Create a site-to-site IPsec VPN connection between Vyatta and FortiGate

Suggest Edits

This article shows you how to create a site-to-site Internet Protocol Security
(IPsec) virtual private network (VPN) connection between a Vyatta® router
(Rackspace) and FortiGate® by using a dynamic Domain Name System (DDNS)
name. Configuring an IPsec VPN between two end points typically requires a
static Internet Protocol (IP) address on both ends. However, the Vyatta server
appliance has an option to configure a DDNS name to configure a
VPN.

The following table shows the left side as point A (the Rackspace Vyatta
router appliance) and the right side (FortiGate with a
dynamic IP address and DDNS name) as point B:

Point A (Vyatta router)	Point B (FortiGate with a dynamic IP address and DDNS name)
Device: Vyatta router appliance at Rackspace eth0: 134.213.135.XXX (public IP) eth1: 10.181.200.XXX (private IP)	Device: Fortigate firewall wan1: Dynamic IP with the DDNS name forti.fortiddns.com internal: 192.168.10.0/24 (local area network (LAN) subnet)

After you successfully establish a site-to-site IPsec VPN tunnel connection
between Vyatta and FortiGate, you can ping the Vyatta router's private IP
address (such as 10.181.200.XXX) from any internal IP address
(such as 192.168.1.7).

FortiGate enables you to create a DDNS name. To learn how to configure a DDNS
name in FortiGate, see How to set up DDNS on a FortiGate device.

Step 1: Configure the IPsec VPN in the Vyatta router appliance

Use the following steps to configure the IPsec VPN in the Vyatta router
appliance:

$ssh vyatta@cloud-server-09
vyatta@cloud-server-09:~$ show interfaces ethernet                        //Get interface IP details
$configure                                                                                         //Move to configuration mode
vyatta@cloud-server-09# set vpn ipsec ipsec-interfaces interface eth0
[edit]
vyatta@cloud-server-09# show vpn ipsec ipsec-interfaces
+interface eth0
[edit]
vyatta@cloud-server-09# set vpn ipsec ike-group IKE-RS proposal 1
[edit]
vyatta@cloud-server-09# set vpn ipsec ike-group IKE-RS proposal 1 encryption aes256
vyatta@cloud-server-09# set vpn ipsec ike-group IKE-RS proposal 1 hash sha1
vyatta@cloud-server-09# set vpn ipsec ike-group IKE-RS proposal 2 encryption aes128
[edit]
vyatta@cloud-server-09# set vpn ipsec ike-group IKE-RS proposal 2 hash sha1
[edit]
vyatta@cloud-server-09# set vpn ipsec ike-group IKE-RS lifetime 3600
vyatta@cloud-server-09# set vpn ipsec esp-group ESP-RS proposal 1
[edit]
vyatta@cloud-server-09# set vpn ipsec esp-group ESP-RS proposal 1 encryption aes256
[edit]
vyatta@cloud-server-09# set vpn ipsec esp-group ESP-RS proposal 1 hash sha1
[edit]
vyatta@cloud-server-09# set vpn ipsec esp-group ESP-RS proposal 2 encryption 3des
[edit]
vyatta@cloud-server-09# set vpn ipsec esp-group ESP-RS proposal 2 hash md5
[edit]
vyatta@cloud-server-09# set vpn ipsec esp-group ESP-RS lifetime 3600
[edit]

Configure the IPsec connection key and DDNS settings, as shown in the
following example:

vyatta@cloud-server-09# set vpn ipsec site-to-site peer forti.fortiddns.com authentication mode pre-shared-secret       // Replace forti.fortiddns.com with your DDNS name
[edit]
vyatta@cloud-server-09# edit vpn ipsec site-to-site peer forti.fortiddns.com
[edit vpn ipsec site-to-site peer forti.fortiddns.com]
vyatta@cloud-server-09# set authentication pre-shared-secret test_test_111               // Use the same in key at Fortigate end
[edit vpn ipsec site-to-site peer forti.fortiddns.com]
vyatta@cloud-server-09# set default-esp-group ESP-RS
[edit vpn ipsec site-to-site peer forti.fortiddns.com]
vyatta@cloud-server-09# set ike-group IKE-RS
[edit vpn ipsec site-to-site peer forti.fortiddns.com]
vyatta@cloud-server-09# set local-address 134.213.XX.XX                                         // Public IP of the Vyatta router appliance
[edit vpn ipsec site-to-site peer forti.fortiddns.com]
vyatta@cloud-server-09# set tunnel 1 local prefix 10.181.XX.XX/19                           // Vyatta  Private subnet IP
[edit vpn ipsec site-to-site peer forti.fortiddns.com]
vyatta@cloud-server-09# set tunnel 1 remote prefix 192.168.1.0/24                          // LAN subnet behind Fortigate
vyatta@cloud-server-09# top
vyatta@cloud-server-09# commit

vyatta@cloud-server-09# show vpn ipsec site-to-site peer  // To view the IPsec configurations

Step 2: Configure the IPsec VPN in the FortiGate firewall

Use the following steps to configure the IPsec VPN in the FortiGate firewall:

Log in to the FortiGate firewall as an administrative user.
Select VPN > IPsec > Tunnel > Create new > Custom VPN Tunnel.
In the Name field, enter RSVPN.
Select Static IP address and enter the public IP address of the Vyatta
router appliance in the IP Address column.
In the Authentication section, select Pre-shared Key and enter the
key as test_test_111. The preshared key should be same in Vyatta and
FortiGate.
Ensure that the Internet Key Exchange version (IKE version) is 1
and the Mode is set to Main.
You must use the following encryptions and settings:
- Advanced Encryption Standard 128 (AES128), with authentication set to
  Secure Hash Algorithm 1 (SHA1)
- AES256, with authentication set to SHA1
- Triple DES (3DES), with authentication set to message digest
  algorithm 5 (MD5)
You must also use the following settings:
- Diffie-Hellman (DH) Groups: 14,5, and 2
- Key lifetime: 3600 seconds
The Local Address is the address of the LAN. The Remote Address is
the Vyatta appliance's private subnet IP. Use the following encryptions and
settings:
- AES128, with authentication set to SHA1
- AES256, with authentication set to SHA1
- 3DES, with authentication set to MD5
You must also use the following settings:
- DH Groups: 14,5, and 2
- Key Lifetime: 3600 seconds
Select Network and add static route 10.181.192.0/19 (the
subnet of the Vyatta appliance).
Add a firewall policy that allows traffic between the two private subnets.
Finally, select VPN > Monitor > IPsec Monitor and verify that the
Status displays as UP.

Updated 4 months ago