Go to VPN > IPsec > Auto Key (IKE)
Create Phase 1:
Name: local2remote
Remote Gateway: IP address of the remote firewall's external interface
Local Interface: the WAN interface you are creating the tunnel on
Mode: Main (ID Protection)
Authentication Method: RSA Signature
Certificate Name: Fortinet_Factory
Peer Options: Accept any Peer ID
Advanced: select IPsec interface mode; leave all other settings at their defaults
Create Phase 2:
Name: local2remote2
Phase 1: local2remote
Assign addresses to your tunnel interfaces
Go to System > Network > Interface
- Expand the port your tunnel is created on
- Select local2remote and edit
- Assign IP and Remote IP. This can be any address not used on your network, e.g. 172.2.2.1 and 172.2.2.2
Now you must create addresses for both the local and remote subnets
Go to Firewall > Address > Address
Create New:
Name: remote_subnet
Type: Subnet/IP range
Subnet/IP: 10.10.20.0
Interface: Any
Create New:
Name: local_subnet
Type: Subnet/IP range
Subnet/IP: 10.10.10.0
Interface: Any
Create Firewall Policies to allow VPN traffic
Go to Firewall > Policy > Policy
Create New: Inbound Tunnel
Source Interface: local2remote
Source Address: All
Destination Interface/Zone: Internal Interface (LAN)
Destination Address: local_subnet
Schedule: Always
Service: Any
Action: Accept
Create New: Outbound Tunnel
Source Interface: Internal (LAN)
Source Address: All
Destination Interface/Zone: local2remote
Destination Address: remote_subnet
Schedule: Always
Service: Any
Action: Accept
The last step is to create policy routes so that only LAN traffic for the remote subnet is sent through the tunnel
Go to Router > Static > Policy Route
Create New: Send all traffic from LAN to Wan for internet access
Incoming Interface: Internal(LAN)
Source Address/Mask: 0.0.0.0/0.0.0.0
Destination Address/Mask: 0.0.0.0/0.0.0.0
Force Traffic to:
Outgoing Interface: Wan
Create New: Send traffic from LAN to Tunnel for internal resources
Incoming Interface: Internal(LAN)
Source Address/Mask: 0.0.0.0/0.0.0.0
Destination Address/Mask: remote_subnet
Force Traffic to:
Outgoing Interface: local2remote (this is the IPsec tunnel)
NOTE: When creating routing policies, be sure that the policy for traffic destined for the remote end sits above the policy for traffic heading to the internet, because policies are evaluated from top to bottom and the first match wins. The same applies to firewall policies.
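As an added example (not from the original post), the following Python models the FortiGate's top-to-bottom, first-match policy-route evaluation so the ordering rule in the NOTE can be checked before traffic is sent; it assumes /24 masks for the two subnets (the post gives none) and the interface names internal, wan and local2remote.

```python
from ipaddress import ip_address, ip_network

# Constructed sample data mirroring the two policy routes configured above.
# A FortiGate walks policy routes top to bottom and uses the first match.
TUNNEL_ROUTE = {"in": "internal", "src": "0.0.0.0/0", "dst": "10.10.20.0/24", "out": "local2remote"}
DEFAULT_ROUTE = {"in": "internal", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "out": "wan"}


def select_route(routes, in_if, src, dst):
    """Return the outgoing interface chosen by first-match evaluation, or None
    if no policy route matches (the regular routing table would then decide)."""
    s, d = ip_address(src), ip_address(dst)
    for r in routes:
        if r["in"] == in_if and s in ip_network(r["src"]) and d in ip_network(r["dst"]):
            return r["out"]
    return None


def order_is_safe(routes, tunnel_dst="10.10.20.0/24", tunnel_if="local2remote"):
    """Check the NOTE's rule: the route steering the remote subnet into the tunnel
    must sit above any broader route whose destination also covers that subnet."""
    broader_above = []
    for r in routes:
        dst = ip_network(r["dst"])
        if r["out"] == tunnel_if and dst == ip_network(tunnel_dst):
            # Shadowed if any earlier route's destination is a superset of ours.
            return not any(dst.subnet_of(b) for b in broader_above)
        broader_above.append(dst)
    return False  # no tunnel route present at all


def leaked_destinations(routes, in_if, src, remote_subnet="10.10.20.0/24", samples=()):
    """List sample remote-subnet destinations that would NOT leave via the tunnel,
    i.e. traffic that would go out unencrypted on the WAN with this ordering."""
    net = ip_network(remote_subnet)
    return [d for d in samples
            if ip_address(d) in net and select_route(routes, in_if, src, d) != "local2remote"]


if __name__ == "__main__":
    good, bad = [TUNNEL_ROUTE, DEFAULT_ROUTE], [DEFAULT_ROUTE, TUNNEL_ROUTE]
    print("correct order safe:", order_is_safe(good))
    print("reversed order leaks:", leaked_destinations(bad, "internal", "10.10.10.5",
                                                      samples=("10.10.20.7", "198.51.100.9")))
```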
Now just repeat these steps on the remote firewall and bring up your IPsec tunnel:
Go to VPN > IPsec > Monitor
Click Bring Up
Reference: http://corafamily.net/wiki5/tiki-index.php?page=Creating+ipsec+tunnel+with+Fortigate