fortigate-ipsec-40-mr3
Gateway-to-gateway configurations: How to work with overlapping subnets

Figure 9: Overlapped subnets example
[Diagram labels: PC 1 10.11.101.10; Finance network 10.11.101.0/24 (VIP 10.21.101.0/24); FortiGate_1 with Port 1 and Port 2 (172.16.20.1); FGT1_to_FGT2 VPN tunnel; FortiGate_2 with Port 2 (172.16.30.1)]

Solution for route-based VPN
You need to:
• Configure IPsec Phase 1 and Phase 2 as you usually would for a route-based VPN. In this example, the resulting IPsec interface is named FGT1_to_FGT2.
• Configure virtual IP (VIP) mapping:
  • the 10.21.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_1
  • the 10.31.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_2
• Configure an outgoing security policy with ordinary source NAT on both FortiGates.
• Configure an incoming security policy with the VIP as the destination on both FortiGates.
• Configure a route to the remote private network over the IPsec interface on both FortiGates.
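The addressing plan in the list above can be sanity-checked before either unit is configured. This added example (not from the handbook) takes the subnets shown in Figure 9, checks that each VIP range matches its real subnet in size and collides with nothing, and shows the host-for-host destination translation of a static NAT VIP. The function names and the dict layout are this example's own, and it assumes the VIP maps addresses in order across the range; source NAT on the outgoing policy is not modelled.

```python
import ipaddress

# Subnets from Figure 9 and the VIP mapping list; the dict layout is this example's own.
SITES = {
    "FortiGate_1": {"real": "10.11.101.0/24", "vip": "10.21.101.0/24"},
    "FortiGate_2": {"real": "10.11.101.0/24", "vip": "10.31.101.0/24"},
}

def check_plan(sites):
    """Return a list of problems that would break the VIP scheme (empty list = OK)."""
    problems = []
    nets = {n: (ipaddress.ip_network(s["real"]), ipaddress.ip_network(s["vip"]))
            for n, s in sites.items()}
    names = sorted(nets)
    for name in names:
        real, vip = nets[name]
        if real.num_addresses != vip.num_addresses:
            problems.append(f"{name}: VIP range and real subnet differ in size")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a][1].overlaps(nets[b][1]):
                problems.append(f"{a}/{b}: VIP ranges overlap each other")
        for b in names:
            if nets[a][1].overlaps(nets[b][0]):
                problems.append(f"{a}: VIP range overlaps real subnet of {b}")
    return problems

def vip_to_real(dst, site):
    """Destination translation done by the site's VIP: same host offset, real subnet."""
    real = ipaddress.ip_network(site["real"])
    vip = ipaddress.ip_network(site["vip"])
    addr = ipaddress.ip_address(dst)
    if addr not in vip:
        raise ValueError(f"{dst} is not inside VIP range {vip}")
    return str(real.network_address + (int(addr) - int(vip.network_address)))

def remote_alias(real_host, site):
    """Address a host on the other side must use to reach real_host at this site."""
    real = ipaddress.ip_network(site["real"])
    vip = ipaddress.ip_network(site["vip"])
    addr = ipaddress.ip_address(real_host)
    if addr not in real:
        raise ValueError(f"{real_host} is not inside {real}")
    return str(vip.network_address + (int(addr) - int(real.network_address)))

if __name__ == "__main__":
    print(check_plan(SITES))
    print(remote_alias("10.11.101.10", SITES["FortiGate_2"]))  # what PC 1 dials for PC 2
    print(vip_to_real("10.31.101.10", SITES["FortiGate_2"]))   # what FortiGate_2 delivers to
```

Both PCs keep the same real address, 10.11.101.10; only the alias each side uses for the other differs, which is what keeps the routes over the IPsec interface unambiguous.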
To configure VIP mapping on both FortiGates

1 Go to Firewall Objects > Virtual IP > Virtual IP.
2 Select Create New, enter the following information, and select OK:

Name: Enter a name, for example, my_vip.
External Interface: Select FGT1_to_FGT2, the IPsec interface.
Type: Static NAT
External IP Address/Range: For the external IP address field enter 10.21.101.1 when configuring FortiGate_1, or 10.31.101.1 when configuring FortiGate_2.

[Figure 9 diagram labels, continued: HR network 10.11.101.0/24 (VIP 10.31.101.0/24); Port 1; PC 2 10.11.101.10]

FortiOS Handbook v3: IPsec VPNs
01-434-112804-20120111 77
http://docs.fortinet.com/