I understand that route-based tunnels are preferred to policy-based ones.
Can I use an IPsec interface tunnel to build a link to a Cisco 2911 and simply disregard the interface IP addresses?
We will create a tunnel to an external party for remote support and maintenance, see attached diagram. It will be the first such external tunnel. We have been provided with VPN configuration information containing only the proposal, DH group and lifetime for both phase 1 and phase 2, as well as the policy requirements.
Tunnel traffic will be only between server 1 and server 2.
Within our networks we use FGT <> FGT ipsec-interface tunnels widely for OSPF, so I'm very familiar with this configuration.
I hope the following will work:
Create a phase1-interface and phase2-interface with settings that match the Cisco;
Make no changes to the interface itself (i.e. in config sys int).
As far as I remember, Ciscos require an address at the tunnel's end. No problem to stuff that in via the CLI ('local-gw'). The tricky part is the NAT device: will it NAT in both directions, i.e. can the FGT 'see' the real IP of the Cisco? If not, you will have to use peer IDs for authentication (the public WAN address of the peer is part of the authentication in IKE).
@ede: Do you mean local-gw = W (interface of the FGT), or local-gw = Y (the static public IP, and would that work)? For FGT-FGT tunnels we have previously only needed to use local-gw when the interface has secondary-ip enabled, to specify which source IP to use.
We use the above topology for FGT-FGT without any issues, obviously with NAT traversal enabled. The FGT will be able to see the Cisco's real IP. The Cisco will see the connection coming from the public IP "Y".
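To make the plan in the original question and the replies concrete, here is an added FortiOS CLI sketch of the route-based setup the thread describes (this is an illustration written for this page, not configuration posted by any participant or supplied by the external party). All addresses, names, and the proposal/DH group/lifetime values are placeholders and assumptions; substitute the values from the configuration sheet you were given. The tunnel interface is left without an IP, traffic is pinned to server 1 <> server 2 by the phase 2 selectors, a static route sends the server 2 host through the tunnel interface, and the IKE identities are set explicitly so authentication does not depend on the pre-NAT address W, as suggested in the replies.

```text
# Phase 1: parameters must match the Cisco side exactly (placeholders)
config vpn ipsec phase1-interface
    edit "to-vendor"
        set interface "wan1"              # FGT interface with address W (behind NAT)
        set ike-version 1
        set remote-gw 203.0.113.10        # assumed Cisco 2911 public IP
        set proposal aes256-sha256        # from the vendor's sheet
        set dhgrp 14                      # from the vendor's sheet
        set keylife 86400                 # phase 1 lifetime from the vendor's sheet
        set nattraversal enable           # FGT is behind a static NAT to public IP Y
        set localid "fgt-support"         # explicit local IKE ID instead of W
        set peertype one
        set peerid "vendor-2911"          # expected ID presented by the Cisco
        set psksecret "REPLACE-WITH-AGREED-PSK"
    next
end

# Phase 2: restrict the tunnel to server 1 <> server 2 only
config vpn ipsec phase2-interface
    edit "to-vendor-p2"
        set phase1name "to-vendor"
        set proposal aes256-sha256        # from the vendor's sheet
        set pfs enable
        set dhgrp 14                      # from the vendor's sheet
        set keylifeseconds 3600           # phase 2 lifetime from the vendor's sheet
        set src-subnet 10.10.10.1 255.255.255.255    # assumed server 1
        set dst-subnet 192.168.50.20 255.255.255.255 # assumed server 2
    next
end

# No address on the tunnel interface; routing is enough for a point-to-point link
config router static
    edit 0
        set dst 192.168.50.20 255.255.255.255
        set device "to-vendor"
    next
end

# Firewall policies are still needed in both directions (host-to-host only)
config firewall address
    edit "server1"
        set subnet 10.10.10.1 255.255.255.255
    next
    edit "server2"
        set subnet 192.168.50.20 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "server1-to-server2"
        set srcintf "internal"
        set dstintf "to-vendor"
        set srcaddr "server1"
        set dstaddr "server2"
        set action accept
        set schedule "always"
        set service "ALL"                 # narrow to the support ports once known
    next
    edit 0
        set name "server2-to-server1"
        set srcintf "to-vendor"
        set dstintf "internal"
        set srcaddr "server2"
        set dstaddr "server1"
        set action accept
        set schedule "always"
        set service "ALL"                 # narrow to the support ports once known
    next
end
```

Because the FGT's own interface address is W, the NAT device must forward UDP/500 and UDP/4500 from Y to W and translate the FGT's outbound source to Y; the Cisco is then configured with Y as its peer address. Verify with `diagnose vpn ike gateway list` and `diagnose vpn tunnel list` that phase 1 shows the Cisco's real address as the remote gateway and that the phase 2 selectors are the two /32 hosts only.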