FortiGate

This guide will show you how to connect your FortiGate device to the GoodAccess Gateway via a site-to-site connection using the IPSec protocol.

Step 1 - Creating a new branch connection

Log in to the GoodAccess Control Panel, and go to Network > Clouds & Branches.

Click + Add new, enter the Branch name and subnet, and select Gateway.

Choose IPSec Protocol, fill out the Settings configuration form, and click Save.


You may return to the configuration via the Edit button of your Branch at any time.


Example of configuration (Default preset):

  • Cloud/Branch subnet - Subnet of your local network

  • Shared Secret - Create a new strong password

  • Public IP - IP of your FortiGate

  • IKE Lifetime (Phase 1) - 8 hours (28800 seconds)

  • Tunnel Lifetime (Phase 2) - 1 hour (3600 seconds)

  • Dead Peer Detection Delay - 30 seconds

  • Encryption (Phase 1) - aes256

  • Encryption (Phase 2) - aes256

  • Integrity (Phase 1) - sha256

  • Integrity (Phase 2) - sha256

  • Diffie-Hellman Groups (Phase 1) - 16 - modp4096

  • Diffie-Hellman Groups (Phase 2) - 16 - modp4096

Step 2 - Creating new addresses

Log in to your FortiGate device, and go to Policy & Objects > Addresses. Click Create New and select Address.

Give the address a name and set the configuration as follows:


You have to create two Addresses - local and remote.

Router's graphical user interface (GUI) with arrows highlighting key steps to creating a new address.
Creating a new address

Local Address

  • Type - Subnet

  • IP/Netmask - Subnet of FortiGate's local network and mask (e.g. 131.31.231.0/255.255.255.0)

  • Interface - Optional

Router's graphical user interface (GUI) showing configuration of the local address.
Creating a local address

Click OK to confirm your settings.

Remote Address

  • Type - Subnet

  • IP/Netmask - Subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0)

  • Interface - Optional

Router's graphical user interface (GUI) showing configuration of the remote address.
Creating a remote address

Click OK to confirm your settings.

Step 3 - Creating a new IPSec tunnel

Go to VPN > IPsec Tunnels. Click Create New and select IPSec Tunnel.

Give the tunnel a name, select Custom, and click Next.

Edit all the sections as follows:

Router's graphical user interface (GUI) with arrows highlighting key steps to creating a new IPSec tunnel.
Creating a new IPSec tunnel
Router's graphical user interface (GUI) showing first step of the VPN Creation Wizard.
Naming a new IPSec tunnel
Router's graphical user interface (GUI) with arrows highlighting key steps to configuring an IPSec tunnel.
Setting up a new IPSec tunnel

Network

  • Remote Gateway - Static IP Address

  • IP Address - IP of your GoodAccess Gateway

  • Interface - WAN (depends on your site)

  • NAT Traversal - Optional

  • Dead Peer Detection - Optional

  • Advanced:

    1. Add route - Enabled

    2. Auto discovery sender - Disabled

    3. Auto discovery receiver - Disabled

    4. Exchange interface IP - Disabled

    5. Device creation - Enabled

Router's graphical user interface (GUI) showing configuration for the Network section of an IPSec tunnel.
Setting up the network section of an IPSec tunnel

Authentication

  • Method - Pre-shared Key

  • Pre-shared Key - Shared Secret (Step 1)

  • IKE Version - 2

Router's graphical user interface (GUI) showing configuration for the Authentication section of an IPSec tunnel.
Setting up the authentication section of an IPSec tunnel

Phase 1


Must match configuration from GoodAccess (Step 1).

Router's graphical user interface (GUI) showing configuration for the Phase 1 section of an IPSec tunnel.
Setting up the Phase 1 section of an IPSec tunnel

Phase 2


Must match configuration from GoodAccess (Step 1).

  • Local/Remote Address - Select Named Address, and choose Local/Remote Address (Step 2)

Router's graphical user interface (GUI) showing configuration for the Phase 2 section of an IPSec tunnel.
Setting up the Phase 2 section of an IPSec tunnel

Click OK to confirm your settings.
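
Phase 1 and Phase 2 must match the GoodAccess settings from Step 1, so the following added example (not part of the original guide or of GoodAccess/Fortinet tooling) compares FortiGate CLI `show vpn ipsec ...` output against the Default preset. The mapping of preset fields to FortiOS keywords and the tunnel names in the sample are assumptions of this example.

```python
# Step 1 "Default preset" as FortiOS CLI keywords (mapping assumed by this example).
EXPECTED = {
    "phase1-interface": {"ike-version": "2", "proposal": "aes256-sha256",
                         "dhgrp": "16", "keylife": "28800"},
    "phase2-interface": {"proposal": "aes256-sha256", "dhgrp": "16",
                         "keylifeseconds": "3600"},
}

# Constructed sample of "show vpn ipsec ..." output; names are hypothetical.
SAMPLE = """
config vpn ipsec phase1-interface
    edit "GoodAccess"
        set ike-version 2
        set proposal aes256-sha256
        set dhgrp 16
    next
end
config vpn ipsec phase2-interface
    edit "GoodAccess-p2"
        set phase1name "GoodAccess"
        set proposal aes256-sha1
        set dhgrp 16
        set keylifeseconds 3600
    next
end
"""

def parse(cfg):
    """Return {section: {entry: {key: value}}} from config/edit/set blocks."""
    out, section, entry = {}, None, None
    for tok in filter(None, map(str.split, cfg.splitlines())):
        if tok[0] == "config":
            section = tok[-1]
            out.setdefault(section, {})
        elif tok[0] == "edit" and section and len(tok) > 1:
            entry = out[section].setdefault(tok[1].strip('"'), {})
        elif tok[0] == "set" and entry is not None and len(tok) > 2:
            entry[tok[1]] = " ".join(tok[2:]).strip('"')
        elif tok[0] in ("next", "end"):
            entry = None
    return out

def mismatches(cfg, expected=EXPECTED):
    """List (section, tunnel, key, found, wanted); found=None means not set."""
    bad = []
    for section, want in expected.items():
        for name, have in parse(cfg).get(section, {}).items():
            bad += [(section, name, k, have.get(k), v)
                    for k, v in want.items() if have.get(k) != v]
    return bad
```

A `found` value of `None` means the keyword was absent from the output, so the FortiOS default applies; `show full-configuration` prints defaults as well.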

Step 4 - Creating a new static route

Go to Network > Static Routes and click Create New.

Set the Destination as Subnet and enter the subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0).

Click OK to confirm your settings.

Router's graphical user interface (GUI) with arrows highlighting key steps to creating a new static route.
Creating a new static route
Router's graphical user interface (GUI) showing configuration of a static route.
Setting up the new static route

You have now successfully connected your device to GoodAccess.


You may check the status of the connection in:

  • GoodAccess - Control Panel > Clouds & Branches > Edit button > Test connection

  • FortiGate - Monitor > IPSec Monitor
