Hi All,
I understand that route based tunnels are preferred to policy based policies.
Can I use an ipsec interface tunnel to biuld a link to a cisco 2911 and merely disregard the interface IP addresses?
We will create a tunnel to an external party for remote support and maintenance, see attached diagram. It will be the first such external tunnel. We have been provided with vpn configuration information containing only proposal, DH group and lifetime for both phase 1 and 2, as well as policy requirements.
Tunnel traffic will be only between server 1 and server 2.
Within our networks we use FGT <> FGT ipsec-interface tunnels widely for ospf so I'm very familiar with this configuration.
I hope the following will work:
Create phase1-interface and phase2-interface with settings to match the cisco;
Make no changes to the interface itself (ie in config sys int);
Add a static route for Z via X;
Add a static route for b.b.b.b via the tunnel;
Create the required policies.
Profit, or relax.
Is this correct? Any tricks to keep in mind?
Thanks in advance
[edit: typo]
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
As far as I remember Ciscos require an address at the tunnel's end. No problem to stuff that in in the CLI ('local-gw'). The tricky part is the NAT device - will it NAT in both directions, i.e. can the FGT 'see' the real IP of the Cisco? If not, you will have to use peer IDs for authentication (the public WAN address of the peer is part of the authentication in IKE).
You don't have to use tunnel interface on Cisco side. Dead peer detection wouldn't work well. We always disable it on FG side.
Thanks for your replies.
@ede: Do you mean local-gw = W (interface of FGT), or local-gw = Y (static public IP, and would that work)? For FGT-FGT tunnels we have previously only needed to use local-gw when the interface has secondary-ip enabled, to specify which source IP to use.
We use the above topology for FGT-FGT without any issues, obviously with nat-traversal enabled. The FGT will be able to see the Cisco real IP. Cisco will see the connection from the public IP "Y"
@Toshi: Thanks, we can disable dpd.
Also you might want to set up IP SLA from Cisco side to keep the tunnel up all the time.
This turned out to be relatively straight forward. For completeness, following settings we don't normally use:
config vpn ipsec phase1-interface
set local-gw W # pretty sure this is not required.
end
config vpn ipsec phase2-interface
set keepalive enable
set auto-negotiate enable
set src-subnet a.a.a.a/32
set dst-subnet b.b.b.b/32
endOther settings (interface, static routes, policies) as planned above.
We left dpd enabled after discussing with remote side.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.