
Description

 

This article describes how to configure the IPSEC+VIP scenario on FortiExtender.

 

topo.jpg

 

Scope

 

For FortiExtender version v7.2.0 build0113 and FortiGate version v7.2.0 build1157.
FortiExtender port4 is directly connected to the port9 interface on the FortiGate.

 

Solution

 

With IPSEC+VIP, a remote user does not need to know the actual IP address of the local servers: the user reaches the local servers through a virtual IP address, and the admin can make changes on the local servers (such as changing IP addresses or migrating servers) without affecting remote users' access to those servers through the IPSEC VPN.


1) Create VPN Tunnels on the FortiExtender side, with source subnet 10.10.10.0/24 and destination subnet 192.168.10.0/24.

 

vpn-local-1.jpg

 

vpn-local-2.jpg

 

2) Create VPN tunnels on the FortiGate side, with source subnet 192.168.10.0/24 and destination subnet 10.10.10.0/24.

 

vpn-remote.jpg

 

3) Verify that the VPN tunnels are set up successfully and that their status is ON on both FortiExtender and FortiGate.

 

4) On FortiExtender, create a 'FireWall Vip' with 'Extip' 10.10.10.1 and 'Mappedip' 192.168.200.100 (the server IP address), then create a firewall policy with DNAT enabled whose source interface is the same as the firewall VIP's external interface.

 

VIP-local.jpg

firewall-local-1.jpg

 

5) The firewall policy for VPN and VIP on FortiExtender looks like:

 

firewall-local-2.jpg

 

6) The networking address on FortiExtender looks like:

 

address-local.jpg

 

7) On FortiExtender GUI, Networking -> Routing, edit the Policy Routes for VPN, change the source to lan and save.

 

route-local.bmp

 

8) Clients behind the FortiGate (192.168.10.0/24) can now reach the server (192.168.200.100) behind the FortiExtender using the IP address 10.10.10.1; all traffic with destination address 10.10.10.1 is forwarded to the server 192.168.200.100.

 

CLI Config (note that the example proposal lists below still include legacy options such as 3DES, SHA-1 and DH group 5; trim them to the algorithms your security baseline allows, since IKE will negotiate from whatever both peers offer):

 

FortiExtender:

 

# config network address

edit lan

set type ipmask
set subnet 192.168.200.0/24

next
edit vpn-a_local_subnet_1

set type ipmask
set subnet 10.10.10.0/24

next
edit vpn-a_remote_subnet_1

set type ipmask
set subnet 192.168.10.0/24

next

end

 

# config vpn ipsec

config phase1-interface

edit vpn-a

set ike-version 2
set keylife 86400
set proposal aes128-sha256 aes256-sha256 3des-sha256 aes128-sha1 aes256-sha1 3des-sha1
set dhgrp 14 5
set interface port4
set type static
set remote-gw 172.30.241.99
set authmethod psk
set psksecret ******
set localid
set peerid
set add-gw-route disable
set dev-id-notification disable

next

end
config phase2-interface

edit vpn-a_p2_1

set phase1name vpn-a
set proposal aes128-sha1 aes256-sha1 3des-sha1 aes128-sha256 aes256-sha256 3des-sha256
set pfs enable
set dhgrp 14 5
set keylife-type seconds
set keylifeseconds 43200
set encapsulation tunnel-mode
set protocol 0
set src-addr-type name
set src-name vpn-a_local_subnet_1
set src-port 0
set dst-addr-type name
set dst-name vpn-a_remote_subnet_1
set dst-port 0

next

end

end

 

# config firewall vip

edit vip-1

set comment
set extip 10.10.10.1
set mappedip 192.168.200.100
set extintf vpn-a
set portforward disable

next
end

 

# config firewall policy

edit vpn_vpn-a_local

set srcintf any
set dstintf vpn-a
set srcaddr vpn-a_local_subnet_1
set dnat disable
set dstaddr vpn-a_remote_subnet_1
set action accept
set status enable
set service ALL
set nat disable

next
edit vpn_vpn-a_remote

set srcintf vpn-a
set dstintf any
set srcaddr vpn-a_remote_subnet_1
set dnat disable
set dstaddr vpn-a_local_subnet_1
set action accept
set status enable
set service ALL
set nat disable

next

edit Rule-vip

set srcintf vpn-a
set dstintf any
set srcaddr all
set dnat enable
set vip vip-1
set action accept
set status enable
set service ALL
set nat disable

next
edit all-nat

set srcintf any
set dstintf any
set srcaddr lan
set dnat disable
set dstaddr all
set action accept
set status enable
set service ALL
set nat enable

next

end

 

# config router policy

edit vpn_vpn-a_remote

set input-device
set srcaddr lan
set dstaddr vpn-a_remote_subnet_1
set service ALL
set target target.vpn-a
set status enable
set comment

next

end

 

FortiGate:

 

# config firewall address

edit "vpn-a_local_subnet_1"

set uuid a0615410-f272-51ec-7960-04d78ee7bd01
set allow-routing enable
set subnet 192.168.10.0 255.255.255.0

next
edit "vpn-a_remote_subnet_1"

set uuid a0738310-f272-51ec-bfbe-6e0d8a3dfe80
set allow-routing enable
set subnet 10.10.10.0 255.255.255.0

next

end

 

# config vpn ipsec phase1-interface

edit "vpn-a"

set interface "wan2"
set ike-version 2
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128gcm-prfsha256 aes256gcm-prfsha384 chacha20poly1305-prfsha256
set comments "VPN: vpn-a (Created by VPN wizard)"
set dhgrp 5 14
set wizard-type static-fortigate
set remote-gw 172.30.241.100
set psksecret ENC DR7FgTqZHG7cYnmifcW/lriO9hl/qiMohOWuJCVUMhVz3wrEMXLG8nBEllVfD2T+R+2wxvGstbRgG6TGM8QhSE6eKjb1ScKqoX+tc4lTtEiHHPvk7VhYP+CHLlTg0VERTXtuCSlWf5AZQ37eAGPXHcxiCMoKp0bwufpWdNcZd9d9cEkv+goh/UqTHpTOHjfEumXYUA==

next

end

 

# config vpn ipsec phase2-interface

edit "vpn-a"

set phase1name "vpn-a"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: vpn-a (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "vpn-a_local"
set dst-name "vpn-a_remote"

next

end