This is a small tutorial for configuring a site-to-site IPsec VPN between a Palo Alto and a FortiGate firewall. I am publishing step-by-step screenshots for both firewalls as well as a few troubleshooting CLI commands.
Lab
This is my basic laboratory for this VPN connection. I am using a Palo Alto PA-200 running PAN-OS 6.1.1, while the FortiWiFi 90D runs FortiOS v5.2.2.
Palo Alto
The Palo Alto is configured in the following way. Please refer to the descriptions under the images for detailed information.
(And do not forget the “untrust-untrust” security policy that allows the ipsec application, i.e. IKE and ESP to the firewall's own untrust interface!)
FortiGate
And this is the corresponding configuration on the FortiGate firewall:
Monitoring
Following are a few screenshots and listings from both firewalls concerning the VPN:
Palo Alto CLI:
weberjoh@fd-wv-fw02> show vpn ike-sa gateway fd-wv-fw04

phase-1 SAs
GwID/client IP  Peer-Address  Gateway Name  Role  Mode  Algorithm             Established      Expiration       V   ST  Xt  Phase2
--------------  ------------  ------------  ----  ----  --------------------  ---------------  ---------------  --  --  --  ------
10              172.16.1.6    fd-wv-fw04    Resp  Main  PSK/DH14/A256/SHA256  Jan.20 11:12:57  Jan.20 19:12:57  v1  12  2   1

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

phase-2 SAs
GwID/client IP  Peer-Address  Gateway Name  Role  Algorithm                  SPI(in)   SPI(out)  MsgID     ST  Xt
--------------  ------------  ------------  ----  -------------------------  --------  --------  --------  --  --
10              172.16.1.6    fd-wv-fw04    Resp  DH14/tunl/ESP/A256/SHA256  A3D05151  C97B0AB3  C5572823  9   1

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
FortiGate CLI:
fd-wv-fw04 # get vpn ike gateway fd-wv-fw02

vd: root/0
name: fd-wv-fw02
version: 1
interface: wan1 6
addr: 172.16.1.6:500 -> 172.16.1.2:500
created: 572s ago
IKE SA  created: 1/1  established: 1/1  time: 70/70/70 ms
IPsec SA  created: 1/1  established: 1/1  time: 90/90/90 ms

  id/spi: 20057 2b5ce64a51119571/defa8a4a3a5f0573
  direction: initiator
  status: established 572-572s ago = 70ms
  proposal: aes-256-sha256
  key: ed29b2dc34c59b46-c587e9daee5d91fb-d83448f2f91bcbae-60505b8efc09fb72
  lifetime/rekey: 28800/27927
  DPD sent/recv: 0000006e/00000000

fd-wv-fw04 # get vpn ipsec tunnel name fd-wv-fw02

gateway
  name: 'fd-wv-fw02'
  type: route-based
  local-gateway: 172.16.1.6:0 (static)
  remote-gateway: 172.16.1.2:0 (static)
  mode: ike-v1
  interface: 'wan1' (6)
  rx  packets: 641  bytes: 65776  errors: 0
  tx  packets: 642  bytes: 168  errors: 1
  dpd: enabled/negotiated  idle: 5000ms  retry: 3  count: 0
  selectors
    name: 'fd-wv-fw02'
    auto-negotiate: disable
    mode: tunnel
    src: 0:0.0.0.0/0.0.0.0:0
    dst: 0:0.0.0.0/0.0.0.0:0
    SA
      lifetime/rekey: 3600/2907
      mtu: 1438
      tx-esp-seq: 280
      replay: enabled
      inbound
        spi: c97b0ab3
        enc:     aes  51128eb018d1ba7bc1e701f2c98689895df63dd1ca0c0252a07b178c5b867652
        auth:  sha256  66b3dee1523d2aefd008e3d350a140133b76ebcb768974d6142c4d2f118c0862
      outbound
        spi: a3d05151
        enc:     aes  f168c4dc08b795dc978a4def5979acdc4aa7fbf0bedc1a1c4271bd2cbfe76f40
        auth:  sha256  353c678f8ff1e782b3c59eed1628e80a574f2162f4ac5d38cbffe58e538dd064
      NPU acceleration: encryption(outbound) decryption(inbound)
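The two listings are only useful together if both ends actually agree: the SPI that the Palo Alto shows as SPI(in) must be the FortiGate's outbound SPI and vice versa, and the negotiated ESP cipher and hash must match. As an added example (not part of the original tutorial, and not vendor code), the following Python script parses the phase-2 row of the Palo Alto output and the inbound/outbound SA of the FortiGate output copied from above, pairs the SPIs, compares the algorithms (the FortiGate prints only "aes", so the key length decides between AES-128/192/256) and flags the non-zero tx error counter. The abbreviated listings embedded in the script are copied from this page; everything else is mine.

```python
import re

# Palo Alto 'show vpn ike-sa' output, phase-2 part only, copied from the listing above.
PALO_PHASE2 = """\
phase-2 SAs
GwID/client IP  Peer-Address  Gateway Name  Role  Algorithm                  SPI(in)   SPI(out)  MsgID     ST  Xt
--------------  ------------  ------------  ----  -------------------------  --------  --------  --------  --  --
10              172.16.1.6    fd-wv-fw04    Resp  DH14/tunl/ESP/A256/SHA256  A3D05151  C97B0AB3  C5572823  9   1
"""

# FortiGate 'get vpn ipsec tunnel name' output, reduced to the fields used here.
FORTI_TUNNEL = """\
gateway
  name: 'fd-wv-fw02'
  type: route-based
  mode: ike-v1
  rx  packets: 641  bytes: 65776  errors: 0
  tx  packets: 642  bytes: 168  errors: 1
  selectors
    SA
      lifetime/rekey: 3600/2907
      inbound
        spi: c97b0ab3
        enc:     aes  51128eb018d1ba7bc1e701f2c98689895df63dd1ca0c0252a07b178c5b867652
        auth:  sha256  66b3dee1523d2aefd008e3d350a140133b76ebcb768974d6142c4d2f118c0862
      outbound
        spi: a3d05151
        enc:     aes  f168c4dc08b795dc978a4def5979acdc4aa7fbf0bedc1a1c4271bd2cbfe76f40
        auth:  sha256  353c678f8ff1e782b3c59eed1628e80a574f2162f4ac5d38cbffe58e538dd064
"""

# PAN-OS abbreviates the ESP cipher as A128/A192/A256; the FortiGate key dump
# must then be this many bytes long.
PALO_CIPHER_KEYLEN = {"A128": 16, "A192": 24, "A256": 32}


def parse_palo_phase2(text):
    """Return spi_in, spi_out, dh (or None), enc and auth from the phase-2 table."""
    for line in text.splitlines():
        cols = line.split()
        # Data rows start with the numeric gateway ID and have exactly 10 columns.
        if len(cols) == 10 and cols[0].isdigit():
            parts = cols[4].split("/")          # e.g. DH14/tunl/ESP/A256/SHA256
            dh = parts[0] if parts[0].startswith("DH") else None
            return {"spi_in": cols[5].lower(), "spi_out": cols[6].lower(),
                    "dh": dh, "enc": parts[-2], "auth": parts[-1]}
    raise ValueError("no phase-2 SA row found")


def parse_forti_sa(text, direction):
    """Return spi, enc, enc_key and auth of the 'inbound' or 'outbound' SA."""
    m = re.search(direction + r"\s+spi:\s*([0-9a-f]+)\s+enc:\s+(\w+)\s+([0-9a-f]+)"
                  r"\s+auth:\s+(\w+)", text)
    if not m:
        raise ValueError("no %s SA found" % direction)
    return {"spi": m.group(1), "enc": m.group(2), "enc_key": m.group(3),
            "auth": m.group(4).upper()}


def parse_forti_counters(text):
    """Return {'rx': (packets, bytes, errors), 'tx': (...)}."""
    out = {}
    for d in ("rx", "tx"):
        m = re.search(d + r"\s+packets:\s*(\d+)\s+bytes:\s*(\d+)\s+errors:\s*(\d+)", text)
        out[d] = tuple(int(x) for x in m.groups())
    return out


def cross_check(palo_text, forti_text):
    """Compare both ends of the tunnel; return a list of (check, passed, detail)."""
    pa = parse_palo_phase2(palo_text)
    fg_in = parse_forti_sa(forti_text, "inbound")
    fg_out = parse_forti_sa(forti_text, "outbound")
    ctr = parse_forti_counters(forti_text)
    results = []
    # Each SPI is chosen by the receiving side, so PA in == FG out and PA out == FG in.
    results.append(("spi pairing",
                    pa["spi_in"] == fg_out["spi"] and pa["spi_out"] == fg_in["spi"],
                    "PA in/out %s/%s, FG out/in %s/%s"
                    % (pa["spi_in"], pa["spi_out"], fg_out["spi"], fg_in["spi"])))
    want = PALO_CIPHER_KEYLEN.get(pa["enc"])
    keylen = len(fg_in["enc_key"]) // 2
    results.append(("esp cipher", fg_in["enc"] == "aes" and want == keylen,
                    "PA %s, FG %s with %d-byte key" % (pa["enc"], fg_in["enc"], keylen)))
    results.append(("esp auth", pa["auth"] == fg_in["auth"],
                    "PA %s, FG %s" % (pa["auth"], fg_in["auth"])))
    # Error counters on an established tunnel should be zero; anything else deserves a look.
    results.append(("fg error counters", ctr["rx"][2] == 0 and ctr["tx"][2] == 0,
                    "rx errors %d, tx errors %d" % (ctr["rx"][2], ctr["tx"][2])))
    return results


if __name__ == "__main__":
    for name, ok, detail in cross_check(PALO_PHASE2, FORTI_TUNNEL):
        print("%-18s %s  (%s)" % (name, "OK  " if ok else "FAIL", detail))
```

Run against the listings above, the SPI pairing, cipher (AES with a 32-byte key, i.e. AES-256) and SHA-256 checks pass, and only the error-counter check fails because of the single tx error the FortiGate reports. Pasting fresh output from both boxes into the two strings turns this into a quick sanity check after a rekey or a proposal change.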