Connecting several branches: VPN Site-to-Site
Site-to-site VPN is a VPN connection known as a point-to-point connection. During inter-network communication, two peers communicate directly. Site-to-site VPN provides transparent communication between two networks located in different offices.
A secure site-to-site VPN tunnel lets you establish protected connections between several private networks of remote branches or departments. Using FortiGate solutions, you can configure an IPsec VPN between your infrastructure in Selectel data centers and a cloud or office where other infrastructure and employee workstations are located. For information on the advantages of a hardware solution, read more on our website.
IPsec is a suite of protocols used to authenticate and encrypt traffic between two peers. The three most commonly used protocols in the suite are:
- Internet Key Exchange (IKE) — performs the "handshake", tunnel maintenance, and disconnection;
- Encapsulation Security Payload (ESP) — provides data integrity and encryption;
- Authentication Header (AH) — offers data integrity only, but not encryption.
FortiGate uses only ESP for payload transmission. AH is not used by FortiGate.
IKE (Internet Key Exchange) is the standard protocol in the IPsec suite that sets up secure interaction in a VPN, i.e., IKE establishes the IPsec VPN tunnel. For the protocols within IPsec to protect transmitted data, IKE first establishes a logical connection between the two endpoints, a Security Association (SA). An SA defines the authentication, keys, and settings that will be used to encrypt and decrypt packets.
IKE defines two phases, Phase 1 and Phase 2:
- Phase 1: negotiation of the parameters for secure data exchange, which occurs when each tunnel endpoint connects and begins configuring the VPN. During Phase 1, the peers authenticate each other and agree on the parameters of a special channel used only to exchange information about the desired encryption algorithms and other details of the future IPsec tunnel, that is:
  - creating a single bidirectional IKE SA that defines the secure channel and carries the negotiation of settings;
  - a Diffie-Hellman key exchange, whose result is used in Phase 2;
  - authentication of both ends of the tunnel based on a pre-shared key or a digital signature (certificate).
- Once this secure channel and the shared keys have been established in Phase 1, Phase 2 begins, where the now-trusted peers agree on how to build the main tunnel for direct data transmission.
- Phase 2: negotiation of protection parameters for the traffic transmitted between the endpoints. Here security parameters are defined for two unidirectional IPsec SAs (not to be confused with the IKE SA). These are the Phase 2 SAs that ESP uses to carry data between the networks.
As a result, the participants have an encrypted tunnel whose parameters all of them accept, and the data streams that need protection are directed into it.
Encryption keys for the main tunnel are periodically updated (rekeyed): the participants use the channel established in Phase 1, go through Phase 2 again, and re-establish the SAs.
Each Phase 1 can have multiple Phase 2s, for example, if different encryption keys are required for each subnet whose traffic crosses the tunnel.
Once Phase 2 is complete, a VPN connection is established.
Configure a basic Site-to-site VPN between two FortiGates

This subsection covers the configuration of an IPsec VPN between two FortiGate firewalls.
To create a VPN tunnel on a firewall, you need:
- a configured external interface through which the devices will connect;
- an internal network;
- access to the FortiGate web interface.
Configure the Branch
- Go to the VPN → IPSec Wizard section. In the setup wizard, you will need to go through three steps: VPN Setup, Authentication and Policy & Routing.
- At the VPN Setup step, set Template Type to Site to Site.
- Set Remote Device Type to FortiGate.
- Set NAT Configuration to No NAT between sites.
- Click the Next button to continue the configuration.
- At the Authentication step, set Remote device to IP Address.
- In the Remote IP Address field, specify the external address of the other site.
- In Outgoing Interface, select the external interface (the example uses **wan(port1)**).
- Ensure that Authentication Method is set to Pre-shared key.
- Specify the key value in the Pre-shared Key field.
- Click the Next button to continue the configuration.
- At the Policy & Routing step, in Local Interface, select the internal interface (the example uses **lan(port2)**).
- The local subnet address will be automatically added to the Local subnets field.
- Specify the local subnet address of the other site in Remote Subnets.
- Set Internet Access to None.
After creating the VPN tunnel, a summary of the created objects will appear on the screen.
Configure the HQ
Configure the HQ FortiGate in the same way as the Branch in the previous section.
As a result:
- in the list of all IPsec VPN tunnels, a new tunnel, HQ to Branch, is displayed with the status Up;
- in the interface list, a new tunnel interface appears nested under the external interface through which the connection passes.
A user in any of the office networks will be able to connect transparently to any address in the other office network.
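The wizard steps above create several objects at once: a Phase 1 definition (the IKE SA), a Phase 2 definition (the IPsec SAs), address objects, a static route into the tunnel interface, and firewall policies in both directions. The block below is an added example written for this article, not configuration taken from the page or from Fortinet: it shows the same objects for the HQ side as FortiOS CLI, so that the mapping between the IKE phases described earlier and the configuration is visible. Interface names follow the page (port1 as WAN, port2 as LAN), the internal subnets 192.168.200.0/24 (HQ) and 192.168.100.0/24 (Branch) are inferred from the ping test on the page, and the public addresses 203.0.113.10 / 203.0.113.20, the tunnel name `HQ-to-Branch` and the PSK placeholder are assumptions. Lines starting with `#` are explanatory comments.

```text
# Added example, not the page's or Fortinet's own configuration.
# HQ FortiGate: port1 = WAN (203.0.113.10, assumed), port2 = LAN 192.168.200.0/24.
# Branch FortiGate: WAN 203.0.113.20 (assumed), LAN 192.168.100.0/24.

# Phase 1: the single bidirectional IKE SA. Pre-shared key authentication,
# Diffie-Hellman group 14 for the key exchange, IKEv2. 'proposal' lists the
# encryption/integrity pairs offered for the IKE SA itself.
config vpn ipsec phase1-interface
    edit "HQ-to-Branch"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.20
        set psksecret "REPLACE-WITH-A-LONG-RANDOM-PSK"
    next
end

# Phase 2: the IPsec SAs that ESP uses. The selectors limit which traffic may
# enter the tunnel; 'pfs' forces a fresh DH exchange at every rekey, and
# 'keylifeseconds' is the rekey interval. A second entry with the same
# phase1name and other selectors would add another pair of SAs under the same
# Phase 1, as the text describes.
config vpn ipsec phase2-interface
    edit "HQ-to-Branch"
        set phase1name "HQ-to-Branch"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set keylifeseconds 3600
        set src-subnet 192.168.200.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
end

# Address objects referenced by the policies.
config firewall address
    edit "HQ_local"
        set subnet 192.168.200.0 255.255.255.0
    next
    edit "Branch_remote"
        set subnet 192.168.100.0 255.255.255.0
    next
end

# Route the remote subnet into the tunnel interface. The blackhole route with a
# high distance keeps branch-bound traffic from leaving the WAN unencrypted
# while the tunnel is down.
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "HQ-to-Branch"
    next
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# Policies in both directions, no NAT, scoped to the two subnets rather than "all".
config firewall policy
    edit 0
        set name "HQ-to-Branch-out"
        set srcintf "port2"
        set dstintf "HQ-to-Branch"
        set srcaddr "HQ_local"
        set dstaddr "Branch_remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Branch-to-HQ-in"
        set srcintf "HQ-to-Branch"
        set dstintf "port2"
        set srcaddr "Branch_remote"
        set dstaddr "HQ_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The Branch side is the mirror image: `remote-gw` points at the HQ address, `src-subnet`/`dst-subnet`, the static route and the address objects swap the two subnets, and the PSK must match exactly on both peers. Keep `service "ALL"` only if the sites genuinely need unrestricted reachability; narrowing the policies to the required services is the usual next hardening step.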
If you need to generate traffic to test the connection, send an echo request to the internal interface of the Branch FortiGate from the HQ internal network. To do this, set the HQ internal interface address as the source for the ping in the CLI:

```text
HQ # exec ping-options source 192.168.200.2
HQ # exec ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2): 56 data bytes
64 bytes from 192.168.100.2: icmp_seq=0 ttl=255 time=0.6 ms
64 bytes from 192.168.100.2: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.100.2: icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from 192.168.100.2: icmp_seq=4 ttl=255 time=0.6 ms
--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.6 ms
```
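A successful ping shows that traffic crosses the tunnel but not which SAs were negotiated. The commands below are an added example, not part of the original article, and use FortiOS CLI commands that exist on FortiGate; they let you confirm the Phase 1 and Phase 2 state described earlier on either peer. The comments (lines starting with `#`) say what to look for.

```text
# Added example, not from the page. Run on the HQ or Branch FortiGate.

# Phase 1: one IKE SA per peer. Check that the tunnel name, the remote gateway
# address and the negotiated IKE version match what was configured.
diagnose vpn ike gateway list

# Phase 2: the IPsec SAs. Each Phase 2 selector is listed with its src/dst
# subnets and two SPIs, one marked 'enc' and one marked 'dec'. Those are the
# two unidirectional ESP SAs the text describes; a Phase 2 entry with no SPIs
# has not been negotiated yet.
diagnose vpn tunnel list

# Per-tunnel summary: up/down status and the number of selectors.
get vpn ipsec tunnel summary

# If the tunnel stays down, trace the IKE negotiation while repeating the ping.
# Proposal, DH group or pre-shared key mismatches are reported in this output.
diagnose debug application ike -1
diagnose debug enable
# ... reproduce the problem, then stop the trace:
diagnose debug disable
diagnose debug reset
```

Rekeying can also be observed here: after the Phase 2 lifetime expires, the SPIs in `diagnose vpn tunnel list` change while the Phase 1 gateway entry remains, which matches the rekey behaviour described above.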