Source 10.221.1.0/24 <<<<<<<<>>>>>>>>> Destination 192.168.22.0/24

Now the administrator has a requirement to build a new IPsec VPN tunnel IPsec_B with another 3rd party provider (3rd Part2) with the same Phase 2 selectors.

4) Configure firewall addresses on "root":

#config firewall address
    edit "10.221.1.0/24"
        set allow-routing enable
        set subnet 10.221.1.0 255.255.255.0
    next
    edit "192.168.22.0/24"
        set allow-routing enable
        set subnet 192.168.22.0 255.255.255.0
    next
    edit "192.168.220.0/24"
        set subnet 192.168.220.0 255.255.255.0
    next
end

5) Configure IPSEC VPN with 3rd Part2 on "root":

#config vpn ipsec phase1-interface
    edit "3rd Part2"
        set interface "wan1"
        set peertype any
        set proposal aes128-sha256 aes256-sha256 aes256-sha1
        set remote-gw y.y.y.y
        set psksecret ENC <encrypted_PSK>
    next
end

#config vpn ipsec phase2-interface
    edit "3rd Part2"
        set phase1name "3rd Part2"
        set proposal aes128-sha256 aes256-sha256 aes256gcm
        set src-addr-type name
        set dst-addr-type name
        set src-name "10.221.1.0/24"
        set dst-name "192.168.22.0/24"
    next
end

6) Assign vrf id 10 to INT-root0 and IPsec_B on VDOM "root":

#config system interface
    edit "INT-root0"
        set vdom "root"
        set vrf 10                          <---
        set ip 30.30.30.1 255.255.255.0
        set type vdom-link
    next
    edit "IPSEC_B"
        set vdom "root"
        set vrf 10                          <---
        set type tunnel
        set interface "wan1"
    next
end

7) Configure static routes on VDOM "root" (these routes will be effective within VRF 10):

#config router static
    edit 4
        set device "IPSEC_B"
        set comment "VPN: IPSEC_B via vrf 10"
        set dstaddr "192.168.22.0/24"
    next
    edit 5
        set gateway 30.30.30.2
        set device "INT-root0"
        set comment "route to 10.221.1.0/24 for vrf 10"
        set dstaddr "10.221.1.0/24"
    next
    edit 6
        set dst 192.168.220.0 255.255.255.0
        set gateway 20.20.20.2
        set device "root-INT0"
    next
end

Note: Static routes 4 and 5 will be effective within VRF 10, because the interfaces used in these routes (IPSEC_B and INT-root0) are assigned to this VRF. Route 6 uses root-INT0, which stays in VRF 0.

8) Configure policies which allow connections from 10.221.1.0/24 to 192.168.220.0/24 and vice versa on VDOM "root":

#config firewall policy
    edit 4
        set name "vpn_IPSEC_B_local"
        set srcintf "INT-root0"
        set dstintf "IPSEC_B"
        set srcaddr "10.221.1.0/24"
        set dstaddr "192.168.22.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 5
        set name "vpn_IPSEC_B_remote"
        set srcintf "IPSEC_B"
        set dstintf "INT-root0"
        set srcaddr "192.168.22.0/24"
        set dstaddr "10.221.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 6
        set srcintf "lan"
        set dstintf "root-INT0"
        set srcaddr "10.221.1.0/24"
        set dstaddr "192.168.220.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end

9) Configure routes in VDOM "INT-NAT":

#config router static
    edit 1
        set dst 10.221.1.0 255.255.255.0
        set gateway 20.20.20.1
        set device "root-INT1"
    next
    edit 2
        set dst 192.168.22.0 255.255.255.0
        set gateway 30.30.30.1
        set device "INT-root1"
    next
end

10) Configure a VIP in VDOM "INT-NAT" for 1-to-1 DNAT:

#config firewall vip
    edit "VIP-220-22"
        set extip 192.168.220.1-192.168.220.254
        set extintf "root-INT1"
        set mappedip "192.168.22.1-192.168.22.254"
    next
end

11) Configure firewall policies in VDOM "INT-NAT":

#config firewall policy
    edit 1
        set srcintf "root-INT1"
        set dstintf "INT-root1"
        set srcaddr "10.221.1.0/24"
        set dstaddr "VIP-220-22"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
    edit 2
        set srcintf "INT-root1"
        set dstintf "root-INT1"
        set srcaddr "192.168.22.0/24"
        set dstaddr "10.221.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
    next
end

As a result, the routing table for VDOM "root" will be as follows:

# get router info routing-table all

Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via z.z.z.z, wan1
C       a.b.c.d/20 is directly connected, wan1
C       10.221.1.0/24 is directly connected, lan
C       20.20.20.0/24 is directly connected, root-INT0
S       192.168.22.0/24 [10/0] is directly connected, IPSEC_A
S       192.168.220.0/24 [10/0] via 20.20.20.2, root-INT0

Routing table for VRF=10
S       10.221.1.0/24 [10/0] via 30.30.30.2, INT-root0
C       30.30.30.0/24 is directly connected, INT-root0
S       192.168.22.0/24 [10/0] is directly connected, IPSEC_B

Debug flow for ICMP ping from 10.220.1.10 to 192.168.22.130:

id=20085 trace_id=4 func=print_pkt_detail line=5519 msg="vd-root:0 received a packet (proto=1, 10.221.1.10:1->192.168.22.130:2048) from lan. type=8, code=0, id=1, seq=699."
id=20085 trace_id=4 func=resolve_ip_tuple_fast line=5599 msg="Find an existing session, id-0000065e, original direction"
id=20085 trace_id=4 func=npu_handle_session44 line=1129 msg="Trying to offloading session from lan to IPSEC_A, skb.npu_flag=00000400 ses.state=00010200 ses.npu_state=0x03040000"
id=20085 trace_id=4 func=ip_session_install_npu_session line=352 msg="npu session installation succeeded"
id=20085 trace_id=4 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-IPSEC_A"
id=20085 trace_id=4 func=esp_output4 line=897 msg="IPsec encrypt/auth"
id=20085 trace_id=4 func=ipsec_output_finish line=532 msg="send to 10.109.16.100 via intf-wan1"
id=20085 trace_id=5 func=print_pkt_detail line=5519 msg="vd-root:0 received a packet (proto=1, 192.168.22.130:1->10.221.1.10:0) from IPSEC_A. type=0, code=0, id=1, seq=699."

Debug flow when ICMP ping from 10.220.1.10 to 192.168.220.130:

FG100E-2 (global) # id=20085 trace_id=9 func=print_pkt_detail line=5519 msg="vd-root:0 received a packet (proto=1, 10.221.1.10:1->192.168.220.130:2048) from lan. type=8, code=0, id=1, seq=714."
id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5599 msg="Find an existing session, id-00000904, original direction"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-20.20.20.2 via root-INT0"
id=20085 trace_id=10 func=print_pkt_detail line=5519 msg="vd-INT-NAT:0 received a packet (proto=1, 10.221.1.10:1->192.168.220.130:2048) from root-INT1. type=8, code=0, id=1, seq=714."
id=20085 trace_id=10 func=resolve_ip_tuple_fast line=5599 msg="Find an existing session, id-00000905, original direction"
id=20085 trace_id=10 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=10 func=ip_session_run_all_tuple line=6777 msg="DNAT 192.168.220.130:8->192.168.22.130:1"
id=20085 trace_id=11 func=print_pkt_detail line=5519 msg="vd-root:10 received a packet (proto=1, 10.221.1.10:1->192.168.22.130:2048) from INT-root0. type=8, code=0, id=1, seq=714."
id=20085 trace_id=11 func=resolve_ip_tuple_fast line=5599 msg="Find an existing session, id-00000906, original direction"
id=20085 trace_id=11 func=vf_ip_route_input_common line=2591 msg="find a route: flag=00000000 gw-192.168.22.130 via IPSEC_B"
id=20085 trace_id=11 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-IPSEC_B"
id=20085 trace_id=11 func=esp_output4 line=897 msg="IPsec encrypt/auth"
id=20085 trace_id=11 func=ipsec_output_finish line=532 msg="send to 10.109.16.174 via intf-wan1"
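The routing table above is what makes the two overlapping tunnels coexist: the same destination prefix 192.168.22.0/24 resolves to IPSEC_A in VRF 0 and to IPSEC_B in VRF 10, and VRF 10 carries no default route, so only the selector subnets are reachable there. The following Python script is an added example, not code from the article or from Fortinet: it parses the "get router info routing-table all" output into per-VRF tables and performs a longest-prefix match strictly within one VRF. The embedded sample is the article's routing table copied in as constructed input (its anonymized a.b.c.d and z.z.z.z entries kept as printed); the Route fields and function names are the script's own.

```python
"""Per-VRF longest-prefix match over FortiOS 'get router info routing-table all' output.

Added example, not code from the Fortinet article. The sample below is the article's
VDOM "root" routing table, with its anonymized entries kept as printed.
"""
import ipaddress
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# Constructed sample: the article's routing table for VDOM "root".
ROUTING_TABLE = """\
Routing table for VRF=0
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       * - candidate default
S*      0.0.0.0/0 [10/0] via z.z.z.z, wan1
C       a.b.c.d/20 is directly connected, wan1
C       10.221.1.0/24 is directly connected, lan
C       20.20.20.0/24 is directly connected, root-INT0
S       192.168.22.0/24 [10/0] is directly connected, IPSEC_A
S       192.168.220.0/24 [10/0] via 20.20.20.2, root-INT0
Routing table for VRF=10
S       10.221.1.0/24 [10/0] via 30.30.30.2, INT-root0
C       30.30.30.0/24 is directly connected, INT-root0
S       192.168.22.0/24 [10/0] is directly connected, IPSEC_B
"""

VRF_HEADER = re.compile(r"^Routing table for VRF=(\d+)")
# code, prefix, optional [distance/metric], then either "via <gw>," or
# "is directly connected,", then the egress device.
ROUTE_LINE = re.compile(
    r"^(?P<code>[A-Z]\*?)\s+(?P<prefix>\S+)\s+(?:\[\d+/\d+\]\s+)?"
    r"(?:via\s+(?P<gw>\S+),|is directly connected,)\s+(?P<dev>\S+)$"
)


class Route(NamedTuple):
    vrf: int
    code: str
    prefix: ipaddress.IPv4Network
    gateway: Optional[str]      # kept as text: the article anonymizes it as z.z.z.z
    device: str


def parse_routing_table(text: str) -> dict:
    """Return {vrf_id: [Route, ...]}. Legend lines and unparsable prefixes are skipped."""
    tables = defaultdict(list)
    vrf = None
    for line in text.splitlines():
        header = VRF_HEADER.match(line)
        if header:
            vrf = int(header.group(1))
            continue
        m = ROUTE_LINE.match(line.strip())
        if not m or vrf is None:
            continue                            # "Codes:" legend, blank lines
        try:
            prefix = ipaddress.ip_network(m["prefix"], strict=False)
        except ValueError:
            continue                            # anonymized "a.b.c.d/20" in the article
        tables[vrf].append(Route(vrf, m["code"], prefix, m["gw"], m["dev"]))
    return dict(tables)


def lookup(tables: dict, vrf: int, dst: str) -> Optional[Route]:
    """Longest-prefix match inside one VRF only: no fallback to VRF 0, as on the firewall."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in tables.get(vrf, []):
        if addr in route.prefix and (best is None or route.prefix.prefixlen > best.prefix.prefixlen):
            best = route
    return best


def overlapping_prefixes(tables: dict) -> dict:
    """Prefixes installed in more than one VRF, i.e. the duplicated Phase 2 selectors."""
    seen = defaultdict(set)
    for vrf, routes in tables.items():
        for route in routes:
            seen[str(route.prefix)].add(vrf)
    return {p: sorted(v) for p, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    tables = parse_routing_table(ROUTING_TABLE)
    for vrf in sorted(tables):
        hit = lookup(tables, vrf, "192.168.22.130")
        print(f"VRF {vrf}: 192.168.22.130 -> {hit.device if hit else 'no route'}")
    print("prefixes present in several VRFs:", overlapping_prefixes(tables))
```

Running it prints IPSEC_A for VRF 0 and IPSEC_B for VRF 10. The useful check for a change review is the last function: every prefix it reports exists in two routing domains, so a policy or route that accidentally moves an interface between VRFs changes which tunnel that prefix reaches without any error being logged.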
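The second debug flow is the evidence that the design works: the packet enters VDOM root in VRF 0, crosses to VDOM INT-NAT where the VIP rewrites 192.168.220.130 to 192.168.22.130, re-enters VDOM root in VRF 10 and leaves through IPSEC_B rather than IPSEC_A. The following Python parser is an added example, not part of the article or Fortinet's tooling; it turns the trace lines into one hop per trace_id so the path can be checked mechanically. The sample is the article's second trace embedded as constructed input, including the "FG100E-2 (global) #" prompt echo that precedes its first line; the Hop fields and function names are the script's own.

```python
"""Reconstruct a packet's path through VDOMs and VRFs from FortiOS 'diagnose debug flow' output.

Added example, not code from the Fortinet article. The sample below is the article's
second trace (ping 10.221.1.10 -> 192.168.220.130) as constructed input.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEBUG_FLOW = """\
FG100E-2 (global) # id=20085 trace_id=9 func=print_pkt_detail line=5519 msg="vd-root:0 received a packet (proto=1, 10.221.1.10:1->192.168.220.130:2048) from lan. type=8, code=0, id=1, seq=714."
id=20085 trace_id=9 func=resolve_ip_tuple_fast line=5599 msg="Find an existing session, id-00000904, original direction"
id=20085 trace_id=9 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-20.20.20.2 via root-INT0"
id=20085 trace_id=10 func=print_pkt_detail line=5519 msg="vd-INT-NAT:0 received a packet (proto=1, 10.221.1.10:1->192.168.220.130:2048) from root-INT1. type=8, code=0, id=1, seq=714."
id=20085 trace_id=10 func=resolve_ip_tuple_fast line=5599 msg="Find an existing session, id-00000905, original direction"
id=20085 trace_id=10 func=ipv4_fast_cb line=53 msg="enter fast path"
id=20085 trace_id=10 func=ip_session_run_all_tuple line=6777 msg="DNAT 192.168.220.130:8->192.168.22.130:1"
id=20085 trace_id=11 func=print_pkt_detail line=5519 msg="vd-root:10 received a packet (proto=1, 10.221.1.10:1->192.168.22.130:2048) from INT-root0. type=8, code=0, id=1, seq=714."
id=20085 trace_id=11 func=resolve_ip_tuple_fast line=5599 msg="Find an existing session, id-00000906, original direction"
id=20085 trace_id=11 func=vf_ip_route_input_common line=2591 msg="find a route: flag=00000000 gw-192.168.22.130 via IPSEC_B"
id=20085 trace_id=11 func=ipsecdev_hard_start_xmit line=692 msg="enter IPsec interface-IPSEC_B"
id=20085 trace_id=11 func=esp_output4 line=897 msg="IPsec encrypt/auth"
id=20085 trace_id=11 func=ipsec_output_finish line=532 msg="send to 10.109.16.174 via intf-wan1"
"""

# Each trace_id is one VDOM/VRF context the packet is processed in.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\w+) line=\d+ msg="(?P<msg>.*)"\s*$')
PKT_RE = re.compile(
    r"vd-(?P<vdom>[\w-]+):(?P<vrf>\d+) received a packet \(proto=\d+, "
    r"(?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\) from (?P<intf>\S+)\."
)
ROUTE_RE = re.compile(r"find a route: flag=\w+ gw-(?P<gw>[\d.]+) via (?P<dev>\S+)")
DNAT_RE = re.compile(r"DNAT (?P<orig>[\d.]+):\d+->(?P<new>[\d.]+):\d+")
IPSEC_RE = re.compile(r"enter IPsec interface-(?P<dev>\S+)")
SEND_RE = re.compile(r"send to (?P<peer>[\d.]+) via intf-(?P<dev>\S+)")


@dataclass
class Hop:
    trace_id: int
    vdom: str
    vrf: int
    ingress: str
    src: str
    dst: str
    gateway: Optional[str] = None
    route_dev: Optional[str] = None
    dnat_to: Optional[str] = None       # new destination after the VIP rewrite
    ipsec_intf: Optional[str] = None    # tunnel interface the packet was encrypted on
    sent_via: Optional[str] = None      # physical interface carrying the ESP packet


def parse_debug_flow(text: str) -> List[Hop]:
    """Group trace lines by trace_id, in first-seen order, into Hop records."""
    hops, order = {}, []
    for raw in text.splitlines():
        m = LINE_RE.search(raw)             # search, not match: tolerates the prompt echo
        if not m:
            continue
        tid, func, msg = int(m["tid"]), m["func"], m["msg"]
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                hops[tid] = Hop(tid, p["vdom"], int(p["vrf"]), p["intf"], p["src"], p["dst"])
                order.append(tid)
            continue
        hop = hops.get(tid)
        if hop is None:
            continue
        r = ROUTE_RE.search(msg)
        if r:
            hop.gateway, hop.route_dev = r["gw"], r["dev"]
        d = DNAT_RE.search(msg)
        if d:
            hop.dnat_to = d["new"]
        i = IPSEC_RE.search(msg)
        if i:
            hop.ipsec_intf = i["dev"]
        s = SEND_RE.search(msg)
        if s:
            hop.sent_via = s["dev"]
    return [hops[t] for t in order]


def contexts(hops: List[Hop]) -> List[Tuple[str, int]]:
    """The (VDOM, VRF) sequence the packet passed through."""
    return [(h.vdom, h.vrf) for h in hops]


def describe_path(hops: List[Hop]) -> str:
    parts = []
    for h in hops:
        s = f"{h.vdom}:vrf{h.vrf} in {h.ingress}"
        if h.dnat_to:
            s += f" DNAT {h.dst}->{h.dnat_to}"
        if h.route_dev:
            s += f" out {h.route_dev}"
        parts.append(s)
    return " -> ".join(parts)


if __name__ == "__main__":
    print(describe_path(parse_debug_flow(DEBUG_FLOW)))
```

The same parser applied to the first trace (ping to 192.168.22.130) yields a single hop in root:vrf0 out IPSEC_A, which is the quickest way to confirm that traffic for the original tunnel was not disturbed by adding the VRF 10 tunnel.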
Copyright 2024 Fortinet, Inc. All Rights Reserved.