1) Create the inter-VDOM links globally (under config global) on both VDOMs.

config global
config system interface
    edit "VDOM-link0"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.252
        set type vdom-link
        set snmp-index 14
    next
    edit "VDOM-link1"
        set vdom "VDOM1"
        set ip 10.0.0.2 255.255.255.252
        set type vdom-link
        set snmp-index 15
    next
end
end

2) On VDOM1, configure an IPsec tunnel over the "VDOM-link1" interface.

config vpn ipsec phase1-interface
    edit "VPN-FGT-A"
        set interface "VDOM-link1"
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 172.16.1.1
    next
end
config vpn ipsec phase2-interface
    edit "VPN-FGT-A"
        set phase1name "VPN-FGT-A"
        set proposal aes256-sha1
        set dhgrp 5
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end

Static routing:

config router static
    edit 1
        set device "VPN-FGT-A"
        set dstaddr "192.168.10.0-24"
    next
    edit 2
        set distance 254
        set blackhole enable
        set dstaddr "192.168.10.0-24"
    next
end

Firewall policies:

config firewall policy
    edit 1
        set name "vpn_VPN-FGT_local"
        set srcintf "internal"
        set dstintf "VPN-FGT-A"
        set srcaddr "10.10.1.0-24"
        set dstaddr "192.168.10.0-24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "vpn_VPN-FGT_remote"
        set srcintf "VPN-FGT-A"
        set dstintf "internal"
        set srcaddr "192.168.10.0-24"
        set dstaddr "10.10.1.0-24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

3) On the root VDOM, configure an outgoing NAT policy from src: VDOM-link0 ---> dst: WAN interface, with fixedport enabled to preserve the IKE source ports (UDP 500/4500).

config firewall policy
    edit 1
        set name "outgoing"
        set srcintf "VDOM-link0"
        set dstintf "wan1"
        set srcaddr "10.0.0.2-IP"
        set dstaddr "172.16.1.1-IP"
        set action accept
        set schedule "always"
        set service "IKE"
        set fixedport enable
        set nat enable
    next
end

4) Configure an incoming policy with the VIP as destination address, from src: WAN interface ---> dst: VDOM-link0.

config firewall vip
    edit "VIP-10.0.0.2"
        set extip 172.16.1.1
        set extintf "wan1"
        set mappedip "10.0.0.2"
    next
end
config firewall policy
    edit 2
        set name "incoming"
        set uuid 17e0cd48-bdf3-51e9-1ff5-3f7995b1c6d7
        set srcintf "wan1"
        set dstintf "VDOM-link0"
        set srcaddr "172.16.1.1-IP"
        set dstaddr "VIP-10.0.0.2"
        set action accept
        set schedule "always"
        set service "IKE"
    next
end
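As an added example (not part of the Fortinet article), the following Python linter parses a FortiOS-style CLI snippet and checks the root-VDOM pieces this design depends on: the outgoing VDOM-link0 to wan1 policy has both nat and fixedport enabled, and the incoming policy's destination is a VIP whose mappedip is the VDOM-link1 address. The embedded sample is constructed from the objects above, and the parser handles flat config/edit/set blocks only (it is an assumption that a `show` dump of these tables is pasted in that form).

```python
# Added example, not from the Fortinet article: parse a FortiOS CLI snippet and lint
# the root-VDOM NAT objects that the IKE/NAT-T path through the inter-VDOM link needs.
def parse_fortios(text):
    """Parse flat 'config / edit / set / next / end' text into {table: {entry: {key: value}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table = tables.setdefault(line[7:].strip(), {})
        elif line.startswith("edit ") and table is not None:
            entry = table.setdefault(line[5:].strip().strip('"'), {})
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[4:].partition(" ")
            entry[key] = value.strip().strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            table = entry = None
    return tables

def check_nat_path(cfg, link_ip, link_if="VDOM-link0", wan_if="wan1"):
    """Return a list of findings; an empty list means the IKE NAT path is consistent."""
    findings, vips = [], cfg.get("firewall vip", {})
    pols = list(cfg.get("firewall policy", {}).values())
    out = [p for p in pols if (p.get("srcintf"), p.get("dstintf")) == (link_if, wan_if)]
    inc = [p for p in pols if (p.get("srcintf"), p.get("dstintf")) == (wan_if, link_if)]
    if not out:
        findings.append(f"no outgoing policy {link_if} -> {wan_if}")
    if not inc:
        findings.append(f"no incoming policy {wan_if} -> {link_if}")
    for p in out:  # source NAT must keep the UDP 500/4500 source ports, hence fixedport
        for key in ("nat", "fixedport"):
            if p.get(key) != "enable":
                findings.append(f"policy {p.get('name')}: {key} must be enabled")
    for p in inc:  # destination must be a VIP that maps back to the VDOM-link1 address
        vip = vips.get(p.get("dstaddr", ""))
        if vip is None:
            findings.append(f"policy {p.get('name')}: dstaddr must be a VIP object")
        elif vip.get("mappedip") != link_ip:
            findings.append(f"VIP {p['dstaddr']}: mappedip {vip.get('mappedip')} != {link_ip}")
    return findings
# Constructed sample mirroring the article's root-VDOM objects (not a real device dump).
SAMPLE = "\n".join([
    'config firewall vip', 'edit "VIP-10.0.0.2"', 'set extip 172.16.1.1', 'set extintf "wan1"',
    'set mappedip "10.0.0.2"', 'next', 'end', 'config firewall policy', 'edit 1', 'set name "outgoing"',
    'set srcintf "VDOM-link0"', 'set dstintf "wan1"', 'set service "IKE"', 'set fixedport enable',
    'set nat enable', 'next', 'edit 2', 'set name "incoming"', 'set srcintf "wan1"',
    'set dstintf "VDOM-link0"', 'set dstaddr "VIP-10.0.0.2"', 'set service "IKE"', 'next', 'end'])
if __name__ == "__main__":
    print(check_nat_path(parse_fortios(SAMPLE), "10.0.0.2") or "ok")  # expected: ok
```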
Copyright 2023 Fortinet, Inc. All Rights Reserved.