FortiGate IPSec and Perimeter 81 Network Subnet Setup Guide
Step 0 - Taking a Backup
Before making any changes to FortiGate, please back up the configuration to your computer so that a recovery option exists if anything goes wrong.
- Once logged into FortiGate, click on your username in the upper right corner.
- Hover over Configuration and select Backup
- Choose a file format of FortiOS
- Password Mask OFF
- Encryption ON and create a password for this file.
Step 1 - Create Network Address Objects
Policy & Objects > Addresses
- Create New > Address
Name: LAN_[Location Name]
Type: Subnet
Interface: Any
Static Route Configuration: ON

- Add the newly created address to the Address Group "SH_OnPrem_Networks"
Step 2 - Create IPSec Tunnel
VPN > IPSec Tunnels
- Click + Create New > IPSec Tunnel
- Enter an IPSec Tunnel Name (e.g. UES170, ManBeach1000, Gramercy)
- Select the template type "Custom".
- You will be brought to the VPN Tunnel editing page.
The following IPSec Tunnel settings are standard when connecting to a Meraki MX firewall.
Network
IP Version: IPv4
Remote Gateway: Dynamic DNS
Dynamic DNS: [Unique Meraki DDNS Hostname]
Interface: WAN 1
Local Gateway: OFF
Mode Config: OFF
NAT Traversal: Disable
Dead Peer Detection: On-Demand
DPD retry count: 3
DPD retry interval: 20 s
Forward Error Correction: OFF
Add route: Enabled
Auto discovery sender: Disabled
Auto discovery receiver: Disabled
Exchange interface IP: Disabled
Device creation: Disabled
Authentication
Method: Pre-shared Key
Pre-shared Key: [Located within LastPass]
IKE Version: 2
Phase 1 Proposal
Encryption: AES256, Authentication: SHA256
Diffie-Hellman Group: 14
Key Lifetime (seconds): 28800
Phase 2 Selectors
Name: Azure [Location name]
Local Address: Named Address > Azure_VNET_Group
Remote Address: Named Address > LAN_[Location Name]
Advanced Settings
- Encryption: AES256, Authentication: SHA256
- Enable Replay Detection: ON
- Enable Perfect Forward Secrecy (PFS): ON
- Local, Remote, & Protocol: ON
- Auto-negotiate: OFF
- Autokey Keep Alive: OFF
- Key Lifetime: Seconds
- Seconds: 3600
------
Name: P81 [Location name]
Local Address: Named Address > P81
Remote Address: Named Address > LAN_[Location Name]
Advanced Settings
- Encryption: AES256, Authentication: SHA256
- Enable Replay Detection: ON
- Enable Perfect Forward Secrecy (PFS): ON
- Local, Remote, & Protocol: ON
- Auto-negotiate: OFF
- Autokey Keep Alive: OFF
- Key Lifetime: Seconds
- Seconds: 3600
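The Step 2 settings can be verified against a running FortiGate without opening every tunnel in the GUI. The script below is an added example, not part of this guide or of FortiOS: it parses the text that the FortiGate CLI prints for `show full-configuration vpn ipsec phase1-interface` and `show full-configuration vpn ipsec phase2-interface` and lists every setting that differs from the baseline above (AES256/SHA256, DH group 14, IKEv2, the key lifetimes, DPD on-demand, PFS and replay detection). The tunnel names, the DDNS hostname and the sample configuration are constructed placeholders, and the CLI option names (`proposal`, `dhgrp`, `dpd`, `keylifeseconds`, and so on) are the FortiOS names as the example's author knows them; compare them against your own device's output before relying on the check.

```python
"""Check FortiGate IPSec phase 1 / phase 2 settings against the baseline in this guide.

Added example, not part of the guide or of FortiOS. Input is the text printed by
`show full-configuration vpn ipsec phase1-interface` and `... phase2-interface`.
"""

# Constructed sample in the shape FortiOS prints; tunnel names and the DDNS
# hostname are placeholders. The P81 selector is deliberately wrong so the
# checker has something to report.
SAMPLE_CONFIG = """\
config vpn ipsec phase1-interface
    edit "UES170"
        set type ddns
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set keylife 28800
        set nattraversal disable
        set dpd on-demand
        set dpd-retrycount 3
        set dpd-retryinterval 20
        set remotegw-ddns "placeholder-meraki.example.net"
    next
end
config vpn ipsec phase2-interface
    edit "Azure UES170"
        set phase1name "UES170"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set replay enable
        set keylifeseconds 3600
    next
    edit "P81 UES170"
        set phase1name "UES170"
        set proposal aes128-sha1
        set pfs disable
        set dhgrp 14
        set replay enable
        set keylifeseconds 3600
    next
end
"""

# Baseline values from Step 2 of this guide, keyed by FortiOS CLI option name.
PHASE1_BASELINE = {
    "ike-version": "2",
    "proposal": "aes256-sha256",   # Encryption AES256, Authentication SHA256
    "dhgrp": "14",                 # Diffie-Hellman Group 14
    "keylife": "28800",            # Phase 1 key lifetime in seconds
    "nattraversal": "disable",
    "dpd": "on-demand",
    "dpd-retrycount": "3",
    "dpd-retryinterval": "20",
}
PHASE2_BASELINE = {
    "proposal": "aes256-sha256",
    "pfs": "enable",               # Perfect Forward Secrecy
    "replay": "enable",            # Replay detection
    "keylifeseconds": "3600",
}


def parse_fortios(text):
    """Parse FortiOS config/edit/set/next/end blocks into {section: {entry: {option: value}}}."""
    result = {}
    section = entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            result.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip().strip('"')
            result[section][entry] = {}
        elif line.startswith("set ") and section is not None:
            key, _, value = line[len("set "):].partition(" ")
            # a 'set' outside any 'edit' block belongs to the section itself (entry None)
            result[section].setdefault(entry, {})[key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = entry = None
    return result


def find_deviations(config):
    """Return (entry, option, expected, actual) for every setting that differs from the baseline."""
    deviations = []
    checks = (("vpn ipsec phase1-interface", PHASE1_BASELINE),
              ("vpn ipsec phase2-interface", PHASE2_BASELINE))
    for section, baseline in checks:
        for name, settings in config.get(section, {}).items():
            for option, expected in baseline.items():
                actual = settings.get(option, "<unset>")
                if actual != expected:
                    deviations.append((name, option, expected, actual))
    return deviations


if __name__ == "__main__":
    for name, option, expected, actual in find_deviations(parse_fortios(SAMPLE_CONFIG)):
        print(f"{name}: {option} is {actual!r}, guide says {expected!r}")
```

Feed it `show full-configuration` output rather than plain `show`: `show` omits options that sit at their factory default, and the checker would report those as `<unset>` even when they are correct. Because the Azure and P81 selectors share one phase 1, a deviation is reported per selector, which is what you want when only one of the two was edited.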
Step 3 - Adding Static Routes
- Navigate to Network > Static Routes
- Click + Create New
- Enter the following information:
Automatic Gateway Retrieval: OFF
Destination: Named Address > LAN_[Location Name]
Interface: [Location IPSec Tunnel]
Administrative Distance: 10
Status: Enabled
Save
Create a second Static Route (a blackhole with a high administrative distance, so traffic for the remote LAN is dropped rather than sent out the default route while the tunnel is down):
Automatic Gateway Retrieval: OFF
Destination: Named Address > LAN_[Location Name]
Interface: Blackhole
Administrative Distance: 254
Status: Enabled
Save
Step 4 - Adding IPSec Tunnel to Firewall Policies
The following Firewall Policies are required:
- Allow_OnPremVPNs_to_Azure (42)
- Allow_OnPrem_to_OnPrem (17)
- Allow_SSLVPN_to_SH (41)
- Allow_Azure_to_OnPremVPNs (43)
- Navigate to Policy & Objects > Firewall Policy
- Locate each policy one at a time from the list above.
- Add the newly created IPSec Tunnel Interface to the firewall policy alongside other IPSec Tunnels.
- Some policies include Named Addresses such as LAN_[Location Name]. Locate the Named Address created in Step 1 of this article.
- Once located, add it to the firewall policy alongside the other similar objects.
- Save each time a firewall policy is modified.
Step 5 - Adding the new subnet to Meraki and Perimeter 81
- Log in to Perimeter 81
- Go to Networks then click Sollis Main
- Click the ... to open the settings page for the Tunnel "AzureFortiGate"
- In the Routing Subnets section, ensure the location's LAN subnet is listed. If not, add it in the format xxx.xxx.xxx.xxx/xx (/xx is the subnet mask written as a prefix length).
- Update the tunnel.
Step 6 - Confirming the Configuration
At this point the IPSec tunnel should be active, indicated by a green arrow. To check this, open VPN > IPSec Tunnels and locate the tunnel.
To confirm this on the Meraki side:
- Open the Meraki dashboard and navigate to Security & SD-WAN > VPN Status.
- Click on 1 Non-Meraki peer.
- Confirm there is a green icon under the status section.

To confirm this on the Perimeter 81 side:
- Go to Monitor and Logs, then click Tunnels Status.
- Look for recent events indicating the AzureFortiGate Tunnel is up for the network Sollis Main.
- If the connection is not up, please wait 2 minutes and check again.
- If the connection is still down, double-check that every network listed in the Perimeter 81 routing subnets matches the P81 tunnel in the FortiGate firewall. The two lists have to be identical for the connection to come up.
Also, check Networks > Sollis Main > Tunnels and confirm the tunnel is green and has dots flowing to indicate network traffic.
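Comparing the two subnet lists by eye gets error-prone once the tunnel carries many sites. The script below is an added example, not part of this guide, of Perimeter 81 or of FortiOS: it normalizes the Perimeter 81 routing subnets (`a.b.c.d/nn`) and the FortiGate address objects (`ip mask`, the form `show firewall address` prints under `set subnet`) into one representation, rejects entries that are not a valid network in the xxx.xxx.xxx.xxx/xx form Step 5 asks for (for example an address with host bits set), and lists what each side is missing. The addresses and object names are constructed placeholders.

```python
"""Compare Perimeter 81 routing subnets with the FortiGate on-prem address objects.

Added example, not part of this guide, Perimeter 81 or FortiOS.
"""
import ipaddress

# Constructed sample data: placeholder RFC 1918 ranges, not the real environment.
# Perimeter 81 routing subnets as typed into the AzureFortiGate tunnel (Step 5).
P81_ROUTING_SUBNETS = [
    "10.10.0.0/24",
    "10.20.0.0/24",
    "10.30.0.0/24",
    "10.50.0.5/24",   # host bits set: not a valid routing subnet
]
# FortiGate address objects in the form 'show firewall address' prints them
# ('set subnet <ip> <mask>'), keyed by object name.
FORTIGATE_ONPREM_ADDRESSES = {
    "LAN_UES170": "10.10.0.0 255.255.255.0",
    "LAN_ManBeach1000": "10.20.0.0 255.255.255.0",
    "LAN_Gramercy": "10.40.0.0 255.255.255.0",
}


def parse_subnet(text):
    """Accept 'a.b.c.d/nn' (Perimeter 81) or 'a.b.c.d m.m.m.m' (FortiGate).

    strict=True makes ipaddress reject an address with host bits set, which is
    the usual typo when a subnet is entered by hand.
    """
    return ipaddress.ip_network("/".join(text.split()), strict=True)


def compare_subnets(p81_list, fgt_addresses):
    """Return the Perimeter 81 entries that are invalid and the subnets each side lacks."""
    invalid, p81 = [], set()
    for entry in p81_list:
        try:
            p81.add(parse_subnet(entry))
        except ValueError:
            invalid.append(entry)
    fgt = {parse_subnet(value): name for name, value in fgt_addresses.items()}
    return {
        "invalid_p81_entries": invalid,
        "missing_on_p81": [f"{net} ({fgt[net]})" for net in sorted(set(fgt) - p81)],
        "missing_on_fortigate": [str(net) for net in sorted(p81 - set(fgt))],
    }


def in_sync(report):
    """True only when both sides list exactly the same valid subnets."""
    return not any(report.values())


if __name__ == "__main__":
    report = compare_subnets(P81_ROUTING_SUBNETS, FORTIGATE_ONPREM_ADDRESSES)
    for key, items in report.items():
        print(f"{key}: {items or 'none'}")
    print("in sync" if in_sync(report) else "mismatch: tunnel will not come up until fixed")
```

Paste the members of the FortiGate address group the P81 phase 2 selector points at into `FORTIGATE_ONPREM_ADDRESSES` and the Perimeter 81 routing subnets into `P81_ROUTING_SUBNETS`; anything reported under `missing_on_p81` or `missing_on_fortigate` is the discrepancy the last bullet above warns about.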

Confirming the number of referenced items.
- Navigate to VPN > IPSec Tunnels
- Look on the right-hand side of the list of IPSec tunnels.
- Confirm the newly created IPSec tunnel has a Ref. value of 8.