Cato Networks Knowledge Base

Search

Cato Cloud to FortiGate via HA IPSec Tunnels (CLI Guide)

  • Updated

This article discusses how to connect an IPsec site with FortiGate devices in a High Availability (HA) configuration to the Cato Cloud.

Overview of Cato to FortiGate VPN with IPsec Sites

This article assumes that you are working in an environment with a FortiGate connected to the Internet with two WAN links that we are going to build the IPsec connections to two Cato PoPs.

image.png

The Cato PoP IP can be obtained by allocating a new IP address (or using an old one) from the Cato Management Application in Network > IP Allocations. We recommend that you choose the primary IP for the PoP location that is closest to the site and the secondary IP from a different PoP location.

Note: This configuration in this article was tested with firmware version 7.0.8.

IKEv2 with Cato-initiated Site - Configuring the FortiGate Applicance

This section explains how to configure the Fortigate appliance for a Cato IPsec IKEv2 site with Cato-initiated routing.

Please connect with SSH to your FortiGate appliance with an administrator account.

To configure the FortiGate appliance to connect to an IKEv2 Cato-initiated site:

  1. Enter the settings to define IPsec phase 1:

    config vpn ipsec phase1-interface
    edit “CATO_IPSECV2-1” #[Primary VPN Name]
        set interface "wan1"  #[Local FGT site network WAN interface]
        set ike-version 2
        set keylife 19800
        set peertype any
        set net-device disable
        set proposal aes256gcm-prfsha512
	set comments “Primary VPN To CATO Cloud XCATD01”
        set dhgrp 16
        set remote-gw #[Cato POP 1 IP]
        set psksecret  #[Primary Cato configured PSK]
    next
end

config vpn ipsec phase1-interface
    edit “CATO_IPSECV2-2” #[Secondary VPN Name]
        set interface "wan2" #[Secondary FGT site network WAN interface – if not available use the same WAN interface]
        set ike-version 2
        set keylife 19800
        set peertype any
        set net-device disable
        set proposal aes256gcm-prfsha512
	set comments “Secondary VPN To CATO Cloud XCATD01”
        set dhgrp 16
        set remote-gw #[Cato POP 2 IP]
        set psksecret #[Primary Cato configured PSK]
     next
end

  2. Enter the settings to define IPsec phase 2:

    config vpn ipsec phase2-interface
    edit "CATO_IPSECV2-1" #[VPN phase 2 Name]
        set phase1name "CATO_IPSECV2-1" #[VPN phase 1 Name]
        set proposal aes256gcm
        set dhgrp 16
        set keylifeseconds 86400
    nextendconfig vpn ipsec phase2-interface
    edit "CATO_IPSECV2-2” #[VPN phase 2 Name]
        set phase1name "CATO_IPSECV2-2” #[VPN phase 1 Name]
        set proposal aes256gcm
        set dhgrp 16
        set keylifeseconds 86400
    next
end

  3. Route the traffic though the VPN tunnel to the Cato Cloud.

    You can do this with static routing or dynamically using BGP. In this example we are using a static routing.

    config router static
   edit #[Local FGT unique route ID]
        set dst 172.101.0.0 255.255.255.0 #[Remote CATO Networks subnet]
        set distance 1
        set device "CATO_IPSECV2-1"
    next
   edit #[Local FGT unique route ID]
        set dst 172.101.0.0 255.255.255.0 #[Remote CATO Networks subnet]
	set priority 10
        set distance 1
        set device "CATO_IPSECV2-2”
    next
    edit #[Local FGT unique route ID]
        set dst 172.101.0.0 255.255.255.0 #[otherwise send to black hole - Remote CATO Networks subnet]
        set blackhole enable
        set distance 254
    next
end

  4. (Optional) Create a zone, which makes it easier when creating a new rule or if you need to change the VPN names.

    config system zone
    edit "Cato-Cloud-S2S" #[Zone name]
        set intrazone allow
        set interface "CATO_IPSECV2-1" "CATO_IPSECV2-2" #[the 2 IPSEC VPN’s]
    next

  5. Configure the firewall policy with rules that allow the traffic inside the tunnel.

    config firewall policy
    edit #[Local FGT rule ID]
        set name “CATO Firewall”
        set srcintf "Virtual Lan" #[Local FGT site network interface]
        set dstintf "Cato-Cloud-S2S"#[Remote CATO Networks VPN zone]
        set action accept
        set srcaddr "all" #[Best practice – filter by local address / group]
        set dstaddr "all" #[Best practice – filter by CATO address / group]
        set schedule "always"
        set service "ALL"
    next
end

IKEv1 Aggressive (Firewall Initiated) Site - Configuring the FortiGate Appliance

This section explains how to configure the Fortigate appliance for a Cato IPsec IKEv1 site where the routing is initiated by the FortiGate appliance to support dynamic public IP address for WAN traffic.

Note: This configuration in this article was tested with firmware version 7.0.8.

To configure the FortiGate appliance to connect to an IKEv1 Firewall-initiated site:

  1. Enter the settings to define IPsec phase 1:

    config vpn ipsec phase1-interface
edit "CATO_Cloud_M1" #[Primary VPN Name]
        set interface "wan1" #[Local FGT site network WAN interface]
        set keylife 19800
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal aes256-sha512
        set localid "<site_name>.<acc_name>" #[Set the local ID - You can get that from Site Configuration -> IPsec menu]
        set dhgrp 16
        set remote-gw  #[Cato pop primary IP]
        set psksecret #[Primary Cato configured PSK]
next
edit "CATO_Cloud_M2" #[Secondary VPN Name]
        set interface "wan2" #[Secondary FGT site network WAN interface – if not available use the same WAN interface]
        set keylife 19800
        set mode aggressive
        set peertype any
        set net-device disable
        set proposal aes256-sha512
        set localid "<site_name>.<acc_name>" #[Set the local ID - You can get that from Site Configuration -> IPsec menu]
        set dhgrp 16
        set remote-gw  #[Cato pop secondary IP]
        set psksecret #[Secondary Cato configured PSK]
next

  2. Enter the settings to define IPsec phase 2:

    config vpn ipsec phase2-interface
    edit "CATO_Cloud_M1" #[VPN phase 2 Name]
        set phase1name "CATO_Cloud_M1" #[VPN phase 1 Name]
        set proposal aes256-sha256
        set dhgrp 16
        set auto-negotiate enable
        set comments "Phase2"
        set keylifeseconds 86400
    next
    edit "CATO_Cloud_M2" #[VPN phase 2 Name]
        set phase1name "CATO_Cloud_M2" #[VPN phase 1 Name]
        set proposal aes256-sha256
        set dhgrp 16
        set auto-negotiate enable
        set comments "Phase2"
        set keylifeseconds 86400
    next

  3. Route the traffic though the VPN tunnel to the Cato Cloud.

    You can do this with static routing or dynamically using BGP. In this example we are using a static routing.

    edit #[Local FGT unique route ID]
        set dst 10.254.254.0 255.255.255.0  #[Remote CATO Networks subnet]
        set distance 1
        set device "CATO_Cloud_M1"

next
edit #[Local FGT unique route ID]
        set dst 10.254.254.0 255.255.255.0  #[Remote CATO Networks subnet]
        set distance 1
        set priority 20 #[this will be the backup connection so a higher priority is needed]
        set device "CATO_Cloud_M2"
next
edit #[Local FGT unique route ID]
        set dst 10.254.254.0 255.255.255.0 #[otherwise send to black hole - Remote CATO Networks]
        set blackhole enable
        set distance 254    
next

  4. (Optional) Create a zone, which makes it easier when creating a new rule or if you need to change the VPN names.

    config system zone
    edit "Cato-Cloud-Dial-up" #[Zone name]
        set intrazone allow
        set interface " CATO_Cloud_M1" " CATO_Cloud_M2" #[the 2 IPSEC VPN’s]
    next

  5. Configure the firewall policy with rules that allow the traffic inside the tunnel.

    config firewall policy
    edit #[Local FGT rule ID]
        set name “CATO Firewall”
        set srcintf "Virtual Lan" #[Local FGT site network interface]
        set dstintf "Cato-Cloud-Dial-up"#[Remote CATO Networks VPN zone]
        set action accept
        set srcaddr "all" #[Best practice – filter by local address / group]
        set dstaddr "all" #[Best practice – filter by CATO address / group]
        set schedule "always"
        set service "ALL"
    next
end

IKEv1 Site - Configuring FortiOS VS 3

This section explains how to configure FortiOS VS3 for a Cato IPsec IKEv1 site to support dynamic public IP address for WAN traffic.

To configure a FortiOS VS 3 to connect to an IPsec IKEv1 site:

  1. Enter the settings to define IPsec phase 1:

    config vpn ipsec phase1
    edit "Cato"
        set interface "wan1"
        set localid "<site_name>.<acc_name>" #[Set the local ID - You can get that from Site Configuration -> IPsec menu] 
        set nattraversal enable
        set proposal aes256-sha1
        set keylife 86400
        set mode aggressive
        set add-gw-route enable
        set remote-gw <ip> #[Cato PoP for secondary IP]
        set psksecret #[Primary Cato configured PSK]
     next
end

  2. Enter the settings to define IPsec phase 2:

    config vpn ipsec phase2
    edit "Cato"
        set keepalive enable
        set pfs enable
        set phase1name "Cato"
        set proposal aes256-sha1
        set replay enable
        set keylifeseconds 3600
        set src-subnet 10.230.230.0 255.255.255.0
    next

  3. Configure the firewall rule:

        edit <name> #[the firewall rule name]
        set srcintf "internal"
        set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
        set action ipsec
        set schedule "always"
            set service "ANY"
        set logtraffic enable
        set inbound enable
        set outbound enable
        set vpntunnel "Cato"
   next

  4. Configure the routing for the site:

    config router static
     edit X
        set device "Cato” #[the ipsec name]
        set dst 10.230.230.0 255.255.255.0 #[Remote CATO Networks subnet]
        next
end
config router static
    edit Y
        set blackhole enable
        set dst 10.230.230.0 255.255.255.0 #[Remote CATO Networks subnet] 
        set distance 254
    next 
end 

Was this article helpful?

0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.