VPN Site To Site Forti
This is a sample configuration of an IPsec VPN that allows transparent communication between two overlapping networks located behind different FortiGates, using a route-based tunnel with source and destination NAT.
In the following topology, both FortiGates (HQ and Branch) use 192.168.1.0/24 as their internal network, but the two networks need to be able to communicate with each other through the IPsec tunnel.
New virtual subnets of equal size must be configured and used for all communication between the two overlapping subnets. The devices on both local networks do not need to change their IP addresses; however, devices and users must use the new subnet range of the remote network to communicate across the tunnel.
4. For Pre-shared Key, enter a secure key. You will use the same key when configuring IPsec VPN on the Branch FortiGate.
5. In the Phase 2 Selectors section, enter the subnets for the Local Address (10.1.1.0/24) and Remote Address (10.2.2.0/24).
6. Optionally, expand Advanced and enable Auto-negotiate.
7. Click OK.
4. Click OK.
5. Create another route with the same Destination, but change the Administrative Distance to 200 and for Interface, select Blackhole. This is a best practice for route-based IPsec VPN tunnels because it ensures traffic for the remote FortiGate's subnet is not sent using the default route in the event that the IPsec tunnel goes down.
5. Click OK.
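The blackhole route above matters because of how route selection works: the tunnel route and the blackhole route cover the same prefix, and only the lowest-distance usable one is installed. The following model, written for this page as an illustration and not FortiGate code, shows what HQ does with a packet for the Branch subnet with the tunnel up and down, with and without the blackhole route. It assumes the default route and the tunnel route use distance 10 (the FortiOS default for static routes), that the blackhole route uses distance 200 as in the step above, that a route through an IPsec interface is usable only while the tunnel is up, and that the WAN interface is named wan1 (a constructed name).

```python
# Added model of HQ's static-route selection for the Branch subnet; an
# illustration written for this page, not FortiGate code. Assumptions:
# distance 10 for the default and tunnel routes (FortiOS default), 200 for
# the blackhole route, "wan1" as a constructed WAN interface name, and a
# tunnel-interface route that is usable only while the tunnel is up.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    device: str        # "VPN-to-Branch", "wan1" (constructed) or "Blackhole"
    distance: int      # administrative distance; lower wins for the same prefix


HQ_ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan1", 10),            # default route
    Route(ipaddress.ip_network("10.2.2.0/24"), "VPN-to-Branch", 10),  # tunnel route
    Route(ipaddress.ip_network("10.2.2.0/24"), "Blackhole", 200),     # standby route
]


def usable(route, tunnel_up):
    """A route through a tunnel interface disappears when the tunnel is down."""
    return tunnel_up or not route.device.startswith("VPN-")


def lookup(dst_ip, routes, tunnel_up):
    """Return the egress device for dst_ip: longest prefix match first, then
    lowest administrative distance; None if no route matches."""
    ip = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in routes if usable(r, tunnel_up) and ip in r.dst]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r.dst.prefixlen, r.distance))
    return best.device


def leaks_in_clear(dst_ip, routes, tunnel_up):
    """True when a packet meant for the remote LAN would leave unencrypted
    via the default route instead of the tunnel (or being dropped)."""
    return lookup(dst_ip, routes, tunnel_up) == "wan1"


if __name__ == "__main__":
    without_blackhole = [r for r in HQ_ROUTES if r.device != "Blackhole"]
    for label, routes in (("with blackhole", HQ_ROUTES),
                          ("without blackhole", without_blackhole)):
        for up in (True, False):
            dev = lookup("10.2.2.20", routes, up)
            print(f"{label:18} tunnel {'up' if up else 'down':4} -> {dev}")
```

With the tunnel up the 10.2.2.0/24 tunnel route wins on prefix length and distance. With the tunnel down, the blackhole route is the only remaining match for that prefix, so the packet is dropped; without it, the only match is the default route and the traffic would leave the WAN interface in the clear.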
1. Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.
2. For Name, enter HQ-new-to-original.
3. For Interface, select the VPN interface (VPN-to-Branch).
4. Enter the External IP address/range (10.1.1.1 – 10.1.1.254, the new HQ subnet) and Mapped IP address/range (192.168.1.1 – 192.168.1.254, the original HQ subnet).
5. Click OK.
5. In the Phase 2 Selectors section, enter the subnets for the Local Address (10.2.2.0/24) and Remote Address (10.1.1.0/24).
6. Optionally, expand Advanced and enable Auto-negotiate.
7. Click OK.
4. Click OK.
5. Create another route with the same Destination, but change the Administrative Distance to 200 and for Interface, select Blackhole.
5. Click OK.
1. Go to Policy & Objects > Virtual IPs and click Create New > Virtual IP.
2. For Name, enter Branch-new-to-original.
3. For Interface, select the VPN interface (VPN-to-HQ).
4. Enter the External IP address/range (10.2.2.1 – 10.2.2.254, the new Branch subnet) and Mapped IP address/range (192.168.1.1 – 192.168.1.254, the original Branch subnet).
5. Click OK.
To configure the address objects:
6. Create another address object named HQ-new, but for IP/Netmask, enter the new LAN subnet of HQ (10.1.1.0/24), and select the VPN interface (VPN-to-HQ).
1. Go to Dashboard > Network and click the IPsec widget to expand to full screen view. The tunnels should be up on both FortiGates. If you did not enable Auto-negotiate in the IPsec VPN settings, you may have to select the tunnel and click Bring Up.
2. From a PC on the HQ network, ping a PC on the Branch network using the new IP for the Branch PC. The ping should be successful.
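The ping in step 2 only works because each address is rewritten twice on its way across the tunnel. The following trace, written for this page as an illustration and not FortiGate code, follows one request and its reply through the translations the steps above configure: HQ is reachable from Branch as 10.1.1.0/24, Branch from HQ as 10.2.2.0/24, and each side's virtual IP maps its new subnet back to the original 192.168.1.0/24 for traffic arriving on the VPN interface. The page describes the virtual IPs; the outbound source translation is assumed here to be a one-to-one mapping of the original subnet onto the site's new subnet (keep the host part, swap the network part). The host addresses 192.168.1.10 and 10.2.2.20 are constructed sample values.

```python
# Added trace of a ping across the overlapping-subnet tunnel; an
# illustration written for this page, not FortiGate code. The VIP (inbound)
# mapping follows the steps above; the outbound source NAT is assumed to be
# a one-to-one mapping of 192.168.1.0/24 onto the site's new subnet.
import ipaddress

ORIGINAL = ipaddress.ip_network("192.168.1.0/24")   # both LANs use this range


def translate(ip, src_net, dst_net):
    """One-to-one NAT between two equal-size subnets: keep the host part."""
    ip = ipaddress.IPv4Address(ip)
    if ip not in src_net:
        raise ValueError(f"{ip} is not in {src_net}")
    offset = int(ip) - int(src_net.network_address)
    return ipaddress.IPv4Address(int(dst_net.network_address) + offset)


class Site:
    def __init__(self, name, new_subnet, remote_new_subnet):
        self.name = name
        self.new = ipaddress.ip_network(new_subnet)                # Phase 2 local
        self.remote_new = ipaddress.ip_network(remote_new_subnet)  # Phase 2 remote

    def outbound(self, src, dst):
        """LAN -> tunnel: source NAT onto this site's new subnet (assumed)."""
        return (translate(src, ORIGINAL, self.new), ipaddress.IPv4Address(dst))

    def inbound(self, src, dst):
        """Tunnel -> LAN: the VIP maps the new address back to the original."""
        return (ipaddress.IPv4Address(src), translate(dst, self.new, ORIGINAL))

    def selector_match(self, src, dst):
        """Does the translated packet fit this side's Phase 2 selectors?"""
        return src in self.new and dst in self.remote_new


def trace(hq, branch, hq_host, branch_host_new):
    """Return (hop, src, dst) triples for a ping from hq_host to the new
    address of a Branch host, followed by the reply."""
    hops = []
    # Request: HQ LAN -> HQ FortiGate -> tunnel -> Branch FortiGate -> Branch LAN
    s, d = hq.outbound(hq_host, branch_host_new)
    if not hq.selector_match(s, d):
        raise RuntimeError("request does not match HQ Phase 2 selectors")
    hops.append(("hq_tunnel", str(s), str(d)))
    s, d = branch.inbound(s, d)
    hops.append(("branch_lan", str(s), str(d)))
    # Reply: the Branch host answers the translated source address it saw
    s, d = branch.outbound(d, s)
    if not branch.selector_match(s, d):
        raise RuntimeError("reply does not match Branch Phase 2 selectors")
    hops.append(("branch_tunnel", str(s), str(d)))
    s, d = hq.inbound(s, d)
    hops.append(("hq_lan", str(s), str(d)))
    return hops


HQ = Site("HQ", "10.1.1.0/24", "10.2.2.0/24")
BRANCH = Site("Branch", "10.2.2.0/24", "10.1.1.0/24")

if __name__ == "__main__":
    # Constructed sample hosts: 192.168.1.10 at HQ, 192.168.1.20 at Branch
    # (which HQ reaches as 10.2.2.20).
    for hop, src, dst in trace(HQ, BRANCH, "192.168.1.10", "10.2.2.20"):
        print(f"{hop:14} {src:>14} -> {dst}")
```

Inside the tunnel the request carries 10.1.1.10 -> 10.2.2.20, which is exactly what the Phase 2 selectors on both sides admit; neither FortiGate ever has to route a 192.168.1.x destination across the tunnel, which is why the two identical LANs do not collide. The HQ host sees its reply come back from 10.2.2.20, the same address it pinged.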