
How to Configure a Site to Site VPN from Fortigate to PFSense

Overview

Today we will be going over how to create a site-to-site VPN between a Fortigate appliance and a PFSense firewall. Below is an overview of the topology we are going to be using.

[Topology diagram]

Fortigate

VPN Tunnel

  1. Log in to your Fortigate Appliance
  2. Under VPN > IPSec Wizard

Name the Tunnel your preferred name and select Custom Wizard

  1. Configure the VPN Tunnel settings

    a) Set the Remote Gateway to the WAN IP of your PFSense Firewall

    b) Set the Interface to your WAN interface

    c) Enable NAT Traversal

[Screenshot: Tunnel]

  1. Configure Authentication

    a) Set the Authentication Method to Pre-shared Key

    b) Enter a Pre-shared Key

    c) Select IKE version 2

[Screenshot: authentication]

  1. Configure Phase 1 Proposal

    a) Encryption: AES128

    b) Authentication: SHA256

    c) Diffie-Hellman Group: 14

    d) Key Lifetime: 28800

[Screenshot: phase1]

  1. Configure Phase2 Configuration

    a) Configure the Phase2 Name

    b) Configure the Local Address

    c) Configure the Remote Address

[Screenshot: phase2]

  1. Configure the Phase2 Proposal

    a) Encryption: AES128

    b) Authentication: SHA256

    c) Enable Replay Detection

    d) Enable Perfect Forward Secrecy (PFS)

    e) Diffie-Hellman Group: 14

    f) Enable Auto-negotiate

    g) Seconds: 3600

[Screenshot: phase2-proposal]

Security Policy

  1. Configure a Policy to allow traffic from LAN to our IPSec Tunnel

    a) Incoming Interface: LAN Network Interface

    b) Outgoing Interface: Our IPSec Tunnel

    c) Source: All

    d) Destination: All

    e) Services: All

    f) Action: ACCEPT

    g) Disable NAT

[Screenshot: LAN-Rule]

  1. Configure a policy to allow traffic coming from our IPSec tunnel to our LAN

    NOTE: This must be a separate policy and cannot be combined with our first policy

    a) Incoming Interface: our IPSec Tunnel

    b) Outgoing Interface: Our LAN Network Interface

    c) Source: All

    d) Destination: All

    e) Services: All

    f) Action: ACCEPT

    g) Disable NAT

[Screenshot: VPN-RuleA]

[Screenshot: VPN-RuleB]

Static Route

  1. Navigate to Network > Routing > Static Routes > Create New and add a route for the PFSense LAN network with the IPSec tunnel interface as the device

[Screenshot: fortigate-staticroute]

PFSense

VPN Tunnel

  1. Log into PFSense and navigate to VPN > IPSec
  2. Select Add P1
  3. Configure the Phase 1 Configuration

    a) Set Interface to WAN

    b) Set Remote Gateway to the WAN IP of your Fortigate Appliance

[Screenshot: PFPhase1]

  1. Configure Phase 1 Authentication

    a) Authentication Method: Mutual PSK

    b) Enter the Pre-Shared Key you created in Fortigate

    c) Configure the Encryption Algorithm as follows

    • Key Length: 128 bits
    • Hash: SHA256
    • DH Group: 14 (2048 bit)

[Screenshot: PFAuth]

  1. Configure the Life Time

[Screenshot: PFLifeTime]

  1. Add a P2

[Screenshot: PFP2]

  1. Configure the P2 Network Configuration

    a) Mode: Tunnel IPv4

    b) Local Network: Configure the LAN Network for this firewall

    c) Remote Network: Configure the LAN Network for your Fortigate Firewall

[Screenshot: PFNetwork]

  1. Configure the Phase 2 Proposal

    a) Encryption Algorithms: AES 128 bits

    b) Hash Algorithms: SHA256

    c) PFS Key Group: 14 (2048 bit)

[Screenshot: PFP2A]

  1. Configure Life Time

[Screenshot: PFP2LifeTime]

Security Policy

If you would like to be able to access everything behind the PFSense Firewall, you will need to create a default allow any/any rule on the IPSec interface under Firewall > Rules.

[Screenshot: PFSense IPSec rule]

Static Route

No static routes are required on the PFSense Firewall.
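Every Phase 1 and Phase 2 value above has to be entered identically on both firewalls, and the Local/Remote networks have to mirror each other; a mismatch in any one of them is the usual reason the tunnel never comes up. The script below is an added example, not code from the original post and not from Fortinet or Netgate: it records what was typed into each firewall and reports any disagreement before you try to bring the tunnel up. The cipher, hash, DH group and lifetime values are the ones used in the steps above; the WAN addresses, LAN subnets, peer names and the PFSense lifetimes (assumed to match the Fortigate values) are constructed placeholders.

```python
"""Added example (not from the original post, Fortinet or Netgate): record the
IKEv2/IPsec values entered on each firewall and check that the two ends agree.
Cipher, hash, DH group and lifetime values are the post's; WAN IPs and LAN
subnets are constructed placeholders."""
import re
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

WEAK_DH_GROUPS = {1, 2, 5}  # 768/1024/1536-bit MODP, deprecated for IKE


def norm(alg: str) -> str:
    """Make vendor spellings comparable: 'AES 128 bits' == 'AES128'."""
    return re.sub(r"[\s_-]|bits?$", "", alg.lower())


@dataclass(frozen=True)
class Phase1:
    remote_gateway: str  # the other firewall's WAN IP
    ike_version: int
    encryption: str
    auth: str
    dh_group: int
    lifetime: int        # seconds


@dataclass(frozen=True)
class Phase2:
    local_network: str   # this firewall's LAN
    remote_network: str  # the other firewall's LAN
    encryption: str
    auth: str
    pfs_group: Optional[int]  # None = PFS disabled
    lifetime: int        # seconds


@dataclass(frozen=True)
class Peer:
    name: str
    wan_ip: str
    phase1: Phase1
    phase2: Phase2


def _compare(a: Peer, b: Peer, phase: str, fields) -> list:
    # Field-by-field comparison of one phase on both peers.
    problems = []
    for f in fields:
        va, vb = getattr(getattr(a, phase), f), getattr(getattr(b, phase), f)
        if isinstance(va, str):
            va, vb = norm(va), norm(vb)
        if va != vb:
            problems.append(f"{phase}.{f}: {a.name}={va!r} vs {b.name}={vb!r}")
    return problems


def check_tunnel(a: Peer, b: Peer) -> list:
    """Return every mismatch between the two ends; an empty list means they agree."""
    problems = []
    for me, other in ((a, b), (b, a)):
        # Each side's remote gateway must be the other side's WAN IP.
        if ip_address(me.phase1.remote_gateway) != ip_address(other.wan_ip):
            problems.append(f"{me.name}: remote gateway {me.phase1.remote_gateway} "
                            f"is not {other.name}'s WAN IP {other.wan_ip}")
        # Phase 2 selectors must mirror: local on one side = remote on the other.
        if ip_network(me.phase2.local_network) != ip_network(other.phase2.remote_network):
            problems.append(f"{me.name}: local network {me.phase2.local_network} "
                            f"is not {other.name}'s remote network {other.phase2.remote_network}")
    problems += _compare(a, b, "phase1", ("ike_version", "encryption", "auth", "dh_group", "lifetime"))
    problems += _compare(a, b, "phase2", ("encryption", "auth", "pfs_group", "lifetime"))
    return problems


def weak_settings(p: Peer) -> list:
    """Settings that would still negotiate but are weaker than the post's choices."""
    warnings = []
    if p.phase1.dh_group in WEAK_DH_GROUPS:
        warnings.append(f"{p.name}: Phase 1 DH group {p.phase1.dh_group} is deprecated")
    if p.phase2.pfs_group is None:
        warnings.append(f"{p.name}: PFS disabled on Phase 2")
    elif p.phase2.pfs_group in WEAK_DH_GROUPS:
        warnings.append(f"{p.name}: PFS group {p.phase2.pfs_group} is deprecated")
    return warnings


def with_phase2(peer: Peer, **changes) -> Peer:
    """Copy of a peer with some Phase 2 fields changed (to simulate a mistake)."""
    return replace(peer, phase2=replace(peer.phase2, **changes))


# Constructed sample values: documentation-range WAN IPs, private LAN subnets.
FORTIGATE = Peer("Fortigate", "203.0.113.1",
                 Phase1("198.51.100.1", 2, "AES128", "SHA256", 14, 28800),
                 Phase2("192.168.10.0/24", "192.168.20.0/24", "AES128", "SHA256", 14, 3600))
PFSENSE = Peer("PFSense", "198.51.100.1",
               Phase1("203.0.113.1", 2, "AES 128 bits", "SHA256", 14, 28800),
               Phase2("192.168.20.0/24", "192.168.10.0/24", "AES 128 bits", "SHA256", 14, 3600))

if __name__ == "__main__":
    print("mismatches:", check_tunnel(FORTIGATE, PFSENSE) or "none")
    # A common slip: the Phase 1 lifetime copied into Phase 2 and PFS left off.
    wrong = with_phase2(PFSENSE, lifetime=28800, pfs_group=None)
    for line in check_tunnel(FORTIGATE, wrong) + weak_settings(wrong):
        print(" -", line)
```

Run it as-is to see the matching configuration pass and the deliberately broken PFSense Phase 2 fail on its lifetime and missing PFS; to use it for a real pair, replace the two `Peer` records with the values from your own screens. The `norm` helper exists because Fortigate writes `AES128` where PFSense writes `AES 128 bits`, which is a cosmetic difference, whereas swapping Local and Remote networks or leaving PFS off on one side only is a real one that the checker flags.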

This post is licensed under CC BY 4.0 by the author.