Fortinet to Meraki site-2-site VPN

It’s not common for me to configure a site to site VPN tunnel between a Fortinet device and a Meraki device. Today I had this kind of case and it’s not so great to find some information about how to make this vpn tunnel working propperly.

In my case, the Fortinet appliance is a virtual machine in an Azure subscription. The Meraki is local, to make the VPN possible you need to create a setup on the Fortinet. On the Meraki site, it’s basic. As this solution for me is temporary I didn’t want to spend a lot of time in troubleshooting with the encryption settings.

It’s a quick an dirty setup Fortigate Configuration:

First step you login to your Fortinet Firewall \ad go to the VPN settings > IPsec Tunnel.
Create a New Tunnel. At the VPN Setup select Custom. Give your VPN tunnel a logical Name.

Ensure you select you WAN interface for the VPN tunnel and the Destination IP address.
NAT Traversal has to be set on Disable. Dead Peer Detection should be disabled. Rest of the settings can be left default.

Fill in you’re Pre-Shared key. Important notification this pre-shared key is needed if you have multiple Meraki devices connecting to your Fortigate Firewall. Later I will explain why.

Phase 1 Proposal setup. In this case is with a low key encryption. (if you have time try to figure out a more suitable encryption method. When I’m able and have more time to figure this out I will make a new post for it.

Encryption is 3DES and SHA1 with Diffie-Hellman Group 2
Key Lifetime (seconds) 28800

Xauth type on Disabled this one isn’t used by a Meraki device.

Phase 2 Selectors. Give your subnets. and remote subnets. In my case in the environment was 3 more networks which had to be accessed at the remote location. Same Encryption as Proposal Phase 1. 3DES and SHA1. Disable PFS and change the Key Life time to 3600 seconds. All other settings are good.

Add a static route in the routing table on the firewall towards the interface of the VPN Tunnel.

You have to create a Policy also which has an inbound as an outbound rule. This is needed for the VPN Tunnel.

If you don’t create these rules there won’t be any traffic flowing between the locations.

What do you need to configure on the Meraki side.
Be aware, earlier I wrote you have to keep the PSK in mind or at a safe location. The configuration you make on the Meraki is Organisation wide. This means that your VPN Configuration is available over more sites with Meraki in your organisation.

Short story. 1 configuration for multiple site. Only the Fortigate firewall has to be changed with it’s configuration if you want to make more VPN tunnels based on Meraki to Fortigate.

When you go to Security & SD-WAN > Site to Site VPN setup and you wan’t to create a VPN to a non-Meraki peer.
The message above is show, it means if you want to make more VPN’s towards 1 location you use the same configuration everywhere.

Basic information to your VPN Tunnel on the Meraki site.

  1. Name the tunnel logical.
  2. Use IKEv1
  3. Keep the security settings Default ( Check Phase 1: 3DES, SHA1, DH-Group 2, Lifetime Seconds.) (Check Phase 2: 3DES, SHA1, PFS-Group Off, Lifetime Seconds 3600.)
  4. Select the public IP of the remote location.
  5. Remote ID can bee empty
  6. Private Subnets, the subnet range of the remote location
  7. Pre-Shared key which you used before.
  8. Availability, All networks which are connected in the organisation are available in the tunnel. It doesn’t mean you have to let all go through on the remote location.

10 thoughts on “Fortinet to Meraki site-2-site VPN”

  1. Thank you!!! I have been searching all over trying to figure this out and this is the first place that’s given me the detailed steps. I was able to get this set up and everything is now working.

  2. I did the static routes and the FW rules both phases up and running in both FW, unfortunately I could never get to communicate to the remote locations.

      1. Can you do diagnose vpn tunnel list on the fortigate?
        I my situation we used an Fortigate Appliance in Azure.Tunnel might be up but you don’t see a traffic flow. It can be the route table in Azure.

        Enable Auto-Negotian and Auto Rekey. THis one we enable by default in the picutre it wasn’t you can give it a try.

        1. Jorge Delgado

          After multiple How-To’s with practically the same content, Auto-Negotiation finally brought the tunnel up. Thanks !!

  3. Hi! I managed to enable Site-to-Site VPN using these instructions, but the tunnel only works one way: I can ping hosts in the local network of the Fortinet from Meraki, but not vice-versa

    I have added static routes to the Meraki subnets, and created the IPv4 policies; the downstream policy shows traffic, while the outbound one is still at 0. The policies don’t have NAT enabled.

  4. Hi!

    Thank you for sharing the useful configuration for setting up a tunnel between a FortiGate and a Maraki.

    We have a tunnel setup between a FortiGate and a maraki. The tunnel comes up and passes traffic and everything works fine but after a random interval of time, tunnel appears down from maraki end, it stops communication. Upon checking logs from FortiGate it gives payload malfunction error in phase-1(phase 1 negotiation error). Resetting the tunnel on either end fixes it temporarily until it happens again.

    All the settings match on both sides. I can’t figure out what’s going on. I am seeing no errors on the maraki side and the below error on the fortigate side which i am not sure what it indicates:

    ACTION:
    Action negotiate
    Status negotiate_error
    Reason peer notification

    EVENT
    Assigned IP N/A
    Cookies 86179f3f3ab933eb/db2c8d5baa837457
    Local Port 4500
    Outgoing Interface port1
    Remote IP x.x.x.x
    Remote Port 4500
    VPN Tunnel Maraki
    Message IPsec phase 1 error

    OTHER:
    Log event original timestamp 1663068657989188400
    Timezone +0300
    Log ID 0101037124
    Type event
    Sub Type vpn
    Alternate User N/A
    Peer Notification PAYLOAD-MALFORMED

    It would be very helpful if you can advise a resolution on above issue.

    Thanks & Regards

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: