So we currently have some IPsec tunnels that initiate both on the inside and on the outside using our outside interface.
We want to move this to a loopback instead, so that our ISP is more free to make changes on our outside interface.
We're using an 1800F, version 7.2.9.
I'm struggling to understand if I have to do anything after we have moved the tunnels to the loopback, so that they can be initiated from the inside as well as the outside.
I was thinking: if I put the loopback interface in the same zone as the outside interface and allow intra-zone traffic, is that a good solution that will work?
My other idea would be to create a firewall policy that allows traffic coming from the outside interface going into the loopback, allowing the remote VPN address as source.
If so, is it enough to allow IKE traffic on this rule, or do we need ESP as well?
Thank you!
So if someone else is looking for this, I finally found an article explaining it.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPSec-between-2-FortiGates-using-a-loopbac...
What they are doing is using firewall policies.
What I'm wondering now is: is it customary to use both src and dst interface/address in the same rule?
Example from the guide:
config firewall policy
    edit 2
        set name "Traffic_for_loopback_IPSEC"
        set uuid f5a16342-7b79-51ef-6e44-02c65af6bb78
        # both interfaces appear in both lists, so one policy matches either direction
        set srcintf "loopback_FG1" "port1"
        set dstintf "loopback_FG1" "port1"
        set action accept
        set srcaddr "h-10.10.11.1-32" "h-10.10.9.1-32"
        set dstaddr "h-10.10.9.1-32" "h-10.10.11.1-32"
        set schedule "always"
        # built-in services: IKE = UDP 500 and 4500, ESP = IP protocol 50
        set service "ESP" "IKE"
    next
end
Doesn't this also allow 10.10.11.1-32 to speak to 10.10.11.1-32 as well?
And port1 to speak to port1?
Maybe this isn't an issue, but wouldn't it be better to split them into two separate policies?
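As an added illustration (not from the original post or the linked article), here is the same setup written with the single bidirectional policy split into two one-directional policies, together with the minimal loopback, address-object and phase1 configuration it sits on. The interface and address-object names (loopback_FG1, port1, h-10.10.9.1-32, h-10.10.11.1-32) are taken from the snippet above; the VDOM name, the tunnel name "to_FG2", the phase1 proposal, and policy IDs 3 and 4 are assumptions made for the example.

```text
# Added example, not taken from the post or the KB article. FortiOS 7.2 CLI syntax.
# Loopback that terminates the tunnel. Address taken from the object name above; VDOM "root" is assumed.
config system interface
    edit "loopback_FG1"
        set vdom "root"
        set type loopback
        set ip 10.10.9.1 255.255.255.255
        set allowaccess ping
    next
end

# Host objects for the local loopback and the remote peer (assumed to match the names used above).
config firewall address
    edit "h-10.10.9.1-32"
        set subnet 10.10.9.1 255.255.255.255
    next
    edit "h-10.10.11.1-32"
        set subnet 10.10.11.1 255.255.255.255
    next
end

# Phase 1 bound to the loopback instead of the WAN interface. Tunnel name, peer and proposal are assumptions.
config vpn ipsec phase1-interface
    edit "to_FG2"
        set interface "loopback_FG1"
        set remote-gw 10.10.11.1
        set peertype any
        set proposal aes256-sha256
        set psksecret <shared-secret>
    next
end

# One policy per direction: no port1->port1 or loopback->loopback match is possible any more.
config firewall policy
    # Remote peer arriving on port1 towards the loopback (tunnels the far side initiates, plus ESP).
    edit 3
        set name "IPsec_in_to_loopback"
        set srcintf "port1"
        set dstintf "loopback_FG1"
        set srcaddr "h-10.10.11.1-32"
        set dstaddr "h-10.10.9.1-32"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
    next
    # Loopback out towards port1 (tunnels this side initiates, plus ESP).
    edit 4
        set name "IPsec_out_from_loopback"
        set srcintf "loopback_FG1"
        set dstintf "port1"
        set srcaddr "h-10.10.9.1-32"
        set dstaddr "h-10.10.11.1-32"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
    next
end
```

On the service question: the built-in "IKE" service object matches UDP 500 and 4500, and "ESP" matches IP protocol 50. When NAT traversal is negotiated the ESP payload is carried inside UDP 4500 and is already covered by "IKE"; when there is no NAT in the path the data plane is raw ESP, so keeping both services on the policy covers both cases.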
Copyright 2024 Fortinet, Inc. All Rights Reserved.