Vigor3900 to FortiGate(FortiOS 5.4.0) - IPsec
This note demonstrates how to establish an IPsec tunnel between Vigor3900/2960 and FortiGate running FortiOS 5.4.0. We use the following network as an example.
(For establishing IPsec VPN between FortiGate and other models, please refer to the article here)
Setting up Vigor3900
1. Go to VPN and Remote Access >> VPN Profiles >> IPsec, click Add to create a VPN profile, give the profile a name, and enable it.
2. In Basic tab,
- type the LAN IP of Vigor3900 in Local IP/Subnet Mask
- type the LAN IP of FortiGate in Remote IP/Subnet Mask
- type the WAN IP of FortiGate in Remote Host
- type the Pre-shared Key
3. Go to Advanced tab, set Phase1 and 2 Key Life Time.
4. Go to Proposal tab, select IKE Proposal. Click Apply to save.
Setting up FortiGate
1. Go to VPN >> IPsec Wizard, give the VPN tunnel a name, select Custom as Template Type, then click Next >
2. In Network settings, type the WAN IP of Vigor3900 in IP address, and select the WAN interface used for VPN as Interface.
3. For Authentication settings, type the Pre-shared Key and set Key Lifetime to match the configuration in Vigor3900.
4. In Phase 2 settings, type the LAN IP of FortiGate in Local Address and the LAN IP of Vigor3900 in Remote Address.
5. In the Phase 2 Proposal settings, disable Replay Detection and Perfect Forward Secrecy (PFS), and set Key Lifetime to match the configuration in Vigor3900. Click OK to finish the setting.
6. Create an address profile for the policy setting: go to Policy & Objects >> Addresses >> Create New >> Address, give it a name, type the LAN IP of Vigor3900 in Subnet / IP Range, select the IPsec tunnel we just created as Interface, and click OK to apply.
7. Create firewall rules for the VPN: go to Policy & Objects >> IPv4 Policy >> Create New. We need to create two firewall rules in the policy: one from the Internal network segment to the Remote network, and another from the Remote network to the Internal network. Keep the rule order in mind, because you may need to adjust it manually. Usually, IPsec traffic rules are placed above all other rules except the management rule.
8. Create a static route for the VPN: go to Network >> Static Routes >> Create New, type the LAN IP of Vigor3900 in Destination, and select the IPsec tunnel as Device.
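Both procedures depend on the two devices holding mirrored values (each side's local subnet is the other's remote subnet, each Remote Host is the peer's WAN IP, and the key and lifetimes match). The following pre-connection check is an added example, not part of the original note or of either vendor's tooling; the dictionary field names, addresses, key and lifetime values are constructed for illustration.

```python
import ipaddress

# Constructed sample values (RFC 5737 / RFC 1918 ranges), not taken from the page.
VIGOR = {"wan_ip": "198.51.100.10", "remote_host": "203.0.113.20",
         "local_subnet": "192.168.1.1/255.255.255.0",
         "remote_subnet": "192.168.2.0/24",
         "psk": "constructed-example-key",
         "phase1_lifetime": 28800, "phase2_lifetime": 3600}
FORTIGATE = {"wan_ip": "203.0.113.20", "remote_host": "198.51.100.10",
             "local_subnet": "192.168.2.0/24",
             "remote_subnet": "192.168.1.0/24",
             "psk": "constructed-example-key",
             "phase1_lifetime": 28800, "phase2_lifetime": 3600}


def net(value):
    # strict=False accepts a host address with a mask, e.g. 192.168.1.1/24.
    return ipaddress.ip_network(value, strict=False)


def check_peers(a, b):
    """Return a list of mismatches between two peers' tunnel settings."""
    problems = []
    # Phase 2 selectors must mirror: one side's local is the other's remote.
    if net(a["local_subnet"]) != net(b["remote_subnet"]):
        problems.append("selector: A local subnet != B remote subnet")
    if net(b["local_subnet"]) != net(a["remote_subnet"]):
        problems.append("selector: B local subnet != A remote subnet")
    if net(a["local_subnet"]).overlaps(net(a["remote_subnet"])):
        problems.append("selector: local and remote subnets overlap")
    # Each side must point at the other's WAN address.
    for x, y, name in ((a, b, "A"), (b, a, "B")):
        if ipaddress.ip_address(x["remote_host"]) != ipaddress.ip_address(y["wan_ip"]):
            problems.append(f"gateway: {name} remote host != peer WAN IP")
    # Report a key mismatch without echoing either key.
    if a["psk"] != b["psk"]:
        problems.append("psk: pre-shared keys differ")
    # The page sets both key lifetimes to the same value on each side.
    for field in ("phase1_lifetime", "phase2_lifetime"):
        if a[field] != b[field]:
            problems.append(f"{field}: {a[field]} != {b[field]}")
    return problems


if __name__ == "__main__":
    for line in check_peers(VIGOR, FORTIGATE) or ["settings are consistent"]:
        print(line)
```

An empty result means the recorded settings agree; any listed mismatch is worth correcting before clicking Connect.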
Establishing the VPN
Finally, go to VPN and Remote Access >> Connection Management on Vigor3900, select the VPN profile, and click Connect.
After the VPN has connected successfully, we can see the VPN Connection Status in VPN and Remote Access >> Connection Management >> Connection Management on Vigor3900.