Create IPSec Site to Site VPN Between Palo Alto and Fortigate Firewalls

Configure Basic settings of Fortigate Firewall 

More details can be found from this post: https://blog.51sec.org/2022/01/download-and-launch-fortigate-virtual.html

1 Download VM image

2 Import into VMWare Workstation lab environment

3 Configure static ip and http access for mgmt interface and using HTTP to connect to mgmt interface

4 Config LAN/WAN/DMZ interfaces

5 Config basic security policy and nat

6 Test

Configure VPN tunnel in Palo Alto Firewall 

1 Create IKE Crypto Profile

2 Create IPSec Crypto Profile

3 Create IKE Gateway

Assign your IKE Crypto profile to your IKE Gateway

4 Create tunnel interface

You do not have to assign an ip address for your tunnel interface. But if assigned, it can be used to monitor tunnel. 

5 Create IPSec Tunnel

6 Virtual Router Static Route configuration

Depends on how you routing your traffic, after you add your tunnel interface into your virtual router, you might need to create a couple static routes.

7 Create security policy rule to allow VPN networks to access each other.

1 Go to VPN section, choose IPsec Tunnels and click Create New IPsec Tunnel

2 Start VPN setup. Put name, choose template type, if need NAT, and select remote device type

3 Configure Authentication method and remote gateway information

4 Choose local ip segment and configure remote ip segment. This traffic will be your interest traffic which will be sent to VPN tunnel.

5 Review and create tunnel configuration

VPN Template Details for phase 1 and phase 2

You can edit VPN tunnel details to change phase 1 and phase 2 encryption and authentication information.

Note: Trial license only has DES for encryption, not 3DES and AES. 

6 Fortigate VPN Wizard will auto-generate tunnel interface, static route to tunnel, and policy rule to allow traffic between vpn networks.

Test

On Fortigate, 

Check Log & Report – Events – VPN Events