Cato Cloud to FortiGate via HA IPSec Tunnels (CLI Guide)

This article discusses how to connect an IPsec site with FortiGate devices in a High Availability (HA) configuration to the Cato Cloud.

Overview of Cato to FortiGate VPN with IPsec Sites

This article assumes a FortiGate that is connected to the Internet through two WAN links, each of which will carry an IPsec connection to a different Cato PoP.


The Cato PoP IP can be obtained by allocating a new IP address (or reusing an existing one) in the Cato Management Application under Network > IP Allocations. We recommend choosing the primary IP from the PoP location closest to the site and the secondary IP from a different PoP location.

Note: The configuration in this article was tested with firmware version 7.0.8.

IKEv2 with Cato-initiated Site - Configuring the FortiGate Appliance

This section explains how to configure the FortiGate appliance for a Cato-initiated IPsec IKEv2 site.

Connect to your FortiGate appliance over SSH with an administrator account.

To configure the FortiGate appliance to connect to an IKEv2 Cato-initiated site:

  1. Enter the settings to define IPsec phase 1:

    config vpn ipsec phase1-interface
        edit "CATO_IPSECV2-1" #[Primary VPN Name]
            set interface "wan1" #[Local FGT site network WAN interface]
            set ike-version 2
            set keylife 19800
            set peertype any
            set net-device disable
            set proposal aes256gcm-prfsha512
            set comments "Primary VPN To CATO Cloud XCATD01"
            set dhgrp 16
            set remote-gw #[Cato POP 1 IP]
            set psksecret #[Primary Cato configured PSK]
        next
    end

    config vpn ipsec phase1-interface
        edit "CATO_IPSECV2-2" #[Secondary VPN Name]
            set interface "wan2" #[Secondary FGT site network WAN interface - if not available use the same WAN interface]
            set ike-version 2
            set keylife 19800
            set peertype any
            set net-device disable
            set proposal aes256gcm-prfsha512
            set comments "Secondary VPN To CATO Cloud XCATD01"
            set dhgrp 16
            set remote-gw #[Cato POP 2 IP]
            set psksecret #[Primary Cato configured PSK]
        next
    end
  2. Enter the settings to define IPsec phase 2:

    config vpn ipsec phase2-interface
        edit "CATO_IPSECV2-1" #[VPN phase 2 Name]
            set phase1name "CATO_IPSECV2-1" #[VPN phase 1 Name]
            set proposal aes256gcm
            set dhgrp 16
            set keylifeseconds 86400
        next
    end

    config vpn ipsec phase2-interface
        edit "CATO_IPSECV2-2" #[VPN phase 2 Name]
            set phase1name "CATO_IPSECV2-2" #[VPN phase 1 Name]
            set proposal aes256gcm
            set dhgrp 16
            set keylifeseconds 86400
        next
    end
  3. Route the traffic through the VPN tunnel to the Cato Cloud.

    You can do this with static routing or dynamically with BGP. This example uses static routing.

    config router static
        edit #[Local FGT unique route ID]
            set dst 172.101.0.0 255.255.255.0 #[Remote CATO Networks subnet]
            set distance 1
            set device "CATO_IPSECV2-1"
        next
        edit #[Local FGT unique route ID]
            set dst 172.101.0.0 255.255.255.0 #[Remote CATO Networks subnet]
            set priority 10 #[backup route - the larger priority value makes it less preferred]
            set distance 1
            set device "CATO_IPSECV2-2"
        next
        edit #[Local FGT unique route ID]
            set dst 172.101.0.0 255.255.255.0 #[Remote CATO Networks subnet - otherwise send to black hole]
            set blackhole enable
            set distance 254
        next
    end
  4. (Optional) Create a zone, which makes it easier when creating a new rule or if you need to change the VPN names.

    config system zone
        edit "Cato-Cloud-S2S" #[Zone name]
            set intrazone allow
            set interface "CATO_IPSECV2-1" "CATO_IPSECV2-2" #[the 2 IPsec VPNs]
        next
    end
  5. Configure the firewall policy with rules that allow the traffic inside the tunnel.

    config firewall policy
        edit #[Local FGT rule ID]
            set name "CATO Firewall"
            set srcintf "Virtual Lan" #[Local FGT site network interface]
            set dstintf "Cato-Cloud-S2S" #[Remote CATO Networks VPN zone]
            set action accept
            set srcaddr "all" #[Best practice - filter by local address / group]
            set dstaddr "all" #[Best practice - filter by CATO address / group]
            set schedule "always"
            set service "ALL"
        next
    end
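The five steps above are one pasteable script, and most failures when applying it are mechanical: a curly quote from a word processor, a `next`/`end`/`config` run together on one line, a missing `end`, or a space inside a quoted interface name. The following Python script, added here as an example and not code from Cato or Fortinet, renders the IKEv2 HA configuration from a few parameters and lints the result for exactly those mistakes before it is pasted into the FortiGate CLI. Tunnel, zone and interface names and the 172.101.0.0/24 subnet follow the article; the PoP addresses and PSKs in the `__main__` section are constructed placeholders, and `render_ha_config` and `lint` are names chosen for this example.

```python
"""Render the HA IKEv2 FortiGate script from steps 1-5 and lint it before pasting.

Added example, not Cato's or Fortinet's code. Tunnel, zone and interface names and
the 172.101.0.0/24 subnet follow the article; the PoP addresses and PSKs in the
__main__ section are constructed placeholders to be replaced with the values shown
in the Cato Management Application.
"""
import re
from dataclasses import dataclass


@dataclass
class Tunnel:
    name: str       # phase1/phase2 interface name, e.g. CATO_IPSECV2-1
    wan: str        # local WAN interface that carries this tunnel
    remote_gw: str  # Cato PoP IP from Network > IP Allocations
    psk: str        # PSK configured for this tunnel on the Cato site


def block(table, entries):
    """Render one 'config <table>' block with an edit/next entry per (name, settings)."""
    lines = [f"config {table}"]
    for name, settings in entries:
        lines.append(f"    edit {name}")
        lines += [f"        set {s}" for s in settings]
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


def render_ha_config(primary, secondary, cato_subnet, lan_if, zone,
                     route_ids=(10, 11, 12), policy_id=100):
    """Return the phase1, phase2, route, zone and policy blocks as one script."""
    tunnels = ((primary, "Primary"), (secondary, "Secondary"))
    phase1 = block("vpn ipsec phase1-interface", [(f'"{t.name}"', [
        f'interface "{t.wan}"', "ike-version 2", "keylife 19800", "peertype any",
        "net-device disable", "proposal aes256gcm-prfsha512",
        f'comments "{label} VPN to Cato Cloud"', "dhgrp 16",
        f"remote-gw {t.remote_gw}", f"psksecret {t.psk}"]) for t, label in tunnels])
    phase2 = block("vpn ipsec phase2-interface", [(f'"{t.name}"', [
        f'phase1name "{t.name}"', "proposal aes256gcm", "dhgrp 16",
        "keylifeseconds 86400"]) for t, _ in tunnels])
    dst = f"dst {cato_subnet}"
    # The backup route carries the larger priority value (less preferred); the
    # blackhole at distance 254 only takes over when both tunnel interfaces are down,
    # so Cato-bound traffic is dropped instead of leaving via the default route.
    routes = block("router static", [
        (str(route_ids[0]), [dst, "distance 1", f'device "{primary.name}"']),
        (str(route_ids[1]), [dst, "priority 10", "distance 1", f'device "{secondary.name}"']),
        (str(route_ids[2]), [dst, "blackhole enable", "distance 254"])])
    zone_cfg = block("system zone", [(f'"{zone}"', [
        "intrazone allow", f'interface "{primary.name}" "{secondary.name}"'])])
    policy = block("firewall policy", [(str(policy_id), [
        'name "CATO Firewall"', f'srcintf "{lan_if}"', f'dstintf "{zone}"', "action accept",
        'srcaddr "all"', 'dstaddr "all"', 'schedule "always"', 'service "ALL"'])])
    return "\n\n".join([phase1, phase2, routes, zone_cfg, policy])


def lint(config):
    """Flag paste mistakes that make FortiOS reject or silently mis-apply a script."""
    problems = []
    if re.search("[\u201c\u201d\u2018\u2019]", config):
        problems.append("curly quotes: FortiOS only accepts straight quotes")
    if re.search(r"\bnext[ \t]*end[ \t]*config\b", config):
        problems.append("'next', 'end' and 'config' run together on one line")
    opens = len(re.findall(r"^[ \t]*config\b", config, re.M))
    ends = len(re.findall(r"^[ \t]*end[ \t]*$", config, re.M))
    if opens != ends:
        problems.append(f"{opens} 'config' lines but {ends} 'end' lines")
    edits = len(re.findall(r"^[ \t]*edit\b", config, re.M))
    nexts = len(re.findall(r"^[ \t]*next[ \t]*$", config, re.M))
    if edits != nexts:
        problems.append(f"{edits} 'edit' lines but {nexts} 'next' lines")
    if re.search(r'" [^"\s][^"\n]*"', config):  # '" CATO_Cloud_M1"' names a different interface
        problems.append("whitespace inside a quoted name")
    if "blackhole enable" not in config:
        problems.append("no blackhole route: Cato subnet would fall back to the default route")
    return problems


if __name__ == "__main__":
    primary = Tunnel("CATO_IPSECV2-1", "wan1", "203.0.113.10", "REPLACE-PRIMARY-PSK")
    secondary = Tunnel("CATO_IPSECV2-2", "wan2", "198.51.100.20", "REPLACE-SECONDARY-PSK")
    script = render_ha_config(primary, secondary, "172.101.0.0 255.255.255.0",
                              "Virtual Lan", "Cato-Cloud-S2S")
    print(script)
    print("lint:", lint(script) or "clean")
```

Run it, review the printed script, and paste it only when the lint line reads `clean`. The blackhole check is the one worth keeping even if you hand-write the config: without that route, the moment both tunnels are down the Cato subnet matches only the default route and LAN traffic for it leaves the WAN interface in clear text.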

IKEv1 Aggressive (Firewall Initiated) Site - Configuring the FortiGate Appliance

This section explains how to configure the FortiGate appliance for a Cato IPsec IKEv1 site where the connection is initiated by the FortiGate appliance, which supports a dynamic public IP address on the WAN side.

Note: The configuration in this article was tested with firmware version 7.0.8.

To configure the FortiGate appliance to connect to an IKEv1 Firewall-initiated site:

  1. Enter the settings to define IPsec phase 1:

    config vpn ipsec phase1-interface
        edit "CATO_Cloud_M1" #[Primary VPN Name]
            set interface "wan1" #[Local FGT site network WAN interface]
            set keylife 19800
            set mode aggressive
            set peertype any
            set net-device disable
            set proposal aes256-sha512
            set localid "<site_name>.<acc_name>" #[Set the local ID - You can get that from Site Configuration -> IPsec menu]
            set dhgrp 16
            set remote-gw #[Cato pop primary IP]
            set psksecret #[Primary Cato configured PSK]
        next
        edit "CATO_Cloud_M2" #[Secondary VPN Name]
            set interface "wan2" #[Secondary FGT site network WAN interface - if not available use the same WAN interface]
            set keylife 19800
            set mode aggressive
            set peertype any
            set net-device disable
            set proposal aes256-sha512
            set localid "<site_name>.<acc_name>" #[Set the local ID - You can get that from Site Configuration -> IPsec menu]
            set dhgrp 16
            set remote-gw #[Cato pop secondary IP]
            set psksecret #[Secondary Cato configured PSK]
        next
    end
  2. Enter the settings to define IPsec phase 2:

    config vpn ipsec phase2-interface
        edit "CATO_Cloud_M1" #[VPN phase 2 Name]
            set phase1name "CATO_Cloud_M1" #[VPN phase 1 Name]
            set proposal aes256-sha256
            set dhgrp 16
            set auto-negotiate enable
            set comments "Phase2"
            set keylifeseconds 86400
        next
        edit "CATO_Cloud_M2" #[VPN phase 2 Name]
            set phase1name "CATO_Cloud_M2" #[VPN phase 1 Name]
            set proposal aes256-sha256
            set dhgrp 16
            set auto-negotiate enable
            set comments "Phase2"
            set keylifeseconds 86400
        next
    end
  3. Route the traffic through the VPN tunnel to the Cato Cloud.

    You can do this with static routing or dynamically with BGP. This example uses static routing.

    config router static
        edit #[Local FGT unique route ID]
            set dst 10.254.254.0 255.255.255.0 #[Remote CATO Networks subnet]
            set distance 1
            set device "CATO_Cloud_M1"
        next
        edit #[Local FGT unique route ID]
            set dst 10.254.254.0 255.255.255.0 #[Remote CATO Networks subnet]
            set distance 1
            set priority 20 #[backup connection - the larger priority value makes this route less preferred]
            set device "CATO_Cloud_M2"
        next
        edit #[Local FGT unique route ID]
            set dst 10.254.254.0 255.255.255.0 #[Remote CATO Networks subnet - otherwise send to black hole]
            set blackhole enable
            set distance 254
        next
    end
  4. (Optional) Create a zone, which makes it easier when creating a new rule or if you need to change the VPN names.

    config system zone
        edit "Cato-Cloud-Dial-up" #[Zone name]
            set intrazone allow
            set interface "CATO_Cloud_M1" "CATO_Cloud_M2" #[the 2 IPsec VPNs]
        next
    end
  5. Configure the firewall policy with rules that allow the traffic inside the tunnel.

    config firewall policy
        edit #[Local FGT rule ID]
            set name "CATO Firewall"
            set srcintf "Virtual Lan" #[Local FGT site network interface]
            set dstintf "Cato-Cloud-Dial-up" #[Remote CATO Networks VPN zone]
            set action accept
            set srcaddr "all" #[Best practice - filter by local address / group]
            set dstaddr "all" #[Best practice - filter by CATO address / group]
            set schedule "always"
            set service "ALL"
        next
    end
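Step 3 in both procedures relies on three routes for the same Cato subnet: two via the tunnel interfaces with equal distance but different priority, and a blackhole at distance 254. The Python simulation below, added here as an example and not code from Cato or Fortinet, models how FortiOS picks between them as tunnels fail: a route whose tunnel interface is down is withdrawn, blackhole routes are never withdrawn, and among matching routes the longest prefix wins, then the lowest distance, then the lowest priority value. Interface names and the 10.254.254.0/24 subnet follow the IKEv1 section; the link states, the default route via `wan1`, the 203.0.113.5 test address and the function names are constructed for this example.

```python
"""Simulate which static route FortiOS uses for the Cato subnet as tunnels fail.

Added example, not Cato's or Fortinet's code, for step 3 of the two procedures above.
Model: a route whose tunnel interface is down is withdrawn, blackhole routes are never
withdrawn, and among matching routes the longest prefix wins, then the lowest distance,
then the lowest priority value. Names and the 10.254.254.0/24 subnet follow the
article; the link states and the 203.0.113.5 test address are constructed inputs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dst: str                # network in CIDR form
    device: str = ""        # outgoing interface; empty for a blackhole route
    distance: int = 10      # administrative distance (FortiOS static default is 10)
    priority: int = 0       # tie-breaker among equal-distance routes; lower wins
    blackhole: bool = False


TUNNELS = {"CATO_Cloud_M1", "CATO_Cloud_M2"}   # interfaces that encrypt traffic

# Static routes from step 3 plus the default route an Internet-facing FortiGate has.
ARTICLE_ROUTES = [
    Route("10.254.254.0/24", "CATO_Cloud_M1", distance=1),
    Route("10.254.254.0/24", "CATO_Cloud_M2", distance=1, priority=20),
    Route("10.254.254.0/24", distance=254, blackhole=True),
    Route("0.0.0.0/0", "wan1"),
]


def active_routes(routes, up_interfaces):
    """Drop routes whose interface is down; a blackhole route has no interface to lose."""
    return [r for r in routes if r.blackhole or r.device in up_interfaces]


def lookup(routes, up_interfaces, dst_ip):
    """Return the route FortiOS would install for dst_ip, or None if nothing matches."""
    ip = ipaddress.ip_address(dst_ip)
    matching = [r for r in active_routes(routes, up_interfaces)
                if ip in ipaddress.ip_network(r.dst)]
    if not matching:
        return None
    return min(matching, key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen,
                                         r.distance, r.priority))


def egress(routes, up_interfaces, dst_ip, tunnels=TUNNELS):
    """Classify a packet's fate: 'tunnel:<name>', 'plaintext:<wan>' or 'dropped'."""
    route = lookup(routes, up_interfaces, dst_ip)
    if route is None or route.blackhole:
        return "dropped"
    kind = "tunnel" if route.device in tunnels else "plaintext"
    return f"{kind}:{route.device}"


if __name__ == "__main__":
    cato_host = "10.254.254.7"
    for state in ({"wan1", "CATO_Cloud_M1", "CATO_Cloud_M2"},
                  {"wan1", "CATO_Cloud_M2"}, {"wan1"}):
        print(sorted(state), "->", egress(ARTICLE_ROUTES, state, cato_host))
    # Without the blackhole route the same failure leaks Cato-bound traffic in clear.
    no_blackhole = [r for r in ARTICLE_ROUTES if not r.blackhole]
    print("both down, no blackhole ->", egress(no_blackhole, {"wan1"}, cato_host))
```

The last line of the output is the reason the blackhole route is not optional: with both tunnels down and no blackhole, the only remaining match for the Cato subnet is the default route, and internal traffic destined for Cato would be forwarded out the WAN interface unencrypted. On the appliance the same states can be confirmed with `get router info routing-table all` while a tunnel is brought down.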

IKEv1 Site - Configuring FortiOS VS 3

This section explains how to configure FortiOS VS3 for a Cato IPsec IKEv1 site, which supports a dynamic public IP address for WAN traffic.

To configure a FortiOS VS 3 to connect to an IPsec IKEv1 site:

  1. Enter the settings to define IPsec phase 1:

    config vpn ipsec phase1
        edit "Cato"
            set interface "wan1"
            set localid "<site_name>.<acc_name>" #[Set the local ID - You can get that from Site Configuration -> IPsec menu]
            set nattraversal enable
            set proposal aes256-sha1
            set keylife 86400
            set mode aggressive
            set add-gw-route enable
            set remote-gw <ip> #[Cato PoP for secondary IP]
            set psksecret #[Primary Cato configured PSK]
        next
    end
  2. Enter the settings to define IPsec phase 2:

    config vpn ipsec phase2
        edit "Cato"
            set keepalive enable
            set pfs enable
            set phase1name "Cato"
            set proposal aes256-sha1
            set replay enable
            set keylifeseconds 3600
            set src-subnet 10.230.230.0 255.255.255.0
        next
    end
    
  3. Configure the firewall rule:

    config firewall policy
        edit <name> #[the firewall rule name]
            set srcintf "internal"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action ipsec
            set schedule "always"
            set service "ANY"
            set logtraffic enable
            set inbound enable
            set outbound enable
            set vpntunnel "Cato"
        next
    end
  4. Configure the routing for the site:

    config router static
        edit X
            set device "Cato" #[the ipsec name]
            set dst 10.230.230.0 255.255.255.0 #[Remote CATO Networks subnet]
        next
    end
    config router static
        edit Y
            set blackhole enable
            set dst 10.230.230.0 255.255.255.0 #[Remote CATO Networks subnet]
            set distance 254
        next
    end
