Fortinet to Meraki site-2-site VPN

It’s not common for me to configure a site-to-site VPN tunnel between a Fortinet device and a Meraki device. Today I had such a case, and it is not easy to find information about how to make this VPN tunnel work properly.

In my case, the Fortinet appliance is a virtual machine in an Azure subscription and the Meraki is on-premises. To make the VPN possible you need to create a setup on the Fortinet; on the Meraki side it’s basic. As this solution is temporary for me, I didn’t want to spend a lot of time troubleshooting the encryption settings.

It’s a quick and dirty setup.

FortiGate configuration:

First, log in to your Fortinet firewall and go to VPN > IPsec Tunnels.
Create a new tunnel. In the VPN Setup, select Custom and give your VPN tunnel a logical name.

Make sure you select your WAN interface for the VPN tunnel and fill in the destination IP address.
Set NAT Traversal to Disable and disable Dead Peer Detection. The rest of the settings can be left at their defaults.

Fill in your pre-shared key. Important: keep this pre-shared key at hand, because it is needed if you have multiple Meraki devices connecting to your FortiGate firewall. I will explain why later.

Phase 1 Proposal. In this case it uses weak encryption (if you have time, try to figure out a more suitable encryption method; when I have more time to work this out I will write a new post about it).

Encryption 3DES, authentication SHA1, Diffie-Hellman group 2.
Key lifetime (seconds): 28800.

Set XAUTH type to Disabled; it isn’t used by a Meraki device.

Phase 2 Selectors. Enter your local subnets and the remote subnets. In my case the environment had three more networks that had to be reachable at the remote location. Use the same encryption as in the Phase 1 proposal: 3DES and SHA1. Disable PFS and change the key lifetime to 3600 seconds. All other settings are fine.

Add a static route in the firewall’s routing table that points to the VPN tunnel interface.

You also have to create a policy with both an inbound and an outbound rule. This is needed for the VPN tunnel.

If you don’t create these rules, no traffic will flow between the locations.

What do you need to configure on the Meraki side?
Be aware: earlier I wrote that you have to keep the PSK in mind or in a safe location. The configuration you make on the Meraki is organisation-wide. This means that your VPN configuration applies to all sites with Meraki in your organisation.

Short story: one configuration for multiple sites. Only the FortiGate firewall’s configuration has to be changed if you want to create more Meraki-to-FortiGate VPN tunnels.

When you go to Security & SD-WAN > Site-to-site VPN and want to create a VPN to a non-Meraki peer, the message above is shown. It means that if you want to make more VPNs towards one location, the same configuration is used everywhere.

Basic information for your VPN tunnel on the Meraki side:

  1. Give the tunnel a logical name.
  2. Use IKEv1.
  3. Keep the security settings at their defaults (check Phase 1: 3DES, SHA1, DH group 2, lifetime in seconds; check Phase 2: 3DES, SHA1, PFS group off, lifetime 3600 seconds).
  4. Select the public IP of the remote location.
  5. Remote ID can be empty.
  6. Private subnets: the subnet range of the remote location.
  7. The pre-shared key you used before.
  8. Availability: all networks connected in the organisation are available in the tunnel. That doesn’t mean you have to let all of them through at the remote location.

7 thoughts on “Fortinet to Meraki site-2-site VPN”

  1. Thank you!!! I have been searching all over trying to figure this out and this is the first place that’s given me the detailed steps. I was able to get this set up and everything is now working.

  2. I did the static routes and the FW rules; both phases are up and running in both FWs, but unfortunately I could never get to communicate with the remote locations.

      1. Can you do diagnose vpn tunnel list on the FortiGate?
        In my situation we used a FortiGate appliance in Azure. The tunnel might be up but you don’t see a traffic flow. It can be the route table in Azure.

        Enable Auto-Negotiate and Auto Rekey. This one we enable by default; in the picture it wasn’t, you can give it a try.

  3. Hi! I managed to enable Site-to-Site VPN using these instructions, but the tunnel only works one way: I can ping hosts in the local network of the Fortinet from Meraki, but not vice versa.

    I have added static routes to the Meraki subnets, and created the IPv4 policies; the downstream policy shows traffic, while the outbound one is still at 0. The policies don’t have NAT enabled.
