Solution for route-based VPN
Both sites use the same private network, 10.11.101.0/24, so each FortiGate presents its local network to the peer under a different, translated prefix. Hosts behind FortiGate_2 reach FortiGate_1's network as 10.21.101.x, and hosts behind FortiGate_1 reach FortiGate_2's network as 10.31.101.x; neither side ever sends 10.11.101.x across the tunnel, because that prefix is local at both ends. You need to:
- Configure IPsec Phase 1 and Phase 2 as you usually would for a route-based VPN. In this example, the resulting IPsec interface is named FGT1_to_FGT2.
- Configure virtual IP (VIP) mapping:
- the 10.21.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_1
- the 10.31.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_2
- Configure an outgoing security policy with ordinary source NAT on both FortiGates.
- Configure an incoming security policy with the VIP as the destination on both FortiGates.
- Configure a static route to the remote translated network over the IPsec interface on both FortiGates.
To configure VIP mapping on both FortiGates
1. Go to Policy & Objects > Virtual IPs and select Create New.
2. Enter the following information, and select OK:
Name: Enter a name, for example, my_vip.
External Interface: Select FGT1_to_FGT2 (the IPsec interface). The VIP only matches traffic arriving on this interface.
Type: Static NAT
External IP Address/Range: Enter 10.21.101.1 to 10.21.101.254 when configuring FortiGate_1, or 10.31.101.1 to 10.31.101.254 when configuring FortiGate_2. A static NAT VIP requires the external range to be the same size as the mapped range, so the range covers the whole /24 listed above.
Mapped IP Address/Range: Enter 10.11.101.1 to 10.11.101.254.
Port Forwarding: Disable
3. Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the outbound security policy on both FortiGates
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK:
Incoming Interface: Select Port 1.
Source Address: Select all.
Outgoing Interface: Select FGT1_to_FGT2 (the IPsec interface).
Destination Address: Select all.
Action: Select ACCEPT.
Enable NAT: Enable.
4. Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the inbound security policy on both FortiGates
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and then select OK:
Incoming Interface: Select FGT1_to_FGT2 (the IPsec interface).
Source Address: Select all.
Outgoing Interface: Select Port 1 (the interface facing the local 10.11.101.0/24 network).
Destination Address: Select my_vip, the VIP created above. Traffic from the tunnel must be addressed to the translated range for this policy to match; the VIP then rewrites the destination to the real 10.11.101.x host.
Action: Select ACCEPT.
Enable NAT: Disable.
4. Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the static route for both FortiGates
1. Go to Network > Static Routes and select Create New.
2. Enter the following information, and then select OK:
Destination IP / Mask: Enter 10.31.101.0/24 when configuring FortiGate_1, or 10.21.101.0/24 when configuring FortiGate_2. This is the peer's translated network, not 10.11.101.0/24, which is directly connected on both FortiGates.
Device: Select FGT1_to_FGT2.
Gateway: Leave as default: 0.0.0.0.
Distance (Advanced): Leave at default. If you have advanced routing on your network, you may have to change this value.
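The GUI steps above are usually reproduced in the FortiOS CLI on each device. The following script is an added example, not part of the original page or a Fortinet tool: it checks that the address plan is consistent (the external and mapped VIP ranges are the same size, and the translated prefixes do not overlap the real LAN or each other) and then renders the equivalent CLI for either FortiGate. The subnets, interface name FGT1_to_FGT2 and VIP name my_vip come from the page; the LAN interface name port1 (the GUI's "Port 1"), the policy names vpn_out and vpn_in, and the helper names plan_side and render_cli are assumptions made for this example.

```python
import ipaddress

# Values from the page: the overlapping LAN, the tunnel interface and the
# VIP name. The LAN interface name "port1" (the GUI's "Port 1") and the
# policy names below are assumptions made for this example.
LOCAL_LAN = "10.11.101.0/24"
TUNNEL_IF = "FGT1_to_FGT2"
LAN_IF = "port1"
VIP_NAME = "my_vip"

# Translated prefix each FortiGate presents its LAN as (from the page).
DEFAULT_PLAN = {
    "FortiGate_1": "10.21.101.0/24",
    "FortiGate_2": "10.31.101.0/24",
}


def host_range(net):
    """First and last usable host of a network as a FortiOS range string."""
    hosts = list(net.hosts())
    return f"{hosts[0]}-{hosts[-1]}"


def plan_side(name, translated=DEFAULT_PLAN, local_lan=LOCAL_LAN):
    """Check the address plan and return the VIP ranges and the static-route
    destination for one FortiGate."""
    lan = ipaddress.ip_network(local_lan)
    fake = {k: ipaddress.ip_network(v) for k, v in translated.items()}
    (peer,) = [k for k in fake if k != name]
    my_fake, peer_fake = fake[name], fake[peer]

    # A static NAT VIP needs external and mapped ranges of equal size.
    if my_fake.num_addresses != lan.num_addresses:
        raise ValueError(f"{name}: {my_fake} is not the same size as LAN {lan}")
    # Translated prefixes must not overlap the real LAN (the connected route
    # would win over the tunnel route) or each other.
    for a, b in ((my_fake, lan), (peer_fake, lan), (my_fake, peer_fake)):
        if a.overlaps(b):
            raise ValueError(f"{a} overlaps {b}")

    return {
        "extip": host_range(my_fake),
        "mappedip": host_range(lan),
        "route_dst": f"{peer_fake.network_address} {peer_fake.netmask}",
    }


def render_cli(name, translated=DEFAULT_PLAN, local_lan=LOCAL_LAN):
    """Render the VIP, the two policies and the static route for one side."""
    p = plan_side(name, translated, local_lan)
    return "\n".join([
        "config firewall vip",
        f'    edit "{VIP_NAME}"',
        f'        set extintf "{TUNNEL_IF}"',
        f"        set extip {p['extip']}",
        f"        set mappedip \"{p['mappedip']}\"",
        "    next",
        "end",
        "config firewall policy",
        "    edit 0",                      # 0 = next free policy ID
        '        set name "vpn_out"',
        f'        set srcintf "{LAN_IF}"',
        f'        set dstintf "{TUNNEL_IF}"',
        '        set srcaddr "all"',
        '        set dstaddr "all"',
        "        set action accept",
        '        set schedule "always"',
        '        set service "ALL"',
        "        set nat enable",          # ordinary source NAT outbound
        "    next",
        "    edit 0",
        '        set name "vpn_in"',
        f'        set srcintf "{TUNNEL_IF}"',
        f'        set dstintf "{LAN_IF}"',
        '        set srcaddr "all"',
        f'        set dstaddr "{VIP_NAME}"',   # VIP as destination, no NAT
        "        set action accept",
        '        set schedule "always"',
        '        set service "ALL"',
        "    next",
        "end",
        "config router static",
        "    edit 0",
        f"        set dst {p['route_dst']}",   # peer's translated prefix
        f'        set device "{TUNNEL_IF}"',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    for side in DEFAULT_PLAN:
        print(f"# ---- {side} ----")
        print(render_cli(side))
```

Run it and paste each block into the matching FortiGate; change DEFAULT_PLAN if your translated prefixes differ, and the checks in plan_side will reject a plan whose VIP ranges cannot be created or whose route would collide with the connected LAN.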