This post records all the steps to configure a site-to-site IPSec VPN tunnel between a Palo Alto firewall and a Fortigate firewall.
Online Updated Diagram:
Configure Basic settings of Palo Alto Firewall
More details can be found in the following posts:
Download Palo Alto Image
Import Image and Configure VM
Connect to Mgmt Interface
Configure Internal/Internet interfaces.
Configure Security Zone and Virtual Router
Configure Security policy and NAT
Configure Basic settings of Fortigate Firewall
More details can be found in this post: https://blog.51sec.org/2022/01/download-and-launch-fortigate-virtual.html
Download VM image
Import into VMWare Workstation lab environment
Configure a static IP and HTTP access for the mgmt interface, then use HTTP to connect to the mgmt interface
Configure LAN/WAN/DMZ interfaces
Configure basic security policy and NAT
Configure VPN tunnel in Palo Alto Firewall
Create IKE Crypto Profile
Create IPSec Crypto Profile
Create IKE Gateway
Assign your IKE Crypto profile to your IKE Gateway
Create tunnel interface
You do not have to assign an IP address to the tunnel interface, but if one is assigned, it can be used to monitor the tunnel.
Create IPSec Tunnel
Virtual Router Static Route configuration
Depending on how you route your traffic, after you add the tunnel interface to your virtual router you might need to create a couple of static routes.
Create a security policy rule to allow the VPN networks to access each other.
Configure VPN tunnel in Fortigate Firewall
Go to the VPN section, choose IPsec Tunnels and click Create New IPsec Tunnel
Start the VPN setup: enter a name, choose the template type, specify whether NAT is needed, and select the remote device type
Configure Authentication method and remote gateway information
Choose the local IP segment and configure the remote IP segment. Traffic between these segments is the interesting traffic that will be sent into the VPN tunnel.
Review and create tunnel configuration
The Fortigate VPN Wizard auto-generates the tunnel interface, a static route to the tunnel, and a policy rule to allow traffic between the VPN networks.
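A pre-flight check of the settings entered on both firewalls, as an added example that is not part of the original post: it verifies that the gateway addresses, pre-shared key, IKE/IPSec proposals and local/remote segments mirror each other. The Side model, its field names and all sample values are assumptions; a side with no selector configured is treated as proposing 0.0.0.0/0 in both directions, and selectors are required to mirror exactly.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

@dataclass
class Side:
    """Tunnel settings of one firewall, as typed into its GUI (hypothetical model)."""
    name: str
    wan_ip: str        # address of this firewall's Internet-facing interface
    remote_gw: str     # peer address set on the IKE gateway / remote gateway
    psk: str           # pre-shared key
    ike_version: int
    phase1: tuple      # IKE proposal: (encryption, hash, DH group)
    phase2: tuple      # IPSec proposal: (encryption, authentication, PFS group)
    selectors: list = field(default_factory=list)  # [(local subnet, remote subnet)]

def effective_selectors(side):
    """No selector configured means 0.0.0.0/0 <-> 0.0.0.0/0 is proposed."""
    if not side.selectors:
        return {(ANY, ANY)}
    return {(ip_network(l), ip_network(r)) for l, r in side.selectors}

def check_mirror(a, b):
    """Return the mismatches between two sides; an empty list means they mirror."""
    problems = []
    for x, y in ((a, b), (b, a)):
        if ip_address(x.remote_gw) != ip_address(y.wan_ip):
            problems.append(f"{x.name}: remote gateway is not {y.name}'s WAN address")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    if a.ike_version != b.ike_version:
        problems.append("IKE versions differ")
    if a.phase1 != b.phase1:
        problems.append(f"phase 1 proposals differ: {a.phase1} vs {b.phase1}")
    if a.phase2 != b.phase2:
        problems.append(f"phase 2 proposals differ: {a.phase2} vs {b.phase2}")
    # Each (local, remote) pair on one side must appear as (remote, local) on the other.
    swapped = {(r, l) for l, r in effective_selectors(b)}
    if effective_selectors(a) != swapped:
        problems.append("traffic selectors are not mirror images")
    return problems

# Constructed sample values (documentation address ranges, not from the post).
P1, P2 = ("aes-256-cbc", "sha256", 14), ("aes-256-cbc", "sha256", 14)
pa = Side("PaloAlto", "198.51.100.1", "203.0.113.1", "lab-psk", 2, P1, P2)
fg = Side("Fortigate", "203.0.113.1", "198.51.100.1", "lab-psk", 2, P1, P2,
          [("10.2.0.0/24", "10.1.0.0/24")])

if __name__ == "__main__":
    for p in check_mirror(pa, fg):
        print("MISMATCH:", p)
```

With the sample values the check reports a selector mismatch, because the Palo Alto side has no Proxy ID configured while the Fortigate side carries specific subnets.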
Check Log & Report – Events – VPN Events
On Palo Alto:
IPSec VPN Tunnel Setup: