Fabric connection via IPsec

Question

Hi, here is the scenario:there is an IPsec tunnel between two FortiGate firewalls on two different locations.Site1 has an AD controllerSite2 does not have an AD controllerClients from site2 can communicate with AD controller on site 1 and vice versaSo far so good everything works like a charm.Now firewall on site 2 has to make a fabric connection to AD on site 1. But that is where I get confused. If Site 2 IPsec Remote address should be IP of AD controller, what should I chose in local IP?In location 1 IPsec, Local IP will be AD controller's IP and remote will be.... remote peers IP? That IP is used as remote IPsec peer IP....Same for policies... What source interface of site 2 should be? Or destination interface for site 1? And one more thing, when you exec ping from web CLI does it ping from the machine IP address that you login to web GUI from?

giorgi_rekhviashvili · Answer

If anyone gets into my shoes know this to solve the issue:

on site1 add Ipsec connection "LocalADHostIP >> RemoteIPsecInterfaceIP"

on site2 add Ipsec connection "LocalIpsecInterfaceIP >>> RemoteADHostIP"

Go to policies on site 1 and create with settings:

Name: some_name

Incoming Interface: inside

Outgoing Interface: IPsec tunnel

Source: ADHostIP

Destination: RemoteIPsecInterfaceIP

Service: any (or whatever you want)

Nat: Disabled

On site 2:

Name: some_name

Incoming Interface: VLAN Interface to which IPsec interface is assigned

Outgoing Interface: IPsec tunnel

Source: VLAN interface ip (or IPsec interface IP, in my case they are both the same)

destination: RemoteADHostIP

service: any (or whatever you need)

Nat: disabled

Then go to routing on site 1 and make a route for remote IPsec site IP address and as a gateway interface chose IPsec Interface.

Thats it.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded