateway network

1. In the main menu, click Firewall.
The Firewall submenu opens.

2. In the Firewall submenu, click Policy.
The Policy page appears.

3. Click Create New.
The New Policy page appears.

4. Fill in the fields as described in the table below.
Do not change the default settings of fields that are not listed in the table.

5. Click OK.


The New Policy page appears.

4. Fill in the fields as described in the table below.
Do not change the default settings of fields that are not listed in the table.

5. Click OK.

Table 5: Encrypt Rule from the Embedded NG Network to the FortiGate Network Fields

In this field    Do this                                                                 In the sample network
Interface/Zone   In the Source drop-down list, select Internal. In the Destination
                 drop-down list, select External.
Address Name     In the Source drop-down list, select the Embedded NG VPN gateway        CP_Internal
                 address object from which you want traffic to be encrypted.
                 In the Destination drop-down list, select the internal FortiGate VPN    FG_External
                 gateway address object to which you want traffic to be encrypted.
Action           Select ENCRYPT.
VPN Tunnel       Select the Phase-2 profile you created.                                 CheckPoint


Configuring the Embedded NG Security Appliance

To configure the Embedded NG security appliance for Site-to-Site VPN

1. Add the FortiGate security appliance as a Site-to-Site gateway. See Adding the FortiGate Security Appliance as a Site-to-Site VPN Gateway, page 11.

2. Configure IPSEC parameters to match those you configured on the FortiGate appliance. Do the following:

a. Modify IKE Phase-1 encryption parameters. See Modifying IKE Phase-1 Encryption Parameters, page 16.

b. Modify IKE Phase-2 encryption parameters. See Modifying IKE Phase-2 Encryption Parameters, page 17.

c. Modify the IKE Phase-1 key lifetime. See Modifying the IKE Phase-1 Key Lifetime, page 17.

d. Modify the IKE Phase-2 key lifetime. See Modifying the IKE Phase-2 Key Lifetime, page 18.

Adding the FortiGate Security Appliance as a Site-to-Site VPN Gateway

To add the FortiGate appliance as a Site-to-Site VPN gateway

1. Click VPN in the main menu, and click the VPN Sites tab.
The VPN Sites page appears.

2. Click New Site.


The VPN Site Wizard opens, with the Welcome to the VPN Site Wizard dialog box displayed.

3. Select Site-to-Site VPN.

4. Click Next.
The VPN Gateway Address dialog box appears.

5. In the VPN Gateway field, type the IP address of the FortiGate VPN gateway.

6. Select Bypass NAT.
This setting enables the FortiGate VPN gateway to bypass NAT when connecting to the Embedded NG VPN gateway internal network.

7. Select Bypass the firewall.
This setting enables the FortiGate VPN gateway to bypass the firewall and access the Embedded NG VPN gateway's internal network without restriction, over the VPN tunnel only.


8. Click Next.
The VPN Network Configuration dialog box appears.

9. Select Specify Configuration.

10. Click Next.
A second VPN Network Configuration dialog box appears.

11. In the Destination network fields, type up to three destination network addresses at the FortiGate VPN gateway.

12. In the Subnet mask fields, select the subnet masks for the destination network addresses.


13. Click Next.
The Authentication Method dialog box appears.

14. Select Shared Secret.

15. Click Next.
The Authentication dialog box appears.

16. In the Use Shared Secret field, type the shared secret to use for secure communications with the FortiGate VPN gateway.
This should be the pre-shared key you configured on the FortiGate VPN gateway in Configuring a Phase-1 Profile, page 5.


17. Click Next.
The Connect dialog box appears.

18. If you configured the FortiGate appliance as described in Configuring the FortiGate Security Appliance, page 2, select the Try to Connect to the VPN Gateway check box to try to connect to it.
This allows you to test the VPN connection.

Warning: If you try to connect to the VPN site before completing the wizard, all existing tunnels will be terminated.

19. Click Next.
If you selected Try to Connect to the VPN Gateway, the Connecting screen appears, and then the Contacting VPN Site screen appears. The Site Name dialog box appears.

20. Type a name for the VPN site.
You may choose any name. For example: FortiGate.


Note: Do not select Keep this site alive.

21. Click Next.
The VPN Site Created screen appears.

22. Click Finish.
The VPN Sites page reappears. The new site appears in the VPN Sites list.

Configuring IPSEC Parameters

Configuring the IPSEC parameters on the Embedded NG security appliance is done through the appliance's command line interface (CLI). For information on accessing the CLI, refer to the User Guide. For information on CLI syntax, refer to the Check Point Embedded NG CLI Reference Guide.

Modifying IKE Phase-1 Encryption Parameters

To modify IKE Phase-1 encryption parameters

Use the following command syntax:

set vpn sites number phase1ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

where number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG Portal.

For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use 3DES/SHA1 encryption for Phase-1 IKE negotiations with this gateway, then run the command:

set vpn sites 2 phase1ikealgs 3des/sha1


Modifying IKE Phase-2 Encryption Parameters

To modify IKE Phase-2 encryption parameters

Use the following command syntax:

set vpn sites number phase2ikealgs [automatic | des/md5 | des/sha1 | 3des/md5 | 3des/sha1 | aes128/md5 | aes128/sha1 | aes256/md5 | aes256/sha1]

where number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG Portal.

For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use 3DES/SHA1 encryption for Phase-2 IKE negotiations with this gateway, then run the command:

set vpn sites 2 phase2ikealgs 3des/sha1

Modifying the IKE Phase-1 Key Lifetime

To modify the IKE Phase-1 key lifetime

Use the following command syntax:

set vpn sites number phase1exptime seconds

where:

number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG Portal.

seconds is the length of the IKE Phase-1 key lifetime in seconds.

For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use a Phase-1 key lifetime of 24 hours (86400 seconds) with this gateway, then run the command:

set vpn sites 2 phase1exptime 86400


Modifying the IKE Phase-2 Key Lifetime

To modify the IKE Phase-2 key lifetime

Use the following command syntax:

set vpn sites number phase2exptime seconds

where:

number is the number of the FortiGate VPN gateway's row in the VPN Sites table in the Embedded NG Portal.

seconds is the length of the IKE Phase-2 key lifetime in seconds.

For example, if the FortiGate VPN gateway appears in row 2 in the VPN Sites table, and you want to set the Embedded NG appliance to use a Phase-2 key lifetime of 1 hour (3600 seconds) with this gateway, then run the command:

set vpn sites 2 phase2exptime 3600
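As an added example (not part of this guide and not Check Point or Fortinet code): a small Python helper that turns the Table 1 parameters into the four Embedded NG "set vpn sites" commands from the sections above, reports any parameter that differs between the FortiGate and Embedded NG sides (the guide requires them to be identical), flags the sample-network choices a present-day review would question, and checks that the two encryption-domain objects do not overlap. SAMPLE_PARAMS, the parameter keys and the function names are this example's own assumptions; the algorithm spellings are the ones listed in the CLI syntax above.

```python
import ipaddress

# Sample-network values from Table 1 (the same values must be set on both gateways).
SAMPLE_PARAMS = {
    "encryption": "3DES", "integrity": "SHA1", "dh_group": 2, "pfs": False,
    "phase1_lifetime": 86400, "phase2_lifetime": 3600,
}

# Algorithm spellings accepted by the Embedded NG "set vpn sites ... ikealgs" commands.
_NG_ENC = {"DES": "des", "3DES": "3des", "AES128": "aes128", "AES256": "aes256"}
_NG_HASH = {"MD5": "md5", "SHA1": "sha1"}


def embedded_ng_commands(row, params):
    """Build the four CLI commands for the FortiGate site in VPN Sites row `row`."""
    algs = f"{_NG_ENC[params['encryption']]}/{_NG_HASH[params['integrity']]}"
    return [
        f"set vpn sites {row} phase1ikealgs {algs}",
        f"set vpn sites {row} phase2ikealgs {algs}",
        f"set vpn sites {row} phase1exptime {params['phase1_lifetime']}",
        f"set vpn sites {row} phase2exptime {params['phase2_lifetime']}",
    ]

def mismatches(fortigate, embedded_ng):
    """Names of parameters whose values differ between the two gateways
    (IKE negotiation fails when the proposals do not match)."""
    return sorted(k for k in fortigate if fortigate[k] != embedded_ng.get(k))

def weak_settings(params):
    """Table 1 choices a present-day review would flag, as short findings."""
    findings = []
    if params["encryption"] in ("DES", "3DES"):
        findings.append("encryption: 64-bit block cipher, prefer AES128/AES256")
    if params["integrity"] in ("MD5", "SHA1"):
        findings.append("integrity: MD5/SHA1 are legacy, prefer SHA-2 where supported")
    if params["dh_group"] <= 2:
        findings.append("dh_group: group 2 is 1024-bit MODP, use a stronger group")
    if not params["pfs"]:
        findings.append("pfs: disabled, so Phase-2 keys are not independent of Phase-1")
    return findings

def encryption_domains_overlap(cp_internal, fg_internal):
    """True if the two address objects overlap, which makes the Encrypt rules'
    selectors ambiguous. Accepts both notations used in the guide:
    prefix length (192.168.100.0/24) and dotted mask (192.168.1.0/255.255.255.0)."""
    a = ipaddress.ip_network(cp_internal, strict=False)
    b = ipaddress.ip_network(fg_internal, strict=False)
    return a.overlaps(b)
```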