# FortiGate

## Step 1 - Creating a new branch connection

[Log in to the GoodAccess **Control Panel**, and go to **Network** > **Clouds & Branches**.](https://app.goodaccess.com/branches/)

Click **+ Add new**, enter a **Name** (e.g., Prague Office), select the required **Gateway**, and define your local **Subnets** (using CIDR notation).

Choose **IPSec** as the **Protocol**, and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set on your device in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Branch at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration (Default preset):**

* **Shared Secret** - Generate a new long, random pre-shared key; you will enter the same value on the FortiGate in Step 3
* **Public IP** - Public IP of your FortiGate (the address the GoodAccess Gateway will send IKE traffic to)
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 16 - modp4096
* **Diffie-Hellman Groups (Phase 2)** - 16 - modp4096
{% endhint %}

## Step 2 - Creating new addresses

Log in to your FortiGate device, and go to **Policy & Objects** > **Addresses**. Click **Create New** and select **Address**.

Give the address a name and set the configuration as follows:

{% hint style="info" %}
You have to create **two** Addresses - **local** and **remote**.
{% endhint %}

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F8JSTw8ynnnBvoT4J7nXd%2FBranch%20Connector%20guides%20-%20FortiGate_2.PNG?alt=media&#x26;token=185a2f36-3c5d-4eb6-9e91-0f338970bdd2" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new address."><figcaption><p>Creating a new address</p></figcaption></figure>

### **Local Address**

* **Type** - Subnet
* **IP/Netmask** - Subnet of FortiGate's local network and mask (e.g. 131.31.231.0/255.255.255.0)
* **Interface** - Optional

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FzNGhxA1DQzk5Z0FDiGPM%2FBranch%20Connector%20guides%20-%20FortiGate_3.PNG?alt=media&#x26;token=484ca2bd-8885-486e-837c-11e62836352a" alt="Router&#x27;s graphical user interface (GUI) showing configuration of the local address."><figcaption><p>Creating a local address</p></figcaption></figure>

Click **OK** to confirm your settings.

### **Remote Address**

* **Type** - Subnet
* **IP/Netmask** - Subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0)
* **Interface** - Optional

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FIBnSax5YGl4zZ3ZxImBM%2FBranch%20Connector%20guides%20-%20FortiGate_4.PNG?alt=media&#x26;token=4d595c3b-a0aa-4cb2-9b54-f5a8ff24d3b5" alt="Router&#x27;s graphical user interface (GUI) showing configuration of the remote address."><figcaption><p>Creating a remote address</p></figcaption></figure>

Click **OK** to confirm your settings.

## Step 3 - Creating a new IPSec tunnel

Go to **VPN** > **IPsec Tunnels**. Click **Create New** and select **IPSec Tunnel**.

Give the tunnel a name, select **Custom**, and click **Next**.

**Edit** all the sections as follows:

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Fzs0fSmsJRiodVc5MmnVi%2FBranch%20Connector%20guides%20-%20FortiGate_5.PNG?alt=media&#x26;token=65e0c51a-9557-43db-811e-c80cf84e262e" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new IPSec tunnel."><figcaption><p>Creating a new IPSec tunnel</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FolYY8hDHycNHHMrhCulY%2FBranch%20Connector%20guides%20-%20FortiGate_6.PNG?alt=media&#x26;token=ce6bd667-1ec5-4ced-b11b-bb7aebfdfafc" alt="Router&#x27;s graphical user interface (GUI) showing first step of the VPN Creation Wizard."><figcaption><p>Naming a new IPSec tunnel</p></figcaption></figure></div>

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FsUGtrpQ6GINY0NuWVZ6w%2FBranch%20Connector%20guides%20-%20FortiGate_8.PNG?alt=media&#x26;token=3641e588-49c9-4ad3-97f8-2a306f4d5199" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to configuring an IPSec tunnel."><figcaption><p>Setting up a new IPSec tunnel</p></figcaption></figure>

### Network

* **Remote Gateway** - Static IP Address
* **IP Address** - IP of your GoodAccess Gateway
* **Interface** - The Internet-facing interface, typically WAN (depends on your site)
* **NAT Traversal** - Optional (enable it if the FortiGate sits behind NAT)
* **Dead Peer Detection** - Optional (enable it to use the Dead Peer Detection Delay set in Step 1)
* **Advanced:**
  1. **Add route** - Enabled
  2. **Auto discovery sender** - Disabled
  3. **Auto discovery receiver** - Disabled
  4. **Exchange interface IP** - Disabled
  5. **Device creation** - Enabled

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FHv0ev5FrCitCxKPCCYNH%2FBranch%20Connector%20guides%20-%20FortiGate_9.PNG?alt=media&#x26;token=1ffa37d8-0567-42ba-9f4c-3313c75a5c56" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Network section of an IPSec tunnel."><figcaption><p>Setting up the network section of a IPSec tunnel</p></figcaption></figure>

### **Authentication**

* **Method** - Pre-shared Key
* **Pre-shared Key** - The Shared Secret from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection)
* **IKE Version** - 2

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FoSUMIrosJyI2TvIMelqH%2FBranch%20Connector%20guides%20-%20FortiGate_10.PNG?alt=media&#x26;token=c181a400-1f09-4e4a-b917-da7912d04dee" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Authentication section of an IPSec tunnel."><figcaption><p>Setting up the authentication section of a IPSec tunnel</p></figcaption></figure>

### **Phase 1**

{% hint style="info" %}
Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection). With the Default preset this means: **Encryption** aes256, **Authentication** sha256, **Diffie-Hellman Group** 16, **Key Lifetime** 28800 seconds. A mismatch in any of these values prevents Phase 1 from establishing.
{% endhint %}

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FpTLGeyFk57hHt8IxAN0z%2FBranch%20Connector%20guides%20-%20FortiGate_11.PNG?alt=media&#x26;token=77c539c1-e3f0-4579-ab92-87401bc65359" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Phase 1 section of an IPSec tunnel."><figcaption><p>Setting up the Phase 1 section of a IPSec tunnel</p></figcaption></figure>

### **Phase 2**

{% hint style="info" %}
Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-branch-connection). With the Default preset this means: **Encryption** aes256, **Authentication** sha256, **Perfect Forward Secrecy** enabled with **Diffie-Hellman Group** 16 (this is how the Phase 2 DH group is set on FortiGate), **Key Lifetime** 3600 seconds.
{% endhint %}

* **Local/Remote Address** - Select **Named Address**, and choose the Local/Remote Address created in [(Step 2)](#step-2-creating-new-addresses). These selectors must match the local Subnets defined in Step 1, otherwise Phase 2 will not establish.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FHhzBTkF31GOV0Rkp7lZw%2FBranch%20Connector%20guides%20-%20FortiGate_12.PNG?alt=media&#x26;token=207812a4-e4a3-4601-b2b8-98829165fd40" alt="Router&#x27;s graphical user interface (GUI) showing configuration for the Phase 2 section of an IPSec tunnel."><figcaption><p>Setting up the Phase 2 section of a IPSec tunnel</p></figcaption></figure>

Click **OK** to confirm your settings.

## Step 4 - Creating a new static route

Go to **Network** > **Static Routes** and click **Create New**.

Set the **Destination** as **Subnet**, enter the subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0), and set the **Interface** to the IPsec tunnel created in Step 3.

Click **OK** to confirm your settings.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FiQZv8rWBmY1vAjvCRXxH%2FBranch%20Connector%20guides%20-%20FortiGate_13.PNG?alt=media&#x26;token=63276cb8-be9e-41dd-9774-2be610d04d5c" alt="Router&#x27;s graphical user interface (GUI) with arrows highlighting key steps to creating a new static route."><figcaption><p>Creating a new static route</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Fc1jDlZqTqsdJqYqC4zba%2FBranch%20Connector%20guides%20-%20FortiGate_14.PNG?alt=media&#x26;token=0a693fd3-5273-4fd1-94fc-1f3f956d9b09" alt="Router&#x27;s graphical user interface (GUI) showing configuration of a static route."><figcaption><p>Setting up the new static route</p></figcaption></figure></div>
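The CLI equivalent of Steps 2 to 4, as an added example that is not part of the original GoodAccess guide. It uses the Default preset values from Step 1 and the example subnets from Step 2, and assumes `wan1` as the Internet-facing interface, `internal` as the LAN interface, `203.0.113.10` as the GoodAccess Gateway IP and a placeholder pre-shared key; replace all of these with your own values. It also adds the two firewall policies that the GUI steps above do not mention: FortiGate drops all traffic entering or leaving the tunnel interface until a policy permits it.

```fortios
# Added example: FortiOS CLI equivalent of Steps 2-4 for the GoodAccess Default preset.
# Assumptions (replace before use): wan1 = Internet-facing interface, internal = LAN
# interface, 203.0.113.10 = GoodAccess Gateway IP, psksecret = the Shared Secret from Step 1.

# Step 2 - local and remote address objects (subnets taken from the guide's examples)
config firewall address
    edit "GoodAccess-Local"
        set type subnet
        set subnet 131.31.231.0 255.255.255.0
    next
    edit "GoodAccess-Remote"
        set type subnet
        set subnet 124.24.0.0 255.255.252.0
    next
end

# Step 3 - Phase 1: IKEv2, PSK, aes256/sha256, DH group 16, 8 h lifetime, DPD every 30 s
config vpn ipsec phase1-interface
    edit "GoodAccess"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set peertype any
        set proposal aes256-sha256
        set dhgrp 16
        set keylife 28800
        set dpd on-idle
        set dpd-retryinterval 30
        set nattraversal enable
        set add-route enable
        set auto-discovery-sender disable
        set auto-discovery-receiver disable
        set exchange-interface-ip disable
        set net-device enable
        set psksecret "REPLACE-WITH-SHARED-SECRET"
    next
end

# Step 3 - Phase 2: same proposal, PFS with DH group 16 (how the Phase 2 group is set on
# FortiGate), 1 h lifetime, selectors bound to the named addresses from Step 2
config vpn ipsec phase2-interface
    edit "GoodAccess-P2"
        set phase1name "GoodAccess"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 16
        set keylifeseconds 3600
        set src-addr-type name
        set src-name "GoodAccess-Local"
        set dst-addr-type name
        set dst-name "GoodAccess-Remote"
        set auto-negotiate enable
    next
end

# Step 4 - static route for the GoodAccess Gateway subnet via the tunnel interface
config router static
    edit 0
        set dst 124.24.0.0 255.255.252.0
        set device "GoodAccess"
    next
end

# Not covered by the GUI steps above: firewall policies in both directions. They are scoped
# to the two address objects; narrow "service ALL" to what the branch actually needs.
config firewall policy
    edit 0
        set name "GoodAccess-to-LAN"
        set srcintf "GoodAccess"
        set dstintf "internal"
        set srcaddr "GoodAccess-Remote"
        set dstaddr "GoodAccess-Local"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "LAN-to-GoodAccess"
        set srcintf "internal"
        set dstintf "GoodAccess"
        set srcaddr "GoodAccess-Local"
        set dstaddr "GoodAccess-Remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After applying it, `diagnose vpn ike gateway list` shows whether Phase 1 (the IKE SA) is up and `diagnose vpn tunnel list` shows the Phase 2 selectors and SAs. If Phase 1 is up but Phase 2 is not, compare the selector subnets and the PFS group on both sides first; those are the values most often left out when the GUI wizard is used.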

You have now successfully connected your device to GoodAccess.

{% hint style="warning" %}
**Firewall rules**

Make sure that your device, and any firewall in front of it, allows incoming IKE traffic from your **GoodAccess Gateway** (the Remote Gateway IP address used in Step 3) on the following ports:

* **UDP 500** (IKE)
* **UDP 4500** (IKE and ESP with NAT traversal)

If NAT traversal is not in use, ESP (IP protocol 50) must be allowed as well.
{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **FortiGate:** Go to **Monitor > IPSec Monitor**. From the CLI, `diagnose vpn ike gateway list` shows the Phase 1 (IKE) state and `diagnose vpn tunnel list` shows the Phase 2 selectors and SAs.
{% endhint %}
