When configuring site-to-site VPNs between a FortiGate unit and another vendor's VPN gateway, configure only one subnet per Phase 2 tunnel when the networks are non-contiguous. Although the FortiGate can associate multiple subnets (a.k.a. "proxy IDs") with a single Phase 2 SA, most other vendors do not support this. Also, some vendors will not accept an IP range as a selector/proxy ID, so be sure to define your firewall address as a subnet, not a range.
Example: IPsec VPN between Fortigate and Cisco PIX
- Several subnets are hosted behind the PIX and the FortiGate (e.g. 10.1.1.0/24 and 10.1.2.0/24 behind the FortiGate, and 192.168.1.0/24 and 192.168.2.0/24 behind the PIX).
- Remote subnets (or hosts) are defined on the FortiGate as an Address Group (192.168.1.0/24 and 192.168.2.0/24).
- The crypto access list on the PIX pairs each remote subnet with its local counterpart, one entry per Phase 2 selector:
access-list ipsec_vpn permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list ipsec_vpn permit ip 192.168.2.0 255.255.255.0 10.1.2.0 255.255.255.0
Using the VPN in policy mode on the FortiGate:
- Create two address groups, one containing your local networks and one containing the remote networks.
- Add a policy with your local group as the source, the remote network group as the destination and the action set to IPSEC. Select the corresponding remote firewall from the drop-down list.
- In FortiOS 3.0 you point the firewall policies at a specific remote firewall rather than at a Phase 2 SA. This allows you to define a single policy, and the firewall automatically determines the appropriate SA to use for each subnet pair.
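As an added illustration (not part of the original post or of any Fortinet/Cisco code), the script below builds one Phase 2 selector per subnet pair for the example above, emits the matching PIX crypto ACL, refuses address objects written as ranges unless they collapse to exactly one subnet, and checks that the PIX entries are exact mirrors of the FortiGate selectors. The FortiOS `config vpn ipsec phase2` / `set src-subnet` / `set dst-subnet` keywords are assumed from FortiOS CLI syntax rather than taken from the post.

```python
import ipaddress

def selector_from_object(obj):
    """Map a FortiGate address object to the single subnet a peer expects.
    A range is accepted only if it summarises to exactly one subnet; otherwise
    it cannot be expressed as one proxy ID on the remote gateway."""
    if "-" in obj:
        first, last = (ipaddress.ip_address(x.strip()) for x in obj.split("-", 1))
        nets = list(ipaddress.summarize_address_range(first, last))
        if len(nets) != 1:
            raise ValueError(f"range {obj} spans {len(nets)} subnets; define it as a subnet")
        return nets[0]
    return ipaddress.ip_network(obj, strict=True)  # rejects host bits set, e.g. 10.1.1.5/24

def phase2_selectors(pairs):
    """One (local, remote) subnet pair per Phase 2 SA, as the text recommends."""
    return [(selector_from_object(loc), selector_from_object(rem)) for loc, rem in pairs]

def fortigate_phase2(prefix, selectors):
    """FortiOS CLI fragment (assumed syntax) with one phase2 entry per selector pair."""
    lines = []
    for i, (local, remote) in enumerate(selectors, 1):
        lines += ["config vpn ipsec phase2", f'    edit "{prefix}-{i}"',
                  f"        set src-subnet {local.network_address} {local.netmask}",
                  f"        set dst-subnet {remote.network_address} {remote.netmask}",
                  "    next", "end"]
    return lines

def pix_crypto_acl(acl_name, selectors):
    """Mirror image for the PIX: its source is our remote. PIX ACLs use netmasks,
    not IOS-style wildcard masks, which is the form shown in the post."""
    return [f"access-list {acl_name} permit ip {remote.network_address} {remote.netmask} "
            f"{local.network_address} {local.netmask}" for local, remote in selectors]

def pix_acl_mirrors(acl_lines, selectors):
    """True only if every PIX entry is the exact mirror of a FortiGate selector pair;
    a selector that is wider or narrower on one side will fail Phase 2 negotiation."""
    mirrored = set()
    for line in acl_lines:
        f = line.split()
        src = ipaddress.ip_network(f"{f[4]}/{f[5]}")
        dst = ipaddress.ip_network(f"{f[6]}/{f[7]}")
        mirrored.add((dst, src))
    return mirrored == set(selectors)

# Constructed sample matching the post's example topology.
EXAMPLE_PAIRS = [("10.1.1.0/24", "192.168.1.0/24"), ("10.1.2.0/24", "192.168.2.0/24")]
```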
5 comments:
Thanks for your information... =)
It was very useful for my configuration!!
We have something similar to this setup. Only, instead of one end device (ASA), we have one IP segment going to one device (Cisco 1841) and the other segment to the Cisco ASA 5505. This setup is based on PBR, which it seems the FortiGate has difficulty with. In its place, we have had to create static routes using different gateways. Unfortunately, when trying to ping and/or telnet to the second Phase 2 segment's network, the FortiGate cannot find the policy needed to assess what the activity can or cannot do, even though there is a policy. For this particular situation, there are two static routes to this ASA device with different routing costs. Any ideas?
Sounds like a question for the support forums:
http://support.fortinet.com/forum
Great information. Thanks!
It works in your setup, but you still have to create 2 Phase 2s on the FortiGate if the source interfaces are different,
e.g. Internal and WiFi in my setup.
Your guide gave me some ideas to prepare a complete guide with latest FortiOS and SonicOS, the guide is here, http://www.sysprobs.com/guide-to-setup-vpn-between-sonicwall-and-fortigate-ipsec-site-to-site-vpn