Solution for route-based VPN
You need to:
- Configure IPsec Phase 1 and Phase 2 as you usually would for a route-based VPN. In this example, the resulting IPsec interface is named FGT1_to_FGT2.
- Configure virtual IP (VIP) mapping, so that each site's 10.11.101.0/24 network is presented to the other site under its own address range:
  - the 10.21.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_1
  - the 10.31.101.0/24 network mapped to the 10.11.101.0/24 network on FortiGate_2
- Configure an outgoing security policy with ordinary source NAT on both FortiGates.
- Configure an incoming security policy with the VIP as the destination on both FortiGates.
- Configure a route to the remote private network over the IPsec interface on both FortiGates.
To configure VIP mapping on both FortiGates
1. Go to Policy & Objects > Virtual IPs and select Create New.
2. Enter the following information, and select OK:
- Name: Enter a name, for example, my_vip.
- External Interface: Select FGT1_to_FGT2 (the IPsec interface).
- Type: Static NAT
- External IP Address/Range: For the External IP Address field, enter 10.21.101.1 when configuring FortiGate_1, or 10.31.101.1 when configuring FortiGate_2.
- Mapped IP Address/Range: For the Mapped IP Address, enter 10.11.101.1. For the Range, enter 10.11.101.254.
- Port Forwarding: Disable
3. Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the outbound security policy on both FortiGates
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK:
- Incoming Interface: Select Port 1.
- Source Address: Select all.
- Outgoing Interface: Select FGT1_to_FGT2 (the IPsec interface).
- Destination Address: Select all.
- Action: Select ACCEPT.
- Enable NAT: Enable
4. Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the inbound security policy on both FortiGates
1. Go to Policy & Objects > IPv4 Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and then select OK:
- Incoming Interface: Select FGT1_to_FGT2 (the IPsec interface).
- Source Address: Select all.
- Outgoing Interface: Select Port 1.
- Destination Address: Select my_vip.
- Action: Select ACCEPT.
- Enable NAT: Disable
4. Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the static route for both FortiGates
1. Go to Network > Static Routes and select Create New.
2. Enter the following information, and then select OK:
- Destination IP / Mask: Enter 10.31.101.0/24 when configuring FortiGate_1, or 10.21.101.0/24 when configuring FortiGate_2.
- Device: Select FGT1_to_FGT2.
- Gateway: Leave as default: 0.0.0.0.
- Distance (Advanced): Leave at default. If you have advanced routing on your network, you may have to change this value.