FortiGate
tpatel (Staff)
Article Id 232457
Description

This article describes how to create an IPsec tunnel through an Enhanced MAC VLAN (EMAC VLAN) interface that carries a public IP address in a different VDOM from the physical WAN port.

Scope

FortiGate.

Solution

1) First, create an EMAC VLAN interface on the WAN interface and assign that EMAC VLAN interface to a different VDOM.
2) Assign the public IP address to the EMAC VLAN interface. (The EMAC VLAN interface must use a different public IP address from the one configured on port1.)

 

CLI configuration:

- Create the EMAC VLAN interface in the root VDOM (global context) and assign that interface to the test VDOM:

Gwyn-kvm70 # config global
Gwyn-kvm70 (global) # config system interface
Gwyn-kvm70 (interface) # edit "emac 2"
Gwyn-kvm70 (emac 2) # show
config system interface
    edit "emac 2"
        set vdom "test"     <----- Assigned to the test VDOM.
        set ip 10.9.14.137 255.255.255.0
        set allowaccess ping https ssh http
        set type emac-vlan
        set role lan
        set snmp-index 19
        set interface "port1"     <----- Parent WAN interface.
    next
end


3) Open the test VDOM and create IPsec tunnel phase 1 and phase 2 using the EMAC VLAN interface.

Gwyn-kvm70 (phase1-interface) # show
config vpn ipsec phase1-interface
    edit "ipsec3"
        set interface "emac 2"     <----- Select the EMAC VLAN interface.
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: ipsec3 (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 10.9.14.161     <----- Remote gateway IP.
    next
end

4) Verify phase 1 and phase 2 in the FortiGate GUI of the test VDOM.
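The steps above show the EMAC VLAN interface and the phase 1 object, but a working tunnel also needs a pre-shared key, a phase 2 selector, a route into the tunnel and firewall policies in the test VDOM. The script below is an added example written for this article, not the article's own CLI output or a Fortinet-provided script: it reuses the page's values (interface "emac 2" on port1 with 10.9.14.137/24, VDOM "test", tunnel "ipsec3", remote gateway 10.9.14.161) and assumes the rest. The local subnet 192.168.10.0/24, the remote subnet 192.168.20.0/24, the internal interface "port2" (assumed to already belong to the test VDOM), the address object names and the pre-shared key placeholder are assumptions that must be replaced with real values before use.

```fortios
# Added example (assumed values marked below), not the article's own output.
# Step 1 and 2: EMAC VLAN on the WAN port, owned by the test VDOM, public IP 10.9.14.137.
config global
    config system interface
        edit "emac 2"
            set vdom "test"
            set type emac-vlan
            set interface "port1"
            set ip 10.9.14.137 255.255.255.0
            set allowaccess ping
        next
    end
end

# Step 3: everything else lives inside the test VDOM.
config vdom
    edit "test"
        # Phase 1 bound to the EMAC VLAN interface. IKEv2 and SHA-256-only proposals
        # replace the SHA-1 proposals the VPN wizard generates. Replace the key placeholder.
        config vpn ipsec phase1-interface
            edit "ipsec3"
                set interface "emac 2"
                set ike-version 2
                set peertype any
                set net-device disable
                set proposal aes256-sha256
                set dhgrp 14
                set remote-gw 10.9.14.161
                set psksecret <PRE-SHARED-KEY-PLACEHOLDER>
            next
        end
        # Phase 2 selectors (assumed subnets). auto-negotiate brings the tunnel up
        # without waiting for interesting traffic, which makes step 4 easier to verify.
        config vpn ipsec phase2-interface
            edit "ipsec3"
                set phase1name "ipsec3"
                set proposal aes256-sha256
                set dhgrp 14
                set pfs enable
                set auto-negotiate enable
                set src-subnet 192.168.10.0 255.255.255.0
                set dst-subnet 192.168.20.0 255.255.255.0
            next
        end
        # Address objects (assumed names/subnets) so the policies are not "all" to "all".
        config firewall address
            edit "local-lan"
                set subnet 192.168.10.0 255.255.255.0
            next
            edit "remote-lan"
                set subnet 192.168.20.0 255.255.255.0
            next
        end
        # Route the remote subnet into the tunnel interface.
        config router static
            edit 0
                set dst 192.168.20.0 255.255.255.0
                set device "ipsec3"
            next
        end
        # Policies in both directions, restricted to the two subnets and fully logged.
        config firewall policy
            edit 0
                set name "lan-to-ipsec3"
                set srcintf "port2"
                set dstintf "ipsec3"
                set srcaddr "local-lan"
                set dstaddr "remote-lan"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
            edit 0
                set name "ipsec3-to-lan"
                set srcintf "ipsec3"
                set dstintf "port2"
                set srcaddr "remote-lan"
                set dstaddr "local-lan"
                set action accept
                set schedule "always"
                set service "ALL"
                set logtraffic all
            next
        end
    next
end
```

Step 4 can be checked from the CLI as well: inside the test VDOM (config vdom / edit test), `get vpn ipsec tunnel summary` lists the tunnel with its SA counts, `diagnose vpn ike gateway list` shows the phase 1 negotiation state against 10.9.14.161, and `diagnose vpn tunnel list` shows the phase 2 selectors and whether the SAs are installed. Two choices above differ from the wizard output in the article and are deliberate: allowaccess on "emac 2" is reduced to ping, because IKE (UDP 500/4500 and ESP) is accepted on any interface that has a phase 1 bound to it and does not need HTTP, HTTPS or SSH management access exposed on a public-facing interface; and the SHA-1 proposals are dropped so that the tunnel cannot negotiate down to them.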
