Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
8.0.107

Configure the Athena NGFW Firewall

Update time: 2026-04-29

Steps

Step 1. Configure the interface IP addresses.

  1. eth1 is the internal-facing interface, and is associated with the zone named lan.
  2. eth3 is the Internet-facing interface, and is associated with the zone named wan.
  3. The VPN tunnel interface is named vpntun, and is associated with the zone named vpn.

vpntun is the default interface, which can be referenced only by Sangfor VPN and IPsec VPN tunnels in policy mode. IPsec VPN tunnels in route mode do not support the VPN tunnel interface.

Step 2. Configure an application control policy to allow business traffic from zones associated with the Internet-facing interface, internal-facing interface, and vpntun interface.

Step 3. Enable the VPN service, and add a VPN link.

  1. By default, the VPN service is disabled. You need to enable it first, which takes about 10 seconds.

  2. Add a VPN link and select eth3 as the interface. You can leave the other settings as they are; they need to be configured only if Sangfor VPN is involved.

Step 4. Create an IPsec VPN tunnel.

  1. Configure the basic settings, as shown in the following figure.

  2. Click Advanced to configure advanced settings. Specifically, change the DH group to group14 (which is different from the default DH group on the Fortinet firewall).

By default, NAT-T is disabled. NAT-T needs to be enabled only if there is a NAT between the local and peer firewalls. If NAT-T is enabled, you need to further specify the local ID. For the ID type, we recommend that you select ADDR or FQDN. Fortinet does not support other ID types.

  3. Click the Policy Mode tab to add an encrypted traffic entry and configure phase-2 settings. Specifically, set Phase 2 Proposal to ESP+AES+SHA1+group14. The default phase 2 proposal in Athena NGFW is different from that in Fortinet. Therefore, you need to modify the settings.
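
The constraints in Steps 1 and 4 (matching DH group and phase 2 proposal on both firewalls, ADDR or FQDN as the local ID type when NAT-T is enabled, vpntun only in policy mode) can be checked before the tunnel is brought up. The following script is an added example, not part of the product documentation or either vendor's tooling; the dictionary field names and the sample values are assumptions made for illustration and are not export formats or defaults of Athena NGFW or Fortinet.

```python
# Added example: field names and sample values are hypothetical, chosen for this
# illustration; they are not Athena NGFW or Fortinet export formats or defaults.
ALLOWED_ID_TYPES = {"ADDR", "FQDN"}  # ID types the guide recommends for a Fortinet peer

def parse_proposal(text):
    """Split a proposal such as 'ESP+AES+SHA1+group14' into a normalized 4-tuple."""
    parts = [p.strip().lower() for p in text.split("+")]
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"unexpected proposal format: {text!r}")
    return tuple(parts)  # (protocol, cipher, hash, dh_group)

def check_tunnel(local, peer):
    """Return a list of findings; an empty list means the settings agree."""
    findings = []
    if local["p1_dh_group"].lower() != peer["p1_dh_group"].lower():
        findings.append(f"phase 1 DH group mismatch: {local['p1_dh_group']} vs {peer['p1_dh_group']}")
    lp = parse_proposal(local["p2_proposal"])
    pp = parse_proposal(peer["p2_proposal"])
    for name, a, b in zip(("protocol", "cipher", "hash", "dh_group"), lp, pp):
        if a != b:
            findings.append(f"phase 2 {name} mismatch: {a} vs {b}")
    if local["nat_t"]:
        # With NAT-T enabled, a local ID must be set and its type must be ADDR or FQDN.
        if not local.get("local_id"):
            findings.append("NAT-T enabled but no local ID set")
        if local.get("local_id_type", "").upper() not in ALLOWED_ID_TYPES:
            findings.append("local ID type must be ADDR or FQDN for a Fortinet peer")
    if local["mode"] == "route" and local.get("interface") == "vpntun":
        findings.append("vpntun cannot be referenced by a route-mode IPsec tunnel")
    return findings

# Constructed sample values (not taken from a real device).
ATHENA = {
    "p1_dh_group": "group14", "p2_proposal": "ESP+AES+SHA1+group14",
    "nat_t": False, "local_id": "", "local_id_type": "",
    "mode": "policy", "interface": "vpntun",
}
PEER_OK = {"p1_dh_group": "group14", "p2_proposal": "esp+aes+sha1+group14"}
PEER_BAD = {"p1_dh_group": "group5", "p2_proposal": "ESP+AES+SHA1+group5"}

if __name__ == "__main__":
    for label, peer in (("matching peer", PEER_OK), ("mismatched peer", PEER_BAD)):
        print(label, "->", check_tunnel(ATHENA, peer) or "no findings")
```
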