GRE over IPsec (Cisco VPN)

Configuring the FortiGate unit

There are several steps to the GRE-over-IPsec configuration:

  • Enable overlapping subnets. This is needed because the virtual IPsec interface is given the same address as the FortiGate unit's external interface.
  • Configure a route-based IPsec VPN on the external interface.
  • Configure a GRE tunnel on the virtual IPsec interface. Set its local gateway and remote gateway addresses to match the local and remote gateways of the IPsec tunnel.
  • Configure security policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
  • Configure security policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.
  • Configure a static route to direct traffic destined for the network behind the Cisco router into the GRE-over-IPsec tunnel.

 

Enabling overlapping subnets

By default, each FortiGate unit network interface must be on a separate network. The configuration described in this chapter assigns the virtual IPsec interface the same address as the external interface (172.20.120.141 in the example). Enable subnet overlap as follows:

config system settings
    set allow-subnet-overlap enable
end

 

Configuring the IPsec VPN

A route-based VPN is required. It must use encryption and authentication algorithms compatible with the Cisco equipment to which it connects. In this chapter, preshared key authentication is shown.

 

To configure the IPsec VPN – web-based manager

1. Define the Phase 1 configuration needed to establish a secure connection with the remote Cisco device. Enter these settings in particular:

Name    Enter a name to identify the VPN tunnel, tocisco for example. This is the name of the virtual IPsec interface. It appears in Phase 2 configurations, security policies and the VPN monitor.

Remote Gateway                       Select Static IP Address.

IP Address                                 Enter the IP address of the Cisco device public interface. For example, 192.168.5.113.

Local Interface                          Select the FortiGate unit's public interface. For example, port1, whose address is 172.20.120.141.

Mode                                           Select Main (ID Protection).

Authentication Method            Preshared Key

Preshared Key                          Enter the preshared key. It must match the preshared key on the Cisco device.

Advanced                                   Select the Advanced button to see the following settings.

Phase 1 Proposal                      3DESMD5

At least one proposal must match the settings on the Cisco unit. 3DES and MD5 appear here only because the Cisco example offers them; both are deprecated, so prefer an AES/SHA-2 proposal (for example aes128-sha256) whenever the Cisco side can be configured to match.

For more information about these settings, see the Phase 1 parameters chapter of the handbook.

2. Define the Phase 2 parameters needed to create a VPN tunnel with the remote peer. For compatibility with the Cisco router, Quick Mode Selectors must be entered, which includes specifying protocol 47, the GRE protocol. Enter these settings in particular:

Phase 2 Proposal                      3DESMD5

At least one proposal must match the settings on the Cisco unit.

Quick Mode Selector

Source Address                        Enter the local GRE gateway address, which is the FortiGate unit's public IP address. For example 172.20.120.141. This is the outer (GRE gateway) address, not the GRE tunnel end address assigned later.

Source Port                                0

Destination Address                 Enter the remote GRE gateway address, which is the Cisco device's public IP address. For example 192.168.5.113.

Destination Port                        0

Protocol                                      47 (GRE)

For more information about these settings, see the Phase 2 parameters chapter of the handbook.

3. If the Cisco device is configured to use transport mode IPsec, you need to use transport mode on the FortiGate VPN. You can configure this only in the CLI. In your Phase 2 configuration (tocisco_p2 in this example), set encapsulation to transport-mode as follows:

config vpn ipsec phase2-interface
    edit tocisco_p2
        set encapsulation transport-mode
    next
end
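The Phase 2 selector above is easier to reason about when you see what it actually inspects. The following Python, added here and not part of the handbook or of FortiOS, builds a GRE-over-IPv4 packet by hand and applies a selector with the page's values (172.20.120.141 to 192.168.5.113, protocol 47) to it. The inner hosts 10.1.1.10 and 10.2.2.20 and the zeroed TCP header are constructed for the example; the public addresses are the page's.

```python
"""Added example, not from the handbook page: build a GRE-over-IPv4 packet by
hand and apply the page's Phase 2 quick mode selector to it, to show that the
selector sees only the outer header (tunnel end points, protocol 47), never
the private addresses carried inside GRE. Outer addresses are the page's;
the inner hosts 10.1.1.10 and 10.2.2.20 and the payload are constructed."""
import ipaddress
import struct

GRE, TCP, ETHERTYPE_IPV4 = 47, 6, 0x0800

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); 0 for a filled-in header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header: no options, TTL 64, no fragmentation."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def gre_encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Basic GRE (RFC 2784): 4-byte header, no C/K/S flags, version 0,
    protocol type 0x0800, behind an outer IP header with protocol 47."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner
    return ipv4_header(outer_src, outer_dst, GRE, len(gre)) + gre

def parse_ipv4(packet: bytes):
    """Return (src, dst, protocol, payload) for an IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    return (str(ipaddress.IPv4Address(packet[12:16])),
            str(ipaddress.IPv4Address(packet[16:20])), packet[9], packet[ihl:])

def gre_decapsulate(packet: bytes) -> bytes:
    """Strip the outer IP and GRE headers; accept only basic GRE carrying IPv4."""
    _, _, proto, payload = parse_ipv4(packet)
    flags, ptype = struct.unpack("!HH", payload[:4])
    if proto != GRE or flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("not a basic GRE-over-IPv4 packet")
    return payload[4:]

# The page's quick mode selector: tunnel end points, protocol 47, ports 0 (any)
SELECTOR = {"src": "172.20.120.141", "dst": "192.168.5.113",
            "protocol": GRE, "src_port": 0, "dst_port": 0}

def matches_selector(packet: bytes, sel: dict) -> bool:
    """Match a packet's outer IP header against a (src, dst, protocol) selector.
    Port 0 means any port; GRE has no ports in any case."""
    src, dst, proto, _ = parse_ipv4(packet)
    return src == sel["src"] and dst == sel["dst"] and proto == sel["protocol"]

def build_example():
    """Constructed inner packet: a TCP segment (zeroed header) from a host
    behind the FortiGate to a host behind the Cisco router, then GRE-wrapped
    between the two public addresses, which is what IPsec is asked to protect."""
    inner = ipv4_header("10.1.1.10", "10.2.2.20", TCP, 20) + bytes(20)
    outer = gre_encapsulate(SELECTOR["src"], SELECTOR["dst"], inner)
    return inner, outer
```

The inner packet on its own does not match the selector, so traffic must enter the GRE tunnel (via the static route and the LAN-to-GRE policy) before IPsec will carry it. In tunnel mode the whole GRE packet becomes the ESP payload and a new outer IP header is added; in transport mode ESP is inserted behind the existing outer header, which is why the selector addresses are the IPsec tunnel end addresses in both cases.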

 

To configure the IPsec VPN – CLI

config vpn ipsec phase1-interface
    edit tocisco
        set interface port1
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 192.168.5.113
        set psksecret xxxxxxxxxxxxxxxx
    next
end

config vpn ipsec phase2-interface
    edit tocisco_p2
        set phase1name "tocisco"
        set proposal 3des-md5
        set encapsulation tunnel-mode      // or transport-mode, to match the Cisco side
        set protocol 47
        set src-addr-type ip
        set src-start-ip 172.20.120.141
        set dst-addr-type ip
        set dst-start-ip 192.168.5.113
    next
end

Use only one of the two encapsulation values. The src-addr-type and dst-addr-type settings must both be ip for the src-start-ip and dst-start-ip values to take effect. Note that the phase 1 proposal list here differs from the 3DESMD5 shown in the web-based manager steps; whichever proposals you configure, at least one must be offered by the Cisco side.

 

Adding IPsec tunnel end addresses

The Cisco configuration requires an address for its end of the IPsec tunnel. The addresses are set to match the GRE gateway addresses. Use the CLI to set the addresses, like this:

config system interface
    edit tocisco
        set ip 172.20.120.141 255.255.255.255
        set remote-ip 192.168.5.113
    next
end

 

Configuring the GRE tunnel

The GRE tunnel runs over the virtual IPsec interface on the FortiGate unit to the Cisco router. You must use the CLI to configure a GRE tunnel. In the example, you would enter:

config system gre-tunnel
    edit gre1
        set interface tocisco
        set local-gw 172.20.120.141
        set remote-gw 192.168.5.113
    next
end

interface is the virtual IPsec interface, local-gw is the FortiGate unit public IP address, and remote-gw is the remote Cisco device public IP address. These gateway addresses must be the same addresses used as the IPsec tunnel ends and in the Phase 2 selector.

 

Adding GRE tunnel end addresses

You will also need to add tunnel end addresses. The Cisco router configuration requires an address for its end of the GRE tunnel. Using the CLI, enter tunnel end addresses that are not used elsewhere on the FortiGate unit, like this:

config system interface
    edit gre1
        set ip 10.0.1.1 255.255.255.255
        set remote-ip 10.0.1.2
    next
end

 

Configuring security policies

Two sets of security policies are required:

  • Policies to allow traffic to pass in both directions between the GRE virtual interface and the IPsec virtual interface.
  • Policies to allow traffic to pass in both directions between the protected network interface and the GRE virtual interface.

The example uses All for source and destination so that the steps stay readable. In production, restrict the LAN-to-GRE pair to the protected subnets on each side, and restrict the GRE-to-IPsec pair to the GRE service (IP protocol 47) between the two gateway addresses, so that only GRE encapsulation, not arbitrary traffic, can cross the IPsec interface. NAT stays disabled on all four policies; translating the addresses would break the tunnel end point matching.

To configure security policies – web-based manager

1. Define an ACCEPT firewall security policy to permit communications between the protected network and the GRE tunnel:

Incoming Interface                   Select the interface that connects to the private network behind this FortiGate unit.

Source Address                        All

Outgoing Interface                   Select the GRE tunnel virtual interface you configured.

Destination Address                 All

Action                                         ACCEPT

Enable NAT                                Disable

2. To permit the remote side to initiate communication, you need to define a firewall security policy for communication in that direction:

Incoming Interface                   Select the GRE tunnel virtual interface you configured.

Source Address                        All

Outgoing Interface                   Select the interface that connects to the private network behind this FortiGate unit.

Destination Address                 All

Action                                         ACCEPT

Enable NAT                                Disable

3. Define a pair of ACCEPT firewall security policies to permit traffic to flow between the GRE virtual interface and the IPsec virtual interface:

Incoming Interface                   Select the GRE virtual interface. See Configuring the GRE tunnel.

Source Address                        All

Outgoing Interface                   Select the virtual IPsec interface you created. See Configuring the IPsec VPN.

Destination Address                 All

Action                                         ACCEPT

Enable NAT                                Disable

Incoming Interface                   Select the virtual IPsec interface you created. See Configuring the IPsec VPN.

Source Address                        All

Outgoing Interface                   Select the GRE virtual interface. See Configuring the GRE tunnel.

Destination Address                 All

Action                                         ACCEPT

Enable NAT                                Disable
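The steps above spread one configuration across several CLI sections, and the page's correctness depends on values agreeing across them: the GRE gateways, the IPsec tunnel end addresses and the Phase 2 selector must all be the same pair of public addresses, the selector must name protocol 47, subnet overlap must be on, the GRE tunnel end addresses must not be used elsewhere, and all four policies must exist without NAT. The following Python, added here and not part of the handbook or of FortiOS, renders the complete configuration from one table of values and then parses FortiOS CLI text back to check those invariants, so it can also be run against a config you export from a unit. The LAN interface name internal, the policy and route IDs, the 10.2.2.0/24 network behind the Cisco router (the static route the overview lists but the page never shows) and the aes128-sha1 proposals are assumptions.

```python
"""Added example, not code from the handbook page: a parser for FortiOS CLI text
and a checker for the cross-section invariants the page states for GRE over IPsec.
TOPOLOGY holds the page's values; the LAN interface 'internal', policy and route
IDs, the 10.2.2.0/24 network behind the Cisco router and the aes128-sha1
proposals (from the page's phase 1 CLI) are assumptions."""

TOPOLOGY = {
    "system settings": {"allow-subnet-overlap": "enable"},
    "vpn ipsec phase1-interface": {"tocisco": {
        "interface": "port1", "proposal": "aes128-sha1",
        "remote-gw": "192.168.5.113", "psksecret": "xxxxxxxxxxxxxxxx"}},
    "vpn ipsec phase2-interface": {"tocisco_p2": {
        "phase1name": "tocisco", "proposal": "aes128-sha1",
        "encapsulation": "tunnel-mode", "protocol": "47",
        "src-addr-type": "ip", "src-start-ip": "172.20.120.141",
        "dst-addr-type": "ip", "dst-start-ip": "192.168.5.113"}},
    "system interface": {  # IPsec tunnel ends, then GRE tunnel ends (unused elsewhere)
        "tocisco": {"ip": "172.20.120.141 255.255.255.255", "remote-ip": "192.168.5.113"},
        "gre1": {"ip": "10.0.1.1 255.255.255.255", "remote-ip": "10.0.1.2"}},
    "system gre-tunnel": {"gre1": {
        "interface": "tocisco", "local-gw": "172.20.120.141", "remote-gw": "192.168.5.113"}},
    "firewall policy": {str(i): {  # LAN<->GRE and GRE<->IPsec, both directions, no NAT
        "srcintf": a, "dstintf": b, "srcaddr": "all", "dstaddr": "all",
        "action": "accept", "schedule": "always", "service": "ALL", "nat": "disable"}
        for i, (a, b) in enumerate([("internal", "gre1"), ("gre1", "internal"),
                                    ("gre1", "tocisco"), ("tocisco", "gre1")], 1)},
    "router static": {"1": {"dst": "10.2.2.0 255.255.255.0", "device": "gre1"}},
}

val = lambda v: " ".join(v) if isinstance(v, list) else v  # parsed values are lists

def render(cfg):
    """Emit FortiOS CLI: a table of entries as config/edit/set/next/end,
    a scalar table (system settings) as config/set/end."""
    out = []
    for table, body in cfg.items():
        out.append(f"config {table}")
        if all(isinstance(v, dict) for v in body.values()):
            for name, attrs in body.items():
                out.append(f"    edit {name}")
                out += [f"        set {k} {val(v)}" for k, v in attrs.items()]
                out.append("    next")
        else:
            out += [f"    set {k} {val(v)}" for k, v in body.items()]
        out.append("end")
    return "\n".join(out) + "\n"

def parse_fortios(text):
    """Inverse of render(): nest config/edit scopes into dicts and store each
    'set' line's value tokens as a list. Text after '//' is dropped so the
    page's annotated CLI parses too."""
    stack = [{}]
    for raw in text.splitlines():
        tok = raw.split("//")[0].split()
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]).strip('"'), {}))
        elif tok[0] == "set":
            stack[-1][tok[1]] = [t.strip('"') for t in tok[2:]]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def first(d, key, default=None):
    v = d.get(key)
    return v[0] if v else default

def check_gre_over_ipsec(cfg, p1="tocisco", gre="gre1", lan="internal"):
    """Return findings for a parsed config; an empty list means it is consistent."""
    f = []
    if first(cfg.get("system settings", {}), "allow-subnet-overlap") != "enable":
        f.append("allow-subnet-overlap is not enabled")
    ifc = cfg.get("system interface", {})
    local = first(ifc.get(p1, {}), "ip")  # local IPsec tunnel end = GRE local-gw
    remote = first(cfg.get("vpn ipsec phase1-interface", {}).get(p1, {}), "remote-gw")
    for p2 in cfg.get("vpn ipsec phase2-interface", {}).values():
        if first(p2, "phase1name") != p1:
            continue
        if first(p2, "protocol") != "47":
            f.append("phase 2 selector protocol is not 47 (GRE)")
        if first(p2, "src-start-ip") != local or first(p2, "dst-start-ip") != remote:
            f.append("phase 2 selector addresses differ from the tunnel end addresses")
    g = cfg.get("system gre-tunnel", {}).get(gre, {})
    if first(g, "interface") != p1:
        f.append(f"{gre} is not bound to {p1}")
    if first(g, "local-gw") != local or first(g, "remote-gw") != remote:
        f.append(f"{gre} gateways differ from the IPsec tunnel end addresses")
    ends = {first(ifc.get(gre, {}), "ip"), first(ifc.get(gre, {}), "remote-ip")}
    used = {first(v, "ip") for k, v in ifc.items() if k != gre} | {remote}
    if ends & used:
        f.append("a GRE tunnel end address is also used elsewhere")
    pairs = {(first(p, "srcintf"), first(p, "dstintf"))
             for p in cfg.get("firewall policy", {}).values()
             if first(p, "action") == "accept" and first(p, "nat", "disable") == "disable"}
    for a, b in ((lan, gre), (gre, lan), (gre, p1), (p1, gre)):
        if (a, b) not in pairs:
            f.append(f"missing accept policy {a} -> {b} without NAT")
    return f
```

print(render(TOPOLOGY)) gives the whole configuration in the order the page presents it, and check_gre_over_ipsec(parse_fortios(text)) returns an empty list for that text. Feed it the output of show on a unit instead and any mismatch between the GRE gateways, the IPsec tunnel ends and the Phase 2 selector, or a missing policy, shows up as a finding before you spend time in the VPN monitor.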

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
