How to create a Site to Site IPSec VPN from an OpnSense to a Fortigate behind a NAT Router.

Hi all,

This is a step by step guide to create a site to site VPN from a Fortigate which sits behind a NAT router to an OpnSense Firewall.

1. Create a firewall rule to allow IPSEC traffic to the WAN interface or interface to where the VPN will terminate.

This is configured under the Firewall / Rules

2. Add new phase 1 entry

Configured under VPN /IPSEC / Tunnel Settings. Please note the phase 1 and phase 2 settings needs to be mirrored on both the local and remote device.

2.1 Click add

2.2 General Information

2.3 Phase 1 proposal (Authentication)

Make sure you put the Peer identifier as the Private IP address of the WAN interface of the Fortigate behind the NAT router.

The Pre-Shared key or shared secret needs to match on both sides. You can choose your own.

2.4 Phase 1 proposal (Algorithms)

2.5 Advanced options

(Important) NAT Traversal – Set this option to enable the use of NAT-T (i.e. the encapsulation of ESP in UDP packets) if needed, which can help with clients that are behind restrictive firewalls.

3. Enable IPSEC

Check the tick box enable IPsec.

4. Add new phase 2 entry

4.1 Click the Show phase 2 entries and click the plus button on the left.

I have highlighted where you enable IPsec, edit phase 1, edit phase 2 and add a phase 2.

4.2 General information, local and remote network.

Your local network is the private network that will be reachable from the remote private network.

The remote network is the network that will be reachable from the local network.

You create one phase 2 entry per private network. So if you have 3 networks you will create 3 phase 2 entries. Alternatively, you can summerise your networks to have less phase 2’s.

It is important that the networks are an exact match on both ends of the VPN.

4.3 Phase 2 proposal (SA/Key Exchange)

4.4 Lifetime and advance options

Set the Automatically ping host to your private IP address of the remote Fortigate WAN interface.

5. Create Pre-Shared key

Set the identifier as the Private IP address of WAN interface of the remote Fortigates WAN interface.

6. Create Firewall rules

6.1 Click add

6.2 Define rules – source, destination protocol

The following screen shot shows the IPSEC rules allowing all traffic. But you can define more stricter rules allowing only specific sources, destinations and protocols etc.

7. Configure the remote Fortigate.

The purpose of this guide is directed more at the OpnSense configuration. In this step I will just give the CLI configuration of the remote Fortigate.

7.1 Phase 1

Please note: Change the following to the remote public IP in the script below – set remote-gw “remote public IP”

This is just a example of my configuration and you will need to enter your own values.

config vpn ipsec phase1-interface
set type static
set interface "wan1"
set ip-version 4
set ike-version 1
set local-gw
set nattraversal enable
set keylife 28800
set authmethod psk
set mode main
set peertype any
set mode-cfg disable
set proposal aes256-sha256
set localid ''
set localid-type auto
set negotiate-timeout 30
set fragmentation enable
set dpd disable
set forticlient-enforcement disable
set comments ''
set npu-offload enable
set dhgrp 14
set wizard-type custom
set xauthtype disable
set mesh-selector-type disable
set remote-gw "remote public IP" 
set monitor ''
set add-gw-route disable
set psksecret ENC YJYQCQkgBRfA4Ynqobur+iFEHHENqWxdlMu1xinpodo6QLayj46K40rCVdOiW6JWEFzwatMOVd1hmYwXFf3udgSJJNCec49BYINwom29fz9M+u0Q9TEhPF2xc0+k/GTnMNLqQTpdEkhk4Ab2EoyAb1GeGKLK4ft8u23YOeIOPQ2GJHseKiBCfR1O1/VllXG/fiOAlg==
set keepalive 10
set auto-negotiate enable

7.2 Create Phase 2

config vpn ipsec phase2-interface
set phase1name "OPNSENSE_VPN"
set proposal aes256-sha256
set pfs enable
set dhgrp 14
set replay enable
set keepalive enable
set auto-negotiate enable
set keylife-type seconds
set encapsulation tunnel-mode
set comments ''
set protocol 0
set src-addr-type subnet
set src-port 0
set dst-addr-type subnet
set dst-port 0
set keylifeseconds 3600
set src-subnet
set dst-subnet

7.3 Create Firewall Policies

config firewall policy
edit 6
set uuid fc48a3fe-61c6-51e9-d528-a761270fcdd8
set srcintf "lo0"
set dstintf "OPNSENSE_VPN"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"

Policy from local interface to VPN Virtual interface.

config firewall policy
edit 7
set uuid 1a9bec44-5e93-51e9-9240-9337d084beb8
set srcintf "OPNSENSE_VPN"
set dstintf "lo0"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"

Policy from VPN Virtual Interface to local interface.

7.4 Create Static Route

config router static
edit 1
set dst
set device "OPNSENSE_VPN"

This will point the traffic down the tunnel.

8. Troubleshooting OpnSense

8.1 Make sure that the traffic is hitting the firewall on either port udp 500 or udp 4500.

8.2 Check IPSEC log and VPN Status

You can check the status of the VPN to make sure both phase 1 and 2 are up and passing traffic.

The log file provides debug information about the VPN to help you troubleshoot.

9. Troubleshooting Fortigate.

9.1 Make sure that the traffic is hitting the firewall on either port udp 500 or udp 4500.

Add the public IP address of the remote device after host.

diagnose sniffer packet any "host  and port 4500"

9.2 Debug VPN commands

Make sure you add the public IP address of the remote device after dst-addr4.

diagnose debug reset
diagnose vpn ike log-filter dst-addr4 
diagnose debug application ike -1
diagnose debug enable

10. Test the connection

PBC # execute ping-options source

PBC # execute ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=63 time=25.2 ms
64 bytes from icmp_seq=1 ttl=63 time=25.1 ms

--- ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 25.1/25.1/25.2 ms

I have tested from the Fortigate firewall sourcing from the interface that matches the phase 2 of the VPN.

Thank you for reading and please leave feedback.

If you have any queries please contact us using the following link:

How to connect using OpenVPN (Windows 10) to OpnSense firewall.

This is a detailed guide on how to connect to your OpnSense Firewall using OpenVPN for remote access. Piggybank Cloud lets you launch an OpnSense firewall with a click of a button. You can connect your virtual machines to your firewall all with ease from your Piggybank customer portal.

There is a known issue with the latest OpenVPN version and Windows 10 with the TAP adapter not working. This guide incorporates the fix for this issue.

1. Create OpenVPN server on OpnSense firewall

1.1. Click on “Use a wizard to setup a new server.

1.2 Select Authentication Type

Type of Server – Select local User Access

1.3 Create a Certificate Authority (CA)

1.4 Add new Certificate

1.5 General OpenVPN Server Information

1.5.1 Set your interface to where VPN Clients will be connecting (usually WAN)

1.5.2 Set Protocol to UDP

1.5.3 Set the local port or leave blank

Local port upon which OpenVPN will listen for connections. The default port is 1194. Leave this blank to auto-select an unused port.

1.5.4 Description

Add your own description

1.6 Cryptographic Settings

For this example I have left as the default settings as per screenshot.

1.7 Tunnel Settings

1.7.1 Configure IPv4 Tunnel Network

This will be network assigned to OpnVPN Clients.

1.7.2 Configure IPv4 Local Network

This will be the network that will be accessed by the OpnVPN Clients, for example: the local network or LAN.

1.8 Client Settings

1.8.1 Add DNS servers

1.9 Firewall Rule Configuration

The wizard will create the firewall rules automatically for you if you check the tick boxes. This will allow traffic to the OpnVPN server and allow traffic to the Local network behind the OpnSense Firewall.

1.9.1 WAN – Rules

1.9.2 OpenVPN -Rules

1.10 OpenVPN Server Example:

Please note: Certificate depth is set to do not check – this means that the same configuration can be used for multiple users to authenticate using the same OpnVPN server configuration.

2. Create local users

2.1 Navigate to System / Access / Users and click add.

2.2 Set user name and password

This is the credentials the client will use to authenticate when connecting to the VPN.

3. Install OpenVPN on Windows 10

3.1 Download and Install an older version of OpenVPN

When you install this you will be prompted to install a TAP driver which is version 9.Once installed we can update to the latest version of OpenVPN

3.2 Install later Version

Once the old version of OpenVPN is installed, install the version above.

3.3 Update the TAP drivers manually

3.3.1 Open device manager and right click TAP Windows Adapter and select update.

3.3.2 Select browse my computer for driver software

3.3.3 Point to the folder where you have saved the drivers. AMD64 for 64 bit and i386 for 32 bit.

4. Run OpenVPN GUI as administrator.

This will give you the OpenVPN icon in your windows tray. Right click the icon and click import. Before you do this you will need to download the client config from the Opnsense Firewall.

5. Download Client VPN Configuration

5.1 Navigate to VPN / OpenVPN / Client Export.

5.2 Set export type to file only.

5.3 Click on the small cloud icon to the left of the page.

5.4 Edit the Client configuration file.

5.4.1 Right click the file you have downloaded from the firewall and remove UDP from line 8 as per screen shots.

5.4.2 The config should looks as follows with x.x.x.x being you public IP of your firewall.

6. Import file for client configuration.

6.1 Right click on the OpenVPN in your system tray as per screen shot above in point 4.

6.2 Click import file and select file from download location.

7. Connect to your VPN.

7.1 Right click the OpenVPN tray icon and click connect.

7.2 Enter user credentials.

Please feel free to leave any feedback. If you would like to explore Piggybank Cloud navigate to

Thank you for reading.