Created on 11-28-2022 01:52 AM Edited on 11-28-2022 01:57 AM By Stephen_G
Description
This article explains how to send traffic to a remote server through an IPsec VPN when the Source IP feature is not available for that server type.
Scope
All FortiGate models, all firmware versions.
Solution |
When a local FortiGate sends traffic to a remote server through an IPsec VPN, a source IP address setting is usually available for server types such as LDAP, RADIUS, and DNS servers.
For a remote server type that has no source IP option, such as an FTP server, the local FortiGate shows an error in the CLI when a user attempts to send traffic to it, for example when backing up the configuration file to the server:
# execute backup config ftp config-backup 192.168.1.2 fortinet fortinet
Connect to ftp server 192.168.1.2
In the above example:
- config-backup: the filename of the configuration backup.
- 192.168.1.2: the FTP server IP.
- fortinet: the username.
- fortinet: the password.
To work around this limitation, assign the IPsec VPN tunnel interface a local IP address and a remote IP address:
# config system interface
    edit <IPsec VPN phase1 name>
        set ip 192.168.10.1 255.255.255.255
        set type tunnel
        set remote-ip 192.168.10.2 255.255.255.252
end
The addresses used in the block above are examples; any subnet that does not overlap with the existing configuration can be used.
In this example, FTP traffic uses the tunnel interface IP 192.168.10.1 as its source IP when it is sent through the VPN tunnel.
Create an IPsec VPN phase2 selector with the tunnel interface IP 192.168.10.1 in the local subnet and the FTP server IP 192.168.1.2 in the remote subnet. See the documentation for more information on configuring a phase2 selector.
Additionally, configure firewall policies for the IPsec VPN that allow traffic to and from these subnets.
On the remote FortiGate:
- Configure the tunnel interface with 192.168.10.2/32 as the local IP and 192.168.10.1/30 as the remote IP.
- Configure the tunnel phase2 selector with 192.168.1.2 in the local subnet and 192.168.10.1 in the remote subnet.
- Again, configure a VPN policy for the above phase2 subnets.
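As an added consistency check (not from the article), the following Python script models the two-sided setup above, the tunnel interface ip/remote-ip pair on each FortiGate plus its phase2 selectors, and reports what would break it: a remote-ip that does not point at the peer, a tunnel subnet overlapping existing addressing, selectors that are not mirrored, or no selector carrying the tunnel IP to the FTP server. The dictionary values and the existing-subnet list are constructed samples using the article's example addresses.

```python
import ipaddress

# Constructed example mirroring the article's addresses: each side is the
# tunnel interface (ip, remote-ip) pair plus phase2 (src-subnet, dst-subnet) tuples.
LOCAL_FGT = {
    "ip": "192.168.10.1/32",
    "remote_ip": "192.168.10.2/30",
    "phase2": [("192.168.10.1/32", "192.168.1.2/32")],
}
REMOTE_FGT = {
    "ip": "192.168.10.2/32",
    "remote_ip": "192.168.10.1/30",
    "phase2": [("192.168.1.2/32", "192.168.10.1/32")],
}
EXISTING_LOCAL_SUBNETS = ["10.0.0.0/24", "192.168.1.0/24"]  # constructed sample


def check_tunnel_addressing(local, remote, existing, server_ip):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    l_ip = ipaddress.ip_interface(local["ip"])
    r_ip = ipaddress.ip_interface(remote["ip"])
    l_rem = ipaddress.ip_interface(local["remote_ip"])
    r_rem = ipaddress.ip_interface(remote["remote_ip"])
    # Each side's remote-ip must be the peer's tunnel interface address.
    if l_rem.ip != r_ip.ip:
        problems.append(f"local remote-ip {l_rem.ip} is not the peer ip {r_ip.ip}")
    if r_rem.ip != l_ip.ip:
        problems.append(f"remote remote-ip {r_rem.ip} is not the peer ip {l_ip.ip}")
    # Both tunnel addresses must sit inside the same point-to-point /30.
    p2p = l_rem.network
    if l_ip.ip not in p2p or r_ip.ip not in p2p or p2p != r_rem.network:
        problems.append(f"tunnel addresses do not share the /30 {p2p}")
    # The tunnel subnet must not overlap anything already configured.
    for s in existing:
        if p2p.overlaps(ipaddress.ip_network(s)):
            problems.append(f"tunnel subnet {p2p} overlaps existing {s}")
    # Phase2 selectors must mirror each other (remote's src/dst swapped),
    # otherwise traffic from the tunnel IP matches no phase2 selector.
    l_sel = {(ipaddress.ip_network(s), ipaddress.ip_network(d))
             for s, d in local["phase2"]}
    r_sel = {(ipaddress.ip_network(d), ipaddress.ip_network(s))
             for s, d in remote["phase2"]}
    if l_sel != r_sel:
        problems.append("phase2 selectors are not mirrored between peers")
    # The tunnel interface IP is the source of the FortiGate's own traffic
    # (e.g. the FTP backup), so a local selector must carry it to the server.
    srv = ipaddress.ip_address(server_ip)
    if not any(l_ip.ip in s and srv in d for s, d in l_sel):
        problems.append(f"no selector covers {l_ip.ip} -> {srv}")
    return problems
```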