Comment on page

FortiGate

This guide will show you how to connect your FortiGate device to the GoodAccess Gateway via a site-to-site connection using the IPsec protocol.

Step 1 - Creating a new branch connection
​Log in to the GoodAccess Control Panel, and go to Clouds & Branches.​
Click + Add new, enter the Branch name and subnet, and select Gateway.
Choose IPSec Protocol, fill out the Settings configuration form, and click Save.
You may return to the configuration via the Edit button of your Branch at any time.
Step 2 - Creating new addresses
Log in to your FortiGate device, and go to Policy & Objects > Addresses. Click Create New and select Address.
Give the address a name and set the configuration as follows:
You have to create two Addresses - local and remote.
Creating a new address
Local Address
Type - Subnet
IP/Netmask - Subnet of FortiGate's local network and mask (e.g. 131.31.231.0/255.255.255.0)
Interface - Optional
Creating a local address
Click OK to confirm your settings.
Remote Address
Type - Subnet
IP/Netmask - Subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0)
Interface - Optional
Creating a remote address
Click OK to confirm your settings.
Step 3 - Creating a new IPSec tunnel
Go to VPN > IPsec Tunnels. Click Create New and select IPSec Tunnel.
Give the tunnel a name, select Custom, and click Next.
Edit all the sections as follows:
Creating a new IPSec tunnel
Naming a new IPSec tunnel
Setting up a new IPSec tunnel
Network
Remote Gateway - Static IP Address
IP Address - IP of your GoodAccess Gateway
Interface - WAN (depends on your site)
NAT Traversal - Optional
Deed Peer Detection - Optional
Advanced:
1.Add route - Enabled
2.Auto discovery sender - Disabled
3.Auto discovery receiver - Disabled
4.Exchange interface IP - Disabled
5.Device creation - Enabled
Setting up the network section of a IPSec tunnel
Authentication
Method - Pre-shared Key
Pre-shared Key - Shared Secret from GoodAccess (Step 1)​
IKE Version - 2
Setting up the authentication section of a IPSec tunnel
Phase 1
Must match configuration from GoodAccess (Step 1).
Setting up the Phase I section of a IPSec tunnel
Phase 2
Must match configuration from GoodAccess (Step 1).
Local/Remote Address - Select Named Address, and choose Local/Remote Address (Step 2)​
Setting up the Phase II section of a IPSec tunnel
Click OK to confirm your settings.
Step 4 - Creating a new static route
Go to Network > Static Routes and click Create New.
Set the Destination as Subnet and enter the subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0).
Click OK to confirm your settings.
Creating a new static route
Setting up the new static route
Step 5 - Creating a new firewall policy
Go to Policy & Objects > Firewall Policy and click Create New.
Give the policy a name and set the configuration as follows:
Incoming Interface - IPSec Tunnel
Outgoing Interface - LAN (depends on your site)
Source - Remote Address​
Destination -  Local Address​
Schedule and Service - Optional
Action - ACCEPT
Inspection Mode - Flow-based
Click OK to confirm your settings.
Creating a new firewall policy
You have now successfully connected your device to GoodAccess.
You may check the status of the connection in:
GoodAccess - Control Panel > Clouds & Branches > Edit button > Test connection
FortiGate - Monitor > IPSec Monitor

Cisco

MikroTik

Last modified 4mo ago