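# Two-FortiGate lab: an IPsec tunnel between the wan2 interfaces carries
# OSPF (area 0.0.0.1, 10.0.0.0/30 tunnel addresses); a second IPsec tunnel
# with VXLAN encapsulation runs between the loopbacks 10.1.1.1 and 10.2.2.2
# and is bridged to a LAN port on each box through a software switch.
#
# Review notes (apply to both devices):
# - phase1 "ipsec-fgtX" uses aes128-sha1 with dhgrp 2 (1024-bit MODP) and
#   SHA-1; both are deprecated. Prefer e.g. aes256-sha256 / dhgrp 14 or
#   higher, changed on BOTH ends in the same window so the tunnel re-keys.
# - phase1 "ipsec-vxlan" uses "peertype any" with a static PSK; any peer
#   that knows the PSK can negotiate. Pin the peer (peerid/localid) if the
#   loopbacks are reachable beyond the first tunnel.
# - The all/all/ALL accept policies are lab-scope; narrow srcaddr/dstaddr/
#   service once the required traffic is known.
# - NOTE(review): FGT1 remote-gw 172.20.141.192, FGT1 static route to
#   2.2.2.2, and FGT2 remote-gw 1.1.1.1 do not line up with the wan2
#   addresses 10.0.1.1 / 10.0.2.1 shown below — presumably edited for the
#   example; confirm the real peer addresses before use.
# - NOTE(review): "pfx-distribute-list-in" and "acl-ospf-redist-connected"
#   are defined but not referenced by the "config router ospf" block shown
#   (no distribute-list-in / redistribute connected) — presumably applied
#   elsewhere; confirm.

########
# FGT1 #
########
config vpn ipsec phase1-interface
    edit "ipsec-fgt2"
        set interface "wan2"
        set localid "fgt1-fgt2"
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw 172.20.141.192
        # Was "set psksecret" with no value (rejected by the CLI, tunnel
        # cannot come up). Must equal FGT2's "ipsec-fgt1" psksecret.
        set psksecret password1
    next
end
config vpn ipsec phase2-interface
    edit "ipsec-fgt2-p2"
        set phase1name "ipsec-fgt2"
        set proposal aes128-sha1
        set dhgrp 2
    next
end
config system interface
    edit "wan2"
        set vdom "root"
        set ip 10.0.1.1 255.255.255.252
    next
    edit "internal2"
        set vdom "root"
    next
    # Tunnel interface created by phase1 "ipsec-fgt2"; /32 addresses on
    # both ends give OSPF a point-to-point link (10.0.0.1 <-> 10.0.0.2).
    edit "ipsec-fgt2"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.0.0.2 255.255.255.255
        set interface "wan2"
    next
    # Loopback used as the local VXLAN/IPsec endpoint; advertised to the
    # peer over OSPF so the inner tunnel can be routed through the outer one.
    edit "vxlan-loopback"
        set vdom "root"
        set ip 10.1.1.1 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end
config firewall policy
    # Loopback <-> outer tunnel, both directions, so the VXLAN tunnel's
    # IKE/ESP between 10.1.1.1 and 10.2.2.2 is allowed across the OSPF link.
    edit 0
        set srcintf "vxlan-loopback"
        set dstintf "ipsec-fgt2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "ipsec-fgt2"
        set dstintf "vxlan-loopback"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    # Host route for the outer-tunnel peer via the wan2 next hop.
    edit 0
        set dst 2.2.2.2 255.255.255.255
        set gateway 10.0.1.2
        set device "wan2"
    next
end
config router prefix-list
    # Matches the peer's loopback (intended for an OSPF distribute-list-in).
    edit "pfx-distribute-list-in"
        config rule
            edit 0
                set prefix 10.2.2.2 255.255.255.255
                unset ge
                unset le
            next
        end
    next
end
config router access-list
    # Matches the local loopback (intended for OSPF redistribute connected).
    edit "acl-ospf-redist-connected"
        config rule
            edit 0
                set prefix 10.1.1.1 255.255.255.255
                set exact-match disable
            next
        end
    next
end
config router ospf
    config ospf-interface
        edit "to-fgt2"
            set interface "ipsec-fgt2"
            set cost 15
            # mtu-ignore: the two ends may report different tunnel MTUs.
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 0
            set prefix 10.0.0.0 255.255.255.252
            set area 0.0.0.1
        next
    end
end
# Inner tunnel: IPsec with VXLAN encapsulation between the loopbacks.
config vpn ipsec phase1-interface
    edit "ipsec-vxlan"
        set interface "vxlan-loopback"
        set peertype any
        set proposal aes256-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 10.1.1.1
        set encap-remote-gw4 10.2.2.2
        set remote-gw 10.2.2.2
        set psksecret password2
    next
end
config vpn ipsec phase2-interface
    edit "ipsec-vxlan-ph2"
        set phase1name "ipsec-vxlan"
        set proposal aes256-sha1
    next
end
# Software switch bridging the LAN port with the VXLAN tunnel (L2 extension).
config system switch-interface
    edit "vxlan-switch"
        set vdom "root"
        set member "internal2" "ipsec-vxlan"
    next
end
config system interface
    edit "ipsec-vxlan"
        set vdom "root"
        set type tunnel
        set interface "vxlan-loopback"
    next
    edit "vxlan-switch"
        set vdom "root"
        set type switch
    next
end

########
# FGT2 #
########
config vpn ipsec phase1-interface
    edit "ipsec-fgt1"
        set interface "wan2"
        set localid "fgt2-fgt1"
        set dhgrp 2
        set proposal aes128-sha1
        set remote-gw 1.1.1.1
        # Must equal FGT1's "ipsec-fgt2" psksecret.
        set psksecret password1
    next
end
config vpn ipsec phase2-interface
    edit "ipsec-fgt1-p2"
        set phase1name "ipsec-fgt1"
        set proposal aes128-sha1
        set dhgrp 2
    next
end
config system interface
    edit "wan2"
        set vdom "root"
        set ip 10.0.2.1 255.255.255.252
    next
    edit "internal4"
        set vdom "root"
    next
    # Tunnel interface created by phase1 "ipsec-fgt1" (10.0.0.2 <-> 10.0.0.1).
    edit "ipsec-fgt1"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.255
        set allowaccess ping
        set type tunnel
        set remote-ip 10.0.0.1 255.255.255.255
        set interface "wan2"
    next
    # Local VXLAN/IPsec endpoint, mirror of FGT1's 10.1.1.1.
    edit "vxlan-loopback"
        set vdom "root"
        set ip 10.2.2.2 255.255.255.255
        set allowaccess ping
        set type loopback
    next
end
config firewall policy
    # Loopback <-> outer tunnel, both directions (see FGT1 policies).
    edit 0
        set srcintf "vxlan-loopback"
        set dstintf "ipsec-fgt1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "ipsec-fgt1"
        set dstintf "vxlan-loopback"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    # Host route for the outer-tunnel peer via the wan2 next hop.
    edit 0
        set dst 1.1.1.1 255.255.255.255
        set gateway 10.0.2.2
        set device "wan2"
    next
end
config router prefix-list
    # Matches the peer's loopback (intended for an OSPF distribute-list-in).
    edit "pfx-distribute-list-in"
        config rule
            edit 0
                set prefix 10.1.1.1 255.255.255.255
                unset ge
                unset le
            next
        end
    next
end
config router access-list
    # Matches the local loopback (intended for OSPF redistribute connected).
    edit "acl-ospf-redist-connected"
        config rule
            edit 0
                set prefix 10.2.2.2 255.255.255.255
                set exact-match disable
            next
        end
    next
end
config router ospf
    config ospf-interface
        edit "to-fgt1"
            set interface "ipsec-fgt1"
            set cost 15
            # mtu-ignore: the two ends may report different tunnel MTUs.
            set mtu-ignore enable
            set network-type point-to-point
        next
    end
    config network
        edit 0
            set prefix 10.0.0.0 255.255.255.252
            set area 0.0.0.1
        next
    end
end
# Inner tunnel: IPsec with VXLAN encapsulation between the loopbacks.
config vpn ipsec phase1-interface
    edit "ipsec-vxlan"
        set interface "vxlan-loopback"
        set peertype any
        set proposal aes256-sha1
        set encapsulation vxlan
        set encapsulation-address ipv4
        set encap-local-gw4 10.2.2.2
        set encap-remote-gw4 10.1.1.1
        set remote-gw 10.1.1.1
        set psksecret password2
    next
end
config vpn ipsec phase2-interface
    edit "ipsec-vxlan-ph2"
        set phase1name "ipsec-vxlan"
        set proposal aes256-sha1
    next
end
# Software switch bridging the LAN port with the VXLAN tunnel (L2 extension).
config system switch-interface
    edit "vxlan-switch"
        set vdom "root"
        set member "internal4" "ipsec-vxlan"
    next
end
config system interface
    edit "ipsec-vxlan"
        set vdom "root"
        set type tunnel
        set interface "vxlan-loopback"
    next
    edit "vxlan-switch"
        set vdom "root"
        set type switch
    next
end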