How to Set up Site-to-Site VPN on FortiGate Firewall

Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

Configuring the tunnel at the FortiGate Management Interface

  1. Open the FortiGate Management Interface
  2. In the left panel, select VPN, then IPsec Tunnels, and select Create New
01 Setting up site-to-site on FortiGate.png
  1. In the VPN Creation Wizard window set the Name to NordLayer (or any other name you desire), the Template Type to Custom tab, and select Next
02 Setting up site-to-site on FortiGate.png
  1. Fill in the following information:

Network Section:

  • IP Version: IPv4
  • Remote Gateway: Static IP Address
  • IP Address: Insert the IP of your NordLayer dedicated server
  • Interface: select your WAN interface
  • Mode Config: unchecked
  • NAT Traversal: Disable
  • Dead Peer Detection: On-Demand

Authentication section:

  • Method: Pre-shared Key
  • Pre-shared Key: Insert the generated Shared Key (we will also need this value on our end)
  • IKE Version: 2
  • Mode: Main (ID protection)

Phase 1 Proposal section:

  • Encryption: AES256
  • Authentication: SHA256
  • Diffie-Hellman Group: 14
  • Key Lifetime (seconds): 3600
  • Local ID: leave blank
  • XAUTH Section: leave disabled

Phase 2 Selectors (+Advanced) section:

  • Name: NordLayer
  • Local Address: Your Local network Subnet
  • Remote Address: 10.6.0.0
  • Enable Replay Detection: Checked
  • Enable Perfect Forward Secrecy (PFS): Checked
  • Diffie-Hellman Group: 14
  • Encryption: AES256
  • Authentication: SHA256
  • Local Port:¬†Checked
  • Remote Port: Checked
  • Protocol: Checked
  • Key Lifetime: Seconds
  • Seconds: 28800

Configuring firewall and static routing

It is necessary to add static routes from the NordLayer subnet (10.6.0.0/20) to the local network and from the local network to the NordLayer subnet (10.6.0.0/20) to the local network through the VPN tunnel gateway.

03 Setting up site-to-site on FortiGate.png
  1. Go to Network -> Routing -> Static Routes -> Create new -> Route
04 Setting up site-to-site on FortiGate.png
  1. Set Destination to 10.6.0.0/20 and the Device: NordLayer (or any other name you chose for the tunnel)
  2. Select OK
  3. It is necessary to add firewall rules to allow traffic from the NordLayer subnet (10.6.0.0/20) to your local network or services you desire
  4. Go to Policy & Objects -> IPv4 Policy and select Create New
  5. Fill in the following information:
  • Name: NordLayer
  • Incoming Interface: NordLayer
  • Outgoing Interface: Your local network object
  • Source: All
  • Destination: All
  • Schedule: Always
  • Service: All
  • NAT: Disabled

If any additional settings appear, leave them in their default status.

  1. Select OK

Make sure the tunnel is up

At the FortiGate Management Interface, go to VPN -> IPSec Tunnels. If the tunnel is up the line will appear in the table:

05 Setting up site-to-site on FortiGate.png

Ending note:

In order to finalize the site-to-site setup on our end, please provide these values via Site-to-site request from in the NordLayer Control Panel:

  • Pre-shared key – you can generate it or we can provide it
  • Encryption¬† details (AES, SHA and DH group) – AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Ref: Setting up site-to-site on FortiGate – Site-to-site on-premises resources (nordlayer.com)