Recently I struggled to connect a FRITZ!Box (a 7530 AX, but the steps should be the same for all newer models) to a FortiGate over an IPsec site-to-site VPN.
The starting situation is as follows:
Home/Local Site: IP 10.0.0.0/255.255.255.0 (/24), Static IP, Public hostname xxx.home.com
Remote Site: IP 172.31.1.0/255.255.255.0 (/24), Static IP 1.2.3.4
I had found several tutorials, but most of them were outdated or did not match my requirements, so it took me several hours to work out the settings that are actually needed.
FRITZ!Box
First I tried the FRITZ!Box wizard/GUI, but it offers only very limited settings. Then I found that you can also write config files and import them into the FRITZ!Box router. Thanks to the following websites I was able to build the basic config file and "only" had to adjust it:
https://burth-online.de/cms/pages/dokumentationen/avm-fritzbox/fritzbox—vpn—konfigurationsdatei.php
https://weberblog.net/ipsec-site-to-site-vpn-fortigate-fritzbox/
Here is the FRITZ!Box config template I ended up with; you need to replace the IP addresses, networks, hostname and pre-shared key with your own values for it to work:
vpncfg {
        connections {
                enabled = yes;
                conn_type = conntype_lan;
                name = "company-mgmt";
                always_renew = yes;
                reject_not_encrypted = no;
                dont_filter_netbios = yes;
                localip = 0.0.0.0;
                local_virtualip = 0.0.0.0;
                remoteip = 1.2.3.4;
                remote_virtualip = 0.0.0.0;
                localid {
                        fqdn = "xxx.home.com";
                }
                remoteid {
                        fqdn = "1.2.3.4";
                }
                mode = phase1_mode_idp;
                phase1ss = "dh14/aes/sha";
                keytype = connkeytype_pre_shared;
                key = "xyz123456";
                cert_do_server_auth = no;
                use_nat_t = yes;
                use_xauth = no;
                use_cfgmode = no;
                phase2localid {
                        ipnet {
                                ipaddr = 10.0.0.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2remoteid {
                        ipnet {
                                ipaddr = 172.31.1.0;
                                mask = 255.255.255.0;
                        }
                }
                phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";
                accesslist = "permit ip any 172.31.1.0 255.255.255.0";
        }
        ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",
                            "udp 0.0.0.0:4500 0.0.0.0:4500";
}
FortiGate
IPsec Phase1-Interface Config
config vpn ipsec phase1-interface
    edit "s2s-home"
        set type ddns
        set interface "wan1"
        set keylife 3600
        set peertype any
        set net-device enable
        set proposal aes256-sha1
        set localid "1.2.3.4"
        set dhgrp 14
        set remotegw-ddns "xxx.home.com"
        set psksecret xyz123456
    next
end
IPsec Phase2-Interface Config
In this example I use the address type "name", so you must configure "Address" objects on your FortiGate; you can also use IP addresses directly instead.
Object Source-Net: 172.31.1.0/255.255.255.0 (/24)
Object Dst-Net: 10.0.0.0/255.255.255.0 (/24)
config vpn ipsec phase2-interface
    edit "s2s-home-net1"
        set phase1name "s2s-home"
        set proposal aes256-sha1
        set dhgrp 14
        set auto-negotiate enable
        set src-addr-type name
        set dst-addr-type name
        set keylifeseconds 3600
        set src-name "Source-Net"
        set dst-name "Dst-Net"
    next
end
Multiple Remote Networks
It is also possible to connect to multiple phase2 networks on the remote site: add further phase2 entries on your FortiGate (or use address object groups) and then extend the "phase2remoteid" and "accesslist" options in your FRITZ!Box config, for example:
phase2remoteid {
        ipnet {
                ipaddr = 172.31.1.0;
                mask = 255.255.255.0;
        }
        ipnet {
                ipaddr = 172.31.2.0;
                mask = 255.255.255.0;
        }
}
accesslist = "permit ip any 172.31.1.0 255.255.255.0",
             "permit ip any 172.31.2.0 255.255.255.0";
After importing, the FRITZ!Box GUI shows only one remote network, but don't panic: in this example both are active.
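The two configs above have to agree on the hostname, peer IP, pre-shared key, DH group, proposals, lifetimes and every remote network, and with several remote networks it is easy to update one side and forget the other. The following Python script is an added example (not the author's code and not an AVM or Fortinet tool) that renders the FRITZ!Box vpncfg template and the matching FortiOS CLI (address objects, phase1-interface, one phase2-interface per remote network) from a single set of parameters. Before rendering it checks that the local and remote selectors do not overlap (overlapping selectors are a classic reason a tunnel comes up but traffic does not flow) and that the pre-shared key is not a short guessable string like the placeholder xyz123456. The dataclass, function names and the "-src1"/"-dst" address-object naming are my own assumptions; the sample values are constructed to match the post.

```python
"""Render matching FRITZ!Box vpncfg and FortiOS CLI from one parameter set.
Added example (not the author's, AVM's or Fortinet's code); all sample
values are constructed. Assumes FRITZ!Box vpncfg and FortiOS CLI syntax
as shown in the post above."""
import ipaddress
import secrets
from dataclasses import dataclass


@dataclass
class Site2Site:                # hypothetical container, not a vendor API
    name: str                   # FRITZ!Box connection name and FortiGate phase1 name
    local_fqdn: str             # public hostname of the FRITZ!Box (localid / remotegw-ddns)
    remote_ip: str              # static public IP of the FortiGate
    local_net: str              # network behind the FRITZ!Box, e.g. "10.0.0.0/24"
    remote_nets: list           # one or more networks behind the FortiGate
    psk: str                    # pre-shared key used on both sides
    fortigate_wan: str = "wan1"
    keylife: int = 3600


def make_psk(nbytes: int = 32) -> str:
    """Random pre-shared key; replaces short guessable keys like xyz123456."""
    return secrets.token_urlsafe(nbytes)


def validate(cfg: Site2Site) -> list:
    """Return the problems found; an empty list means the parameters are consistent."""
    problems = []
    try:
        nets = [ipaddress.ip_network(n, strict=True)
                for n in [cfg.local_net, *cfg.remote_nets]]
    except ValueError as exc:   # host bits set, bad mask, ...
        return [f"bad network: {exc}"]
    for i, a in enumerate(nets):  # every pair of traffic selectors must be disjoint
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    if len(cfg.psk) < 20:
        problems.append("pre-shared key shorter than 20 characters")
    return problems


def _ipnet(net, ind: str) -> list:  # one ipnet { } block for phase2localid/remoteid
    return [f"{ind}ipnet {{", f"{ind}  ipaddr = {net.network_address};",
            f"{ind}  mask = {net.netmask};", f"{ind}}}"]


def fritzbox_vpncfg(cfg: Site2Site) -> str:
    """Render the vpncfg file that is imported on the FRITZ!Box."""
    local = ipaddress.ip_network(cfg.local_net)
    remotes = [ipaddress.ip_network(n) for n in cfg.remote_nets]
    acl = ", ".join(f'"permit ip any {n.network_address} {n.netmask}"' for n in remotes)
    lines = ["vpncfg {", "  connections {", "    enabled = yes;", "    conn_type = conntype_lan;",
             f'    name = "{cfg.name}";', "    always_renew = yes;", "    reject_not_encrypted = no;",
             "    dont_filter_netbios = yes;", "    localip = 0.0.0.0;", "    local_virtualip = 0.0.0.0;",
             f"    remoteip = {cfg.remote_ip};", "    remote_virtualip = 0.0.0.0;",
             "    localid {", f'      fqdn = "{cfg.local_fqdn}";', "    }",
             "    remoteid {", f'      fqdn = "{cfg.remote_ip}";', "    }",
             "    mode = phase1_mode_idp;", '    phase1ss = "dh14/aes/sha";',
             "    keytype = connkeytype_pre_shared;", f'    key = "{cfg.psk}";',
             "    cert_do_server_auth = no;", "    use_nat_t = yes;", "    use_xauth = no;",
             "    use_cfgmode = no;", "    phase2localid {", *_ipnet(local, "      "), "    }",
             "    phase2remoteid {"]
    for n in remotes:           # one ipnet block per remote network
        lines += _ipnet(n, "      ")
    lines += ["    }", '    phase2ss = "esp-aes256-3des-sha/ah-no/comp-lzs-no/pfs";',
              f"    accesslist = {acl};", "  }",
              '  ike_forward_rules = "udp 0.0.0.0:500 0.0.0.0:500",',
              '                      "udp 0.0.0.0:4500 0.0.0.0:4500";', "}"]
    return "\n".join(lines) + "\n"


def fortigate_cli(cfg: Site2Site) -> str:
    """Render FortiOS CLI: address objects, phase1-interface, one phase2 per remote net."""
    local = ipaddress.ip_network(cfg.local_net)
    remotes = [ipaddress.ip_network(n) for n in cfg.remote_nets]
    out = ["config firewall address", f'  edit "{cfg.name}-dst"',
           f"    set subnet {local.network_address} {local.netmask}", "  next"]
    for i, n in enumerate(remotes, 1):
        out += [f'  edit "{cfg.name}-src{i}"', f"    set subnet {n.network_address} {n.netmask}", "  next"]
    out += ["end", "config vpn ipsec phase1-interface", f'  edit "{cfg.name}"', "    set type ddns",
            f'    set interface "{cfg.fortigate_wan}"', f"    set keylife {cfg.keylife}",
            "    set peertype any", "    set net-device enable", "    set proposal aes256-sha1",
            f'    set localid "{cfg.remote_ip}"', "    set dhgrp 14",
            f'    set remotegw-ddns "{cfg.local_fqdn}"', f'    set psksecret "{cfg.psk}"',
            "  next", "end", "config vpn ipsec phase2-interface"]
    for i, n in enumerate(remotes, 1):  # mirrors the FRITZ!Box phase2remoteid list
        out += [f'  edit "{cfg.name}-net{i}"', f'    set phase1name "{cfg.name}"',
                "    set proposal aes256-sha1", "    set dhgrp 14", "    set auto-negotiate enable",
                "    set src-addr-type name", "    set dst-addr-type name",
                f"    set keylifeseconds {cfg.keylife}", f'    set src-name "{cfg.name}-src{i}"',
                f'    set dst-name "{cfg.name}-dst"', "  next"]
    out.append("end")
    return "\n".join(out) + "\n"


if __name__ == "__main__":      # constructed sample: home /24 plus two remote /24s
    site = Site2Site("company-mgmt", "xxx.home.com", "1.2.3.4", "10.0.0.0/24",
                     ["172.31.1.0/24", "172.31.2.0/24"], make_psk())
    assert validate(site) == [], validate(site)
    print(fritzbox_vpncfg(site), fortigate_cli(site), sep="\n")
```

Paste the first output into the FRITZ!Box import dialog and the second into the FortiGate CLI; on the FortiGate, `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` then show whether phase1 and each phase2 selector came up. The script deliberately keeps DH group 14, AES-256/SHA-1 and the 3600 s lifetime identical on both sides, because a mismatch in any of them is the usual cause of a silently failing negotiation.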