SonicOS Enhanced to Fortinet FortiWiFi 60


Page 1: SonicOS Enhanced to Fortinet FortiWiFi 60

8/4/2019 SonicOS Enhanced to Fortinet FortiWiFi 60

http://slidepdf.com/reader/full/sonicos-enhanced-to-fortinet-fortiwifi-60 1/10

VPN SonicOS Enhanced to Fortinet FortiWiFi-60

Deployment Scenario:

SonicOS Enhanced 3.1.0.11

Log into the SonicWALL’s Management GUI using a current Web browser.


The address objects will be created first. From the navigation bar on the left, click on ‘Network’ and then ‘Address Objects’; this will bring up the ‘Network > Address Objects’ page. In the ‘Address Objects’ section, click on ‘Add’ to create an address object for the Primary LAN Network connected to the Fortinet FortiWiFi-60.

A popup window will appear in which the new Address Object can be created.

Name: fortinet

Zone Assignment: VPN

Type: Network

Network: 192.168.1.0

Netmask: 255.255.255.0

Click ‘OK’ to finish.

This will provide all the address objects needed to create a VPN SA between the LAN of the SonicWALL unit and the LAN of the Fortinet FortiWiFi-60 unit.

From the navigation bar on the left, click on ‘VPN’; this will bring up the ‘VPN > Settings’ page. In the ‘VPN Global Settings’ section, make sure the ‘Enable VPN’ radio button is selected. In the ‘VPN Policies’ section, click on ‘Add’ to create the new VPN policy for the Fortinet FortiWiFi-60.


The ‘VPN Policy’ window will then appear. On the ‘General’ tab page, in the ‘Security Policy’ section, select “IKE using Preshared Secret” from the ‘IPSec Keying Mode:’ dropdown box.

Name: "Fortinet"

IPSec Primary Gateway Name or Address: 67.115.118.75

Shared Secret: preshared

Local IKE ID: IP Address <Empty>

Peer IKE ID: IP Address <Empty>

Next select the ‘Network’ tab.

In the ‘Local Networks’ section, select the radio button next to ‘Choose local network from list’ and select "LAN Primary Subnet" from the dropdown box.

In the ‘Destination Networks’ section, select the radio button next to ‘Choose destination network from list’ and select "fortinet" from the dropdown box.


Next select the ‘Proposals’ tab. The default values should be correct. Verify that all values are correct.

IKE (Phase 1) Proposal

Exchange: Main Mode

DH Group: Group 2

Encryption: 3DES

Authentication: SHA1

Life Time (seconds): 28800

Ipsec (Phase 2) Proposal

Protocol: ESP

Encryption: 3DES

Authentication: SHA1

DH Group: Group 2

Life Time (seconds): 28800

Do not enable Perfect Forward Security.

Next select the ‘Advanced’ tab.

Make sure that the option Enable Keep Alive

All other options can be left as they are.

Click the OK button.

This completes the settings on the installed SonicWALL unit.


Fortinet FortiWiFi-60 Setup

Log into the Fortinet FortiWiFi-60 Management GUI using a current Web browser.

Within the Fortinet it isn’t necessary to create a VPN SA using Address objects already created; therefore we will start by creating the VPN SA before adding any Network Address Object into the Fortinet device.

From the navigation bar on the left, click on ‘VPN’; this will bring up the ‘VPN > IPSEC’ page. In the ‘Phase 1’ section, click on ‘Create New’ to create the new VPN Phase 1 policy for the SonicWALL unit.

Now it is necessary to specify the same Phase 1 settings that were set on the SonicWALL unit.

Verify that all values are correct.


IKE (Phase 1) Proposal

Gateway Name: sonicwall

Remote GW: Static IP

IP Address: 83.160.31.204

Mode: Main Mode

Authentication Method: Preshared Key

Pre-shared Key: preshared

Advanced Settings

Encryption: 3DES

Authentication: SHA1

DH Group: Group 2

Life Time (seconds): 28800

NOTE: Within the Phase 1 Advanced settings there will be 2 Encryptions pre-specified; therefore it is necessary to remove the second pre-specified Encryption.


After Phase 1 is configured, it is necessary to set Phase 2. Click on Phase 2 and press the Create New button, then specify the settings for Phase 2 as they have been set on the SonicWALL unit. Verify that all values are correct.

Ipsec (Phase 2) Proposal

Tunnel Name: sonicwall

Remote Gateway: sonicwall (this is to be selected from the drop down menu)

Advanced Settings

Encryption: 3DES

Authentication: SHA1

DH Group: Group 2

Life Time (seconds): 28800

Internet browsing: None

Quick Mode Identities: ‘Use selectors from policy’

NOTE: Within the Phase 2 Advanced settings there will be 2 Encryptions pre-specified; therefore it is necessary to remove the second pre-specified Encryption.


Within the Fortinet it is normal to bind the Private Networks of both LANs via Firewall Policies to the VPN SAs.

For this it is necessary to have Network Objects created which can be used in the Firewall Policies. From the navigation bar on the left select Firewall > Address to define the IP source address of the Network behind the Fortinet unit and to define the remote destination Network object.

Now it is necessary to specify an address object for the local LAN (where the VPN SA needs to be terminated).

Press the create button and enter:

Address Name: Fortinet-lan

IP Range/Subnet: 192.168.1.0/255.255.255.0

This will generate a Network object for the Fortinet LAN; a similar address object needs to be created for the LAN of the SonicWALL device.

Press the create button and enter:

Address Name: sonicwall-lan

IP Range/Subnet: 192.168.27.0/255.255.255.0

Now the VPN SAs and the Address Objects for both LAN networks have been created. To have the traffic allowed over the VPN, it is necessary to create Policies which allow the traffic over the VPN SAs.


From the navigation bar on the left, click on ‘Firewall’; this will bring up the ‘Firewall > Policy’ page. Click on ‘Create New’ to create the new policy for the VPN SA traffic.

First we create the Policy from the Fortinet LAN to the SonicWALL LAN:

Interface/Zone: internal (Source), wan-1 (Destination)

Address Name: Fortinet-lan (Source), sonicwall-lan (Destination)

Schedule: always

Service: ANY

Action: ENCRYPT (Encrypt is to bind this policy to a VPN SA)

VPN Tunnel: sonicwall (from drop down menu)

Select the radio button ‘Allow inbound’

Select the radio button ‘Allow outbound’

With this we have allowed traffic from the Fortinet LAN to the SonicWALL LAN; therefore we need to create a similar policy for the traffic coming from the SonicWALL UTM appliance.


Interface/Zone: wan-1 (Source), internal (Destination)

Address Name: sonicwall-lan (Source), Fortinet-lan (Destination)

Schedule: always

Service: ANY

Action: ENCRYPT (Encrypt is to bind this policy to a VPN SA)

VPN Tunnel: sonicwall (from drop down menu)

Select the radio button ‘Allow inbound’

Select the radio button ‘Allow outbound’

Now it is only necessary to send traffic across the VPN to the other side to have the VPN up and running.
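The settings entered on the two units have to agree: identical Phase 1 and Phase 2 proposals and pre-shared key, and mirrored local/destination networks. The following Python check is an added example, not part of the original guide; the dict layout, key names and the LEGACY list are assumptions of the example, with values transcribed from the steps above.

```python
import ipaddress

# Values transcribed from the guide. The dict layout and key names are
# assumptions of this example, not an export format of either product.
SONICWALL = {
    "p1": {"mode": "main", "dh": 2, "enc": "3DES", "auth": "SHA1", "life": 28800},
    "p2": {"enc": "3DES", "auth": "SHA1", "life": 28800},
    "psk": "preshared",
    "local_net": "192.168.27.0/255.255.255.0",   # LAN Primary Subnet
    "remote_net": "192.168.1.0/255.255.255.0",   # address object "fortinet"
}
FORTINET = {
    "p1": {"mode": "main", "dh": 2, "enc": "3DES", "auth": "SHA1", "life": 28800},
    "p2": {"enc": "3DES", "auth": "SHA1", "life": 28800},
    "psk": "preshared",
    "local_net": "192.168.1.0/255.255.255.0",    # Fortinet-lan
    "remote_net": "192.168.27.0/255.255.255.0",  # sonicwall-lan
}

# Assumed local policy (not stated in the guide): values to flag for review.
LEGACY = {"enc": {"DES", "3DES"}, "auth": {"MD5", "SHA1"}, "dh": {1, 2, 5}}

def net(text):
    # strict parsing rejects entries with host bits set, e.g. 192.168.1.1/24
    return ipaddress.ip_network(text, strict=True)

def compare(a, b):
    """Return the mismatches between two peers that would stop the tunnel."""
    problems = []
    for phase in ("p1", "p2"):
        for key in sorted(set(a[phase]) | set(b[phase])):
            if a[phase].get(key) != b[phase].get(key):
                problems.append(f"{phase}.{key}: {a[phase].get(key)!r} != {b[phase].get(key)!r}")
    if a["psk"] != b["psk"]:
        problems.append("psk: values differ")
    # One side's local network must be the other side's destination network.
    if net(a["local_net"]) != net(b["remote_net"]):
        problems.append("selectors: a.local_net != b.remote_net")
    if net(a["remote_net"]) != net(b["local_net"]):
        problems.append("selectors: a.remote_net != b.local_net")
    if net(a["local_net"]).overlaps(net(a["remote_net"])):
        problems.append("selectors: local and remote networks overlap")
    return problems

def legacy(side):
    """Return sorted 'key=value' proposal entries that appear in LEGACY."""
    return sorted({f"{k}={v}" for ph in ("p1", "p2")
                   for k, v in side[ph].items() if v in LEGACY.get(k, ())})
```

On the guide's values compare() returns an empty list, while legacy() reports auth=SHA1, dh=2 and enc=3DES for either unit.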