FortiGate

This guide will show you how to connect your FortiGate device to the GoodAccess Gateway via a site-to-site connection using the IPSec protocol.

Step 1 - Creating a new branch connection

Log in to the GoodAccess Control Panel, and go to Network > Clouds & Branches.

Click + Add new, enter the Branch name and subnet, and select Gateway.

Choose IPSec Protocol, fill out the Settings configuration form, and click Save.

You may return to the configuration via the Edit button of your Branch at any time.

Example of configuration (Default preset):

  • Cloud/Branch subnet - Subnet of your local network

  • Shared Secret - Create a new strong password

  • Public IP - IP of your FortiGate

  • IKE Lifetime (Phase 1) - 8 hours (28800 seconds)

  • Tunnel Lifetime (Phase 2) - 1 hour (3600 seconds)

  • Dead Peer Detection Delay - 30 seconds

  • Encryption (Phase 1) - aes256

  • Encryption (Phase 2) - aes256

  • Integrity (Phase 1) - sha256

  • Integrity (Phase 2) - sha256

  • Diffie-Hellman Groups (Phase 1) - 16 - modp4096

  • Diffie-Hellman Groups (Phase 2) - 16 - modp4096

Step 2 - Creating new addresses

Log in to your FortiGate device, and go to Policy & Objects > Addresses. Click Create New and select Address.

You have to create two addresses, a local one and a remote one. Give each address a name and set its configuration as follows:

Local Address

  • Type - Subnet

  • IP/Netmask - Subnet of FortiGate's local network and mask (e.g. 131.31.231.0/255.255.255.0)

  • Interface - Optional

Click OK to confirm your settings.

Remote Address

  • Type - Subnet

  • IP/Netmask - Subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0)

  • Interface - Optional

Click OK to confirm your settings.

Step 3 - Creating a new IPSec tunnel

Go to VPN > IPsec Tunnels. Click Create New and select IPSec Tunnel.

Give the tunnel a name, select Custom, and click Next.

Edit all the sections as follows:

Network

  • Remote Gateway - Static IP Address

  • IP Address - IP of your GoodAccess Gateway

  • Interface - WAN (depends on your site)

  • NAT Traversal - Optional

  • Dead Peer Detection - Optional

  • Advanced:

    1. Add route - Enabled

    2. Auto discovery sender - Disabled

    3. Auto discovery receiver - Disabled

    4. Exchange interface IP - Disabled

    5. Device creation - Enabled

Authentication

  • Method - Pre-shared Key

  • Pre-shared Key - Shared Secret from GoodAccess (Step 1)

  • IKE Version - 2

Phase 1

Must match configuration from GoodAccess (Step 1).

Phase 2

Must match configuration from GoodAccess (Step 1).

  • Local/Remote Address - Select Named Address, and choose Local/Remote Address (Step 2)

Click OK to confirm your settings.

Step 4 - Creating a new static route

Go to Network > Static Routes and click Create New.

Set the Destination as Subnet and enter the subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0).

Click OK to confirm your settings.

Step 5 - Creating a new firewall policy

Go to Policy & Objects > Firewall Policy and click Create New.

Give the policy a name and set the configuration as follows:

  • Incoming Interface - IPSec Tunnel

  • Outgoing Interface - LAN (depends on your site)

  • Destination - Local Address

  • Schedule and Service - Optional

  • Action - ACCEPT

  • Inspection Mode - Flow-based

Click OK to confirm your settings.

You have now successfully connected your device to GoodAccess.

You may check the status of the connection in:

  • GoodAccess - Control Panel > Clouds & Branches > Edit button > Test connection

  • FortiGate - Monitor > IPSec Monitor
