Tecnologie
New Contributor

Vpn IpSec for LAN and DMZ

Hi, I have a 110C. I created a "classic" IPsec VPN to connect to a server in the "LAN". But I want to use this VPN to connect to a server in the DMZ, is it possible? I hope!! Thanks Mirko
rwpatterson
Valued Contributor III

Classic meaning 'ENCRYPT' mode? (Also known as 'policy' mode)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Tecnologie
New Contributor

Yes, policy-based VPN (only 1 policy). Thanks!!!
rwpatterson
Valued Contributor III

Should be no issue. On both sides:
  • Create an additional phase 2 that covers the new subnet(s) (unless you left it wide open with all zeros....not the best plan)
  • Create the address entity for the new subnet(s) and place it (them) into a policy(s)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Tecnologie

Wonderful, thanks! You are more efficient than support!!!! But I want to understand.. LAN [10.98.0.0/16], DMZ [192.168.168.0/24]; attached are the IP configuration of FortiClient and my phase2. I should create another phase2 and.. sorry, I did not understand?
rwpatterson
Valued Contributor III

Ah, you are referring to FortiClient. I was under the assumption you were using an IPsec tunnel between units. I will have to defer this to someone that actually uses FortiClient. I don't. I think you would just need to add both subnets to the FortiClient software, and create the policies in the firewall. That's a guess though.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
ede_pfau
SuperUser

And the right guess, too! In FortiClient, click 'Advanced'. On the panel that opens you can add more subnets 'behind the tunnel'. That's all you have to do on the client's side. On the FortiGate, create a second phase2 and put the correct subnets into the Quick Mode Selectors (I see that you use all zeros - edit that). Create a new policy right below the existing VPN policy and specify the new phase2 there. Honestly, you could make your life a LOT easier if you used interface-based VPNs. Then, the phase2 tunnels are just virtual interfaces, like WAN2 or an SSID. You wouldn't have to think about what the policies would look like. But it's feasible with policy-based VPNs as well.
Ede Kernel panic: Aiee, killing interrupt handler!
Tecnologie

Thanks everybody!! This is what I did:
I - in FortiClient -> Advanced -> Acquire virtual IP, I inserted 192.168.168.14
II - in FortiGate, I created a new Phase2 (its Phase1 is the same as the first, MobileW1) with quick mode source -> 10.98.0.0 | destination -> 192.168.168.0
III - and? What policy do I create? I have only 1 policy LAN -> WAN1 [encrypt -> MobileW1]... Thanks very very much!!
Tecnologie

Hi Ede, thank you very much for your help. I reply to this post because I wanted to "make your life a LOT easier".. so I created an interface-based VPN.. but I followed the guide (create a specific IP for the VPN tunnel, enable DHCP etc.) and the tunnel connects (FCL-FGT), but I can't reach a PC in the LAN. I can reach a LAN PC only if I configure in FortiClient the same IP mask. If you have any advice.. thank you very much!! Mirko
ede_pfau
SuperUser

Create just another policy, action=ENCRYPT, with the common phase1 and the new phase2. Like a copy of the existing one, with a different phase2. Watch out for the position: ENCRYPT policies to the top!
Ede Kernel panic: Aiee, killing interrupt handler!
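As an added illustration of the FortiGate-side steps the replies above describe (a second phase 2 under the same phase 1 with the quick mode selectors narrowed instead of all zeros, plus a second ENCRYPT policy kept above the plain ACCEPT policies), here is the equivalent CLI configuration; it is not from this thread or from Fortinet. The phase 1 name MobileW1 and the subnets 10.98.0.0/16 and 192.168.168.0/24 come from the thread; the interface names, the FortiClient address pool 10.99.0.0/24, the object names and the policy IDs are assumptions to be replaced with your own.

```fortios
# Added example, not from the thread. Assumed: phase1 "MobileW1" already
# exists, the interfaces are named "dmz" and "wan1", policy 1 is the existing
# LAN -> WAN1 ENCRYPT policy and policy 10 is a plain outbound ACCEPT policy.
# The client pool 10.99.0.0/24 is an assumption; use the range your
# FortiClient users actually acquire.

# Address objects for the DMZ subnet (from the thread) and the client pool
config firewall address
    edit "DMZ-net"
        set subnet 192.168.168.0 255.255.255.0
    next
    edit "VPN-clients"
        set subnet 10.99.0.0 255.255.255.0
    next
end

# Second phase 2 under the same phase 1. The selectors name only the DMZ
# and the client range, so the SA cannot be used to reach anything else
# (an all-zeros selector would let the tunnel carry traffic to any host).
config vpn ipsec phase2
    edit "MobileW1-DMZ"
        set phase1name "MobileW1"
        set src-subnet 192.168.168.0 255.255.255.0
        set dst-subnet 10.99.0.0 255.255.255.0
    next
end

# Second ENCRYPT policy (the CLI action is "ipsec"); it mirrors the existing
# LAN policy but pairs dmz with the DMZ address object. In policy mode the
# policy references the phase 1 and the phase 2 is chosen by selector match.
config firewall policy
    edit 2
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "DMZ-net"
        set dstaddr "VPN-clients"
        set action ipsec
        set vpntunnel "MobileW1"
        set inbound enable
        set outbound enable
        set schedule "always"
        set service "ANY"
    next
    # ENCRYPT policies must sit above any plain ACCEPT policy on the same
    # interface pair, otherwise that policy matches first and traffic leaves
    # in the clear (assumed policy 10 is such an ACCEPT policy).
    move 2 before 10
end
```

After applying it, check that the new phase 2 comes up and that a client actually negotiates the narrowed selector rather than the old all-zeros one; if the old selector is still matched, the DMZ traffic will be dropped or routed outside the tunnel.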