How to configure IPSec VPN between a CradlePoint router and a Fortinet router Summary This article presents an example configuration of a Policy-Based site-to-site IPSec VPN tunnel between a Series 3 CradlePoint router and Fortinet router. Requirements Products Supported AER3100, AER2100, MBR1400v2, IBR11x0, IBR6x0 and the MBR1200B Click here to identify your router. NCOS Version 6.0.1 - for information on upgrading NCOS, click here. Assumptions CradlePoint model AER2100, MBR1400, IBR11x0, IBR6x0, or MBR1200B. Fortinet router with 5.0 or newer (Example used is FortiWiFi 60D). Static publicly routable IP addresses on both the CradlePoint and Fortinet router. 1
Network Topology 2
Configuration Configuration Difficulty: Intermediate CradlePoint Configuration: 1. Log into NCOS. For help with logging in please click here. 2. Click on Networking and select Tunnels and then IPSec VPN. 3. Under IPSec VPN Tunnels click Add. 4. Enter a Tunnel Name. 5. Enter a Pre-Shared Key. 6. Click Next. 3
7. Under Local Networks click Add and enter the CradlePoint's LAN that you want to be accessible across the tunnel. 8. Click Next. 9. Enter the Remote Gateway which is the WAN IP of the Fortinet. 10. Under Remote Networks click Add and enter the Fortinet's LAN that you want to be accessible across the tunnel. 11. Click Next. 4
12. Select the desired IKE Phase 1 parameters. CradlePoint recommends AES-256 encryption, SHA1 hash, DH Group 1, and IKE Phase 1 key lifetime of 86400. 13. Click Next. 14. Select the desired IKE Phase 2 parameters. CradlePoint recommends AES-256 encryption, SHA1 hash, and DH Group 1, and Phase 2 key lifetime of 3600. 15. Click Next. 16. Configure Dead Peer Detection to your preferences. CradlePoint recommends keeping this setting enabled. 17. Click Finish. 5
18. Under Global VPN Settings check Enable VPN Service and hit Save. Fortinet Configuration: The Fortinet product in this example is the FortiWiFi 60D 19. On the Fortinet, go to VPN > IPsec >Auto Key (IKE). Select Create Phase 1. Set IP Address to the IP of the Branch FortiGate, Local Interface to the Internet-facing interface, enter a Pre-shared Key and select Security Proposal that match the CradlePoint s settings. 20. Go to Firewall Objects > Address >Addresses. Create a local address. Set Type to Subnet, Subnet/IP Range to the HQ subnet, and Interface to an internal port. 6
21. Create a remote LAN address. Set Type to Subnet, Subnet/IP Range to the Branch subnet, and Interface to the VPN Phase 1. 22. Return to VPN > IPsec >Auto Key (IKE). Select Create Phase 2, set it to use the Phase 1, and click Advanced. Set the correct Phase 2 security proposal, enable Autokey Keep Alive and Auto- Negotiate. Select Source address as the Local LAN and Destination address as the Remote LAN. 7
23. Go to Policy > Policy > Policy. Create a policy for outbound traffic. Set Incoming Interface to the internal port, Source Address to the Local LAN, Outgoing Interface to the VPN Phase 1, and Destination Address to the Remote LAN. 24. Create a second policy for inbound traffic. Set Incoming Interface to the VPN phase 1, Source Address to the Remote LAN, Outgoing Interface to the internal port, and Destination Address to the Local LAN. 25. Go to Router > Static > Static Routes. Create a route for IPsec traffic, setting Device to the VPN Phase 1. If the Router menu is not visible, go to System > Config > Features to ensure that Advanced Routing is turned on 8
. 9