FortiGate
ellenluo
Staff
Article Id 192625

Description

This case study illustrates how proxy ARP can be used to deal with overlapping subnets on the two sides of a site-to-site IPsec VPN.

In this case study:

  1. The workstation obtains an IP address from a DHCP server at the remote site, across the IPsec VPN (DHCP relay is required for this).
  2. After obtaining the IP address, the workstation needs to reach a server at the remote site that sits in the same subnet (proxy ARP is used to accomplish this).

This article assumes that it is not possible to modify the subnets to avoid overlap.

For an explanation of how hosts in the same subnet communicate over an IPsec VPN using a VIP, refer to the link below:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD33872

Scope

Solution

Topology:

                              192.168.101.129         10.0.0.1                 10.0.0.2         192.168.101.1
DHCP client ---L2 Switch--- internal 60C tunnel-int1 -- VPN -- tunnel-int1 40C internal ---L3 Switch--+-- DHCP server (.3)
                                                                                                      +-- Server (.4)

DHCP ippool: 192.168.101.130-192.168.101.254

DHCP server: 192.168.101.3

Application server: 192.168.101.4

In the topology above, the client (behind the 60C) and the server (behind the 40C) belong to the same subnet, 192.168.101.0/24.

Configuration Tips:

1. Configure DHCP relay on the internal interface of the 60C.

2. Configure a proxy-ARP entry for the DHCP server on the 60C.

3. Configure a route-based IPsec VPN tunnel on both sides.

4. Configure a host route for the client on the FortiGate 60C and a host route for the server on the FortiGate 40C.

5. Configure proxy ARP on both sides.

Note:
In FortiOS 5.2.2 and earlier, only one IP address can be configured in each proxy-arp entry.
Starting in 5.2.3, IP ranges can be added as entries to the proxy-arp configuration, which simplifies proxy ARP for a large number of IP addresses.

Configuration Steps:

Step 1 ---- Configuration on the FGT60C (Local FortiGate)


config system interface
    edit "internal"
        set dhcp-relay-service enable
        set ip 192.168.101.129 255.255.255.0
        set dhcp-relay-ip "192.168.101.3"          #<-- this points to the remote DHCP server
    next
    edit "dmz"
        set ip 10.0.0.1 255.255.255.0
    next
end

config vpn ipsec phase1-interface
    edit "tunnel-int1"
        set interface "dmz"
        set proposal 3des-sha1 aes128-sha1
        set dhgrp 5
        set remote-gw 10.0.0.2
        set psksecret 12345678
    next
end

config vpn ipsec phase2-interface
    edit "test1_p2"
        set phase1name "tunnel-int1"
        set proposal 3des-sha1
    next

end

config router static
    edit 1
        set device "tunnel-int1"
        set dst 192.168.101.3 255.255.255.255     #<-- host route for the remote DHCP server
    next
    edit 2
        set device "tunnel-int1"
        set dst 192.168.101.4 255.255.255.255     #<-- host route for the remote Server
    next
end

config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "tunnel-int1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config system proxy-arp
    edit 1
        set interface "internal"
        set ip 192.168.101.3       #<-- remote DHCP server
    next
    edit 2
        set interface "internal"
        set ip 192.168.101.4       #<-- remote Server
    next
end

Step 2 ---- Configuration on the FGT40C (Remote FortiGate)

config system interface
    edit "internal"
        set ip 192.168.101.1 255.255.255.0
    next
    edit "wan1"
        set ip 10.0.0.2 255.255.255.0
    next
end

config vpn ipsec phase1-interface
    edit "tunnel-int1"
        set interface "wan1"
        set proposal 3des-sha1 aes128-sha1
        set remote-gw 10.0.0.1
        set psksecret 12345678
    next
end

config vpn ipsec phase2-interface
    edit "test1_p2"
        set phase1name "tunnel-int1"
        set proposal 3des-sha1
    next
end

config router static
    edit 1
        set device "tunnel-int1"
        set dst 192.168.101.130 255.255.255.255   #<-- host route for the DHCP client
    next
end

config firewall policy
    edit 1
        set srcintf "tunnel-int1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config system proxy-arp
    edit 1
        set interface "internal"
        set ip 192.168.101.130   #<-- DHCP client
    next
end

Packet Capture Showing DHCP-Relay Working

1. The DHCP client obtains the IP address 192.168.101.130. On the local FortiGate, each client broadcast arriving on internal is relayed out of tunnel-int1 as a unicast sourced from the relay address 192.168.101.129, and each reply from 192.168.101.3 is sent back out of internal as a broadcast to port 68.

Local FortiGate:
FWF60C3G12006101 # diagnose sniffer packet any 'port 67 or port 68' 4

interfaces=[any]

filters=[port 67 or port 68]

45.371041 internal in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
45.373613 tunnel-int1 out 192.168.101.129.67 -> 192.168.101.3.67: udp 311
45.379903 tunnel-int1 in 192.168.101.3.67 -> 192.168.101.129.67: udp 307
45.381496 internal out 192.168.101.129.67 -> 255.255.255.255.68: udp 295
45.382178 internal in 0.0.0.0.68 -> 255.255.255.255.67: udp 318
45.383791 tunnel-int1 out 192.168.101.129.67 -> 192.168.101.3.67: udp 330
45.539679 tunnel-int1 in 192.168.101.3.67 -> 192.168.101.129.67: udp 307
45.541556 internal out 192.168.101.129.67 -> 255.255.255.255.68: udp 295
52.731185 internal in 192.168.101.130.68 -> 255.255.255.255.67: udp 300
52.733945 tunnel-int1 out 192.168.101.129.67 -> 192.168.101.3.67: udp 303
52.738217 tunnel-int1 in 192.168.101.3.67 -> 192.168.101.129.67: udp 304
52.739802 internal out 192.168.101.129.67 -> 255.255.255.255.68: udp 304

Remote FortiGate:
FWF40C3911000235 #  diagnose sniffer packet any 'port 67 or port 68' 4

interfaces=[any]
filters=[port 67 or port 68]
 43.108175 tunnel-int1 in 192.168.101.129.67 -> 192.168.101.3.67: udp 311
43.108423 internal out 192.168.101.129.67 -> 192.168.101.3.67: udp 311
43.113745 internal in 192.168.101.3.67 -> 192.168.101.129.67: udp 307
43.113883 tunnel-int1 out 192.168.101.3.67 -> 192.168.101.129.67: udp 307
43.118330 tunnel-int1 in 192.168.101.129.67 -> 192.168.101.3.67: udp 330
43.118511 internal out 192.168.101.129.67 -> 192.168.101.3.67: udp 330
43.273480 internal in 192.168.101.3.67 -> 192.168.101.129.67: udp 307
43.273646 tunnel-int1 out 192.168.101.3.67 -> 192.168.101.129.67: udp 307
50.468528 tunnel-int1 in 192.168.101.129.67 -> 192.168.101.3.67: udp 303
50.468776 internal out 192.168.101.129.67 -> 192.168.101.3.67: udp 303
50.472119 internal in 192.168.101.3.67 -> 192.168.101.129.67: udp 304
50.472224 tunnel-int1 out 192.168.101.3.67 -> 192.168.101.129.67: udp 304
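As an added example (not part of the article), the following Python script parses this sniffer output and checks the relay flow shown above: every client broadcast on internal should have a matching relayed unicast out of tunnel-int1, every reply from the expected DHCP server should be handed back to the LAN, and any DHCP server reply from an address other than 192.168.101.3, on any interface, is reported. The interface names and addresses are taken from the article; the rogue reply line is constructed.

```python
import re

# Line shape of "diagnose sniffer packet ... 4" output: ts iface dir src.port -> dst.port: proto len
SNIFFER_RE = re.compile(
    r"^\s*(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<proto>\w+)\s+(?P<length>\d+)"
)

def parse_sniffer(text):
    """Parse sniffer lines into dicts; header lines (interfaces=, filters=) are skipped."""
    records = []
    for line in text.splitlines():
        m = SNIFFER_RE.match(line)
        if m:
            rec = {k: int(v) if k in ("sport", "dport", "length") else v
                   for k, v in m.groupdict().items()}
            records.append(rec)
    return records

def audit_dhcp_relay(records, lan_iface, tunnel_iface, relay_ip, server_ip):
    """Count each relay step and record DHCP server replies from anything but server_ip."""
    counts = {"client_to_relay": 0, "relayed_to_server": 0,
              "server_to_relay": 0, "relayed_to_client": 0, "unexpected_servers": []}
    for r in records:
        server_reply = r["dir"] == "in" and r["sport"] == 67   # something acting as a DHCP server
        if r["iface"] == lan_iface and r["dir"] == "in" and r["dport"] == 67:
            counts["client_to_relay"] += 1                      # client broadcast reaches the relay
        elif (r["iface"] == tunnel_iface and r["dir"] == "out"
              and r["src"] == relay_ip and r["dst"] == server_ip):
            counts["relayed_to_server"] += 1                    # unicast sourced from the relay address
        elif server_reply and r["iface"] == tunnel_iface and r["src"] == server_ip:
            counts["server_to_relay"] += 1                      # expected server answers over the VPN
        elif server_reply:
            counts["unexpected_servers"].append((r["src"], r["iface"]))
        elif r["iface"] == lan_iface and r["dir"] == "out" and r["dport"] == 68:
            counts["relayed_to_client"] += 1                    # relay hands the reply back to the LAN
    counts["consistent"] = (counts["client_to_relay"] == counts["relayed_to_server"]
                            and counts["server_to_relay"] == counts["relayed_to_client"]
                            and not counts["unexpected_servers"])
    return counts

# Sample input: the first request/reply round from the article's local-FortiGate capture,
# plus one constructed line standing in for a DHCP server answering directly on the LAN.
SAMPLE_OK = """\
45.371041 internal in 0.0.0.0.68 -> 255.255.255.255.67: udp 300
45.373613 tunnel-int1 out 192.168.101.129.67 -> 192.168.101.3.67: udp 311
45.379903 tunnel-int1 in 192.168.101.3.67 -> 192.168.101.129.67: udp 307
45.381496 internal out 192.168.101.129.67 -> 255.255.255.255.68: udp 295"""
ROGUE_LINE = "46.000000 internal in 192.168.101.77.67 -> 255.255.255.255.68: udp 300"  # constructed
```

Run audit_dhcp_relay(parse_sniffer(SAMPLE_OK), "internal", "tunnel-int1", "192.168.101.129", "192.168.101.3") against the full capture from the article to confirm all four counters agree; appending ROGUE_LINE makes the audit report the unexpected server instead.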