
FortiGate

This guide will show you how to connect your FortiGate device to the GoodAccess Gateway via a site-to-site connection using the IPsec protocol.

Step 1 - Creating a new branch connection

Click + Add new, enter the Branch name and subnet, and select Gateway.
Choose IPSec Protocol, fill out the Settings configuration form, and click Save.
You may return to the configuration via the Edit button of your Branch at any time.

Step 2 - Creating new addresses

Log in to your FortiGate device, and go to Policy & Objects > Addresses. Click Create New and select Address.
You have to create two addresses, one local and one remote.
Give each address a name and set the configuration as follows:
Router's graphical user interface (GUI) with arrows highlighting key steps to creating a new address.
Creating a new address

Local Address

  • Type - Subnet
  • IP/Netmask - Subnet of FortiGate's local network and mask (e.g. 131.31.231.0/255.255.255.0)
  • Interface - Optional
Router's graphical user interface (GUI) showing configuration of the local address.
Creating a local address
Click OK to confirm your settings.

Remote Address

  • Type - Subnet
  • IP/Netmask - Subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0)
  • Interface - Optional
Router's graphical user interface (GUI) showing configuration of the remote address.
Creating a remote address
Click OK to confirm your settings.

Step 3 - Creating a new IPSec tunnel

Go to VPN > IPsec Tunnels. Click Create New and select IPSec Tunnel.
Give the tunnel a name, select Custom, and click Next.
Edit all the sections as follows:
Router's graphical user interface (GUI) with arrows highlighting key steps to creating a new IPSec tunnel.
Creating a new IPSec tunnel
Router's graphical user interface (GUI) showing first step of the VPN Creation Wizard.
Naming a new IPSec tunnel
Router's graphical user interface (GUI) with arrows highlighting key steps to configuring an IPSec tunnel.
Setting up a new IPSec tunnel

Network

  • Remote Gateway - Static IP Address
  • IP Address - IP of your GoodAccess Gateway
  • Interface - WAN (depends on your site)
  • NAT Traversal - Optional
  • Dead Peer Detection - Optional
  • Advanced:
    1. Add route - Enabled
    2. Auto discovery sender - Disabled
    3. Auto discovery receiver - Disabled
    4. Exchange interface IP - Disabled
    5. Device creation - Enabled
Router's graphical user interface (GUI) showing configuration for the Network section of an IPSec tunnel.
Setting up the network section of an IPSec tunnel

Authentication

  • Method - Pre-shared Key
  • Pre-shared Key - Shared Secret from GoodAccess (Step 1)
  • IKE Version - 2
Router's graphical user interface (GUI) showing configuration for the Authentication section of an IPSec tunnel.
Setting up the authentication section of an IPSec tunnel

Phase 1

The Phase 1 settings must match the configuration from GoodAccess (Step 1).
Router's graphical user interface (GUI) showing configuration for the Phase I section of an IPSec tunnel.
Setting up the Phase I section of an IPSec tunnel

Phase 2

The Phase 2 settings must match the configuration from GoodAccess (Step 1).
  • Local/Remote Address - Select Named Address, and choose Local/Remote Address (Step 2)
Router's graphical user interface (GUI) showing configuration for the Phase II section of an IPSec tunnel.
Setting up the Phase II section of an IPSec tunnel
Click OK to confirm your settings.

Step 4 - Creating a new static route

Go to Network > Static Routes and click Create New.
Set the Destination as Subnet and enter the subnet of your GoodAccess Gateway and mask (e.g. 124.24.0.0/255.255.252.0).
Click OK to confirm your settings.
Router's graphical user interface (GUI) with arrows highlighting key steps to creating a new static route.
Creating a new static route
Router's graphical user interface (GUI) showing configuration of a static route.
Setting up the new static route

Step 5 - Creating a new firewall policy

Go to Policy & Objects > Firewall Policy and click Create New.
Give the policy a name and set the configuration as follows:
  • Incoming Interface - IPSec Tunnel
  • Outgoing Interface - LAN (depends on your site)
  • Source - Remote Address
  • Destination - Local Address
  • Schedule and Service - Optional
  • Action - ACCEPT
  • Inspection Mode - Flow-based
Click OK to confirm your settings.
Router's graphical user interface (GUI) showing configuration of a firewall policy.
Creating a new firewall policy
You have now successfully connected your device to GoodAccess.
You may check the status of the connection in:
  • GoodAccess - Control Panel > Clouds & Branches > Edit button > Test connection
  • FortiGate - Monitor > IPSec Monitor
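
The script below is an added example, not part of the GoodAccess guide or of either vendor's tooling: it checks the values used in Steps 2 to 5 for the inconsistencies the guide asks you to avoid (subnets in FortiGate's IP/Netmask notation, the static route destination, and Phase 1/Phase 2 settings that must match Step 1). The subnets are the guide's own examples; the proposal field names and values are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data. The subnets are the examples from this guide; the
# proposal field names and values are assumptions, not vendor identifiers.
PROPOSAL = {"encryption": "AES256", "integrity": "SHA256", "dh_group": 14}
GOODACCESS = {"ike_version": 2,
              "phase1": dict(PROPOSAL, lifetime=28800),
              "phase2": dict(PROPOSAL, lifetime=3600)}
FORTIGATE = {"ike_version": 2,
             "phase1": dict(PROPOSAL, lifetime=28800),
             "phase2": dict(PROPOSAL, lifetime=3600),
             "local_address": "131.31.231.0/255.255.255.0",
             "remote_address": "124.24.0.0/255.255.252.0",
             "static_route": "124.24.0.0/255.255.252.0"}


def parse_subnet(text):
    """Parse 'IP/Netmask' as typed into FortiGate; host bits must be zero."""
    return ipaddress.ip_network(text, strict=True)


def preflight(goodaccess, fortigate):
    """Return a list of inconsistencies to fix before entering Steps 2 to 5."""
    problems, nets = [], {}
    for key in ("local_address", "remote_address", "static_route"):
        try:
            nets[key] = parse_subnet(fortigate[key])
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    if len(nets) == 3:
        # Overlapping subnets leave no unambiguous route across the tunnel.
        if nets["local_address"].overlaps(nets["remote_address"]):
            problems.append("local and remote subnets overlap")
        # Step 4's destination is the same subnet as Step 2's Remote Address.
        if nets["static_route"] != nets["remote_address"]:
            problems.append("static route differs from remote address")
    if goodaccess["ike_version"] != fortigate["ike_version"]:
        problems.append("ike_version differs between the two sides")
    for phase in ("phase1", "phase2"):
        ga, fg = goodaccess[phase], fortigate[phase]
        for field in sorted(set(ga) | set(fg)):
            if ga.get(field) != fg.get(field):
                problems.append(f"{phase}.{field}: GoodAccess={ga.get(field)!r}, "
                                f"FortiGate={fg.get(field)!r}")
    return problems


if __name__ == "__main__":
    for line in preflight(GOODACCESS, FORTIGATE) or ["no problems found"]:
        print(line)
```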
Last modified 4mo ago