FortiGate
This guide will show you how to connect your FortiGate device to the GoodAccess Gateway via a site-to-site connection using the IPSec protocol.
Step 1 - Creating a new branch connection
Log in to the GoodAccess Control Panel, and go to Network > Clouds & Branches.
Click + Add new, enter the Branch name and subnet, and select Gateway.
Choose IPSec Protocol, fill out the Settings configuration form, and click Save.
You may return to the configuration via the Edit button of your Branch at any time.
Example of configuration (Default preset):
Cloud/Branch subnet - Subnet of your local network
Shared Secret - Create a new strong password
Public IP - IP of your FortiGate
IKE Lifetime (Phase 1) - 8 hours (28800 seconds)
Tunnel Lifetime (Phase 2) - 1 hour (3600 seconds)
Dead Peer Detection Delay - 30 seconds
Encryption (Phase 1) - aes256
Encryption (Phase 2) - aes256
Integrity (Phase 1) - sha256
Integrity (Phase 2) - sha256
Diffie-Hellman Groups (Phase 1) - 16 - modp4096
Diffie-Hellman Groups (Phase 2) - 16 - modp4096
Step 2 - Creating new addresses
Log in to your FortiGate device, and go to Policy & Objects > Addresses. Click Create New and select Address.
Give the address a name and set the configuration as follows:
You have to create two Addresses - local and remote.
Local Address
Type - Subnet
IP/Netmask - Subnet of FortiGate's local network and mask (e.g. 131.31.231.0/255.255.255.0)
Interface - Optional
Click OK to confirm your settings.
Remote Address
Type - Subnet
IP/Netmask - Subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0)
Interface - Optional
Click OK to confirm your settings.
Step 3 - Creating a new IPSec tunnel
Go to VPN > IPsec Tunnels. Click Create New and select IPSec Tunnel.
Give the tunnel a name, select Custom, and click Next.
Edit all the sections as follows:
Network
Remote Gateway - Static IP Address
IP Address - IP of your GoodAccess Gateway
Interface - WAN (depends on your site)
NAT Traversal - Optional
Dead Peer Detection - Optional
Advanced:
Add route - Enabled
Auto discovery sender - Disabled
Auto discovery receiver - Disabled
Exchange interface IP - Disabled
Device creation - Enabled
Authentication
Method - Pre-shared Key
Pre-shared Key - Shared Secret from GoodAccess (Step 1)
IKE Version - 2
Phase 1
Must match configuration from GoodAccess (Step 1).
Phase 2
Must match configuration from GoodAccess (Step 1).
Local/Remote Address - Select Named Address, and choose Local/Remote Address (Step 2)
Click OK to confirm your settings.
Step 4 - Creating a new static route
Go to Network > Static Routes and click Create New.
Set the Destination as Subnet and enter the subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0).
Click OK to confirm your settings.
Step 5 - Creating a new firewall policy
Go to Policy & Objects > Firewall Policy and click Create New.
Give the policy a name and set the configuration as follows:
Incoming Interface - IPSec Tunnel
Outgoing Interface - LAN (depends on your site)
Source - Remote Address
Destination - Local Address
Schedule and Service - Optional
Action - ACCEPT
Inspection Mode - Flow-based
Click OK to confirm your settings.
You have now successfully connected your device to GoodAccess.
You may check the status of the connection in:
GoodAccess - Control Panel > Clouds & Branches > Edit button > Test connection
FortiGate - Monitor > IPSec Monitor