How do I set up Site-to-Site VPN between a Synology Router and FortiGate device?
Details
In addition to setting up a Site-to-Site VPN tunnel between two Synology Router products, you can also set up such a tunnel between a Synology Router and an existing FortiGate device.
This article guides you through the setup of Site-to-Site VPN (license required; see the Notes below) between a Synology Router and a FortiGate device. Here, we take the FortiGate 50E as an example.
Notes:
- For more information on our licensing plan, please refer to this webpage.
- If you use other FortiGate devices, please make sure they support IPSec.
Environment
Before you proceed with the Site-to-Site VPN setup, make sure your environment meets the requirements below.
- Set up your Synology Router, and make sure it is running on SRM 1.1.5 or above.
- Install VPN Plus Server 1.2.0 or above.
- In VPN Plus Server, activate the Site-to-Site VPN feature.
This tutorial is based on the scenario described below. Substitute your own addresses; note that 19.16.1.0/24 is used here only as a sample value and is not an RFC 1918 private range.
- Synology Router site
  - Internal subnet: 19.16.1.0/24
  - Gateway: 10.11.50.232
- FortiGate 50E site (firmware: v5.6.2 build 1486)
  - Internal subnet: 192.168.10.0/24
  - Gateway: 10.11.70.203
- Pre-shared key: 123456789 (for illustration only; in production, use a long, randomly generated key)
- Encryption configuration (both phases must match exactly on the two sites, or the tunnel will not negotiate):
  - Phase 1:
    - Encryption: AES256
    - Authentication: SHA-256
    - Key life: 14400 seconds
    - DH Group: 5 (modp 1536)
    - DPD (Dead Peer Detection): enable
  - Phase 2:
    - Encryption: AES256
    - Authentication: SHA-256
    - Key life: 14400 seconds
    - DH Group: 5 (modp 1536), used for Perfect Forward Secrecy
- DH group 5 (1536-bit MODP) is the weakest group that is still generally considered acceptable; if both devices support it, prefer group 14 (2048-bit) or higher.
Resolution
Site-to-Site VPN configuration on FortiGate 50E
Log in to your FortiGate 50E's configuration interface, and follow the steps below:
- Go to VPN > IPSec Wizard.
- In the VPN Setup tab, complete the setup based on our provided scenario:
- Name: Here, we enter "SynologyRouter".
- Template Type: Select Site to Site.
- Remote Device Type: Select FortiGate.
- NAT configuration: Select No NAT between sites.
- In the Authentication tab, complete the setup based on our provided scenario:
- Remote Device: Select IP Address.
- IP Address: Enter the IP address of the remote device (i.e., Synology Router). Here, we enter 10.11.50.232.
- Outgoing Interface: Assign an available interface as the outgoing interface. Here, we use wan1.
- Authentication Method: Select Pre-shared Key.
- Pre-shared Key: Specify the pre-shared key, and use the same setting on the other site (i.e., Synology Router). Here, we enter 123456789.
- In the Policy & Routing tab, complete the setup based on our provided scenario:
- Local Interface: Here, we select lan.
- Local Subnets: Here, we leave it at the default setting, which is derived from the selected local interface.
- Remote Subnets: Specify the internal subnets of the remote site. Here, we enter 19.16.1.0/24.
- Click Create. You will then see the summary page.
- Click Show Tunnel List to see the tunnel you just created.
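For reference, the following is the FortiOS CLI equivalent of what the IPSec Wizard creates for this scenario (phase 1, phase 2, address objects, a static route into the tunnel interface, and a firewall policy in each direction). This is an added example for this article, not configuration taken from the original article or from Fortinet; it follows FortiOS 5.6 CLI syntax as understood by the editor. The address-object and policy names (`SynologyRouter_local`, `SynologyRouter_remote`, `vpn_SynologyRouter_local`, `vpn_SynologyRouter_remote`) are assumed, and `edit 0` relies on FortiOS allocating the next free ID. Replace the pre-shared key with a strong one before use.

```fortios
# Phase 1 (IKEv1, main mode), matching the scenario above
config vpn ipsec phase1-interface
    edit "SynologyRouter"
        set interface "wan1"
        set ike-version 1
        set peertype any
        set proposal aes256-sha256
        set dhgrp 5
        set keylife 14400
        set dpd on-idle
        set remote-gw 10.11.50.232
        set psksecret 123456789
    next
end

# Phase 2 with PFS; the selectors are the two internal subnets
config vpn ipsec phase2-interface
    edit "SynologyRouter"
        set phase1name "SynologyRouter"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 5
        set keylifeseconds 14400
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 19.16.1.0 255.255.255.0
    next
end

# Address objects for the policies (names assumed for this example)
config firewall address
    edit "SynologyRouter_local"
        set subnet 192.168.10.0 255.255.255.0
    next
    edit "SynologyRouter_remote"
        set subnet 19.16.1.0 255.255.255.0
    next
end

# Route the remote subnet into the tunnel interface
config router static
    edit 0
        set dst 19.16.1.0 255.255.255.0
        set device "SynologyRouter"
    next
end

# Policies in both directions, restricted to the two subnets
config firewall policy
    edit 0
        set name "vpn_SynologyRouter_local"
        set srcintf "lan"
        set dstintf "SynologyRouter"
        set srcaddr "SynologyRouter_local"
        set dstaddr "SynologyRouter_remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "vpn_SynologyRouter_remote"
        set srcintf "SynologyRouter"
        set dstintf "lan"
        set srcaddr "SynologyRouter_remote"
        set dstaddr "SynologyRouter_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Unlike the wizard, which typically permits all addresses, the policies above only allow traffic between the two internal subnets. To check the tunnel from the FortiGate CLI, `diagnose vpn ike gateway list` shows the IKE (phase 1) security association, `diagnose vpn tunnel list` shows the IPsec (phase 2) security associations, and `diagnose debug application ike -1` followed by `diagnose debug enable` prints the negotiation; a "no proposal chosen" or authentication failure there almost always means the proposals or the pre-shared key differ between the two sites.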
Site-to-Site VPN configuration on Synology Router
Sign in to SRM on your Synology Router, and follow the steps below.
- Go to VPN Plus Server > Site-to-Site VPN.
- Click Add > Manually.
- In the General tab, configure the following settings:
- Profile name: Enter a customized name for the profile. Here, we enter "FortiGate".
- Pre-shared key: Enter the same pre-shared key as on FortiGate 50E.
- Under Local Site section, configure the following settings:
- Outbound IP: Enter Synology Router's IP address. Here, we enter 10.11.50.232.
- Local ID: You can enter a public IP address or FQDN to specify the Local ID. Here, we enter 10.11.50.232.
- Private subnet: Specify the local network under the private subnet of Synology Router. Here, we select Local Network (19.16.1.0/24).
- Under Remote Site section, configure the following settings:
- IP address/FQDN: Enter FortiGate 50E's IP address. Here, we enter 10.11.70.203.
- Remote ID: You can enter a public IP address or FQDN to specify the Remote ID. Here, we enter 10.11.70.203.
- Private subnet: Specify the local network under the private subnet of FortiGate 50E. Here, we enter 192.168.10.0/24.
- Under the Dead Peer Detection section, tick Enable to check at regular intervals whether the peer is still reachable. Additional settings become available once this option is enabled. Here, we leave them at their default values.
- In the Encryption tab, make sure the following settings are identical with those on the other site:
- Under Phase 1 section:
- IKE version: Select IKEv1.
- Mode: Select Main mode (ID protection).
- Encryption: Select AES256.
- Authentication: Select SHA-256.
- DH group: Select 5 (modp 1536).
- Key lifetime: Select 14400 seconds.
- Under Phase 2 section:
- Encryption: Select AES256.
- Authentication: Select SHA-256.
- DH group: Select 5 (modp 1536).
- Key lifetime: Select 14400 seconds.
- Tick Enable Perfect Forward Secrecy (PFS) checkbox.
- When the settings on both sites are complete, the status of the Site-to-Site VPN tunnel is shown on each of the two sites. If the tunnel does not come up, first confirm that the pre-shared key and the Phase 1 and Phase 2 proposals are identical on both devices.