
4/16/2017 Site­to­site IPsec VPN with two FortiGates ­ Fortinet Cookbook


Site-to-site IPsec VPN with two FortiGates
Posted on January 27, 2016 by Adam Bristow


In this example, you will allow transparent communication between two networks that are located
behind different FortiGates at different offices using route-based IPsec VPN. The VPN will be created
on both FortiGates by using the VPN Wizard’s Site to Site – FortiGate template.

In this example, one office will be referred to as HQ and the other will be referred to as Branch.

http://cookbook.fortinet.com/site­to­site­ipsec­vpn­with­two­fortigates­5­4/ 1/5

1. Configuring the HQ IPsec VPN

On the HQ FortiGate, go to VPN > IPsec Wizard.

Select the Site to Site template, and select FortiGate.

In the Authentication step, set IP Address to the IP of the Branch
FortiGate (in the example, 172.20.120.135). After you enter the gateway, an
available interface will be assigned as the Outgoing Interface. If you wish to
use a different interface, select it from the drop-down menu.

Set a secure Pre-shared Key.

In the Policy & Routing step, set the Local Interface. The Local Subnets will
be added automatically. Set Remote Subnets to the Branch FortiGate’s local
subnet (in the example, 5.5.5.5/24).

A summary page shows the configuration created by the wizard, including
firewall addresses, firewall address groups, a static route, and security
policies.

2. Configuring the Branch IPsec VPN

On the Branch FortiGate, go to VPN > IPsec Wizard.

Select the Site to Site template, and select FortiGate.

In the Authentication step, set IP Address to the IP of the HQ FortiGate (in
the example, 172.20.121.92). After you enter the gateway, an available
interface will be assigned as the Outgoing Interface. If you wish to use a
different interface, select Change.

Set the same Pre-shared Key that was used for HQ’s VPN.


In the Policy & Routing step, set the Local Interface. The Local Subnets will
be added automatically. Set Remote Subnets to the HQ FortiGate’s local
subnet (in the example, 10.10.10.1/24).

A summary page shows the configuration created by the wizard, including
firewall addresses, firewall address groups, a static route, and security
policies.

3. Results

On either FortiGate, go to Monitor > IPsec Monitor to verify the status of
the VPN tunnel. Right-click under Status and select Bring Up.

A user on either of the office networks should be able to connect to any address on the other
office network transparently.

If you need to generate traffic to test the connection, ping the Branch FortiGate’s internal
interface from the HQ’s internal network.
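Both wizard runs must mirror each other: each side's gateway address is the other FortiGate, each side's Remote Subnets are the other side's Local Subnets, and the Pre-shared Key is identical. The following pre-deployment check is an added example, not part of the Fortinet recipe; the `Site` class, `check_pair`, the 16-character key minimum and the key string are assumptions made for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass

@dataclass
class Site:
    name: str
    wan_ip: str           # this FortiGate's own outside address
    remote_gw: str        # "IP Address" entered in the Authentication step
    local_subnets: list   # Local Subnets from the Policy & Routing step
    remote_subnets: list  # Remote Subnets from the Policy & Routing step
    psk: str

def _nets(cidrs):
    # strict=False accepts host-style entries such as 5.5.5.5/24 and
    # normalizes them to the containing network (5.5.5.0/24).
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}

def check_pair(a, b, min_psk_len=16):  # min_psk_len is an assumed policy value
    problems = []
    for x, y in ((a, b), (b, a)):
        if ipaddress.ip_address(x.remote_gw) != ipaddress.ip_address(y.wan_ip):
            problems.append(f"{x.name}: gateway {x.remote_gw} is not {y.name} ({y.wan_ip})")
        if _nets(x.remote_subnets) != _nets(y.local_subnets):
            problems.append(f"{x.name}: Remote Subnets differ from {y.name}'s Local Subnets")
    # Overlapping local ranges cannot be routed across the tunnel unambiguously.
    for la in _nets(a.local_subnets):
        for lb in _nets(b.local_subnets):
            if la.overlaps(lb):
                problems.append(f"local subnets overlap: {la} and {lb}")
    if not hmac.compare_digest(a.psk.encode(), b.psk.encode()):
        problems.append("pre-shared keys differ")
    elif len(a.psk) < min_psk_len:
        problems.append(f"pre-shared key shorter than {min_psk_len} characters")
    return problems

# Addresses are the recipe's example values; the key is a constructed placeholder.
PSK = "constructed-example-psk-0001"
HQ = Site("HQ", "172.20.121.92", "172.20.120.135",
          ["10.10.10.1/24"], ["5.5.5.5/24"], PSK)
BRANCH = Site("Branch", "172.20.120.135", "172.20.121.92",
              ["5.5.5.5/24"], ["10.10.10.1/24"], PSK)

if __name__ == "__main__":
    for line in check_pair(HQ, BRANCH) or ["settings are mirrored"]:
        print(line)
```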


Adam Bristow
Technical Writer at Fortinet

Adam Bristow is a Technical Writer working for the FortiOS technical documentation team.
He has an Honours Bachelor of Arts in English and Minor in Film Studies and a graduate
certificate in Technical Writing from Algonquin College. Stay tuned for more FortiOS
Cookbook videos!


4 Comments on "Site-to-site IPsec VPN with two FortiGates"


Darren Asher Haun

How to do a redundant ISP at home office with remote fortigates (Single ISP). I
have redundant ISP at office, (Different IP networks) and remote clients. How do
you configure the remote FG devices to use multiple IP to lookup and connect to
Home Office?

March 6, 2017 10:40 pm

Hakim Mani

Hi, will site-to-site vpn work with older fortios like v4?

December 14, 2016 10:20 am

Kristian Villapando

Hi, will site-to-site ipsec vpn work with different fortiOS? 5.4.1 and 5.2.5?

September 14, 2016 12:29 am

Keith Leroux

Hi Kristian,
Yes it will, and the procedure is nearly identical for both releases.

September 14, 2016 10:09 am
