CLI configuration of FortiGate 1

config system interface
    edit "port1"
        set ip 198.51.100.1 255.255.255.0
        set alias Internet
    next
    edit "port2"
        set ip 10.1.1.254 255.255.255.0
        set alias LAN
    next
end

config system ipip-tunnel
    edit "toFG2"
        set interface "port1"
        set local-gw 198.51.100.1
        set remote-gw 203.0.113.2
    next
end

config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "toFG2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "toFG2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set device "port1"
        set gateway 198.51.100.254
        set comment "default-route to Internet ISP"
    next
    edit 0
        set device "toFG2"
        set dst 10.2.2.0 255.255.255.0
    next
end

CLI configuration of FortiGate 2

config system interface
    edit "port1"
        set ip 203.0.113.2 255.255.255.0
        set alias Internet
    next
    edit "port2"
        set ip 10.2.2.254 255.255.255.0
        set alias LAN
    next
end

config system ipip-tunnel
    edit "toFG1"
        set interface "port1"
        set local-gw 203.0.113.2
        set remote-gw 198.51.100.1
    next
end

config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "toFG1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "toFG1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set device "port1"
        set gateway 203.0.113.254
        set comment "default-route to Internet ISP"
    next
    edit 0
        set device "toFG1"
        set dst 10.1.1.0 255.255.255.0
    next
end

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 198.51.100.254, port1
C       10.1.1.0/24 is directly connected, port2
S       10.2.2.0/24 [10/0] is directly connected, toFG2
C       198.51.100.0/24 is directly connected, port1

Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 203.0.113.254, port1
C       10.2.2.0/24 is directly connected, port2
S       10.1.1.0/24 [10/0] is directly connected, toFG1
C       203.0.113.0/24 is directly connected, port1

if=toFG1 family=00 type=768 index=20 mtu=1480 link=0 master=0
ref=11 state=off start fw_flags=0 flags=up p2p run noarp multicast

[...]
== [ toFG1 ]
name: test   ip: 0.0.0.0 0.0.0.0   status: up   netbios-forward: disable   type: tunnel   netflow-sampler: disable   sflow-sampler: disable   scan-botnet-connections: disable   explicit-web-proxy: disable   explicit-ftp-proxy: disable   wccp: disable

interfaces=[any]
filters=[icmp]
2.901412 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901429 toFG2 out 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901954 toFG2 in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
2.901979 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

interfaces=[any]
filters=[icmp]
7.241465 toFG1 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.241529 port2 out 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.241815 port2 in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
7.241836 toFG1 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

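The mtu=1480 reported for toFG1 above follows from the encapsulation: each tunneled packet gains a 20-byte outer IPv4 header (protocol 4) addressed between the two gateway IPs. The sketch below is an added example, not Fortinet code; it uses the page's addresses and a constructed ICMP echo request, and it assumes a 1500-byte underlay MTU and hypothetical helper names such as `encapsulate` and `decapsulate`.

```python
# Added example (not Fortinet code); helper names are hypothetical.
import ipaddress
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4     # IPv4-in-IPv4 encapsulation (RFC 2003)
OUTER_HDR_LEN = 20   # outer IPv4 header without options
UNDERLAY_MTU = 1500  # assumption: standard Ethernet MTU on port1

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an even-length buffer."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Build a 20-byte IPv4 header (TTL 64, no options, no fragmentation)."""
    fields = [0x45, 0, OUTER_HDR_LEN + payload_len, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields)

def encapsulate(inner: bytes, local_gw: str, remote_gw: str) -> bytes:
    """Prepend the outer header; the inner packet is carried unmodified."""
    return ipv4_header(local_gw, remote_gw, IPPROTO_IPIP, len(inner)) + inner

def decapsulate(outer: bytes) -> bytes:
    """Validate the outer header and return the inner packet."""
    ver_ihl, _, total_len, _, _, _, proto, _ = struct.unpack("!BBHHHBBH", outer[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_IPIP or total_len != len(outer):
        raise ValueError("not a well-formed IPv4-in-IPv4 packet")
    if checksum(outer[:ihl]) != 0:
        raise ValueError("outer header checksum mismatch")
    return outer[ihl:]

def sample_echo_request() -> bytes:
    """Constructed sample: ICMP echo request 10.1.1.1 -> 10.2.2.2, as in the capture."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    icmp = struct.pack("!BBHHH", 8, 0, checksum(icmp), 1, 1)
    return ipv4_header("10.1.1.1", "10.2.2.2", IPPROTO_ICMP, len(icmp)) + icmp

if __name__ == "__main__":
    inner = sample_echo_request()
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.2")  # FortiGate 1 -> FortiGate 2
    print(len(inner), len(outer), UNDERLAY_MTU - OUTER_HDR_LEN)
    assert decapsulate(outer) == inner
```

Because the inner packet travels unmodified, the tunnel itself adds no encryption or authentication to the LAN traffic crossing the Internet-facing port1 interfaces.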
Related Articles
Technical Tip: Configuring and verifying an IP in IP tunnel
Technical Note: Configuring and verifying an IP in IP over IPsec tunnel