This article explains how to connect an IPsec site with FortiGate devices in a High Availability (HA) configuration to the Cato Cloud.
It assumes a FortiGate connected to the Internet with two WAN links, from which we build two IPsec tunnels to two different Cato PoPs.

The Cato PoP IPs are allocated in the Cato Management Application under Network > IP Allocations (allocate a new IP address or reuse an existing one). We recommend choosing the primary IP from the PoP location closest to the site and the secondary IP from a different PoP location, so that a single PoP outage does not take down both tunnels.
Note: The configuration in this article was tested with firmware version 7.0.8.
This section explains how to configure the FortiGate appliance for a Cato IPsec IKEv2 site with Cato-initiated routing.
Connect to the FortiGate appliance over SSH with an administrator account.
To configure the FortiGate appliance to connect to an IKEv2 Cato-initiated site (the #[...] notes are explanations and not CLI input; replace the <placeholders> with your own values and omit the notes when pasting):
-
Enter the settings to define IPsec phase 1:
config vpn ipsec phase1-interface
    edit "CATO_IPSECV2-1"                       #[Primary VPN name]
        set interface "wan1"                    #[Local FGT site network WAN interface]
        set ike-version 2
        set keylife 19800
        set peertype any
        set net-device disable
        set proposal aes256gcm-prfsha512
        set comments "Primary VPN To CATO Cloud XCATD01"
        set dhgrp 16
        set remote-gw <Cato PoP 1 IP>           #[Cato PoP 1 IP]
        set psksecret <psk>                     #[Primary Cato configured PSK]
    next
    edit "CATO_IPSECV2-2"                       #[Secondary VPN name]
        set interface "wan2"                    #[Secondary FGT site network WAN interface; if not available, use the same WAN interface]
        set ike-version 2
        set keylife 19800
        set peertype any
        set net-device disable
        set proposal aes256gcm-prfsha512
        set comments "Secondary VPN To CATO Cloud XCATD01"
        set dhgrp 16
        set remote-gw <Cato PoP 2 IP>           #[Cato PoP 2 IP]
        set psksecret <psk>                     #[Secondary Cato configured PSK]
    next
end
-
Enter the settings to define IPsec phase 2:
config vpn ipsec phase2-interface
    edit "CATO_IPSECV2-1"                       #[VPN phase 2 name]
        set phase1name "CATO_IPSECV2-1"         #[VPN phase 1 name]
        set proposal aes256gcm
        set dhgrp 16
        set keylifeseconds 86400
    next
    edit "CATO_IPSECV2-2"                       #[VPN phase 2 name]
        set phase1name "CATO_IPSECV2-2"         #[VPN phase 1 name]
        set proposal aes256gcm
        set dhgrp 16
        set keylifeseconds 86400
    next
end
-
Route the traffic through the VPN tunnel to the Cato Cloud.
You can do this with static routing or dynamically with BGP; this example uses static routing. Both tunnel routes use distance 1 so that both stay in the routing table; the route with the lower priority value (the primary tunnel) is preferred, and a blackhole route at distance 254 drops the traffic if both tunnels are down instead of sending it out the default route unencrypted.
config router static
    edit <id>                                   #[Local FGT unique route ID]
        set dst 172.101.0.0 255.255.255.0       #[Remote CATO Networks subnet]
        set distance 1
        set device "CATO_IPSECV2-1"
    next
    edit <id>                                   #[Local FGT unique route ID]
        set dst 172.101.0.0 255.255.255.0       #[Remote CATO Networks subnet]
        set distance 1
        set priority 10                         #[same distance; a higher priority value is less preferred, so this is the backup path]
        set device "CATO_IPSECV2-2"
    next
    edit <id>                                   #[Local FGT unique route ID]
        set dst 172.101.0.0 255.255.255.0       #[Remote CATO Networks subnet]
        set blackhole enable                    #[otherwise send to black hole when both tunnels are down]
        set distance 254
    next
end
-
(Optional) Create a zone, which makes it easier when creating a new rule or if you need to change the VPN names.
config system zone
    edit "Cato-Cloud-S2S"                       #[Zone name]
        set intrazone allow
        set interface "CATO_IPSECV2-1" "CATO_IPSECV2-2"   #[the 2 IPsec VPNs]
    next
end
-
Configure the firewall policy with rules that allow the traffic inside the tunnel.
config firewall policy
    edit <id>                                   #[Local FGT rule ID]
        set name "CATO Firewall"
        set srcintf "Virtual Lan"               #[Local FGT site network interface]
        set dstintf "Cato-Cloud-S2S"            #[Remote CATO Networks VPN zone]
        set action accept
        set srcaddr "all"                       #[Best practice: filter by local address / group]
        set dstaddr "all"                       #[Best practice: filter by Cato address / group]
        set schedule "always"
        set service "ALL"
    next
end
This section explains how to configure the FortiGate appliance for a Cato IPsec IKEv1 site where the FortiGate initiates the tunnel, which supports a dynamic public IP address on the WAN interface. The FortiGate identifies itself to the PoP by its local ID rather than by its IP address, so IKEv1 aggressive mode is used; because aggressive mode exposes a hash of the pre-shared key to anyone who can observe the exchange, use a long, random PSK.
Note: The configuration in this article was tested with firmware version 7.0.8.
To configure the FortiGate appliance to connect to an IKEv1 firewall-initiated site (the #[...] notes are explanations and not CLI input; replace the <placeholders> with your own values and omit the notes when pasting):
-
Enter the settings to define IPsec phase 1:
config vpn ipsec phase1-interface
    edit "CATO_Cloud_M1"                        #[Primary VPN name]
        set interface "wan1"                    #[Local FGT site network WAN interface]
        set keylife 19800
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal aes256-sha512
        set localid "<site_name>.<acc_name>"    #[Set the local ID; you can get it from Site Configuration -> IPsec]
        set dhgrp 16
        set remote-gw <Cato PoP primary IP>     #[Cato PoP primary IP]
        set psksecret <psk>                     #[Primary Cato configured PSK]
    next
    edit "CATO_Cloud_M2"                        #[Secondary VPN name]
        set interface "wan2"                    #[Secondary FGT site network WAN interface; if not available, use the same WAN interface]
        set keylife 19800
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal aes256-sha512
        set localid "<site_name>.<acc_name>"    #[Set the local ID; you can get it from Site Configuration -> IPsec]
        set dhgrp 16
        set remote-gw <Cato PoP secondary IP>   #[Cato PoP secondary IP]
        set psksecret <psk>                     #[Secondary Cato configured PSK]
    next
end
-
Enter the settings to define IPsec phase 2:
config vpn ipsec phase2-interface
    edit "CATO_Cloud_M1"                        #[VPN phase 2 name]
        set phase1name "CATO_Cloud_M1"          #[VPN phase 1 name]
        set proposal aes256-sha256
        set dhgrp 16
        set auto-negotiate enable               #[the FortiGate brings the tunnel up itself and keeps it up]
        set comments "Phase2"
        set keylifeseconds 86400
    next
    edit "CATO_Cloud_M2"                        #[VPN phase 2 name]
        set phase1name "CATO_Cloud_M2"          #[VPN phase 1 name]
        set proposal aes256-sha256
        set dhgrp 16
        set auto-negotiate enable
        set comments "Phase2"
        set keylifeseconds 86400
    next
end
-
Route the traffic through the VPN tunnel to the Cato Cloud.
You can do this with static routing or dynamically with BGP; this example uses static routing. As in the IKEv2 section, both tunnel routes share distance 1, the secondary tunnel gets a higher priority value so it is used only as a backup, and a blackhole route at distance 254 drops the traffic if both tunnels are down.
config router static
    edit <id>                                   #[Local FGT unique route ID]
        set dst 10.254.254.0 255.255.255.0      #[Remote CATO Networks subnet]
        set distance 1
        set device "CATO_Cloud_M1"
    next
    edit <id>                                   #[Local FGT unique route ID]
        set dst 10.254.254.0 255.255.255.0      #[Remote CATO Networks subnet]
        set distance 1
        set priority 20                         #[this is the backup connection, so a higher priority value is needed]
        set device "CATO_Cloud_M2"
    next
    edit <id>                                   #[Local FGT unique route ID]
        set dst 10.254.254.0 255.255.255.0      #[Remote CATO Networks subnet]
        set blackhole enable                    #[otherwise send to black hole when both tunnels are down]
        set distance 254
    next
end
-
(Optional) Create a zone, which makes it easier when creating a new rule or if you need to change the VPN names.
config system zone
    edit "Cato-Cloud-Dial-up"                   #[Zone name]
        set intrazone allow
        set interface "CATO_Cloud_M1" "CATO_Cloud_M2"     #[the 2 IPsec VPNs; no leading spaces inside the quotes]
    next
end
-
Configure the firewall policy with rules that allow the traffic inside the tunnel.
config firewall policy
    edit <id>                                   #[Local FGT rule ID]
        set name "CATO Firewall"
        set srcintf "Virtual Lan"               #[Local FGT site network interface]
        set dstintf "Cato-Cloud-Dial-up"        #[Remote CATO Networks VPN zone]
        set action accept
        set srcaddr "all"                       #[Best practice: filter by local address / group]
        set dstaddr "all"                       #[Best practice: filter by Cato address / group]
        set schedule "always"
        set service "ALL"
    next
end
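The commands below are added verification steps and are not part of the original article. They are standard FortiOS 7.0 diagnostic commands, shown with the interface and subnet names from the IKEv2 section; for the IKEv1 section substitute CATO_Cloud_M1 / CATO_Cloud_M2 and 10.254.254.0/24. The values in angle brackets are placeholders for your own environment.

```fortios
# 1. IKE SA state of the primary tunnel: the output should show an established IKE SA
#    and the remote gateway should be the Cato PoP IP you configured.
diagnose vpn ike gateway list name CATO_IPSECV2-1

# 2. IPsec SAs and traffic counters for the tunnel; the counters increase when
#    traffic actually flows through the tunnel.
diagnose vpn tunnel list name CATO_IPSECV2-1

# 3. Routing: with both tunnels up there are two routes for 172.101.0.0/24 and the
#    one via CATO_IPSECV2-1 (lower priority value) is the one selected.
get router info routing-table all

# 4. Test traffic sourced from the LAN address so it matches the firewall policy
#    and is routed into the tunnel rather than out the WAN.
execute ping-options source <FortiGate LAN IP>
execute ping <host in 172.101.0.0/24>

# 5. Failover test: tear down the primary IKE SA and confirm that the route now
#    points at CATO_IPSECV2-2 and that the ping still succeeds.
diagnose vpn ike gateway clear name CATO_IPSECV2-1
get router info routing-table all
execute ping <host in 172.101.0.0/24>

# 6. If a tunnel does not come up: capture IKE packets to the PoP and enable the
#    IKE debug while you reproduce the problem, then switch the debug off again.
diagnose sniffer packet any "host <Cato PoP 1 IP> and (udp port 500 or udp port 4500)" 4
diagnose debug application ike -1
diagnose debug enable
diagnose debug disable
diagnose debug reset
```

After the failover test, the Cato-initiated IKEv2 tunnel is re-established by the PoP and the firewall-initiated IKEv1 tunnel by the FortiGate (auto-negotiate); check with the commands in steps 1 and 3 that the primary route comes back. If the ping in step 4 fails while the IKE and IPsec SAs are up, the cause is usually the firewall policy or the source address rather than the tunnel itself.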
This section explains how to configure FortiOS VS3 for a Cato IPsec IKEv1 site to support a dynamic public IP address for WAN traffic. This older syntax uses a policy-based VPN (config vpn ipsec phase1 / phase2 and a firewall policy with action ipsec) rather than the interface-based VPN used in the sections above.
To configure FortiOS VS3 to connect to an IPsec IKEv1 site:
-
Enter the settings to define IPsec phase 1:
config vpn ipsec phase1
    edit "Cato"
        set interface "wan1"
        set localid "<site_name>.<acc_name>"    #[Set the local ID; you can get it from Site Configuration -> IPsec]
        set nattraversal enable
        set proposal aes256-sha1
        set keylife 86400
        set mode aggressive
        set add-gw-route enable
        set remote-gw <ip>                      #[Cato PoP primary IP]
        set psksecret <psk>                     #[Primary Cato configured PSK]
    next
end
-
Enter the settings to define IPsec phase 2:
config vpn ipsec phase2
    edit "Cato"
        set keepalive enable
        set pfs enable
        set phase1name "Cato"
        set proposal aes256-sha1
        set replay enable
        set keylifeseconds 3600
        set dst-subnet 10.230.230.0 255.255.255.0   #[Remote CATO Networks subnet; dst-subnet is the remote side of the selector, src-subnet stays at its default]
    next
end
-
Configure the firewall rule:
config firewall policy
    edit <id>                                   #[the firewall rule ID]
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set inbound enable
        set outbound enable
        set vpntunnel "Cato"
    next
end
-
Configure the routing for the site:
config router static
    edit <X>                                    #[Local FGT unique route ID]
        set device "Cato"                       #[the IPsec name]
        set dst 10.230.230.0 255.255.255.0      #[Remote CATO Networks subnet]
    next
    edit <Y>                                    #[Local FGT unique route ID]
        set blackhole enable                    #[otherwise send to black hole when the tunnel is down]
        set dst 10.230.230.0 255.255.255.0      #[Remote CATO Networks subnet]
        set distance 254
    next
end