Let’s look at the topology and work on setting up site-to-site VPN between 2 different firewall vendors.

FortiGate – 

VPN -> IPsec Tunnels -> Custom

Assumption is that all the necessary interface IP addressing has been already done on both firewalls.

Enter Peer IP address-

Enter the Phase-1 attributes (authentication method, encryption algorithm, authentication/hash algorithm).

For lab purposes we will use the below attributes.

NOTE- In a production network, these parameters will be much more locked down.

Once all the security parameters have been entered, the tunnel will be created.

Next we will create a Static Route.

Network -> Static Routes -> Create New

NOTE – A virtual interface is created by the FortiGate once the tunnel is created; in our case it is named VPN-to-Site2, and that is the interface we will use for the static route.

Next we will create two firewall policies (incoming and outgoing); in some cases only one policy is needed.

Policy & Objects -> Firewall Policy.

The incoming/outgoing policies will be created.

We are all finished with the FortiGate side.

Palo Alto-

After the LAN and WAN interfaces have been configured, we will also create a Tunnel Interface and assign it to the external (WAN) Zone.

Network -> Interfaces -> Tunnel -> Add

We will also add the Tunnel interface to the External Zone.

Network -> Zones -> Add, or edit the existing External Zone.

Create a Static Route for the VPN Tunnel.

Network -> Virtual Routers -> Default -> Static Routes -> Add

The next step is to create a security policy that allows the incoming/outgoing traffic from the necessary interfaces.

Policies -> Security -> Add

We will keep everything default for our lab purposes.

Now we will start working on the VPN parameters.

Start with Phase-1 Profile-

Network -> IKE Crypto -> Add

These parameters have to match exactly what was configured on the FortiGate side.
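A mismatched proposal is the usual reason Phase-1 never comes up, and the lab note above also warns that production profiles should be far more locked down. The following checker is an added example, not part of the original post or either vendor's tooling: it normalises a FortiGate phase-1 proposal and a Palo Alto IKE crypto profile onto one vocabulary (algorithm spellings follow each product's usual CLI names), reports whether the two sides can agree, and flags weak algorithms left in the agreed set. All sample values are constructed.

```python
"""Check that a FortiGate phase-1 proposal and a Palo Alto IKE crypto profile can
agree, and flag weak algorithms that survive into the agreed set."""
from dataclasses import dataclass

# Normalise each vendor's spelling onto one shared vocabulary.
FORTI_NAMES = {"des": "des", "3des": "3des", "aes128": "aes-128", "aes192": "aes-192",
               "aes256": "aes-256", "md5": "md5", "sha1": "sha1", "sha256": "sha256",
               "sha384": "sha384", "sha512": "sha512"}
PALO_NAMES = {"des": "des", "3des": "3des", "aes-128-cbc": "aes-128", "aes-192-cbc": "aes-192",
              "aes-256-cbc": "aes-256", "md5": "md5", "sha1": "sha1", "sha256": "sha256",
              "sha384": "sha384", "sha512": "sha512"}
# Algorithms a production profile should not offer at all.
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}

@dataclass(frozen=True)
class Proposal:
    enc: frozenset
    auth: frozenset
    dh: frozenset

def parse_fortigate(proposal: str, dhgrp: str) -> Proposal:
    """FortiGate CLI form: 'set proposal aes256-sha256 aes128-sha1' and 'set dhgrp 14 5'."""
    encs, auths = set(), set()
    for pair in proposal.split():
        enc, auth = pair.split("-", 1)          # e.g. 'aes256-sha256'
        encs.add(FORTI_NAMES[enc])
        auths.add(FORTI_NAMES[auth])
    return Proposal(frozenset(encs), frozenset(auths),
                    frozenset("group" + g for g in dhgrp.split()))

def parse_paloalto(encryption, authentication, dh_group) -> Proposal:
    """Palo Alto IKE crypto profile: three member lists, e.g. ['aes-256-cbc'], ['sha256'], ['group14']."""
    return Proposal(frozenset(PALO_NAMES[e] for e in encryption),
                    frozenset(PALO_NAMES[a] for a in authentication),
                    frozenset(dh_group))

def compare(forti: Proposal, palo: Proposal) -> dict:
    """Report whether IKE can negotiate and which weak algorithms remain on the table."""
    enc, auth, dh = forti.enc & palo.enc, forti.auth & palo.auth, forti.dh & palo.dh
    f_all, p_all = forti.enc | forti.auth | forti.dh, palo.enc | palo.auth | palo.dh
    return {
        "negotiable": bool(enc and auth and dh),
        "common": {"enc": sorted(enc), "auth": sorted(auth), "dh": sorted(dh)},
        "weak_in_common": sorted(WEAK & (enc | auth | dh)),
        # Anything offered by only one side is the usual cause of a stuck phase 1.
        "only_fortigate": sorted(f_all - p_all),
        "only_paloalto": sorted(p_all - f_all),
    }

if __name__ == "__main__":
    # Constructed lab values: FortiGate offers a strong and a legacy pair, Palo Alto only the strong one.
    fg = parse_fortigate("aes256-sha256 3des-sha1", "14 5")
    pa = parse_paloalto(["aes-256-cbc"], ["sha256"], ["group14"])
    print(compare(fg, pa))
```

The same comparison applies to the Phase-2 (IPSec Crypto) profiles, with the PFS group taking the place of the IKE DH group.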

Phase-2 Profile-

Network -> IPSec Crypto -> Add

IKE Gateway-

Network -> IKE Gateway -> Add

The last step is to create the IPsec Tunnel-

Network -> IPsec Tunnel -> Add

As we can see, the tunnels are up on both sides.

Time to run some tests from both LANs.

Spin up a lab and try it out.