FortiGate Next Generation Firewall

To configure the tunnel in the FortiGate Next Generation Firewall Management Portal:

  1. Log in to the FortiGate Next Generation Firewall Management Portal.

  2. Go to VPN > IPSec Tunnels.

  3. Click Create New.

    The VPN Creation Wizard window appears.

  4. In the Name field, enter a name for the tunnel.

  5. Set Template Type to Custom.

  6. Click Next.

  7. In the Network section:

    Field                  Enter
    IP Version             IPv4
    Remote Gateway         Static IP Address
    IP Address             Public IP address of the location server.
    Interface              Your WAN interface.
    Mode Config            Clear
    NAT Traversal          Disable
    Dead Peer Detection    On-Demand

    Note - If the tunnel stops responding while its status is active, change NAT Traversal to Enable.

  8. In the Authentication section:

    Field             Enter
    Method            Pre-shared key
    Pre-shared Key    Secret key specified in Configuring the Tunnel in the Harmony SASE Administrator Portal.
    IKE Version       2
    Mode              Main (ID Protection)

  9. In the Phase 1 Proposal section:

    Field                     Enter
    Encryption                AES256
    Authentication            SHA256
    Diffie-Hellman Group      21
    Key Lifetime (seconds)    28800
    Local ID                  Blank
    XAUTH                     Blank

  10. In the Phase 2 Selectors (+Advanced) section:

    Field                                   Enter
    Name                                    Harmony SASE
    Local Address                           Your local network subnet
    Remote Address                          Harmony SASE network subnet (10.255.0.0/255.255.0.0)
    Enable Replay Detection                 Select
    Enable Perfect Forward Secrecy (PFS)    Select
    Diffie-Hellman Group                    21
    Encryption                              AES256
    Authentication                          SHA256
    Local Port                              Select
    Remote Port                             Select
    Protocol                                Select
    Key Lifetime                            Seconds
    Seconds                                 3600

  11. Add static routes from the Harmony SASE subnet (10.255.0.0/16) to the local network and vice versa through the VPN tunnel gateway:

    1. Click Network > Routing.

    2. Click Create new and select Route.

    3. In the Destination field, enter 10.255.0.0/16.

    4. From the Device list, select Harmony SASE.

    5. Click OK.

  12. Add firewall rules to allow traffic from the Harmony SASE subnet (10.255.0.0/16) to your local network or services:

    1. Go to Policy & Objects > IPv4 Policy.

    2. Click Create New and enter these:

      Field                 Enter
      Name                  Harmony SASE
      Incoming Interface    Harmony SASE
      Outgoing Interface    Your local network object.
      Source                All
      Destination           All
      Schedule              Always
      Service               All
      NAT                   Disabled

      Leave the rest of the fields at their default settings.

    3. Click OK.

  13. To verify that the tunnel is up, go to VPN > IPSec Tunnels. If the tunnel is listed in the table, then the tunnel is up.