Gateway-to-gateway configurations

Solution for route-based VPN

You need to:

  • Configure IPsec Phase 1 and Phase 2 as you usually would for a route-based VPN. In this example, the resulting IPsec interface is named FGT1_to_FGT2.
  • Configure virtual IP (VIP) mapping:
      • the 10.21.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_1
      • the 10.31.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_2
  • Configure an outgoing security policy with ordinary source NAT on both FortiGates.
  • Configure an incoming security policy with the VIP as the destination on both FortiGates.
  • Configure a route to the remote private network over the IPsec interface on both FortiGates.


To configure VIP mapping on both FortiGates

1. Go to Policy & Objects > Virtual IPs and select Create New.

2. Enter the following information, and select OK:

Name: Enter a name, for example, my_vip.

External Interface: Select FGT1_to_FGT2 (the IPsec interface).

Type: Static NAT

External IP Address/Range: For the External IP Address field enter 10.21.101.1 when configuring FortiGate_1, or 10.31.101.1 when configuring FortiGate_2.

Mapped IP Address/Range: For the Mapped IP Address enter 10.11.101.1. For the Range enter 10.11.101.254.

Port Forwarding: Disable

3. Repeat this procedure on both FortiGate_1 and FortiGate_2.


To configure the outbound security policy on both FortiGates

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.

3. Enter the following information, and select OK:

Incoming Interface: Select Port 1.

Source Address: Select all.

Outgoing Interface: Select FGT1_to_FGT2 (the IPsec interface).

Destination Address: Select all.

Action: Select ACCEPT.

Enable NAT: Enable

4. Repeat this procedure on both FortiGate_1 and FortiGate_2.


To configure the inbound security policy on both FortiGates

1. Go to Policy & Objects > IPv4 Policy and select Create New.

2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.

3. Enter the following information, and then select OK:

Incoming Interface: Select FGT1_to_FGT2 (the IPsec interface).

Source Address: Select all.

Outgoing Interface: Select Port 1.

Destination Address: Select my_vip (the VIP created above).

Action: Select ACCEPT.

Enable NAT: Disable

4. Repeat this procedure on both FortiGate_1 and FortiGate_2.


To configure the static route for both FortiGates

1. Go to Network > Static Routes and select Create New.

2. Enter the following information, and then select OK:


Destination IP / Mask: Enter 10.31.101.0/24 when configuring FortiGate_1. Enter 10.21.101.0/24 when configuring FortiGate_2.

Device: Select FGT1_to_FGT2.

Gateway: Leave as default: 0.0.0.0.

Distance (Advanced): Leave at default. If you have advanced routing on your network, you may have to change this value.



This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
