Site-to-Site VPN Between SonicWALL and Fortigate

We acquired another business and would like to set up a site-to-site VPN between the two. They have an existing SonicWALL TZ215 and we have a Fortigate 100D. We do site-to-site VPNs to our other locations but they all have the 100D in place. Due to some software conversions that need to be done, we aren't going to put a 100D in there for another month or two. Does anyone have any experience doing this, or is there any documentation anywhere?

We have a company that monitors and makes changes to our Fortigate, so they may be setting up the VPN on the Fortigate side and I'll be doing the SonicWALL side. After they set up everything in the Fortigate, what information do I need from that to set up the SonicWALL correctly?

Thanks.
itgolfer asked:

Kash (2nd Line Engineer) commented:
Shouldn't be difficult.
Ask the company which handles your firewall to set up the VPN (IPsec) etc. and give you the details.

Once you have the details, just copy the same settings on the SonicWALL firewall.
All it is, is a VPN, nowt else.
1
Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
Ideally I would want a Fortigate in there. It will work with a SonicWALL, but why would we do this to ourselves?

If we are using Fortigates across VPN sites, having one SonicWALL in amongst them is a potential nightmare, especially with Dell now charging for support; get the Sonic out and put a Fortigate in there.

my 2c
1
itgolfer (Author) commented:
Thanks for the comments. I will have them get me the info they set up in the Fortigate and that should help explain what I need to set up in the SonicWALL.

Mark, I completely agree. However, we're converting them over to our systems in mid-December so we didn't want to put in a new firewall until that was done. They only need to connect and communicate with our main location so the others shouldn't matter. It will be much easier once we get the Fortigate in there and everything is the same.
0

Mark Bill (Exchange, AD, SQL, VMware, HPE, 3PAR, FUD, Anti MS Tekhnet, Pro EE, #1) commented:
What I would do is this. I've done this before and there are no issues if you get it right (someone who can firewall properly).

Analyze the Sonic and document the config, set a Fortigate up with the exact same config as you see fit, go over there out of hours, pull the SonicWALL out and put the Fortigate straight in, pre-configured.
Just keep the SonicWALL as a backup so you can put it back in place if the migration fails.

Once the Fortigate is in, interfaces are up and everything looks normal, run a number of tests on it: web access from a workstation, internal and external mail access, whatever else they are dependent on. Will be grand. Or wait till December :) GL

Yeah, you have the right idea and know what you're doing already. It's fine to put a Sonic in there with a VPN to a Fortigate; however, there is no point, especially if we have Fortigate support already. Even without that, this is a different piece of hardware and software (SonicWALL, that is), just not worth the potential pains.
0
itgolfer (Author) commented:
OK, here is the config from the Fortigate. I'm assuming I just use a shared pre-shared key method in the SonicWALL?
Config.png
0
Blue Street Tech (Last Knight) commented:
Hi itgolfer,

Here is the configuration for both units:

CONFIGURE THE FORTIGATE DEVICE

1. Configure the Phase1 & Phase 2 VPN settings

Configure the Phase1 settings
1. Go to VPN > IPSec > Phase 1.
2. Select Create New and enter the following:
(default values shown can be changed by admin)
    • Gateway Name: SonicWALL
    • Remote Gateway: Static IP
    • IP Address: ip address
    • Mode: Main
    • Authentication Method: Preshared Key
    • Pre-shared Key: preshared key
3. Select Advanced and enter the following:
    • Encryption: 3DES
    • Authentication: SHA1
    • DH Group: 2
    • Keylife: 28800
Leave all other settings as their default.
4. Select OK.

Configure the Phase 2 settings
1. Go to VPN > IPSec > Phase 2.
2. Select Create New and enter the following:
    • Tunnel Name: SonicWall
    • Remote Gateway: Select SonicWall
3. Select Advanced and enter the following:
    (default values shown can be changed by admin)
    • Encryption: 3DES
    • Authentication: SHA1
    • DH group: 2
    • Keylife: 28800
**Quick Mode Identities: add source and destination networks as SonicWall will require this in building the Security Associations
4. Select OK.

2. Add a Firewall Policy

Add the source and destination addresses, then add an internal-to-external policy that includes these source and destination addresses to permit the traffic flow.

To add the addresses
1. Go to Firewall > Address.
2. Select Create New.
3. Enter a name for the address, for example FortiGate_network.
4. Enter the FortiGate IP address and subnet.
5. Select OK.
6. Select Create New.
7. Enter the name for the address, for example SonicWall_network.
8. Enter the SonicWall IP address and subnet.
9. Select OK.

To create a firewall policy for the VPN traffic going from the FortiGate unit to the SonicWALL device
1. Go to Firewall > Policy.
2. Select Create New and set the following:
    • Source Interface: Internal
    • Source Address: FortiGate_network
    • Destination Interface: SonicWall_network
    • Destination Address: WAN1 (or External)
    • Schedule: always
    • Service: ANY
    • Action: Encrypt
    • VPN Tunnel: SonicWall
    • Select Allow inbound
    • Select Allow outbound
3. Select OK.

To create a firewall policy for the VPN traffic going from the SonicWALL device to the FortiGate unit
1. Go to Firewall > Policy.
2. Select Create New and set the following:
    • Source Interface: WAN1 (or external)
    • Source IP address: SonicWall_network
    • Destination Interface: Internal
    • Destination Address Name: FortiGate_network
    • Schedule: always
    • Service: ANY
    • Action: Encrypt
    • VPN Tunnel: SonicWall
    • Select Allow inbound
    • Select Allow outbound
3. Select OK.

CONFIGURE THE SONICWALL DEVICE

3. Create the Address Object

Create the address object for the FortiGate unit to identify the FortiGate unit's IP address for the VPN Security Association (SA).

To create an address entry
1. Go to Network > Address Objects.
2. Select Add and enter the following:
    • Name: FortiGate_network
    • Zone Assignment: VPN
    • Type: Network
    • Network: FortiGate IP address
    • Netmask: FortiGate netmask
3. Select OK.

4. Configure the VPN Settings

1. To configure the VPN, go to VPN.
2. Ensure Enable VPN is selected in the VPN Global Settings section.
3. Select Add in the VPN Policies area.
4. Select the General tab and configure the following:
    • IPSec Keying Mode: IKE using Preshared Secret.
    • Name: FortiGate_network
    • IPSec primary Gateway Name or Address: IPSec gateway IP address
    • Shared Secret: Preshared
    • Local IKE ID: IP Address (address left empty)
    • Peer IKE ID: IP Address (address left empty)
5. Select the Network tab and configure the following:
    • For the Local Networks, select Choose local network from list and select LAN Primary Subnet.
    • For the Destination Networks, select Choose destination network from list and select FortiGate_network.
6. Select the Proposals tab and configure the following:
    • IKE (Phase1) Proposal
    • Exchange: Main Mode
        • DH Group: Group 2
        • Encryption: 3DES
        • Authentication: SHA1
        • Life Time: 28800
    • IKE (Phase2) Proposal
        • Protocol: ESP
        • Encryption: 3DES
        • Authentication: SHA1
        • DH Group: Group 2
        • Life Time: 28800
7. Select the Advanced tab and select Enable Keep Alive.
8. Select OK.

Start here as your baseline. This baseline has been tested by both companies to work successfully. Then once you have successfully configured them and the tunnel is up you can start enhancing the encryption to better standards.

Let me know how it goes!
1
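As an added illustration (not part of the answer above, and not FortiGate or SonicWALL code), the following script checks that the two sides of the tunnel described in the walkthrough agree on everything IKEv1 requires to match: exchange mode, pre-shared key, the Phase 1 and Phase 2 proposals (encryption, authentication, DH group, lifetime) and mirrored quick-mode selectors, and it lists which of the baseline algorithms (3DES, SHA1, DH group 2) should be upgraded once the tunnel is up. The subnets and the key value are constructed placeholders.

```python
"""Consistency check for a FortiGate <-> SonicWALL IKEv1/IPsec configuration."""
from dataclasses import dataclass

# Values that must be identical on both peers for IKE Phase 1 and Phase 2 to negotiate.
PHASE_KEYS = ("encryption", "authentication", "dh_group", "keylife")
# Baseline algorithms that negotiate fine but should be replaced (e.g. AES-256, SHA-256, DH 14+).
WEAK = {"encryption": {"DES", "3DES"}, "authentication": {"MD5", "SHA1"}, "dh_group": {1, 2, 5}}


@dataclass
class Peer:
    name: str
    mode: str          # IKE exchange mode: "main" or "aggressive"
    psk: str           # pre-shared key (placeholder value in the sample below)
    phase1: dict       # IKE (Phase 1) proposal
    phase2: dict       # IPsec (Phase 2) proposal
    local_net: str     # this peer's LAN, as advertised in the quick-mode identity
    remote_net: str    # the LAN this peer expects behind the other gateway


def check_tunnel(a: Peer, b: Peer) -> list[str]:
    """Return findings that would stop the SA from coming up; empty list means the configs line up."""
    findings = []
    if a.mode != b.mode:
        findings.append(f"IKE mode mismatch: {a.name}={a.mode}, {b.name}={b.mode}")
    if a.psk != b.psk:
        findings.append("pre-shared key differs between peers")
    for phase, pa, pb in (("Phase1", a.phase1, b.phase1), ("Phase2", a.phase2, b.phase2)):
        for key in PHASE_KEYS:
            if pa.get(key) != pb.get(key):
                findings.append(f"{phase} {key} mismatch: {a.name}={pa.get(key)}, {b.name}={pb.get(key)}")
    # Quick-mode identities: each side's local network must equal the other side's remote network.
    if a.local_net != b.remote_net or b.local_net != a.remote_net:
        findings.append("Phase2 selectors are not mirrored (local/remote networks)")
    return findings


def weak_algorithms(p: Peer) -> list[str]:
    """List proposal entries that belong to the weak baseline and should be upgraded later."""
    return [f"{phase} {key}={d[key]}"
            for phase, d in (("Phase1", p.phase1), ("Phase2", p.phase2))
            for key, bad in WEAK.items() if d.get(key) in bad]


# Constructed sample mirroring the baseline in the post: 3DES / SHA1 / DH 2 / 28800 s, main mode.
BASELINE = {"encryption": "3DES", "authentication": "SHA1", "dh_group": 2, "keylife": 28800}
FORTIGATE = Peer("FortiGate", "main", "placeholder-psk", dict(BASELINE), dict(BASELINE), "10.1.0.0/24", "10.2.0.0/24")
SONICWALL = Peer("SonicWALL", "main", "placeholder-psk", dict(BASELINE), dict(BASELINE), "10.2.0.0/24", "10.1.0.0/24")

if __name__ == "__main__":
    print(check_tunnel(FORTIGATE, SONICWALL) or "both sides agree; tunnel should negotiate")
    print("upgrade later:", weak_algorithms(SONICWALL))
```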
