Configuring an IPsec VPN between locations that use the same network subnet.

Worked example:

One of the important points here is that no selector is used in Phase 2; the overlapping 192.168.1.0/24 networks are instead translated by the natip setting in each firewall policy.

Network Diagram

Location 1:
local:192.168.1.0/24
NAT out as 20.20.20.0/24
remote:30.30.30.0/24

Location 2:
local:192.168.1.0/24
NAT out as 30.30.30.0/24
remote:20.20.20.0/24


Device settings:

Firewall1 configuration

config system interface

  edit "internal"
    set ip 192.168.1.1 255.255.255.0
  next
  edit "external"
    set ip 64.114.95.229 255.255.255.128
  next
end
config vpn ipsec phase1
  edit "FG400"
    set interface "external"
    set nattraversal enable
    set proposal 3des-sha1 3des-md5
    set psksecret 123456
    set remote-gw 64.114.95.228
  next
end
config vpn ipsec phase2
  edit "mytunnel"
    set keepalive enable
    set pfs enable
    set phase1name FG400
    set proposal 3des-sha1 3des-md5
    set replay enable
    set use-natip disable
  next
end
config firewall address
  edit "vpn-remote"
    set subnet 30.30.30.0 255.255.255.0
  next
  edit "vpn-local"
    set subnet 192.168.1.0 255.255.255.0
  next
end
config firewall policy
  edit 2
    set srcintf "internal"
    set dstintf "external"
    set srcaddr "vpn-local"
    set dstaddr "vpn-remote"
    set action ipsec
    set schedule "always"
    set service "ANY"
    set natip 20.20.20.0 255.255.255.0
    set inbound enable
    set outbound enable
    set natoutbound enable
    set vpntunnel "mytunnel"
  next
end

Firewall2 configuration

config system interface
  edit "port1"
    set ip 192.168.1.1 255.255.255.0
  next
  edit "port2"
    set ip 64.114.95.228 255.255.255.128
  next
end

config vpn ipsec phase1
  edit "FG300"
    set interface "port2"
    set nattraversal enable
    set proposal 3des-sha1 3des-md5
    set psksecret 123456
    set remote-gw 64.114.95.229
  next
end

config vpn ipsec phase2
  edit "mytunnel"
    set keepalive enable
    set pfs enable
    set phase1name FG300
    set proposal 3des-sha1 3des-md5
    set replay enable
    set use-natip disable
  next
end

config firewall address
  edit "vpn-remote"
    set subnet 20.20.20.0 255.255.255.0
  next
  edit "vpn-local"
    set subnet 192.168.1.0 255.255.255.0
  next
end

config firewall policy
  edit 2
    set srcintf "port1"
    set dstintf "port2"
    set srcaddr "vpn-local"
    set dstaddr "vpn-remote"
    set action ipsec
    set schedule "always"
    set service "ANY"
    set natip 30.30.30.0 255.255.255.0
    set inbound enable
    set outbound enable
    set natoutbound enable
    set vpntunnel "mytunnel"
  next
end
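The two configurations above have to mirror each other exactly (remote-gw pointing at the peer's WAN address, identical pre-shared key, overlapping proposals, each side's natip equal to the peer's vpn-remote object, and no selector in Phase 2). The following script is an added example, not part of the original post or of FortiOS: it renders both sites' CLI from a template filled with the values used in the post, parses the flat config/edit/set/next/end form, and cross-checks the pair. The template, parser and check names are this example's own constructions.

```python
"""Added example (not from the original post): cross-check a pair of
FortiGate site configs for the mistakes that break an overlapping-subnet
IPsec tunnel. CLI text is rendered from a template with the post's values;
parser and checks are this example's own code, not FortiOS tooling."""
import ipaddress

TEMPLATE = """
config system interface
  edit "{lan_if}"
    set ip 192.168.1.1 255.255.255.0
  next
  edit "{wan_if}"
    set ip {wan_ip} 255.255.255.128
  next
end
config vpn ipsec phase1
  edit "{p1}"
    set interface "{wan_if}"
    set proposal 3des-sha1 3des-md5
    set psksecret {psk}
    set remote-gw {peer_ip}
  next
end
config vpn ipsec phase2
  edit "mytunnel"
    set use-natip disable
  next
end
config firewall address
  edit "vpn-remote"
    set subnet {remote} 255.255.255.0
  next
end
config firewall policy
  edit 2
    set srcintf "{lan_if}"
    set action ipsec
    set natip {natip} 255.255.255.0
    set natoutbound enable
  next
end
"""

def site(lan_if, wan_if, wan_ip, p1, psk, peer_ip, remote, natip):
    """Render one site's CLI text from the template (constructed data)."""
    return TEMPLATE.format(**locals())

# The two sides from the post: the same 192.168.1.0/24 LAN on both.
FW1 = site("internal", "external", "64.114.95.229", "FG400", "123456",
           "64.114.95.228", "30.30.30.0", "20.20.20.0")
FW2 = site("port1", "port2", "64.114.95.228", "FG300", "123456",
           "64.114.95.229", "20.20.20.0", "30.30.30.0")

def parse_fortios(text):
    """Parse config/edit/set/next/end lines into cfg[section][entry][key] -> values."""
    cfg, section, entry = {}, None, None
    for raw in text.splitlines():
        word, _, rest = raw.strip().partition(" ")
        if word == "config":
            section = cfg.setdefault(rest, {})
        elif word == "edit":
            entry = section.setdefault(rest.strip('"'), {})
        elif word == "set":
            key, _, vals = rest.partition(" ")
            entry[key] = [v.strip('"') for v in vals.split()]
    return cfg

def net(ip_mask): return ipaddress.ip_network(f"{ip_mask[0]}/{ip_mask[1]}", strict=False)
def first(d): return next(iter(d.values()))

def check_pair(text_a, text_b):
    """Return (severity, message) findings; no 'error' entries means the two
    sides mirror each other and the NAT mapping is consistent."""
    a, b = parse_fortios(text_a), parse_fortios(text_b)
    out = []
    p1a, p1b = first(a["vpn ipsec phase1"]), first(b["vpn ipsec phase1"])
    if p1a["psksecret"] != p1b["psksecret"]:
        out.append(("error", "pre-shared keys differ"))
    if not set(p1a["proposal"]) & set(p1b["proposal"]):
        out.append(("error", "no common phase1 proposal"))
    if any(w in p for p in p1a["proposal"] for w in ("3des", "md5")):
        out.append(("warn", "3DES/MD5 proposals are deprecated"))
    for me, peer, tag in ((a, b, "fw1"), (b, a, "fw2")):
        p1, p2, pol = (first(me[s]) for s in
                       ("vpn ipsec phase1", "vpn ipsec phase2", "firewall policy"))
        peer_p1, peer_pol = first(peer["vpn ipsec phase1"]), first(peer["firewall policy"])
        peer_wan = peer["system interface"][peer_p1["interface"][0]]["ip"][0]
        if p1["remote-gw"][0] != peer_wan:
            out.append(("error", f"{tag}: remote-gw is not the peer WAN {peer_wan}"))
        if "src-subnet" in p2 or "dst-subnet" in p2:  # the post's key point
            out.append(("error", f"{tag}: phase2 selectors must stay empty here"))
        lan = net(me["system interface"][pol["srcintf"][0]]["ip"])
        peer_lan = net(peer["system interface"][peer_pol["srcintf"][0]]["ip"])
        if lan.overlaps(peer_lan):  # overlapping LANs require policy NAT
            if pol.get("natoutbound", ["disable"]) != ["enable"] or "natip" not in pol:
                out.append(("error", f"{tag}: LANs overlap but outbound NAT is off"))
            elif net(pol["natip"]) != net(peer["firewall address"]["vpn-remote"]["subnet"]):
                out.append(("error", f"{tag}: natip does not match the peer's vpn-remote"))
    return out
```

Run against the post's values, check_pair(FW1, FW2) reports no errors and a single warning about the 3DES/MD5 proposals; change one side's natip or add a src-subnet to Phase 2 and the corresponding error appears, which is the quickest way to confirm a transcribed config before touching the devices.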

Test:

From a PC at location 1, 30.30.30.100 (location 2's LAN as seen through its NAT subnet) can be pinged.

Troubleshooting

diagnose debug enable – enable output on remote console
diagnose debug app ike 2 – display IPSec IKE negotiations
diagnose sniffer packet – display packets in/out of interfaces
