Hi, here is the scenario:
there is an IPsec tunnel between two FortiGate firewalls on two different locations.
Site1 has an AD controller
Site2 does not have an AD controller
Clients from site2 can communicate with AD controller on site 1 and vice versa
So far so good everything works like a charm.
Now firewall on site 2 has to make a fabric connection to AD on site 1. But that is where I get confused.
If Site 2 IPsec Remote address should be the IP of the AD controller, what should I choose as the local IP?
In location 1 IPsec, Local IP will be AD controller's IP and remote will be.... remote peers IP? That IP is used as remote IPsec peer IP....
Same for policies... What should the source interface of site 2 be? Or the destination interface for site 1?
And one more thing, when you exec ping from the web CLI, does it ping from the IP address of the machine that you log in to the web GUI from?
If anyone gets into my shoes, know this to solve the issue:
on site1 add IPsec connection "LocalADHostIP >> RemoteIPsecInterfaceIP"
on site2 add IPsec connection "LocalIPsecInterfaceIP >>> RemoteADHostIP"
Go to policies on site 1 and create with settings:
Name: some_name
Incoming Interface: inside
Outgoing Interface: IPsec tunnel
Source: ADHostIP
Destination: RemoteIPsecInterfaceIP
Service: any (or whatever you want)
Nat: Disabled
On site 2:
Name: some_name
Incoming Interface: VLAN Interface to which IPsec interface is assigned
Outgoing Interface: IPsec tunnel
Source: VLAN interface ip (or IPsec interface IP, in my case they are both the same)
destination: RemoteADHostIP
service: any (or whatever you need)
Nat: disabled
Then go to routing on site 1 and make a route for the remote IPsec site IP address and as the gateway interface choose the IPsec interface.
That's it.
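The same policies and route expressed in FortiOS CLI, as an added example that is not part of the original post. Addresses (192.0.2.10 for the AD host, 198.51.100.1 for the site 2 IPsec/VLAN interface) and interface names (inside, vlan10, to-site2, to-site1) are constructed placeholders; the ping lines cover the question about the ping source, since the FortiGate pings from its own egress interface IP unless a source is set.

```text
# ---- Site 1 (AD controller side) ----
config firewall address
    edit "ADHostIP"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "RemoteIPsecInterfaceIP"
        set subnet 198.51.100.1 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "ad-to-site2-fabric"
        set srcintf "inside"          # LAN interface where the AD host lives
        set dstintf "to-site2"        # IPsec tunnel interface
        set srcaddr "ADHostIP"
        set dstaddr "RemoteIPsecInterfaceIP"
        set action accept
        set schedule "always"
        set service "ALL"             # narrow this to the needed ports in production
        set nat disable
    next
end
config router static
    edit 0
        set dst 198.51.100.1 255.255.255.255   # remote IPsec interface host route
        set device "to-site2"                  # gateway interface is the tunnel
    next
end

# ---- Site 2 (no AD controller) ----
config firewall address
    edit "RemoteADHostIP"
        set subnet 192.0.2.10 255.255.255.255
    next
    edit "LocalIPsecInterfaceIP"
        set subnet 198.51.100.1 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "site2-to-ad-fabric"
        set srcintf "vlan10"          # VLAN interface the IPsec interface is assigned to
        set dstintf "to-site1"
        set srcaddr "LocalIPsecInterfaceIP"
        set dstaddr "RemoteADHostIP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Test from site 2 with the interface IP as source (not the admin PC's IP)
execute ping-options source 198.51.100.1
execute ping 192.0.2.10
```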