Skip to main content
Connect multiple branch offices: VPN Site-to-Site
Last update:

Connect multiple branch offices: VPN Site-to-Site

A site-to-site VPN is a VPN connection known as a point-to-point connection. In a point-to-point interconnection, two peer hosts communicate directly. A site-to-site VPN provides transparent communication between two networks located in different offices.

A secure site-to-site VPN tunnel allows you to establish secure connections between multiple private networks of remote branch offices or departments. With FortiGate solutions, you can set up an IPsec VPN between your infrastructure in Selectel data centers and the cloud or office where other infrastructure and employee workstations are located. Read about the benefits of a hardware solution at site.

IPsec is a set of protocols that is used to authenticate and encrypt traffic between two peer nodes. The three most commonly used protocols in the suite:

  • Internet Key Exchange (IKE) — Performs "handshake," tunnel maintenance, and disconnection;
  • Encapsulation Security Payload (ESP) — Ensures data integrity and encryption;
  • Authentication Header (AH) — Offers only data integrity, not encryption.

The FortiGate unit uses only ESP to transmit the packet payload. AH is not used by the FortiGate unit.

IKE (The Internet Key Exchange)* — is the standard protocol of the IPsec protocol suite used to secure VPN communications, i.e., IKE establishes an IPsec VPN tunnel.In order for the protocols within IPsec to do their job of protecting the data being transmitted, the IKE protocol establishes a logical connection between the two endpoints — a Security Association (SA). The SA defines the authentication, keys, and settings that will be used to encrypt and decrypt packets.

* IKE defines two phases (Phase 1 and Phase 2):

  • Phase 1 — Agree on the parameters for securely sharing configuration data, which is what happens when each tunnel endpoint connects and begins to configure the VPN. During Phase 1, the participants authenticate each other and agree on the parameters for setting up a special channel needed only to exchange information about the desired encryption algorithms and other details of the future IPsec tunnel, that is:

    • creating a single bidirectional IKE SA to define a secure channel and negotiate settings;
    • Diffie-Hellman algorithm key exchange to be used in Phase 2;
    • authentication of both ends of the tunnel based on a Pre-Shared Key or digital signature (certificate);
  • Once Phase 1 has established a somewhat secure channel and private keys, Phase 2 begins, where trusted participants agree on how to build the main tunnel to transmit data directly;

  • Phase 2 — negotiate the security parameters of the transmitted traffic between endpoints, negotiating the security parameters for two unidirectional IPsec SAs — not to be confused with IKE SAs. These are the SAs for Phase 2 that ESP already uses to transfer data between networks.

Thus, the participants have obtained an encrypted tunnel with set parameters that they are all satisfied with, and direct the data streams to be encrypted there.

The encryption keys for the main tunnel are periodically updated: participants reconnect to the tunnel established in Phase 1, then go through Phase 2 and reestablish SA.

Each Phase 1 can have multiple Phase 2s, for example, if it is required to use different encryption keys for each subnet whose traffic crosses the tunnel.

When Phase 2 is complete, a VPN connection is established.

To configure a basic site-to-site VPN between two FortiGates

This subsection will cover configuring an IPsec VPN between two FortiGate firewalls.

To create a VPN tunnel on the firewall requires:

  • availability of a configured external interface through which devices will be connected;
  • internal network;
  • Access to the FortiGate web interface.

Customize Brunch

  1. Go to the section VPNIPSec Wizard. There are three steps to go through in the setup wizard: VPN Setup, Authentication, and Policy & Routing.
  2. At the stage VPN Setup set Template Type meaning Site to Site.
  3. Set Remote Device Type meaning FortiGate
  4. Set NAT Configuration meaning No NAT between sites.
  5. Press the button Next to continue with the setting.
  6. At the stage Authentication set Remote device meaning IP Address.
  7. In the field Remote IP Address specify the external address of the other site.
  8. In Outgoing Interface select the external interface (the example uses wan(port1)).
  9. Make sure that in the Authentication Method selected value Pre-shared key.
  10. Specify the key value in the field Pre-shared Key.
  11. Press the button Next to continue with the setting.
  12. At the stage Policy & Routing In Local Interface select the internal interface (the example uses lan(port2)).
  13. The local subnet address will automatically be added to the field Local subnets.
  14. Indicate in Remote Subnets the local subnet address of the other site.
  15. Set Internet Access meaning None.

After the VPN tunnel is created, a summary of the created objects will appear on the screen.

Customize HQ

Make the settings similar to the previous section.

The result:

  • The new tunnel will appear in the list of all IPsec VPN tunnels. HQ to Brunch status Up;
  • in the list of interfaces — a new interface under the external interface through which the connection passes.

A user on either office network will be able to transparently connect to any address on the other office network.

If you need to generate traffic to test the connection, send an echo request to the FortiGate Branch internal interface from the internal HQ network. To do this, set the internal interface for the ping operation in the CLI as the source:

HQ # exec ping-options source 192.168.200.2

HQ # exec ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2): 56 data bytes
64 bytes from 192.168.100.2: icmp_seq=0 ttl=255 time=0.6 ms
64 bytes from 192.168.100.2: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.100.2: icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from 192.168.100.2: icmp_seq=4 ttl=255 time=0.6 ms

--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.6 ms