Sangfor builds an IPSec VPN with Fortinet/FortiGate

using Aggressive mode

Environment Introduction

Sangfor:
Static public IP, directly connected to the internet.
Fortinet/FortiGate:
ADSL, directly connected to the internet.
The customer wants the intranets on both sides to reach each other via an IPSec VPN.

Configuration:

Fortinet:

1. Confirm the interface information.

2. Fortinet uses the DDNS name benline.fortidyndns.com to resolve the IP of the ADSL link.

3. Start building the VPN tunnel; choose Custom VPN Tunnel.


4. IPsec interface mode must be enabled; do not choose mode config.
Because the devices on both sides connect directly to the internet, we do not choose NAT Traversal.
Because the Fortinet link is ADSL, we should enable Dead Peer Detection to detect the status of the
other side's IP.
Sangfor does not support IKE version 2, so we choose version 1.
Main mode can only be used when both sides have static public IPs and connect directly to the internet,
so we choose aggressive mode here.

Fortinet appears to offer no selectable peer ID type; it should be the FQDN type, so we try the peer ID
www.sangfor.com
Encryption: Sangfor supports DES/3DES/AES-128
DH group: Sangfor supports 1/2/5
Local ID: we type the Fortinet DDNS name benline.fortidyndns.com
The Phase 2 PFS DH group must be the same as the Phase 1 DH group

5. After we finish configuring both sides, we can see the VPN tunnel status in IPSec Monitor.

6. If there is a configuration error, we can also check the VPN log.

This article does not cover the security policy.
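The Fortinet Phase 1 and Phase 2 settings from step 4 expressed in the FortiOS CLI, as an added example that is not part of the original article. Only the mode, IKE version, IDs, DPD/NAT-T choices and the cipher/DH selections come from the steps above; the tunnel names, WAN interface name, Sangfor peer address, subnets, pre-shared key and the SHA1 hash are assumed placeholders.

```text
# Added example: FortiOS CLI equivalent of step 4. Values marked PLACEHOLDER are assumed.
# "phase1-interface" is IPsec interface mode; plain "phase1" would be policy-based.
config vpn ipsec phase1-interface
    edit "to-sangfor"
        # PLACEHOLDER: the ADSL WAN interface of the FortiGate
        set interface "wan1"
        # Sangfor does not support IKEv2
        set ike-version 1
        # FortiGate side has a dynamic ADSL IP, so aggressive mode, not main mode
        set mode aggressive
        # "do not choose mode config"
        set mode-cfg disable
        # both sides are directly on the internet, no NAT in between
        set nattraversal disable
        # Dead Peer Detection, so a dropped ADSL session is noticed and the tunnel is rebuilt
        set dpd on-demand
        # Local ID = the FortiGate DDNS name, sent as an FQDN
        set localid "benline.fortidyndns.com"
        set localid-type fqdn
        # accept only the peer ID configured on the Sangfor side
        set peertype one
        set peerid "www.sangfor.com"
        # PLACEHOLDER: Sangfor static public IP
        set remote-gw 203.0.113.10
        # AES-128 is the strongest of DES/3DES/AES-128 that Sangfor supports; SHA1 is assumed
        set proposal aes128-sha1
        # DH group 5 is the strongest of the supported groups 1/2/5
        set dhgrp 5
        # PLACEHOLDER: pre-shared key, must match the Sangfor side
        set psksecret PLACEHOLDER_PSK
    next
end
config vpn ipsec phase2-interface
    edit "to-sangfor-p2"
        set phase1name "to-sangfor"
        set proposal aes128-sha1
        # PFS group must match the Phase 1 DH group
        set pfs enable
        set dhgrp 5
        # PLACEHOLDER: FortiGate LAN and Sangfor LAN
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
```

The CLI counterpart of the IPSec Monitor check in step 5 is `get vpn ipsec tunnel summary`, and `diagnose vpn ike gateway list` shows the Phase 1 state when the tunnel does not come up.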


Sangfor:

1. Confirm the interface information.

2. Build the VPN WAN0 interface. Note: "Use static internet IP" is the interface IP, not the gateway IP.

3. Build the VPN LAN interface.


4. Configure Phase 1

5. Configure Phase 2
6. After a successful configuration, we can see the tunnel in the IPSec VPN status.

This article does not cover the access control policy / zone policy.
