Created on 10-08-2024 08:14 AM
Edited on 10-24-2024 08:49 PM
By Anthony_E
| Description | This article describes how to allow traffic passing from Location A to Location B via FortiGate. |
| Scope | FortiGate. |
| Solution |
Network Topology: Subnet A --------- Firewall A <========= IPsec Tunnel A =======> FortiGate <======== IPsec tunnel B =======> Firewall B-------- Subnet B
In the diagram, Firewall A and Firewall B are third-party firewalls (they could be FortiGates as well) and the only path between them is through the FortiGate in the middle, which terminates both IPsec tunnels. Addressing used throughout this article: Subnet A is 192.168.20.0/24 behind Firewall A, Subnet B is 192.168.30.0/24 behind Firewall B, and the FortiGate's own LAN is 192.168.10.0/24 on port4. For Subnet A to reach Subnet B, each tunnel needs a phase 2 selector that covers the remote subnet on the other tunnel, not just the FortiGate's local LAN, and the same selector pair must exist on the peer firewall at the far end of that tunnel. A phase 2 selector only brings up a child SA for the exact source/destination pair it names, so a tunnel that carries only LAN <-> Subnet A selectors will silently drop Subnet B <-> Subnet A traffic.
On the FortiGate, the configuration to allow traffic between Subnet A and Subnet B looks as follows. The proposal line is the FortiOS default list; the SHA-1 entries can be removed if the peers support the SHA-256 or GCM proposals.
IPsec Phase 2 configuration for IPsec tunnel A (the second entry, "Subnet B", is the one that carries Subnet B <-> Subnet A traffic):
config vpn ipsec phase2-interface
    edit "IPsec A"
        set phase1name "IPsec A"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
    edit "Subnet B"
        set phase1name "IPsec A"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-subnet 192.168.30.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end
IPsec Phase 2 configuration for IPsec tunnel B (the second entry, "Subnet A", is the one that carries Subnet A <-> Subnet B traffic):
config vpn ipsec phase2-interface
    edit "IPsec B"
        set phase1name "IPsec B"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.30.0 255.255.255.0
    next
    edit "Subnet A"
        set phase1name "IPsec B"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 192.168.30.0 255.255.255.0
    next
end
Static routes (each remote subnet is routed into its tunnel interface; the reverse route is also what the FortiGate uses for its reverse-path check on traffic arriving from the other tunnel):
config router static
    edit 2
        set dst 192.168.20.0 255.255.255.0
        set device "IPsec A"
    next
    edit 3
        set dst 192.168.30.0 255.255.255.0
        set device "IPsec B"
    next
end
Firewall policies are needed in three directions: local LAN to each tunnel and back (policies 2 to 5), and tunnel to tunnel in both directions (policies 6 and 7). Without the tunnel-to-tunnel pair, decrypted traffic from tunnel A is dropped by the implicit deny before it can be re-encrypted into tunnel B. Service "ALL" is used here for illustration; restrict it to the required services in production.
config firewall policy
    edit 2
        set name "To SubnetA"
        set uuid 42286614-825c-51ef-7929-d2355c1c415a
        set srcintf "port4"
        set dstintf "IPsec A"
        set action accept
        set srcaddr "192.168.10.0/24"
        set dstaddr "192.168.20.0/24"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 3
        set name "From SubnetA"
        set uuid 453c6f58-825c-51ef-f67b-7f3fb2b84dc4
        set srcintf "IPsec A"
        set dstintf "port4"
        set action accept
        set srcaddr "192.168.20.0/24"
        set dstaddr "192.168.10.0/24"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 4
        set name "From SubnetB"
        set uuid 7c8144d4-825c-51ef-8e15-a94a3fce96ec
        set srcintf "IPsec B"
        set dstintf "port4"
        set action accept
        set srcaddr "192.168.30.0/24"
        set dstaddr "192.168.10.0/24"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments " (Copy of To SubnetA) (Reverse of To SubnetA)"
    next
    edit 5
        set name "To SubnetB"
        set uuid 933dbe96-825c-51ef-2e7b-8fcc2c3eb06f
        set srcintf "port4"
        set dstintf "IPsec B"
        set action accept
        set srcaddr "192.168.10.0/24"
        set dstaddr "192.168.30.0/24"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments " (Copy of To SubnetA) (Reverse of To SubnetA) (Copy of From SubnetB) (Reverse of From SubnetB)"
    next
    edit 6
        set name "From SubnetA to SubnetB"
        set uuid a21c243e-8261-51ef-2743-dea73ce2bd18
        set srcintf "IPsec A"
        set dstintf "IPsec B"
        set action accept
        set srcaddr "192.168.20.0/24"
        set dstaddr "192.168.30.0/24"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 7
        set name "From SubnetB to SubnetA"
        set uuid a48f539e-8261-51ef-3ada-d9fd8b817603
        set srcintf "IPsec B"
        set dstintf "IPsec A"
        set action accept
        set srcaddr "192.168.30.0/24"
        set dstaddr "192.168.20.0/24"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
The same changes must be mirrored on the remote firewalls, otherwise the child SA for the cross-site selector pair is never negotiated: Firewall A needs a phase 2 selector for 192.168.20.0/24 <-> 192.168.30.0/24 on its tunnel to the FortiGate, a route for 192.168.30.0/24 into that tunnel and a matching policy; Firewall B needs the equivalent for 192.168.30.0/24 <-> 192.168.20.0/24. On the FortiGate, 'diagnose vpn tunnel list' shows one SA per selector pair, so a missing entry for a remote subnet on either tunnel points at the side whose selectors still need adding. |
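Before touching the peers it helps to confirm that the hub's own selectors, routes and policies line up for a given flow. The following Python checker is an added example written for this article; it is not Fortinet's code and is not a FortiOS feature. It parses the flattened CLI text exactly as it appears above (the `system interface` entry and the address 192.168.10.1/24 for port4 are assumptions, since the article does not show them; policy address objects are assumed to be named by their CIDR, as they are in the article) and walks one packet through the hub in FortiGate order: reverse route (which fixes the ingress interface and stands in for the RPF check), inbound phase 2 selector, forward route, policy, outbound phase 2 selector. It then shows what breaks when the cross-site "Subnet A" selector is left off tunnel B.

```python
import ipaddress
import shlex

# Constructed sample: the hub configuration from this article, in the same flattened
# form, trimmed to the fields the checker reads. The 'system interface' entry is an
# assumption (the article never shows port4's address); 192.168.10.1/24 is the hub LAN.
HUB_CONFIG = """
config system interface
edit "port4" set ip 192.168.10.1 255.255.255.0 next
end
config vpn ipsec phase2-interface
edit "IPsec A" set phase1name "IPsec A" set src-subnet 192.168.10.0 255.255.255.0 set dst-subnet 192.168.20.0 255.255.255.0 next
edit "Subnet B" set phase1name "IPsec A" set src-subnet 192.168.30.0 255.255.255.0 set dst-subnet 192.168.20.0 255.255.255.0 next
edit "IPsec B" set phase1name "IPsec B" set src-subnet 192.168.10.0 255.255.255.0 set dst-subnet 192.168.30.0 255.255.255.0 next
edit "Subnet A" set phase1name "IPsec B" set src-subnet 192.168.20.0 255.255.255.0 set dst-subnet 192.168.30.0 255.255.255.0 next
end
config router static
edit 2 set dst 192.168.20.0 255.255.255.0 set device "IPsec A" next
edit 3 set dst 192.168.30.0 255.255.255.0 set device "IPsec B" next
end
config firewall policy
edit 2 set srcintf "port4" set dstintf "IPsec A" set action accept set srcaddr "192.168.10.0/24" set dstaddr "192.168.20.0/24" next
edit 6 set srcintf "IPsec A" set dstintf "IPsec B" set action accept set srcaddr "192.168.20.0/24" set dstaddr "192.168.30.0/24" next
edit 7 set srcintf "IPsec B" set dstintf "IPsec A" set action accept set srcaddr "192.168.30.0/24" set dstaddr "192.168.20.0/24" next
end
"""

KEYWORDS = {"config", "edit", "set", "next", "end"}

def parse_fortios(text):
    """Tokenise FortiOS CLI (quoted names stay whole) into {section: [{"name": ..., key: [values]}]}.
    Token-based, so it accepts 'show' output and the article's one-line dumps alike."""
    toks = shlex.split(text)
    sections, section, entry, i = {}, None, None, 0
    while i < len(toks):
        kw, j = toks[i], i + 1
        while j < len(toks) and toks[j] not in KEYWORDS:  # arguments run up to the next keyword
            j += 1
        args, i = toks[i + 1:j], j
        if kw == "config":
            section = " ".join(args)
            sections.setdefault(section, [])
        elif kw == "edit":
            entry = {"name": args[0]}
            sections[section].append(entry)
        elif kw == "set":
            entry[args[0]] = args[1:]
        elif kw == "next":
            entry = None
        elif kw == "end":
            section = None
    return sections

def net(values):
    """FortiOS writes subnets as 'addr mask' or 'addr/len'; address objects are assumed CIDR-named."""
    return ipaddress.ip_network("/".join(values), strict=False)

def check_transit(cfg, src_ip, dst_ip):
    """Return the gaps that would drop one packet at the hub (empty list == it transits).
    Order mirrors FortiGate: reverse route (ingress interface, RPF), inbound selector,
    forward route, policy, outbound selector. Selectors are read from the hub's side:
    src-subnet is local to the hub, dst-subnet sits behind the tunnel peer."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    routes = [(net(r["dst"]), r["device"][0]) for r in cfg.get("router static", [])]
    routes += [(net(i["ip"]), i["name"]) for i in cfg.get("system interface", []) if "ip" in i]
    selectors = {}  # phase1 (tunnel interface) name -> [(local net, remote net), ...]
    for p2 in cfg.get("vpn ipsec phase2-interface", []):
        selectors.setdefault(p2["phase1name"][0], []).append((net(p2["src-subnet"]), net(p2["dst-subnet"])))

    def route(ip):  # longest-prefix match over static plus connected routes
        hits = [(n, dev) for n, dev in routes if ip in n]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def selector_ok(tunnel, local_ip, remote_ip):
        return any(local_ip in loc and remote_ip in rem for loc, rem in selectors.get(tunnel, []))

    gaps, ingress, egress = [], route(src), route(dst)
    if ingress is None:
        gaps.append(f"no route back to {src}; RPF check drops it")
    elif ingress in selectors and not selector_ok(ingress, dst, src):
        gaps.append(f"{ingress}: no phase2 selector with src-subnet covering {dst} and dst-subnet covering {src}")
    if egress is None:
        gaps.append(f"no route to {dst}")
    elif egress in selectors and not selector_ok(egress, src, dst):
        gaps.append(f"{egress}: no phase2 selector with src-subnet covering {src} and dst-subnet covering {dst}")
    if ingress and egress and not any(
            p["srcintf"][0] == ingress and p["dstintf"][0] == egress and p.get("action") == ["accept"]
            and src in net(p["srcaddr"]) and dst in net(p["dstaddr"])
            for p in cfg.get("firewall policy", [])):
        gaps.append(f"no accept policy {ingress} -> {egress} covering {src} -> {dst}")
    return gaps

if __name__ == "__main__":
    hub = parse_fortios(HUB_CONFIG)
    for flow in [("192.168.20.5", "192.168.30.7"), ("192.168.30.7", "192.168.20.5"), ("192.168.10.5", "192.168.20.5")]:
        print(flow, check_transit(hub, *flow) or "ok")
    # The usual mistake: tunnel B only carries the hub LAN <-> Subnet B selector.
    hub["vpn ipsec phase2-interface"] = [p for p in hub["vpn ipsec phase2-interface"] if p["name"] != "Subnet A"]
    print("without 'Subnet A' selector:", check_transit(hub, "192.168.20.5", "192.168.30.7"))
```

The checker only models the hub; the same selector pair still has to exist on the peer, which is why the last line of the article matters. Paste the real output of 'show vpn ipsec phase2-interface', 'show router static' and 'show firewall policy' in place of HUB_CONFIG to run it against a live configuration.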
Copyright 2025 Fortinet, Inc. All Rights Reserved.