Connect multiple branch offices: VPN Site-to-Site

Site-to-site VPN — a VPN connection of the point-to-point type: in internetworking terms, two peer nodes communicate directly. A site-to-site VPN provides transparent communication between two networks located in different offices.

A site-to-site VPN tunnel provides secure connections between the private networks of remote branch offices or departments. With FortiGate solutions, you can set up an IPsec VPN between your infrastructure in Selectel data centers and the cloud or office where your other infrastructure and employee workstations are located. Read about the benefits of the hardware solution on the website.

IPsec is a set of protocols that is used to authenticate and encrypt traffic between two peer nodes. The three most commonly used protocols in the set:

  • Internet Key Exchange (IKE) — Performs "handshake," tunnel maintenance, and disconnection;
  • Encapsulation Security Payload (ESP) — Ensures data integrity and encryption;
  • Authentication Header (AH) — Offers only data integrity, not encryption.

The FortiGate uses only ESP to transmit the packet payload. AH is not used by the FortiGate.

IKE (Internet Key Exchange) is the standard protocol of the IPsec suite used to secure communication in a VPN; in other words, IKE establishes the IPsec VPN tunnel. Before the other protocols within IPsec can protect the data being transmitted, IKE establishes a logical connection between the two endpoints — a Security Association (SA). The SA defines the authentication, keys, and settings that will be used to encrypt and decrypt packets.

IKE defines two phases (Phase 1 and Phase 2):

  • Phase 1 — negotiation of the parameters for a protected exchange of configuration data. This happens when each tunnel endpoint connects and begins to set up the VPN. During Phase 1, the participants authenticate each other and agree on the parameters of a special channel that is needed only to exchange information about the desired encryption algorithms and other details of the future IPsec tunnel, namely:

    • creating a single bidirectional IKE SA that defines the protected channel and is used to negotiate settings;
    • a Diffie-Hellman key exchange, whose keying material is also used in Phase 2;
    • authentication of both ends of the tunnel based on a pre-shared key or a digital signature (certificate).

    Once Phase 1 has established this protected channel and the shared secret keys, Phase 2 begins, in which the now-trusted participants agree on how to build the main tunnel that carries the data directly.

  • Phase 2 — negotiation of the security parameters for the traffic transmitted between the endpoints. Here the security parameters of two unidirectional IPsec SAs (not to be confused with the IKE SA) are negotiated. These are the Phase 2 SAs that ESP then uses to transfer data between the networks.

As a result, the participants have an encrypted tunnel whose parameters both sides have agreed on, and the data streams to be protected are directed into it.

The encryption keys for the main tunnel are periodically refreshed: the participants reuse the channel established in Phase 1, run Phase 2 again and re-establish the IPsec SAs.

Each Phase 1 can have multiple Phase 2s, for example, if it is required to use different encryption keys for each subnet whose traffic crosses the tunnel.

When Phase 2 is complete, a VPN connection is established.

To configure a basic site-to-site VPN between two FortiGate devices

This subsection will cover configuring an IPsec VPN between two FortiGate firewalls.

To create a VPN tunnel on the firewall, you need:

  • a configured external interface through which the devices will connect;
  • an internal network;
  • access to the FortiGate web interface.

Configure Branch

  1. Go to VPN > IPsec Wizard. The setup wizard has three steps: VPN Setup, Authentication, and Policy & Routing.
  2. In the VPN Setup step, set Template Type to Site to Site.
  3. Set Remote Device Type to FortiGate.
  4. Set NAT Configuration to No NAT between sites.
  5. Click Next to continue with the setup.
  6. In the Authentication step, set Remote device to IP Address.
  7. In the Remote IP Address field, enter the external address of the other site.
  8. In Outgoing Interface, select the external interface (the example uses wan(port1)).
  9. Make sure that Pre-shared key is selected in Authentication Method.
  10. Specify the key value in the Pre-shared Key field.
  11. Click Next to continue with the setup.
  12. In the Policy & Routing step, in Local Interface, select the internal interface (the example uses lan(port2)).
  13. The local subnet address will automatically be added to the Local subnets field.
  14. Specify the local subnet address of the other site in Remote Subnets.
  15. Set Internet Access to None.

After the VPN tunnel is created, a summary of the created objects will appear on the screen.

Configure HQ

Configure HQ in the same way as described in the previous section, with the Branch side as the remote peer.
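For reference, here is the CLI equivalent of what the wizard creates on the HQ side. This is an added example, not content from the Selectel page and not a configuration export from a real FortiGate. It serves both the explanation of the IKE phases above and the wizard steps: phase1-interface holds the IKE SA settings (peer, pre-shared key authentication, Diffie-Hellman group, IKE proposal), phase2-interface holds the pair of unidirectional IPsec SAs that ESP uses for the data, and the static route and two firewall policies correspond to the wizard's Policy & Routing step. Assumptions: the tunnel is named HQ_to_Branch; the Branch external address 203.0.113.2 is a constructed placeholder; the subnets 192.168.200.0/24 (HQ) and 192.168.100.0/24 (Branch) follow the addresses used in the ping test below; port1 and port2 follow the wan(port1) and lan(port2) names used in the wizard; and the proposal, DH group and lifetimes are reasonable choices rather than the wizard's exact defaults. Lines starting with # are explanatory comments.

```fortios
# Added example: FortiOS CLI equivalent of the wizard result on the HQ FortiGate.
# Not taken from the original page. Placeholder values are marked as such.

# Phase 1 = the IKE SA: remote peer, authentication (PSK), DH group, IKE proposal.
config vpn ipsec phase1-interface
    edit "HQ_to_Branch"
        set interface "port1"                 # external interface: wan(port1)
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14                          # Diffie-Hellman group for the IKE SA
        set keylife 86400                     # seconds before the IKE SA is rekeyed
        set remote-gw 203.0.113.2             # PLACEHOLDER: Branch external address
        set psksecret ENTER_PRE_SHARED_KEY    # PLACEHOLDER: use a long random key
    next
end

# Phase 2 = the two unidirectional IPsec SAs that ESP uses for the data traffic.
config vpn ipsec phase2-interface
    edit "HQ_to_Branch"
        set phase1name "HQ_to_Branch"
        set proposal aes256-sha256
        set pfs enable                        # fresh DH exchange on every rekey
        set dhgrp 14
        set keylifeseconds 43200
        set auto-negotiate enable             # bring the tunnel up without waiting for traffic
        set src-subnet 192.168.200.0 255.255.255.0   # HQ local subnet
        set dst-subnet 192.168.100.0 255.255.255.0   # Branch remote subnet
    next
end

# Address objects for the policies (the wizard creates similar objects).
config firewall address
    edit "HQ_local_subnet"
        set subnet 192.168.200.0 255.255.255.0
    next
    edit "Branch_remote_subnet"
        set subnet 192.168.100.0 255.255.255.0
    next
end

# Route the remote subnet into the tunnel interface.
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "HQ_to_Branch"
    next
end

# Policies in both directions, limited to the two subnets rather than "all".
config firewall policy
    edit 0
        set name "HQ_to_Branch_out"
        set srcintf "port2"                   # internal interface: lan(port2)
        set dstintf "HQ_to_Branch"
        set srcaddr "HQ_local_subnet"
        set dstaddr "Branch_remote_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "HQ_to_Branch_in"
        set srcintf "HQ_to_Branch"
        set dstintf "port2"
        set srcaddr "Branch_remote_subnet"
        set dstaddr "HQ_local_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Verification: Phase 1 (IKE SA) and Phase 2 (IPsec SA) state.
diagnose vpn ike gateway list
diagnose vpn tunnel list
get vpn ipsec tunnel summary
```

The Branch side is the mirror image: remote-gw points at the HQ external address, src-subnet and dst-subnet are swapped, and the address objects and policies reference the Branch interfaces. Keeping the policies scoped to the two subnets instead of "all" limits what can cross the tunnel if one office is compromised, and the three diagnostic commands let you confirm that both the IKE SA and the IPsec SAs are established before running the ping test.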

The result:

  • the list of all IPsec VPN tunnels shows the new tunnel HQ to Branch with a status of Up;
  • in the list of interfaces, a new interface appears under the external interface through which the connection passes.

A user on either office network will be able to transparently connect to any address on the other office network.

To generate traffic for testing the connection, send an echo request from the HQ internal network to the internal interface of the Branch FortiGate. To do this, in the CLI set the internal interface as the source for the ping operation:

HQ # exec ping-options source 192.168.200.2

HQ # exec ping 192.168.100.2
PING 192.168.100.2 (192.168.100.2): 56 data bytes
64 bytes from 192.168.100.2: icmp_seq=0 ttl=255 time=0.6 ms
64 bytes from 192.168.100.2: icmp_seq=1 ttl=255 time=0.4 ms
64 bytes from 192.168.100.2: icmp_seq=2 ttl=255 time=0.4 ms
64 bytes from 192.168.100.2: icmp_seq=3 ttl=255 time=0.4 ms
64 bytes from 192.168.100.2: icmp_seq=4 ttl=255 time=0.6 ms

--- 192.168.100.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.6 ms