Source subnets: 172.16.1.0/24 and 192.168.1.0/24, destination subnets: 172.16.99.0/24 and 10.1.1.0/24.
In FortiOS 3.0 up to MR6 the drop-down option no longer exists in the GUI. However you can still pop the hood and get at the internals using the CLI. Here's how:
- In the GUI define the local and remote subnets for the VPN
- Group local and remote subnets into separate address groups (e.g. "encdom-local-remote" and "encdom-remote-local")
- On the CLI
- # config vpn ipsec phase2 (or # config vpn ipsec phase2-interface if you are using interface mode)
- # set src-addr-type name
- # set src-name encdom-local-remote (the address group containing your local subnets)
- # set dst-addr-type name
- # set dst-name encdom-remote-local (the address group containing the remote subnets)
- # end
6 comments:
Hey, just wanted to leave an FYI - if you use addr-type name on src or dst, you have to do it for the other. In other words, you can't have a name on one and a static IP/range/subnet on the other... you need to define a nameset. It will unhelpfully not tell you this until you hit end, at which point it will just bomb out and revert your changes. Lame!
The option 'set src-addr-type name' will let you enter the group name in the VPN domain. But this is not always compatible with the other vendors. Cisco and FGT will not support this option. The tunnel will be UP but the communication will be possible ONLY from the first entity of the group from either end.
Regards,
Niranjana BS
Good point. With VPNs to Cisco I typically end up creating one Phase I and multiple Phase 2 configurations.
If you try to connect an Astaro Sophos gateway with more than one subnet and a FortiGate with more than one subnet, you also have to create separate phase2 configurations for every combination.
It does not work with one phase2 and a source group and a destination group.