Site-to-Site tunnel with Fortinet Firewall

This document walks you through configuring a site-to-site IPsec tunnel between a UTunnel VPN server and a Fortinet firewall. Make sure that you have administrator access to both the UTunnel organization account and the Fortinet firewall before you start.

Log in to your UTunnel dashboard, navigate to the Site-to-Site tab and click the CREATE TUNNEL button.

[Screenshot: Create Tunnel]

Now select the Tunnel with non-UTunnel server option and enter the tunnel details.

Tunnel Name: Give the tunnel a descriptive name.
Local Server: Select the UTunnel server from the dropdown.
Left ID: Optional. By default UTunnel uses the server's IP address as its IKE identifier (Left ID); set this field only if you need a different identifier.
Remote IP: Enter the public IP address of the Fortinet endpoint.
Right ID: Enter the Fortinet firewall's hostname. This must match exactly the Local ID you configure on the Fortinet side in the Phase-1 step below; a mismatch causes IKE authentication to fail.
PSK: Enter or generate the pre-shared key used for authentication. Use a long, randomly generated key; the same value must be entered on the Fortinet side.

[Screenshot: tunnel details]

Once the tunnel is created, define the local and remote encryption domains: click the '+' icon and add the local subnet (behind the UTunnel server) and the remote subnet (behind the Fortinet firewall). These must mirror the Phase-2 selectors you configure on the Fortinet side, with local and remote swapped.

Next, log in to the Fortinet firewall with an admin-privileged user. Navigate to VPN > IPsec Wizard and choose the Custom option.

[Screenshot: Fortinet IPsec Wizard]

Then configure the tunnel properties as follows:

Name: Give the tunnel a descriptive name.
IP Version: IPv4
Remote Gateway: Select Static IP Address from the dropdown.
IP Address: Enter the UTunnel server's public IP address.
Interface: Select the interface that faces the UTunnel server from the dropdown; this will most likely be your WAN interface.
NAT Traversal: Enable.
Dead Peer Detection: On Demand.

[Screenshot: tunnel properties]

Configure Authentication
Method: Select Pre-shared Key from the dropdown.
Pre-shared key: Enter the same pre-shared key that you set on the UTunnel side.
IKE version: 2

[Screenshot: authentication]

Phase-1 Proposal configuration
Encryption: AES256
Authentication: SHA256
Diffie-Hellman Group (DH Group): 14
Local ID: Enter the Fortinet firewall's hostname. This must match the Right ID entered on the UTunnel side.

[Screenshot: Phase-1 proposal]

Configure Phase-2 Selectors
Local Address: Select Named Address from the dropdown and choose the address object for the local network behind the Fortinet firewall. Create the address object first if it doesn't exist.
Remote Address: Select Named Address from the dropdown and choose the address object for the local network behind the UTunnel server. Create the address object first if it doesn't exist. These two selectors must correspond to the remote and local encryption domains entered on the UTunnel side.

[Screenshot: Phase-2 selectors]

Phase-2 Proposal configuration
Encryption: AES256
Authentication: SHA256
DH Group: 14 (setting a DH group here enables Perfect Forward Secrecy for the Phase-2 keys)

[Screenshot: Phase-2 proposal]

Next, create firewall policies in both directions for the tunnel interface, as shown in the screenshots below: an outbound policy from your LAN interface to the tunnel interface, and an inbound policy from the tunnel interface to your LAN interface. Restrict the source and destination addresses in both policies to the two encryption-domain address objects rather than "all", so that only the intended subnets can pass through the tunnel.

[Screenshot: outbound firewall policy]
[Screenshot: inbound firewall policy]

Create a static route that sends traffic destined for the remote encryption domain (the subnet behind the UTunnel server) out through the tunnel interface.

[Screenshot: static route]

The tunnel is now configured but will initially be down. Select the tunnel and click 'Bring Up' to start it, then confirm that both Phase 1 and Phase 2 come up and that hosts on each side can reach the other subnet.

[Screenshot: bring up the tunnel]
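The Fortinet side of the procedure above, expressed as the equivalent FortiOS CLI configuration so the wizard settings can be reviewed or reproduced in one place. This is an added example written for this page, not UTunnel's or Fortinet's own material. Every concrete value in it is an assumption to be replaced with your own: the interface names wan1 and lan, the UTunnel server address 203.0.113.10, the subnet 192.168.10.0/24 behind the FortiGate, the subnet 10.8.0.0/24 behind the UTunnel server, the hostname fortigate.example.com used as Local ID, the tunnel and address-object names, and the psksecret placeholder, which must be replaced with the key generated on the UTunnel side. The syntax follows the FortiOS 6.x/7.x CLI; check the CLI reference for your firmware version.

```text
# Assumed values (replace with your own):
#   wan1                  = FortiGate interface facing the UTunnel server
#   lan                   = FortiGate interface for the local network
#   203.0.113.10          = UTunnel server public IP (Remote Gateway)
#   192.168.10.0/24       = local subnet behind the FortiGate
#   10.8.0.0/24           = remote subnet behind the UTunnel server
#   fortigate.example.com = Local ID; must equal the Right ID set on UTunnel

# Address objects for the two encryption domains (Phase-2 "Named Address")
config firewall address
    edit "fg-local-net"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "utunnel-net"
        set subnet 10.8.0.0 255.255.255.0
    next
end

# Phase 1: IKEv2, pre-shared key, AES256/SHA256, DH group 14, NAT-T, on-demand DPD
config vpn ipsec phase1-interface
    edit "utunnel-s2s"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set dpd on-demand
        set remote-gw 203.0.113.10
        set localid "fortigate.example.com"
        set psksecret "REPLACE-WITH-THE-UTUNNEL-PSK"
    next
end

# Phase 2: selectors reference the address objects; dhgrp 14 with pfs enable = PFS
config vpn ipsec phase2-interface
    edit "utunnel-s2s-p2"
        set phase1name "utunnel-s2s"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set auto-negotiate enable
        set src-addr-type name
        set src-name "fg-local-net"
        set dst-addr-type name
        set dst-name "utunnel-net"
    next
end

# Firewall policies in both directions, scoped to the encryption domains, not "all"
config firewall policy
    edit 0
        set name "lan-to-utunnel"
        set srcintf "lan"
        set dstintf "utunnel-s2s"
        set srcaddr "fg-local-net"
        set dstaddr "utunnel-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "utunnel-to-lan"
        set srcintf "utunnel-s2s"
        set dstintf "lan"
        set srcaddr "utunnel-net"
        set dstaddr "fg-local-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Static route for the remote encryption domain via the tunnel interface
config router static
    edit 0
        set dst 10.8.0.0 255.255.255.0
        set device "utunnel-s2s"
    next
end

# Bring the tunnel up and verify Phase 1 (IKE SA) and Phase 2 (IPsec SA)
diagnose vpn tunnel up utunnel-s2s-p2 utunnel-s2s
diagnose vpn ike gateway list name utunnel-s2s
diagnose vpn tunnel list name utunnel-s2s
```

The psksecret line is the only secret in this configuration; do not leave it in support tickets or shared config dumps. If Phase 1 does not establish, the usual causes are an identifier mismatch (localid here versus Right ID on UTunnel) or proposals that differ between the two sides; `diagnose debug application ike -1` followed by `diagnose debug enable` prints the IKE negotiation and shows which check is failing.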
