IPsec VPN Configuration Example: FortiGate 60D Firewall



This example illustrates how to configure two IPSec VPN tunnels from a FortiGate 60D firewall to two ZENs: a primary tunnel from the FortiGate 60D firewall to a ZEN in one data center, and a backup tunnel from the same firewall to a ZEN in another data center. In this example, the peers are using a pre-shared key for authentication. DPD is enabled so the firewall can detect if one VPN goes offline and move the Internet-bound traffic to the backup VPN.

This example uses private IP addresses because it was tested in a lab environment.

Zscaler IPSec tunnels support a limit of 200 Mbps for each public source IP address. If your organization wants to forward more than 200 Mbps of traffic, Zscaler recommends configuring more IPSec VPN tunnels with different public source IP addresses. For example, if your organization forwards 400 Mbps of traffic, you can configure two primary VPN tunnels and two backup VPN tunnels. If your organization forwards 600 Mbps of traffic, you can configure three primary VPN tunnels and three backup VPN tunnels.

A network diagram of the primary and secondary IPSec tunnels from a FortiGate 60D firewall to two Zscaler ZENs

Prerequisites

Before you start configuring the Zscaler service and the firewall, ensure that you send Zscaler the following information:

  • The IP address of the tunnel interface on the firewall.
  • The PSK.

Additionally, ensure that you have the IP addresses of the ZENs.

Configure the Zscaler Service

Do the following to configure the Zscaler service. The steps are listed at the end of this page, after the Troubleshooting section.

Configure the FortiGate 60D Firewall

This section describes how to configure two IPsec VPN tunnel interfaces on a FortiGate 60D firewall running version 5.2.1. Refer to the Fortinet documentation for additional information about the user interface.

The following figure shows the lab setup.

Screenshot of the internal and external tunnel interfaces in the FortiGate 60D web UI

The corporate office sends its traffic through the internal interface in the internal network. It sends traffic destined for any external network through the external interface, wan1.

A. Define the VPN parameters for the primary VPN tunnel.

  1. Go to VPN > IPsec > Tunnels and click Create New.

Screenshot of the Create New button in the Tunnels content pane

  2. Enter a name for the tunnel, which is Zscaler in this example, and select Custom VPN Tunnel as the template.

Screenshot of the configured VPN Setup window in the FortiGate 60D web UI

  3. Configure the primary tunnel as shown in the following figures.

Screenshot of the IPSec tunnel configuration in the FortiGate 60D web UI

B. Configure the secondary tunnel as described in the preceding steps. After both tunnels are configured, you can go to VPN > IPsec > Tunnels to view them.

Screenshot of the configured primary and secondary IPSec tunnels in the Tunnels content pane
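For readers who work from the CLI rather than the web UI, the same two tunnels expressed as a FortiOS CLI script. This is an added example, not configuration from the original page or from Zscaler or Fortinet. The tunnel name Zscaler, the interface wan1 and the PSK abc come from the page; the backup tunnel name Zscaler-backup, the peer addresses 10.1.1.1 and 10.2.2.2 (private, constructed lab values standing in for the two ZEN addresses), and the IKE/IPsec proposals, DH group and lifetimes are assumptions that must be replaced with the values agreed with Zscaler. The exact DPD keyword varies by FortiOS release (check with set dpd ? on your build). Lines beginning with # are comments.

```fortios
# Added example (not from the page). Phase 1: one IKE gateway per ZEN.
# "Zscaler" is the tunnel name used on the page; "Zscaler-backup" is assumed.
# 10.1.1.1 and 10.2.2.2 are constructed private lab addresses.
# Proposal, DH group and lifetimes are assumed values.
config vpn ipsec phase1-interface
    edit "Zscaler"
        set interface "wan1"
        set ike-version 1
        set peertype any
        set proposal aes256-sha1
        set dhgrp 2
        set keylife 86400
        # DPD is what lets the firewall notice a dead peer and fail over
        # to the backup tunnel: probe every 10 s, declare dead after 3 misses.
        set dpd on-idle
        set dpd-retryinterval 10
        set dpd-retrycount 3
        set remote-gw 10.1.1.1
        # PSK from the page (lab value)
        set psksecret abc
    next
    edit "Zscaler-backup"
        set interface "wan1"
        set ike-version 1
        set peertype any
        set proposal aes256-sha1
        set dhgrp 2
        set keylife 86400
        set dpd on-idle
        set dpd-retryinterval 10
        set dpd-retrycount 3
        set remote-gw 10.2.2.2
        set psksecret abc
    next
end
# Phase 2: one IPsec SA per gateway, selectors 0.0.0.0/0 both ways so that
# all Internet-bound traffic can be carried, as in the page's example.
config vpn ipsec phase2-interface
    edit "Zscaler"
        set phase1name "Zscaler"
        set proposal aes256-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
        set keylifeseconds 3600
    next
    edit "Zscaler-backup"
        set phase1name "Zscaler-backup"
        set proposal aes256-sha1
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
        set keylifeseconds 3600
    next
end
```

Both phase 1 entries are identical apart from the name and remote gateway, which is the point of the backup tunnel: the same policy and routing treatment can be applied to either interface. The wide 0.0.0.0/0 selectors only define what the SA may carry; which traffic actually enters each tunnel is decided by the policies and routes configured in the following steps.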

C. Define IPv4 policies to allow access to the newly configured tunnels.

  1. Go to Policy and Objects > Policy > IPv4 and click Create New.

Screenshot of the Create New button in the IPv4 content pane

  2. Create a new policy rule to allow the Zscaler primary tunnel access to the FortiGate external interface (wan1). In this example, we are forwarding all traffic to the service. The following figure shows the required settings.

Screenshot of the first configured IPv4 policy in the FortiGate 60D web UI

If you want to forward only HTTP and HTTPS traffic to the Zscaler service, select those services in the Service field.

  3. Create a new policy rule to allow internal network access to the Zscaler primary tunnel. The following figure shows the required settings.

Screenshot of the second configured IPv4 policy in the FortiGate 60D web UI

D. Configure similar policy rules for the backup tunnel. Once all four policies are defined, you can go to Policy and Objects > Policy > IPv4 to view them.

Screenshot of four configured IPv4 policies in the FortiGate 60D web UI

E. Verify that both the tunnels are up by going to VPN > Monitor > IPsec Monitor.

Screenshot of the IPsec Monitor content pane

F. Establish static routes for the primary and backup tunnels and configure them with the same priority and distance as the default route.

  1. Go to Router > Static > Static Routes and click Create New.

Screenshot of the Create New button in the Static Routes pane

  2. Define the primary tunnel route as shown in the following figure. Make sure that this route has the same distance as the default route and a larger priority value. In FortiOS, a larger priority value means a lower priority; the policy route (PBR) defined later overrides this priority ordering. Because there are two tunnels, the primary tunnel route must have a lower priority value (that is, a higher priority) than the secondary tunnel route.

Screenshot of the configured static route for the primary IPSec tunnel

  3. Define the secondary tunnel route as shown in the following figure.

Screenshot of the configured static route for the secondary IPSec tunnel

  4. Go to Router > Monitor > Routing Monitor and verify the routing table.

Screenshot of the Routing Monitor content pane

At this stage, the default route has the highest priority followed by the Zscaler primary tunnel, and then the secondary tunnel.

G. Define a policy route for each tunnel. In this example, we are forwarding all traffic to Zscaler.

  1. Go to Router > Static > Policy Routes.
  2. Define the policy route for the primary tunnel as shown in the following figure, then define one for the secondary tunnel in the same way.

Screenshot of the configured policy route in the FortiGate 60D web UI

If you are forwarding only HTTP and HTTPS traffic to the Zscaler service, do the following:

  • Select port 80 as the destination port and define rules for the primary and secondary tunnels.
  • Define similar rules that specify port 443 as the destination port.
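The policy, static-route and policy-route steps C through G as one FortiOS CLI script. This is an added example, not configuration from the original page or from Zscaler or Fortinet. The interface names internal, wan1 and Zscaler follow the page; the backup tunnel name Zscaler-backup, the policy and route IDs, the distance and priority values, and the next hop 192.0.2.1 for the pre-existing default route are assumptions (the next hop is a constructed value). Lines beginning with # are comments.

```fortios
# Added example (not from the page). Names other than internal, wan1 and
# Zscaler, all numeric IDs, and the next hop 192.0.2.1 are assumed.

# Steps C and D: four IPv4 policies, two per tunnel, matching the page:
# tunnel -> wan1, and internal -> tunnel. Service ALL forwards everything.
config firewall policy
    edit 1
        set srcintf "Zscaler"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "internal"
        set dstintf "Zscaler"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set srcintf "Zscaler-backup"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 4
        set srcintf "internal"
        set dstintf "Zscaler-backup"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Step F: default route plus one route per tunnel, all with the same
# distance. A larger priority value is a lower priority, so the order of
# preference is default route, then primary tunnel, then backup tunnel.
config router static
    edit 1
        set gateway 192.0.2.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set device "Zscaler"
        set distance 10
        set priority 5
    next
    edit 3
        set device "Zscaler-backup"
        set distance 10
        set priority 10
    next
end

# Step G: policy routes are consulted before the static routes and steer
# traffic from the internal interface into the tunnels, primary first.
config router policy
    edit 1
        set input-device "internal"
        set output-device "Zscaler"
        # To forward only web traffic instead (the page's alternative), match
        # the destination port here and add matching entries for port 443
        # and for the backup tunnel:
        # set protocol 6
        # set start-port 80
        # set end-port 80
    next
    edit 2
        set input-device "internal"
        set output-device "Zscaler-backup"
    next
end
```

To verify the result from the CLI rather than the IPsec Monitor: diagnose vpn ike gateway list shows the phase 1 state of both gateways, diagnose vpn tunnel list shows the phase 2 SAs with their packet counters, get router info routing-table all shows the installed routes in the order described above, and diagnose firewall proute list shows the policy routes and how often each has matched. A healthy deployment shows counters increasing on the primary tunnel only; traffic on the backup tunnel while the primary is up points to a policy-route ordering problem.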

Troubleshooting

Go to VPN > Monitor > IPsec Monitor and verify that traffic is flowing through the primary tunnel.

Screenshot of the IPsec Monitor content pane

The network processor (NP) of some Fortinet devices does not support offloading VPN phase one traffic, resulting in an unacceptable drop in VPN tunnel performance. For further information, see the following URL: http://kb.fortinet.com/kb/documentLink.do?externalID=FD36044.

For more troubleshooting tips, please visit the troubleshooting page of the Fortinet FortiOS Handbook at http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/TestandMonitor.129.08.html.

Steps for configuring the Zscaler service (referenced in the Configure the Zscaler Service section above):

A. Add the VPN credentials.

  1. In the admin portal, go to Administration > Resources > VPN Credentials.
  2. Click Add and do the following:
    • Choose IP, and then choose the gateway IP address. This is the IP address that was given to Zscaler beforehand.
    • Enter the pre-shared key abc in the text box and confirmation box.
  3. Click Save and activate the change.

B. Add a location that uses the credentials.

  1. In the admin portal, go to Administration > Resources > Locations.
  2. Click Add.
  3. In the Add Location page, do the following:
    • Enter the location name.
    • Click the down arrow beside VPN Credentials and choose the credentials you created.
  4. Click Save and activate the change.