This is a detailed guide on how to create a site-to-site IPsec VPN between a pfSense and a Fortigate that sits behind a NAT router. The NAT in front of the Fortigate is what makes this setup different from a plain site-to-site tunnel: the Fortigate identifies itself with its private WAN address, and the pfSense has to be told to expect that.
1. Fortigate Configuration
1.1 Configure the Fortigate Phase 1
The pre-shared key value is omitted below; set it with "set psksecret <key>" and use the same key on the pfSense. x.x.x.x is the public IP address of the pfSense. NAT traversal (nattraversal) and IKE version 1 are the FortiOS defaults for a phase1-interface, so neither needs to be set explicitly.
config vpn ipsec phase1-interface
    edit "PfSense"
        set interface "wan1"
        set proposal aes256-sha256
        set dhgrp 5
        set remote-gw x.x.x.x
        set psksecret
    next
end
1.2 Configure the Fortigate Phase 2
config vpn ipsec phase2-interface
    edit "pfSense"
        set phase1name "PfSense"
        set proposal aes256-sha256
        set pfs disable
        set keepalive enable
        set auto-negotiate enable
        set src-subnet 192.168.0.0 255.255.0.0
        set dst-subnet 10.0.100.0 255.255.255.0
    next
end
1.3 Configure a static route on the Fortigate
The route sends the pfSense side's subnet (the phase 2 dst-subnet) into the tunnel interface. "edit 0" lets FortiOS assign the next free sequence number.
config router static
    edit 0
        set dst 10.0.100.0 255.255.255.0
        set device "PfSense"
    next
end
1.4 Configure Fortigate firewall policies
One policy is needed in each direction between the tunnel interface "PfSense" and the interface behind which the 192.168.0.0/16 network sits (lo0 in this setup; substitute your own interface name). These policies allow any source, any destination and any service across the tunnel. That is the quickest way to get the tunnel tested, but once it is up you should replace "all" with address objects for the two phase 2 subnets and restrict the service to what is actually needed.
config firewall policy
    edit 11
        set srcintf "PfSense"
        set dstintf "lo0"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config firewall policy
    edit 15
        set srcintf "lo0"
        set dstintf "PfSense"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
2. pfSense Configuration
2.1 Configure Phase 1 General Information on the pfSense
Key Exchange Version = IKEv1 (this matches the Fortigate, whose phase1-interface defaults to ike-version 1)
Remote Gateway = The public IP address in front of the Fortigate, i.e. the external address of the NAT router, since that is the address the IKE packets arrive from
2.2 Configure Phase 1 Proposal (Authentication) on the pfSense
Authentication Method = Mutual PSK
Negotiation Mode = Main
My Identifier = My IP address
Peer Identifier = This is the important setting. It needs to be the private IP address of the WAN interface of the Fortigate (or whatever remote device is behind the NAT). The NAT router rewrites the outer source address of the IKE packets but not the identity payload inside them, and by default the Fortigate identifies itself with the address of its WAN interface, so the pfSense must match against the private address. If the Fortigate had the public IP address configured directly on its WAN interface this would just be the peer IP address.
Pre-Shared Key = Make sure that the pre-shared key matches on both sides
2.3 Configure Phase 1 Proposal (Encryption) on the pfSense
Ensure that the encryption algorithms are an exact mirror of the Fortigate's phase 1 proposal: AES 256, SHA256 and DH group 5. Also ensure that the lifetimes match; the defaults differ between the two platforms (the Fortigate defaults to a phase 1 keylife of 86400 seconds, the pfSense to 28800), so set the value explicitly on at least one side. DH group 5 (1536-bit MODP) is what this guide uses; if both ends support it, group 14 or higher is the stronger choice.
2.4 Configure Advanced options on the pfSense
You can leave this as the defaults values
2.5 Configure Pre-shared Keys TAB at the Top of the page
Click the tab labelled Pre-Shared Keys and enter your pre-shared key again, with the identifier set to the private IP address of the WAN interface of the remote device (the Fortigate), the same value used as the Peer Identifier above.
2.6 Click the green Add P2 button to add the pfSense's phase 2 configuration
Make sure that the phase 2 selectors are an exact mirror of the Fortigate's, i.e. the Fortigate's src-subnet becomes the pfSense's remote network and its dst-subnet becomes the pfSense's local network.
2.7 Configure Phase 2 General Information on the pfSense
Set the local network to the local subnet connected to the pfSense (10.0.100.0/24, the Fortigate's dst-subnet).
Set the remote network to the remote subnet behind the Fortigate (192.168.0.0/16, the Fortigate's src-subnet).
2.8 Configure Phase 2 Proposal (SA/Key Exchange) on the pfSense
Make sure the phase 2 encryption and authentication match on both sides of the tunnel: AES 256 and SHA256 to mirror the Fortigate's "aes256-sha256" proposal.
Configure the phase 2 lifetime on the pfSense, again ensuring that this matches on both endpoint devices. As with phase 1 the defaults differ (the Fortigate's keylifeseconds defaults to 43200, the pfSense's phase 2 lifetime to 3600).
(optional) PFS: in this case it is not configured, which corresponds to "set pfs disable" on the Fortigate. As with all the encryption and authentication settings this needs to match on both sides, so if PFS is set to group 2 on the pfSense, the Fortigate phase 2 needs "set pfs enable" and "set dhgrp 2".
2.9 PfSense Advanced Configuration
Set the "Automatically ping host" value to the private IP address of the WAN interface of the Fortigate. This keeps the tunnel up by generating interesting traffic towards the remote side.
2.10 Configure pfSense Firewall Rules to allow traffic
This can be found under the Firewall menu, Rules, on the IPsec tab. Rules on this tab govern traffic arriving through the tunnel; for testing an allow-all rule works, but as on the Fortigate side it should be narrowed to the remote subnet and required services afterwards.
2.11 Check that the tunnel is up
This is under the Status menu, on the page labelled IPsec, where the phase 1 and phase 2 entries should show as established.
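The whole guide comes down to two things: the phase 1 and phase 2 settings must mirror exactly between the Fortigate and the pfSense, and the firewall policies on both ends should not stay any/any once the tunnel works. The following script, which is an added example and not part of the original guide, parses the FortiOS "config / edit / set" text from section 1 and checks it against the values typed into the pfSense GUI in section 2, reporting proposal, DH group, PFS, lifetime and selector mismatches, and flags any/any/ALL policies on the tunnel interface (section 1.4). The FortiGate text and the pfSense dictionary are constructed from the guide's values (PSK redacted, a placeholder public address for the pfSense), and the FortiOS defaults used for omitted keywords are an assumption to confirm against your FortiOS version.

```python
import ipaddress
import shlex

# Constructed sample: the guide's FortiGate config with the PSK redacted, a
# placeholder public address for the pfSense end and one of the two policies.
FORTIGATE_CFG = """
config vpn ipsec phase1-interface
    edit "PfSense"
        set proposal aes256-sha256
        set dhgrp 5
        set remote-gw 203.0.113.10
        set psksecret REDACTED
    next
end
config vpn ipsec phase2-interface
    edit "pfSense"
        set proposal aes256-sha256
        set pfs disable
        set src-subnet 192.168.0.0 255.255.0.0
        set dst-subnet 10.0.100.0 255.255.255.0
    next
end
config firewall policy
    edit 11
        set srcintf "PfSense"
        set dstintf "lo0"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set service "ALL"
    next
end
"""
# Constructed: the values typed into the pfSense GUI. Lifetimes are set to the
# FortiOS defaults; pfSense's own defaults (28800 / 3600) would not match.
PFSENSE = {"p1": {"ike_version": 1, "enc": "aes256", "hash": "sha256", "dh_group": 5, "lifetime": 86400},
           "p2": {"enc": "aes256", "hash": "sha256", "pfs_group": None, "lifetime": 43200,
                  "local_net": "10.0.100.0/24", "remote_net": "192.168.0.0/16"}}
# Assumed FortiOS defaults for keywords the config omits (check your version).
FORTIOS_DEFAULTS = {"ike-version": "1", "keylife": "86400",
                    "keylifeseconds": "43200", "pfs": "enable", "dhgrp": "14"}

def parse_fortios(text):
    """FortiOS config/edit/set/next/end text -> {section: {entry: {keyword: [values]}}}."""
    tables, stack = {}, []                        # stack of [section, current edit key]
    for raw in text.splitlines():
        tok = shlex.split(raw)                    # handles the quoted names
        if not tok:
            continue
        if tok[0] == "config":
            stack.append([" ".join(tok[1:]), ""])
            tables.setdefault(stack[-1][0], {})
        elif tok[0] == "edit":
            stack[-1][1] = tok[1]
        elif tok[0] == "set":
            tables[stack[-1][0]].setdefault(stack[-1][1], {})[tok[1]] = tok[2:]
        elif tok[0] == "next":
            stack[-1][1] = ""
        elif tok[0] == "end":
            stack.pop()
        else:
            raise ValueError(f"unexpected FortiOS line: {raw.strip()!r}")
    return tables

def _val(entry, key):                             # first value, or the FortiOS default
    return entry.get(key, [FORTIOS_DEFAULTS.get(key)])[0]

def _net(values):                                 # FortiOS "addr mask" -> ip_network
    return ipaddress.ip_network(f"{values[0]}/{values[1]}", strict=False)

def check_mirror(fortios_text, pfsense):
    """Mismatches between the FortiGate P1/P2 and the pfSense settings; [] means they mirror."""
    t = parse_fortios(fortios_text)
    p1 = next(iter(t["vpn ipsec phase1-interface"].values()))
    p2 = next(iter(t["vpn ipsec phase2-interface"].values()))
    w1, w2 = pfsense["p1"], pfsense["p2"]
    fg_pfs = int(_val(p2, "dhgrp")) if _val(p2, "pfs") == "enable" else None
    equal = [("P1 IKE version", _val(p1, "ike-version"), str(w1["ike_version"])),
             ("P1 lifetime", _val(p1, "keylife"), str(w1["lifetime"])),
             ("P2 lifetime", _val(p2, "keylifeseconds"), str(w2["lifetime"])),
             ("P2 PFS group", fg_pfs, w2["pfs_group"]),
             # selectors are swapped across the tunnel: FortiGate src == pfSense remote
             ("P2 src-subnet/remote network", _net(p2["src-subnet"]), ipaddress.ip_network(w2["remote_net"])),
             ("P2 dst-subnet/local network", _net(p2["dst-subnet"]), ipaddress.ip_network(w2["local_net"]))]
    out = [f"{n}: FortiGate {a}, pfSense {b}" for n, a, b in equal if a != b]
    # pfSense's single choice must be among the proposals the FortiGate offers
    offered = [("P1 proposal", p1["proposal"], f"{w1['enc']}-{w1['hash']}"),
               ("P1 DH group", p1["dhgrp"], str(w1["dh_group"])),
               ("P2 proposal", p2["proposal"], f"{w2['enc']}-{w2['hash']}")]
    out += [f"{n}: FortiGate offers {a}, pfSense uses {b}" for n, a, b in offered if b not in a]
    return out

def lint_policies(fortios_text, tunnel_if):
    """Accept policies on the tunnel interface that allow any source, destination and service."""
    out = []
    for pid, e in parse_fortios(fortios_text).get("firewall policy", {}).items():
        if (tunnel_if in e.get("srcintf", []) + e.get("dstintf", [])
                and e.get("action") == ["accept"]
                and e.get("srcaddr") == ["all"] == e.get("dstaddr")
                and e.get("service") == ["ALL"]):
            out.append(f"policy {pid}: any/any/ALL accept via {tunnel_if}")
    return out
```

Running check_mirror(FORTIGATE_CFG, PFSENSE) on the guide's values returns an empty list; changing the pfSense DH group to 14 or turning on PFS on one side only produces a single named mismatch, and lint_policies(FORTIGATE_CFG, "PfSense") reports policy 11 until its addresses and service are narrowed. To use it against a real device, paste the output of "show vpn ipsec phase1-interface", "show vpn ipsec phase2-interface" and "show firewall policy" into FORTIGATE_CFG.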
3. Test the Connection
From a Windows host on the pfSense side, ping a host in the Fortigate's 192.168.0.0/16 range:
C:\Users\Administrator>ping 192.168.101.254

Pinging 192.168.101.254 with 32 bytes of data:
Reply from 192.168.101.254: bytes=32 time=28ms TTL=254
Reply from 192.168.101.254: bytes=32 time=27ms TTL=254
Reply from 192.168.101.254: bytes=32 time=28ms TTL=254
Reply from 192.168.101.254: bytes=32 time=27ms TTL=254

Ping statistics for 192.168.101.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 27ms, Maximum = 28ms, Average = 27ms