Firewall implementation and site to site VPN

We want to implement a firewall to create a site-to-site VPN between our HQ office and our branch office. Please advise what is needed and how to configure the firewall and router at both sites.
Our HQ office has a static Internet IP, 124.66.159.81, configured on our router, and the LAN is 192.168.1.0.
The branch office uses a dynamic IP, <xxx.xxx.xxx.xxx>, configured on our router, and the LAN is 192.168.2.0.
YaYangTeah asked:
John (Business Consultant, Owner) commented:
You need a static IP in the branch office, or else investigate the use of DynDNS.

Then put in two hardware VPN router boxes, one at each end: Juniper NetScreen or Cisco RVxx routers. Set up an IPsec tunnel and make the connection.

Assuming standard DSL, look at making the MTU on the WAN connection at each end 1492 or a bit less. The default is 1500 and is not good for VPN.

Firewall setup can be the normal setup at each end. There is nothing special for VPN except that the firewall setup needs to allow the internal address range at each end.
YaYangTeah (author) commented:
We will use a FortiGate 60D for both offices. For the HQ office, how do we configure the firewall?
John (Business Consultant, Owner) commented:
IPsec needs a Phase 1 (3DES, DH Group 2, SHA1), no PFS, a Phase 2 (3DES, DH Group 2, SHA1) and a pre-shared key. For site-to-site, use Main mode and not Aggressive mode, and you may also need to use NAT Traversal.

If you have never set up a VPN before, it is not a push-button, one-setting setup, so you should get someone to help with the VPN setup.
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Correction: you need the same settings on both devices, but you are not restricted to the (unrecommended) 3DES encryption. Phase 2 DH = PFS, so the above is not correct.

If you can't manage to use DynDNS or similar for your branch office, you'll have to use Aggressive Mode, and the branch needs to initiate VPN tunnel negotiation all the time. Usually that is nothing you would like much to do, because if there are issues, you can't trigger a connection from HQ. And it is less safe: the static IP or dynamic DNS address is used as an additional security measure to make sure it is really the "other" side trying to start a connection.

I agree with the point made above: you should expect to spend significant time on configuring, and it is much better to ask someone else to do the initial config. "We will use" sounds as if you do not have experience with Fortinet.
John (Business Consultant, Owner) commented:
Re: Correction. Yes, I neglected to note that you don't use DH Group 2 in Phase 2 if PFS is disabled. Thanks.
Natty Greg (In Theory (IT)) commented:
Why do you need a VPN?
What are you trying to do?

Because if you're not doing site replication and you don't have remote users...

If you're only interested in remote administration of a few PCs, then you can save yourself hours and hassle by using a VNC server with dynamic DNS if you don't have a static IP.
Mike Smith (Enterprise VoIP & ISP Broker) commented:
Have you considered having your ISP provide a cloud-based, managed firewall for both sites, combined?
YaYangTeah (author) commented:
No
John (Business Consultant, Owner) commented:
@YaYangTeah  - I have client branch office site-to-site tunnels in operation. Have you tried the setup yet?
Mike Smith (Enterprise VoIP & ISP Broker) commented:
@YaYangTeah - A network firewall from your ISP might be worth at least taking a look at. It will be a lot easier to manage (via a web portal, no matter where you are located), and you will probably get a higher-grade firewall than what you would be able to purchase on your own.
YaYangTeah (author) commented:
I think I still cannot get the answer I need; maybe my question is not clear. Basically I need to know what needs to change on the router side and the firewall IP, and how to create the site-to-site VPN, e.g. port-forwarding the IPsec ports from the router to the firewall.

I have drawn my existing network and the new network; please advise what to do so that my site-to-site works. Thanks.
[attached image: Existing-Network.PNG]
[attached image: New-Network.PNG]
John (Business Consultant, Owner) commented:
Why the extra IP addresses in your new network? I do not think you need them.
The old network looks exactly like any site-to-site network I have used.

Did you try DynDNS for the dynamic site?
YaYangTeah (author) commented:
Because we want to put a firewall behind the firewall. Don't worry about DDNS; we have it now, we are using it for our CCTV.
John (Business Consultant, Owner) commented:
A firewall behind a firewall makes life complicated. Make it work first the way you want and then add a firewall.
YaYangTeah (author) commented:
I am sorry, I mean behind the router, because the router is configured and provided by the Internet ISP. We don't want to touch their devices.
John (Business Consultant, Owner) commented:
What I do is put the ISP modems in bridge mode (all locations) and use the VPN box as the firewall. Have one inside address and one outside address at each place.
YaYangTeah (author) commented:
That I know. Why do I see most people put the firewall behind the router?
John (Business Consultant, Owner) commented:
You can put a firewall behind the ISP modem, but combine your VPN box and firewall into one box. Any box (FortiGate or other) will do this.

My point is that it is excessively complicated from a VPN perspective to change 1.2.3.4 to 192.16.1.1 to 10.10.1.1 and expect VPN packets to traverse unimpeded.

You might wish to obtain some local consulting expertise.
YaYangTeah (author) commented:
That is the reason I am asking the question here.
John (Business Consultant, Owner) commented:
We have explained how to do this, and I am doing it in several locations, so it works fine.

Site 1: External IP -> Modem in Bridge Mode -> VPN router = local IP.

Phase 1 something like 3DES, DH Group 2, SHA1
No PFS
Phase 2 3DES, SHA1
Pre-Shared Key.

Mirror at both sites.

Site 2: External IP or DynDNS -> Modem in Bridge Mode -> VPN router = local IP.

Works.
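Added example, not from any participant in this thread: the recipe above (mirrored Phase 1 / Phase 2 proposals, pre-shared key, NAT traversal, bridged ISP modem at each end) written out as FortiOS CLI for the FortiGate 60D the asker plans to use, together with Qlemo's correction that the proposal need not be 3DES and that Phase 2 DH is what PFS means. Interface names (wan1, internal), tunnel and address object names, and the PSK placeholder are assumptions. IKEv2 is used, so the IKEv1 Main/Aggressive question does not arise; AES-256/SHA-256 with DH group 14 and PFS replaces the 3DES/SHA1/DH2, no-PFS settings quoted in the thread. The HQ side is a dial-up (dynamic) peer because the branch has no fixed address; if the ISP router in front of the HQ FortiGate cannot be bridged, it must forward UDP 500 and UDP 4500 to wan1 (with NAT-T the ESP traffic travels inside UDP 4500).

```text
### HQ FortiGate 60D: 124.66.159.81 on wan1 (ISP modem bridged), LAN 192.168.1.0/24 on internal
config firewall address
    edit "HQ-LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "BRANCH-LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set type dynamic               # dial-up peer: branch address is not known in advance
        set interface "wan1"
        set ike-version 2              # IKEv2: no Main/Aggressive mode choice to make
        set peertype any
        set proposal aes256-sha256     # instead of 3DES/SHA1 from the thread
        set dhgrp 14
        set nattraversal enable        # branch sits behind the ISP router (NAT)
        set dpd on-idle
        set psksecret <same-long-random-PSK-on-both-sides>    # placeholder (assumption)
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set pfs enable                 # PFS = the Phase 2 DH exchange
        set dhgrp 14
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "to-branch"         # send branch LAN traffic into the tunnel interface
    next
end
config firewall policy
    edit 0
        set name "hq-to-branch"
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "HQ-LAN"
        set dstaddr "BRANCH-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set tcp-mss-sender 1350        # clamp MSS so ESP overhead fits a 1492-byte DSL path
        set tcp-mss-receiver 1350
    next
    edit 0
        set name "branch-to-hq"
        set srcintf "to-branch"
        set dstintf "internal"
        set srcaddr "BRANCH-LAN"
        set dstaddr "HQ-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
        set tcp-mss-sender 1350
        set tcp-mss-receiver 1350
    next
end

### Branch FortiGate 60D: dynamic IP on wan1, LAN 192.168.2.0/24 on internal
# Same address objects, proposals, DH group, PFS and PSK as HQ; only the differences are shown.
config vpn ipsec phase1-interface
    edit "to-hq"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set dpd on-idle
        set remote-gw 124.66.159.81    # only the branch knows the other end's address, so it initiates
        set psksecret <same-long-random-PSK-on-both-sides>
    next
end
config vpn ipsec phase2-interface
    edit "to-hq-p2"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable      # bring the tunnel up without waiting for LAN traffic
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
# The static route to 192.168.1.0/24 via "to-hq" and the two firewall policies mirror the HQ side.
```

Every value in Phase 1 and Phase 2 (proposal, DH group, PFS, PSK) must match on both devices; a mismatch shows up as a Phase 1 or Phase 2 negotiation failure in the IKE log rather than as a policy drop. With DynDNS in place at the branch the HQ side could instead name the branch explicitly, which restores the ability to initiate from HQ that Qlemo describes.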
YaYangTeah (author) commented:
Today I tried plugging the Internet connection from my firewall directly into the ISP ONT; my firewall cannot get an IP from the ISP. Must the ONT be plugged into the ISP router to get an Internet IP?
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Usually you need to authenticate on the connection, and your firewall won't do that (because it has no information about it).
YaYangTeah (author) commented:
How about if we use a static Internet IP?
John (Business Consultant, Owner) commented:
Re: "direct plugin Internet connection from my firewall to the ISP ONT, my firewall can not get IP from ISP"

Usually resetting the ISP modem (unplug, wait 10 seconds, plug back in) will fix the ISP connection. If not, call them and have them reset the modem.
Qlemo ("Batchelor", Developer and EE Topic Advisor) commented:
Using a dynamic or a static Internet IP is not related to having to use a modem device.
YaYangTeah (author) commented:
I managed to follow the FortiGate manual to create the dial-up VPN, even though my remote site is using double NAT.