Gateway-to-gateway configurations

Solution for policy-based VPN

As with the route-based solution, users contact hosts at the other end of the VPN using an alternate subnet address. PC1 communicates with PC2 using IP address 10.31.101.10, and PC2 communicates with PC1 using IP address 10.21.101.10.

In this solution, however, outbound NAT is used to translate the source address of packets from the 10.11.101.0/24 network to the alternate subnet address that hosts at the other end of the VPN use to reply. Inbound packets from the remote end have their destination addresses translated back to the 10.11.101.0/24 network.

For example, PC1 uses the destination address 10.31.101.10 to contact PC2. Outbound NAT on FortiGate_1 translates the PC1 source address to 10.21.101.10. At the FortiGate_2 end of the tunnel, the outbound NAT configuration translates the destination address to the actual PC2 address of 10.11.101.10. Similarly, PC2 replies to PC1 using destination address 10.21.101.10, with the PC2 source address translated to 10.31.101.10. PC1 and PC2 can communicate over the VPN even though they both have the same IP address.
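The translation described above, modelled as an added Python example (not code from the handbook or FortiOS): each gateway source-translates outbound packets into its natip subnet and reverses that mapping on the destination of inbound packets, keeping the host part of the address. It assumes, following the PC1/PC2 flow just described, that natip is 10.21.101.0/24 on FortiGate_1 and 10.31.101.0/24 on FortiGate_2, and it adds a check that the alternate subnets overlap neither the real subnet nor each other.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def translate(addr: str, from_net: str, to_net: str) -> str:
    """Move addr into to_net keeping its host offset (10.11.101.10 -> 10.21.101.10)."""
    a = ipaddress.ip_address(addr)
    src, dst = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if a not in src or src.prefixlen != dst.prefixlen:
        raise ValueError(f"{addr} is not in {from_net} or subnet sizes differ")
    return str(dst.network_address + (int(a) - int(src.network_address)))

class Gateway:
    """Policy-based VPN endpoint with natoutbound: local_net is the real subnet
    behind it, natip the alternate subnet the peer uses to reach those hosts."""

    def __init__(self, local_net: str, natip: str) -> None:
        self.local_net, self.natip = local_net, natip

    def to_tunnel(self, pkt: Packet) -> Packet:
        # outbound: source address translated into the natip subnet
        return Packet(translate(pkt.src, self.local_net, self.natip), pkt.dst)

    def from_tunnel(self, pkt: Packet) -> Packet:
        # inbound: destination translated back from natip to the real subnet
        return Packet(pkt.src, translate(pkt.dst, self.natip, self.local_net))

def check_alternates(local_net: str, *alternates: str) -> bool:
    """Alternate subnets must overlap neither the real subnet nor each other,
    otherwise a translated address is ambiguous on one side of the tunnel."""
    nets = [ipaddress.ip_network(n) for n in (local_net, *alternates)]
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])

def round_trip(pc1: str, pc2_alias: str) -> tuple:
    """PC1's request as PC2 sees it, and PC2's reply as PC1 sees it.
    Constructed addresses (assumed natip placement) follow the PC1/PC2 description."""
    fg1 = Gateway("10.11.101.0/24", "10.21.101.0/24")  # FortiGate_1
    fg2 = Gateway("10.11.101.0/24", "10.31.101.0/24")  # FortiGate_2
    seen_by_pc2 = fg2.from_tunnel(fg1.to_tunnel(Packet(pc1, pc2_alias)))
    reply = Packet(seen_by_pc2.dst, seen_by_pc2.src)
    seen_by_pc1 = fg1.from_tunnel(fg2.to_tunnel(reply))
    return seen_by_pc2, seen_by_pc1
```

Calling round_trip("10.11.101.10", "10.31.101.10") shows PC2 receiving the request from 10.21.101.10 and PC1 receiving the reply from 10.31.101.10, both addressed to the real 10.11.101.10.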

You need to:

  • Configure IPsec Phase 1 as you usually would for a policy-based VPN.
  • Configure IPsec Phase 2 with the use-natip disable CLI option.
  • Define a firewall address for the local private network, 10.11.101.0/24.
  • Define a firewall address for the remote private network:
      • Define a firewall address for 10.31.101.0/24 on FortiGate_1
      • Define a firewall address for 10.21.101.0/24 on FortiGate_2
  • Configure an outgoing IPsec security policy with outbound NAT to map 10.11.101.0/24 source addresses:
      • To the 10.21.101.0/24 network on FortiGate_1
      • To the 10.31.101.0/24 network on FortiGate_2


To configure IPsec Phase 2 – CLI

config vpn ipsec phase2
    edit "FGT1_FGT2_p2"
        set keepalive enable
        set pfs enable
        set phase1name FGT1_to_FGT2
        set proposal 3des-sha1 3des-md5
        set replay enable
        set use-natip disable
    end

In this example, your Phase 1 definition is named FGT1_to_FGT2. use-natip is set to disable, so you can specify the source selector using the src-addr-type, src-start-ip / src-end-ip or src-subnet keywords. This example leaves these keywords at their default values, which specify the subnet 0.0.0.0/0.

The pfs keyword enables perfect forward secrecy (PFS), so that each Phase 2 key that is created is derived independently of any other key in use.

To define the local private network firewall address

1. Go to Policy & Objects > Addresses and select Create New.

2. Enter the following information and select OK.

Name                Enter vpn-local. A meaningful name for the local private network.
Type                Subnet
Subnet / IP Range   10.11.101.0 255.255.255.0
Interface           Any

To define the remote private network firewall address

1. Go to Policy & Objects > Addresses and select Create New.

2. Enter the following information, and select OK:

Name                Enter vpn-remote. A meaningful name for the remote private network.
Type                Subnet
Subnet / IP Range   10.31.101.0 255.255.255.0 on FortiGate_1; 10.21.101.0 255.255.255.0 on FortiGate_2.
Interface           Any

To configure the IPsec security policy

In the CLI on FortiGate_1, enter the commands:

config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "vpn-local"
        set dstaddr "vpn-remote"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "FGT1_to_FGT2"
        set natoutbound enable
        set natip 10.31.101.0 255.255.255.0
    end

Optionally, you can set everything except natip in the web-based manager and then use the CLI to set natip. Enter the same commands on FortiGate_2, but set natip to 10.21.101.0 255.255.255.0.

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
