IPsec Site-to-Site VPN Palo Alto <-> FortiGate

This is a small tutorial for configuring a site-to-site IPsec VPN between a Palo Alto and a FortiGate firewall. I am publishing step-by-step screenshots for both firewalls as well as a few troubleshooting CLI commands.

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–

Lab

This is my basic laboratory for this VPN connection. I am using a Palo Alto PA-200 with PAN-OS 6.1.1 while the FortiWiFi 90D has v5.2.2 installed.

S2S VPN Palo Alto - FortiGate Laboratory

Please note that I am only showing the steps to configure the VPN (phase 1 + phase 2, i.e., IKE and IPsec/ESP), while I am NOT showing the mandatory security policies to actually allow traffic passing the firewalls. You must add appropriate security policies from the VPN zones to the internal zones (and vice versa) by yourself.

Palo Alto

The Palo Alto is configured in the following way. Please refer to the descriptions under the images for detailed information.

(And do not forget the “untrust-untrust” policy that allows ipsec!)

FortiGate

And this is the way for the FortiGate firewall:

Monitoring

Following are a few screenshots and listings from both firewalls concerning the VPN:

Palo Alto CLI:

 

FortiGate CLI:

 

15 thoughts on “IPsec Site-to-Site VPN Palo Alto <-> FortiGate

  1. We followed step by step for this lab set up and the tunnel isn’t even coming up. Do you have any suggestions that might be the reason for this?

    1. ;) You should at least tell me a bit more about your error logs, etc. Simply saying “it is not working – can you tell me the issue” is like “let me look into my crystal ball”…

      Please have a look at the log entries on both firewalls and try to find the issue then.

  2. The above steps are incomplete as you need to define the proxy ID’s, the peer and local id’s on the ike gateway and double check your IKE gateway on both sides, Fortigate does not like to negotiate child SA’s cleanly.

    Takes a while for the Fortigate to play nicely.

    Other than that, the article is a great step-by-step guide

    1. please could you explain more detail. i’m using fortigate. and other site is using paloalto. how can i define the proxy id, peer, local id

      1. ??? What do you mean with more detail? Absolutely everything is explained in the screenshots above. ;)
        You need NOT define any proxy IDs. Everything is done with the routing!
        You also need NOT define the local id, if the VPN is between static IP addresses.

  3. Hi Johannes,

    were there any IPv4 policies created for the Fortigate firewall in your Site-to-Site setup?

  4. I’m also having an issue.

    have setup a VPN from my PA to a Fortigate FW in main mode. no proxy IDs, or local/remote IDs are used.

    here is the error:

    IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: x.x.x.x/32 type IPv4_address protocol 0 port 0, received remote id: x.x.x.x/32 type IPv4_address protocol 0 port 0.

    it feels like I’m hitting a policy-based VPN setup, but I’m assured it is a route-based setup. I’m not sure why it is complaining about the Proxy ID?

    any suggestions?

    1. Hey Justin,

      even if you’re using a “route-based” VPN, proxy IDs of type 0.0.0.0/0 (or ::/0 for IPv6) are announced. That is: Both firewalls implicitly list this 0.0.0.0/0 entry when you’re not configuring anything else.

      Note that your error message looks like you have configured a proxy ID with 0.0.0.0/32. It must be 0.0.0.0/0 to have “any”. If you are not sure, configure a 0.0.0.0/0 on BOTH firewalls.

      And keep on looking at the error logs on both firewalls as well. The better logs are generated at the receiving side, not at the initiating side.

  5. Hey there,

    Nice blog, but this tutorial is thoroughly incomplete. And people are trying to tell you that, yet you seem to be oblivious to it.

    Both the peers need security policies to pass the actual traffic.

    On the fortigate side we need:
    FortiGate-VM64 # show firewall policy
    config firewall policy
    edit 1
    set name “vpn_fgt-pan-test_local”
    set uuid 8458dc14-a089-51e8-514e-a99143ce576e
    set srcintf “port3”
    set dstintf “fgt-pan-test”
    set srcaddr “fgt-pan-test_local”
    set dstaddr “fgt-pan-test_remote”
    set action accept
    set schedule “always”
    set service “ALL”
    set comments “VPN: fgt-pan-test (Created by VPN wizard)”
    next
    edit 2
    set name “vpn_fgt-pan-test_remote”
    set uuid 845b9d1e-a089-51e8-563b-2bdbbf9f2382
    set srcintf “fgt-pan-test”
    set dstintf “port3”
    set srcaddr “fgt-pan-test_remote”
    set dstaddr “fgt-pan-test_local”
    set action accept
    set schedule “always”
    set service “ALL”
    set comments “VPN: fgt-pan-test (Created by VPN wizard)”
    next
    end

    And the palo alto side, we need vpn zone to inside/dmz policies with apps you need.

    admin@PA-FW1# show rulebase security rules vpn-inside
    vpn-inside {
    to inside;
    from ipsec-vpn;
    source any;
    destination any;
    source-user any;
    category any;
    application any;
    service application-default;
    hip-profiles any;
    action allow;
    disabled yes;
    }

    Also you can add selectors to both fortigate and palo alto, on PA they are called proxy id (very stupid name).

    On fortigate they are called phase 2 selectors in phase 2 part of the config.

    If only the peer has selectors and proxy ids are not configured on the PA then you will see

    2018-08-16 13:27:02 [INTERNAL_ERR]: isakmp_quick.c:1994:get_sainfo_r(): can’t find matching selector
    2018-08-16 13:27:02 [PROTO_ERR]: isakmp_quick.c:1209:quick_r1recv(): failed to get sainfo.
    2018-08-16 13:27:02 [INTERNAL_ERR]: ikev1.c:1631:isakmp_ph2begin_r(): failed to pre-process packet.

  6. It would be actually nice to assign/use /30 subnet for Tunnel interfaces ,so that you can enable IPSEC tunnel monitoring . Plus , the static routes would look nicer and cleaner .

    BTW , Palo Alto doesn’t trully support proxy based VPN , it’s a proxy based VPN termination with matching Proxy IDs to match for example Cisco encryption domains .

    For the Fortinet side of things …… People leave quick selectors alone … just 0.0.0.0/0.0.0.0 .. it means I’m encrypting whatever but the source and dest traffic is being controlled by 1. Static routes via Tunnel interface 2. Bidirectional security policies .

  7. I have a PA200 that I am trying to connect to a PFSense router using ipsec VPN. Both are on two different internet connections. PFsense connects fine I can see the IKE connection and it shows on the Palo as connected but the tunnel is red. Can’t see either sides networks. I have a static route to the pfsense side as 192.168.2.x/24 and on the palo side I have the zones setup with the zones and tunnel interface but no traffic flows.

  8. Hello. I have created two VPN tunnels between the two firewalls all is well. but when I want to apply the BFD on the palo alto tunnel it tells me that the tunnel needs a ip adresse. do have any idea aboute This issue. Thanks

    1. Well, for BFD to work you have to use IP addresses on the tunnel interfaces. ;) Fortunately, you can use IP addresses on the tunnel interfaces on both sides, Palo and Forti. However, I don’t know whether or not you can use BFD on the Forti. (Currently, I can’t even use it on the Palo since my PA-220 does not implement it.)

  9. There’s nothing incomplete about this article. It’s a goddamn firewall, of course you need to allow ike and ipsec traffic biderectionally before anything works.

    Thanks for this article. Had to deal with a customer using a Fortigate and the screenshots helped me point them in the right direction.

Leave a Reply to Johannes Weber Cancel reply

Your email address will not be published. Required fields are marked *