Barracuda SecureEdge

How to Connect Barracuda SecureEdge to FortiGate via IPsec VPN


FortiGate can be integrated with the Barracuda SecureEdge SASE platform. The integration uses an IPsec VPN and was successfully tested with FortiOS 7.6 (VM) and SecureEdge 9.0.3 (Barracuda Edge Service).

FortiGate will be the active side and responsible for initiating the tunnel.

Step 1. Configure the SecureEdge Side

On Barracuda SecureEdge, do the following:

  1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

  2. In the left menu, click the Tenants/Workspaces icon and select the workspace you want to configure the IPsec IKEv2 tunnel for.

  3. Go to Integration > IPsec VPN.

    ipsec-01.png

  4. The IPsec VPN page opens. To add a tunnel, click Add IPsec Tunnel.

  5. The Create IPsec Tunnel window opens.

  6. In the General tab, specify values for the following:

    • Enable – Click to enable.

    • Initiates – Click to disable.

      • In the GENERAL INFORMATION section, specify values for the following: 

        • Name – Enter a unique tunnel name.

      • In the AUTHENTICATION section, specify values for the following: 

        • Shared Secret – Enter the shared secret to use a shared passphrase to authenticate. Note: You must keep the pre-shared secret under 20 characters and must not include the hash symbol (#).

          ipsec-general.png

  7. Click Next.

  8. The Source/Destination tab opens.

    • In the SOURCE section, specify values for the following:

      • Type – Select Edge Service.

      • Peer – Select the peer on which the tunnel will be configured from the drop-down list. For example, in this case, CudaEdge is selected, a Barracuda-hosted Edge Service.

      • Peer Gateways – Automatically added as 20.254.226.88. Note: You will need this value in Step 2.

      • Network Addresses – Enter the local network and click +. For example, in this case, enter 10.13.0.4/32. Note: This is imperative to allow DNS forwarding from the Barracuda Edge Service to work. You can substitute this with the local IP of your Private Edge Service or Edge Service for Virtual WAN (Azure).

        ipsec-src.png

Note: On the source side, enter your SecureEdge Access Agent device IP range subnet, which is set via Access > Settings. If you have not set this manually, you must do so to be able to specify it accurately during IPsec tunnel creation.

  • In the DESTINATION section, specify values for the following:

    • Remote Gateway – Enter the public IP address of your FortiGate side, e.g., 80.80.80.80

    • Remote ID – Enter the public IP address of your FortiGate side, e.g., 80.80.80.80

    • Network Addresses – Enter any subnet addresses local to your FortiGate that you wish to be accessible through SecureEdge (e.g., server subnets) and click +.

      ipsec-des.png

  9. Click Next.

  10. In the Phases tab, configure the following settings:

    • You can select your desired Phase 1 and Phase 2 settings. However, for evaluation versions of FortiGate, enter the following values:

      • For a FortiGate evaluation license, you must use a low-strength encryption method, such as AES encryption with an MD5 hash.

      • Set Proposal Handling to Negotiate on both Phase 1 and Phase 2.

      • Set the Phase 1 Lifetime value to 86400.

      • Set the Phase 2 Lifetime to 43200.

        • Example PHASE 1

          • Encryption – Select AES.

          • Hash – Select MD5.

          • DH-Group – Select Group 14.

          • Proposal Handling – Select Negotiate.

          • Lifetime – Enter 86400.

        • Example PHASE 2

          • Encryption – Select AES.

          • Hash – Select MD5.

          • DH-Group – Select Group 14.

          • Proposal Handling – Select Negotiate.

          • Lifetime – Enter 43200.

            If there are any compatibility issues, see the tested and working settings in the screenshot below:

            ipsec-phases.png

  11. Click Next.

  12. The Network blade opens.

    • In the NETWORK SETTINGS section, specify values for the following:

      • One VPN Tunnel Per Subnet Pair – Click to enable.

      • Make sure that the following parameters are disabled:

        • Universal Traffic Selectors – Click to disable.

        • Force UDP Encapsulation – Click to disable.

        • IKE Reauthentication – Click to disable.

    • In the DEAD PEER DETECTION section, specify values for the following:

      • Action When Detected – Select Restart.

      • Delay – Enter 30.

        ipsec-network.png

  13. Click Save.

  14. Verify that your IPsec tunnel configuration has been created successfully and click Finish.

Step 2. Configure the FortiGate Side

  1. Log into the FortiGate firewall you wish to initiate the IPsec tunnel from to your SecureEdge Edge Service (gateway).

  2. Go to VPN > VPN Tunnels.

    fortigate-01.png

  3. Click Create new and select Custom IPsec tunnel.

    fortigate-02.png

  4. In the Tunnel Settings section, specify values for the following:

    • Name – Enter the name. You must give the tunnel a suitable name to help you identify the tunnel later.

    • IP address – Enter the public IP address of your Barracuda Edge Service (the Peer Gateways value from the SOURCE section of your IPsec tunnel on SecureEdge), e.g., 20.254.226.88.

    • Interface – Select your WAN/ISP port as the interface.

    • Transport – Ensure that the Transport is set to Auto.

    • Local Gateway – Ensure that Local gateway is toggled OFF.

    • Use Fortinet encapsulation – Ensure that Use Fortinet encapsulation is toggled OFF.

      fortigate-03.png

    • NAT traversal – Select Enable.

    • DPD retry interval – Ensure that the DPD retry interval matches with the value you set on the SecureEdge side (Step 1).

    • Pre-shared key – Enter the pre-shared key you set for SecureEdge (Step 1).

    • IKE – Select Version 2.

      fortigate-04.png

  5. In the Phase 1 proposal section, enter the Phase 1 proposal settings to match with the value you set in SecureEdge.

    • Local ID – Enter your FortiGate-side ISP public IP address. E.g., 86.5.81.22.

      fortigate-05.png

  6. Scroll down to Phase 2 selectors and click Create new.

  7. Specify values for the following:

    • Name – Enter a name to identify the first subnet.

    • Local address – Enter the local address as one of your subnets on the FortiGate side.

    • Remote address – Enter the remote address as one of your subnets on the SecureEdge side.

      fortigate-06.png

  8. Match the encryption and authentication settings that you have configured on the SecureEdge side. Note: Ensure that Auto-negotiate is enabled and the Key lifetime matches with the value that you set on the SecureEdge.

    fortigate-07.png

  9. Click OK to save this first subnet and repeat the process until all subnets from both sides have a selector.

    fortigate-08.png

  10. Click OK to save the tunnel. You can now proceed with next step to finish the configuration.

Step 3. Configure FortiGate CLI

The final part of the tunnel configuration uses the FortiGate CLI to alter the parameters that are not visible within the web GUI.

CLI Usage on FortiGate to Resolve the Authentication Issue

During this setup, it was observed that the tunnel would not initiate with the above settings. This was because FortiGate (possibly an OS version issue) did not recognize the local ID as an IP address and sent it as a string. The SecureEdge Edge Service (gateway) expects an IP address, rejects the string as the ID, and the pre-shared key authentication therefore fails.

Other ID types may also work. However, since FortiGate automatically uses the IP address for the peer ID, an IP address was used as the local ID for this setup.

  1. Open the CLI console.

    cli-01.png

  2. Enter the following commands in your terminal:

    • Type config vpn ipsec phase1-interface and press Enter.

    • Type edit your_tunnel_name, e.g., SecureEdge, and press Enter.

    • Type set localid-type address and press Enter.

    • Type end and press Enter.

      cli-02.png

  3. Because the local ID is now sent as the IP address type that the SecureEdge side expects, the ID matches the proposal configured there and the tunnel initiates.

  4. Exit CLI and proceed with the next step.
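The following FortiOS CLI diagnostics are an added example and are not part of the Barracuda article. They show how to observe the IKEv2 authentication failure described above and confirm that the tunnel establishes after `set localid-type address` is applied. The tunnel name SecureEdge and the peer address 20.254.226.88 are taken from this article; the `#` lines are annotations, not commands to type, and the IKE log filter keyword (`rem-addr4`) is assumed to be the FortiOS 7.x form.

```fortios
# Added example: verify the Step 3 fix from the FortiGate CLI.
# Assumed tunnel name "SecureEdge" and peer 20.254.226.88 (as in the article).

# 1. Restrict IKE debug output to the SecureEdge peer and enable it.
#    (Filter keywords differ between FortiOS releases; rem-addr4 is the 7.x form.)
diagnose vpn ike log filter rem-addr4 20.254.226.88
diagnose debug application ike -1
diagnose debug enable

# 2. Tear down any existing IKE SA so the log shows a full fresh negotiation.
#    Before the fix, expect IKE_AUTH to be rejected by the responder because the
#    ID/PSK combination does not match; after the fix, expect the Child SA to be
#    installed.
diagnose vpn ike gateway clear name SecureEdge

# 3. Turn debugging off again once you have the exchange (leaving it on
#    floods the console and costs CPU).
diagnose debug disable
diagnose debug reset

# 4. Confirm the resulting state: the IKE SA should be established and the
#    IPsec SAs for each Phase 2 selector should be listed.
diagnose vpn ike gateway list name SecureEdge
diagnose vpn tunnel list name SecureEdge
get vpn ipsec tunnel summary

# 5. Confirm the ID type actually stored on the phase1 object.
show vpn ipsec phase1-interface SecureEdge
```

Run steps 1 and 2 both before and after applying `set localid-type address`; the difference in the IKE_AUTH outcome is the evidence that the ID type, not the pre-shared key itself, was the cause.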

Step 4. Configure Firewall Rules and Routing on the FortiGate

Please ensure that the rules you create meet your organization's requirements and that these rules are as restrictive as possible. These instructions can only be used as guidelines for setting your rules.

In the following examples, permissive rules have been used to allow ANY traffic from the LAN interface to the VPN and vice versa. However, the actual allowed flow is governed by routing and the Phase 2 selectors. In addition, it is recommended to use specific subnets in your source and destination networks.

  1. Go to Policies and Objects > Firewall Policy.

  2. Create firewall rules on FortiGate as follows:

    • Create a correct firewall rule to allow traffic FROM your LAN interfaces to the Tunnel interface. Make sure that NAT is disabled on the rule.

    • Create a correct firewall rule, to allow traffic FROM your Tunnel interface to your LAN interfaces. Make sure that NAT is disabled on the rule.

      policy.png

    • Example Rules

      • Rule 1

        rule1.png

      • Rule 2

        rule-2.png

  3. Go to Network > Static Routes.

  4. Add static routes for your SecureEdge Access Agent network and for the SecureEdge Edge Service IP (e.g., 10.13.0.4/32 for a Barracuda Edge Service), routed via the interface that carries the name of the tunnel you created.

    • Example

staticroute-01.png

staticroute-02.png
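The FortiOS CLI configuration below is an added example, not from the Barracuda article, and reproduces Steps 2 to 4 (tunnel, Phase 2 selectors, firewall policies and static routes) as a single block that can be pasted into the FortiGate CLI and compared against what the GUI produced. Values taken from the article: peer 20.254.226.88, local ID 86.5.81.22, Phase 1/2 lifetimes 86400/43200, DPD interval 30, AES with MD5, DH group 14, Edge Service address 10.13.0.4/32. Assumed values: WAN interface `wan1`, LAN interface `port2`, LAN subnet 192.168.10.0/24, Access Agent range 10.200.0.0/16 and the pre-shared key are placeholders you must replace. The `#` lines are annotations, not commands.

```fortios
# Added example: CLI equivalent of Steps 2-4. Replace every placeholder
# (wan1, port2, 192.168.10.0/24, 10.200.0.0/16, CHANGE-ME-PSK) with your values.

config vpn ipsec phase1-interface
    edit "SecureEdge"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        # AES/MD5 is only required by the FortiGate evaluation license
        # (see Step 1); use a stronger pair on a licensed unit.
        set proposal aes128-md5
        set dhgrp 14
        # Phase 1 lifetime, must match the SecureEdge Phase 1 setting.
        set keylife 86400
        # The Step 3 fix: send the local ID as an IPv4 address, not a string.
        set localid-type address
        set localid "86.5.81.22"
        set nattraversal enable
        set dpd on-idle
        # Matches the DEAD PEER DETECTION Delay of 30 on SecureEdge.
        set dpd-retryinterval 30
        set remote-gw 20.254.226.88
        # Under 20 characters and no '#' (SecureEdge constraint from Step 1).
        set psksecret "CHANGE-ME-PSK"
    next
end

# One Phase 2 selector per local/remote subnet pair, matching
# "One VPN Tunnel Per Subnet Pair" on the SecureEdge side.
config vpn ipsec phase2-interface
    edit "SecureEdge-EdgeService"
        set phase1name "SecureEdge"
        set proposal aes128-md5
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set keylifeseconds 43200
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.13.0.4 255.255.255.255
    next
    edit "SecureEdge-Agents"
        set phase1name "SecureEdge"
        set proposal aes128-md5
        set pfs enable
        set dhgrp 14
        set auto-negotiate enable
        set keylifeseconds 43200
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.200.0.0 255.255.0.0
    next
end

# Policies in both directions with NAT disabled. "all" mirrors the permissive
# example rules in Step 4; narrow srcaddr/dstaddr to the real subnets in production.
config firewall policy
    edit 0
        set name "LAN-to-SecureEdge"
        set srcintf "port2"
        set dstintf "SecureEdge"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "SecureEdge-to-LAN"
        set srcintf "SecureEdge"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# Static routes send the Edge Service address and the Access Agent range
# into the tunnel interface, which carries the tunnel's name.
config router static
    edit 0
        set dst 10.13.0.4 255.255.255.255
        set device "SecureEdge"
    next
    edit 0
        set dst 10.200.0.0 255.255.0.0
        set device "SecureEdge"
    next
end
```

After pasting, `show vpn ipsec phase1-interface SecureEdge` should list `set localid-type address`; if the GUI-built tunnel lacks that line, the authentication failure described in Step 3 is the expected outcome.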

After the configuration is complete, the tunnel is established and, if there are suitable resources and Zero Trust Access policies, users can access resources from the FortiGate LAN via SecureEdge.

Further Information