Netskope IPSec with Fortinet FortiGate

This guide illustrates how to configure an IPSec VPN tunnel between Netskope and a FortiGate firewall. The configuration example uses a FortiGate device running FortiOS version 6.4.3; the same steps apply to other FortiOS versions.

Configuring IPSec Tunnels in FortiGate

There are two ways to complete the configuration: the CLI and the GUI. The CLI is faster.

FortiGate CLI Configuration

  1. Create a VPN for IPsec Phase 1:
    config vpn ipsec phase1-interface
        edit "NSKP-POP-XXXXX"
            set interface "wan1"             << change for your WAN interface
            set ike-version 2
            set keylife 86400
            set peertype any
            set net-device disable
            set mode-cfg disable
            set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
            set localid "XXXXX@XXXXXX"       << change for your local ID
            set dhgrp 16 15 14
            set remote-gw 163.116.XXXX.38    << change for your selected POP
            set psksecret XXXXXXX            << change for your pre-shared key
        next
    end
  2. Create a VPN for IPsec Phase 2:
    config vpn ipsec phase2-interface
        edit "NSKP-POP-XXXXX"
            set phase1name "NSKP-POP-XXXXX"
            set proposal aes256gcm aes128gcm aes128-sha1 aes256-sha1
            set dhgrp 16 15 14
            set auto-negotiate enable
            set keylifeseconds 7200
        next
    end
  3. Create at least one policy with VPN interface associated:
    config firewall policy
        edit 999
            set srcintf "internal"
            set dstintf "NSKP-POP-XXXXX"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "HTTP" "HTTPS"
            set logtraffic all
            set nat enable
        next
    end
  4. Create a static route to push VPN into RIB:
    config router static
        edit 999
            set priority 10
            set device "NSKP-POP-XXXXX"
        next
    end
    A static route must exist in the routing information base (RIB) before you can use it in policy-based routing.
  5. Create a policy-based router to redirect web traffic to Netskope:
    config router policy
        edit 998
            set input-device "internal"                 << incoming interface
            set src "172.16.100.0/255.255.255.0"        << LAN network
            set dst "0.0.0.0/0.0.0.0"
            set protocol 6
            set start-port 443
            set end-port 443
            set output-device "NSKP-POP-XXXXX"
        next
        edit 999
            set input-device "internal"                 << incoming interface
            set src "172.16.100.0/255.255.255.0"        << LAN network
            set dst "0.0.0.0/0.0.0.0"
            set protocol 6
            set start-port 80
            set end-port 80
            set output-device "NSKP-POP-XXXXX"
        next
    end
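The five CLI blocks above are easy to paste with a typo or a missing piece (a local ID that is not in email format, a PBR entry for only one of the two ports, a tunnel with no static route behind it). The following Python script is an added example, not part of the Netskope guide or of FortiOS: it parses a config dump in the `config / edit / set / next / end` syntax shown above and checks it against the requirements the guide states. The sample configuration embedded in it is constructed for this example; the tunnel name and the POP placeholders match the page, while the local ID and pre-shared key values are made up.

```python
import re
from typing import Dict, List

# Constructed sample in the FortiOS CLI syntax used by the guide above (placeholder
# names as on the page; the localid and psksecret values are made up for this example).
SAMPLE_CONFIG = """
config vpn ipsec phase1-interface
    edit "NSKP-POP-XXXXX"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes128-sha256 aes256-sha256
        set localid "fortigate@example.com"
        set dhgrp 16 15 14
        set remote-gw 163.116.XXXX.38
        set psksecret constructed-sample-psk
    next
end
config router static
    edit 999
        set priority 10
        set device "NSKP-POP-XXXXX"
    next
end
config router policy
    edit 998
        set input-device "internal"
        set src "172.16.100.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 443
        set end-port 443
        set output-device "NSKP-POP-XXXXX"
    next
    edit 999
        set input-device "internal"
        set src "172.16.100.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "NSKP-POP-XXXXX"
    next
end
"""

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# {section name: {entry id: {key: value}}}
Config = Dict[str, Dict[str, Dict[str, str]]]


def parse_fortios(text: str) -> Config:
    """Parse top-level `config <section>` blocks. Nested `config` sub-blocks inside an
    entry are skipped, and surrounding quotes are stripped from entry ids and values."""
    sections: Config = {}
    section = entry = None
    nested = 0  # depth of nested config blocks currently being skipped
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        word, _, rest = line.partition(" ")
        if word == "config":
            if section is None:
                section = rest.strip()
                sections[section] = {}
            else:
                nested += 1
        elif word == "end":
            if nested:
                nested -= 1
            else:
                section = None
        elif nested or section is None:
            continue
        elif word == "edit":
            entry = rest.strip().strip('"')
            sections[section][entry] = {}
        elif word == "next":
            entry = None
        elif word == "set" and entry is not None:
            key, _, value = rest.strip().partition(" ")
            sections[section][entry][key] = value.strip().strip('"')
    return sections


def lint_netskope_tunnel(cfg: Config, vpn_intf: str) -> List[str]:
    """Return the list of requirements from the guide that the config does not meet."""
    problems: List[str] = []
    p1 = cfg.get("vpn ipsec phase1-interface", {}).get(vpn_intf)
    if p1 is None:
        problems.append(f"phase1-interface {vpn_intf!r} is not defined")
    else:
        if p1.get("ike-version") != "2":
            problems.append("phase1: ike-version must be 2")
        if not EMAIL_RE.match(p1.get("localid", "")):
            problems.append("phase1: localid must be set in email format and match the tenant source identity")
        if not p1.get("psksecret"):
            problems.append("phase1: psksecret is not set")
    # A static route for the tunnel must be in the RIB before PBR can use it.
    if not any(r.get("device") == vpn_intf for r in cfg.get("router static", {}).values()):
        problems.append(f"no static route with device {vpn_intf!r}")
    # Collect the single TCP ports that policy routes steer into the tunnel.
    steered = set()
    for pol in cfg.get("router policy", {}).values():
        if (pol.get("output-device") == vpn_intf and pol.get("protocol") == "6"
                and pol.get("start-port") == pol.get("end-port")):
            steered.add(pol.get("start-port"))
    for port in ("80", "443"):
        if port not in steered:
            problems.append(f"no policy route steering TCP/{port} to {vpn_intf!r}")
    return problems


def lint_text(text: str, vpn_intf: str) -> List[str]:
    return lint_netskope_tunnel(parse_fortios(text), vpn_intf)


if __name__ == "__main__":
    for line in lint_text(SAMPLE_CONFIG, "NSKP-POP-XXXXX") or ["OK: config matches the guide"]:
        print(line)
```

Run it against the output of `show` on the FortiGate (pasted into `SAMPLE_CONFIG` or read from a file) with the tunnel name you chose; an empty result means the phase 1 entry, the static route and both policy routes are present as the guide requires.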

FortiGate GUI Configuration

  1. Click + Create New and then IPsec Tunnel.
  2. Under VPN Setup:
    • Name: Enter a name for the tunnel.
    • Template type: Select Custom.
  3. In the Network section, configure the IP address and interface information:
    (Screenshot: Remote Gateway settings)
  4. In the Authentication section, configure the pre-shared key and select IKEv2:
    (Screenshot: Authentication settings)
  5. In the Phase 1 Proposal section, configure the following:

    Note

    The Local ID must be entered. Netskope recommends using an email format as the local ID, such as xxxx@xxxx.xxx. It must be the same as the source identity in your Netskope tenant.

  6. In the Phase 2 Proposal section, configure the following:
    (Screenshot: Phase 2 Proposal settings)
  7. Click OK.

Creating a Policy with an Associated VPN Interface

To create at least one policy with a VPN interface associated:

  1. Go to Policy & Objects > Firewall Policy.
  2. Click + Create New.
  3. In the Edit Policy window, configure the following fields:

Creating a Route to Push VPN into RIB

A static route must exist in the routing information base (RIB) before you can use it in policy-based routing.

To create a static route that pushes the VPN into RIB:

  1. Go to Network > Static Routes.
  2. Click + Create New and then OK.
  3. Ensure the Administrative Distance is the same as the original default route but with a higher Priority. For example:
    config router static
         edit 3
            set distance 5
            set priority 10
            set device "NSKP-POP-XXXXX"
        next
    end

    To learn more about Administrative Distance and Priority: Fortinet documentation.

  4. Enter the following commands and ensure there are two static routes installed:
    get router info routing-table static
    Routing table for VRF=0
    S*      0.0.0.0/0 [5/0] via 192.168.1.1, wan1
                      [5/0] is directly connected, NSKP-POP-Milan, [10/0]

    If both routes aren’t displayed, your original default route might be obtained through DHCP. In the CLI, edit the original default route, set dynamic-gateway enable, and set the following values:

    config router static
        edit 2
            set distance 5
            set priority 5
            set device "wan1"
            set dynamic-gateway enable
        next
        edit 3
            set distance 5
            set priority 10
            set device "NSKP-POP-XXXXX"
        next
    end

    Verify your two static routes.
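The `get router info routing-table static` output above is the one place where the "two default routes with equal distance" requirement can be verified, and the failure mode the text describes (only the WAN route present because it came from DHCP) is easy to miss by eye. The following Python script is an added example, not part of the Netskope guide: it parses that output format and reports whether the tunnel's default route is installed beside the original one with a matching distance. The sample outputs are constructed; the first reproduces the page's example (tunnel name NSKP-POP-Milan), the second is the WAN-only failure case. When both routes display a trailing priority bracket, the check also expects the tunnel route to carry the numerically higher (less preferred) priority value, as the guide's 10 versus 5 configuration does, so the WAN route stays the default for everything PBR does not steer.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output of `get router info routing-table static`, in the format
# shown above (the tunnel name NSKP-POP-Milan is taken from the page's example output).
ROUTES_OK = """Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 192.168.1.1, wan1
                  [5/0] is directly connected, NSKP-POP-Milan, [10/0]
"""

# Constructed failure case: only the WAN default route is installed.
ROUTES_WAN_ONLY = """Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 192.168.1.1, wan1
"""

ROUTE_RE = re.compile(
    r"^(?:S\*?\s+(?P<prefix>\S+)\s+)?"                 # first line of a prefix carries it
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+"
    r"(?:via (?P<gateway>\S+),\s*|is directly connected,\s*)"
    r"(?P<interface>[^,\s]+)"
    r"(?:,\s*\[(?P<priority>\d+)/\d+\])?\s*$"           # trailing [priority/...] when displayed
)


@dataclass
class StaticRoute:
    prefix: str
    distance: int
    gateway: Optional[str]   # None for "is directly connected" routes
    interface: str
    priority: Optional[int]  # None when the CLI prints no trailing bracket


def parse_static_routes(output: str) -> List[StaticRoute]:
    """Parse the static routing table; continuation lines inherit the previous prefix."""
    routes: List[StaticRoute] = []
    prefix = None
    for line in output.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # header line or an unrecognised line
        prefix = m.group("prefix") or prefix
        if prefix is None:
            continue
        prio = m.group("priority")
        routes.append(StaticRoute(prefix, int(m.group("distance")), m.group("gateway"),
                                  m.group("interface"), int(prio) if prio else None))
    return routes


def check_default_routes(output: str, vpn_intf: str) -> List[str]:
    """Return problems with the default routes; empty means both are installed as required."""
    defaults = [r for r in parse_static_routes(output) if r.prefix == "0.0.0.0/0"]
    vpn = [r for r in defaults if r.interface == vpn_intf]
    wan = [r for r in defaults if r.interface != vpn_intf]
    problems: List[str] = []
    if not wan:
        problems.append("no original default route is installed")
    if not vpn:
        problems.append(f"no default route via {vpn_intf}: give it the same distance as the original "
                        "default route, or set dynamic-gateway enable if that route comes from DHCP")
    if wan and vpn:
        if vpn[0].distance != wan[0].distance:
            problems.append(f"distance mismatch: {vpn_intf}={vpn[0].distance}, "
                            f"{wan[0].interface}={wan[0].distance}")
        if (vpn[0].priority is not None and wan[0].priority is not None
                and vpn[0].priority <= wan[0].priority):
            problems.append(f"{vpn_intf} priority {vpn[0].priority} should be higher than "
                            f"{wan[0].interface} priority {wan[0].priority}")
    return problems


if __name__ == "__main__":
    for sample in (ROUTES_OK, ROUTES_WAN_ONLY):
        print(check_default_routes(sample, "NSKP-POP-Milan") or ["OK: both default routes installed"])
```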

Creating a Policy-Based Router to Redirect Web Traffic to Netskope

By default, policy-based routing (PBR) isn’t visible in the FortiGate GUI, so you must enable it before you can create the policy routes that redirect web traffic to the Netskope proxy.

  1. Go to System > Feature Visibility.
  2. Under Core Features, enable Advanced Routing and click Apply. You don’t need to reboot. This change doesn’t affect production.
  3. Go to Network > Policy Routes.
  4. Click + Create New.
  5. Create at least two PBRs (one for HTTP and another for HTTPS).

Configuring IPSec Tunnels in Netskope

To create the IPSec VPN tunnels for FortiGate in the Netskope UI, see Creating an IPSec Site.

Troubleshooting

Following are some helpful commands for troubleshooting the configuration:

  • Enter the following commands to enable debugging for an IPSec connection:
    diagnose debug application ike -1
    diagnose debug enable
  • Enter the following command to obtain the whole routing table:
    get router info routing-table all
    (Screenshot: FortiGate CLI routing table output)
  • Enter the following command to obtain an IPSec tunnel summary:
    get vpn ipsec tunnel summary
    (Screenshot: FortiGate CLI IPSec tunnel summary output)
  • Enter the following command to obtain the IPSec tunnel details:
    get vpn ipsec tunnel name NSKP-POP-XXXXXX
    (Screenshot: FortiGate CLI IPSec tunnel detail output)