To configure the central site FortiGate unit
1. Add firewall addresses
# set address
set firewall address external remote_dialup_lan subnet 172.20.253.0 255.255.255.240
set firewall address internal corporate_lan subnet 172.20.248.0 255.255.255.0
set firewall address dmz/ha dmz_lan subnet 172.20.255.32 255.255.255.224
2. Configure Phase 1 (note: the proposal below uses 3DES and MD5, which are legacy algorithms, together with aggressive mode and a pre-shared key)
# set vpn ipsec phase1
set vpn ipsec phase1 fg300 type dynamic proposal 3des-sha1 3des-md5 keylife 28800 dhgrp 5 authmethod PSK 'EncwCwHb4XQAV9tiDJPLbpnOi36bdCc/yZAF2C3/djuEbWdRAm2NjefrCBByselNyBxJ8MO8sT9VW9qVC9FIPjj-ysuWZzitoFZw7dsp+r5lVybGqWJn' mode aggressive keepalive 5 dpd enable dpdidleworry 10 dpdretrycount 3 dpdretryinterval 5 dpdidlecleanup 300 peertype one peerid raph xauthtype disable
3. Configure Phase 2
# set vpn ipsec phase2
set vpn ipsec phase2 mytunnel phase1name fg300 proposal 3des-sha1 3des-md5 keylifeseconds 1800 dhgrp 5 replay enable pfs enable keepalive enable concentrator none
4. Configure internal firewall policy
# set firewall policy
set firewall policy srcintf internal dstintf external policyid 1 srcaddr corporate_lan dstaddr remote_dialup_lan schedule Always service ANY action encrypt vpntunnel mytunnel inbound allow outbound allow
5. Configure DMZ firewall policy
# set firewall policy
set firewall policy srcintf dmz/ha dstintf external policyid 3 srcaddr dmz_lan dstaddr remote_dialup_lan schedule Always service ANY action encrypt vpntunnel mytunnel inbound allow outbound allow
To configure the dialup FortiGate unit
1. Add firewall addresses
# set address
set firewall address internal corporate_lan subnet 172.20.253.0 255.255.255.240
set firewall address external remote_internal_la subnet 172.20.248.0 255.255.255.0
set firewall address external remote_dmz_lan subnet 172.20.255.32 255.255.255.224
2. Configure Phase 1
# set vpn ipsec phase1
set vpn ipsec phase1 fg300 type static gw 195.143.97.61 proposal 3des-sha1 3des-md5 keylife 28800 dhgrp 5 authmethod PSK 'Enc SCUcftvuZOEb9htB5HxkYiR7W6AEAQajHlqUNwJPvJvGxz0zelqeupOxAWRejqffdQX7gok3RNrJHHCbFNtTODmd-7qrdahSCauDRALJeE1Zax1M+' mode aggressive keepalive 5 dpd enable dpdidleworry 10 dpdretrycount 3 dpdretryinterval 5 dpdidlecleanup 300 localid raph peertype any xauthtype disable
3. Configure Phase 2
# set vpn ipsec phase2
set vpn ipsec phase2 tunnelToRemoteCorpoLan phase1name fg300 proposal 3des-sha1 3des-md5 keylifeseconds 1800 dhgrp 5 replay enable pfs enable keepalive enable concentrator none
set vpn ipsec phase2 TunnelToDMZLan phase1name fg300 proposal 3des-sha1 3des-md5 keylifeseconds 1800 dhgrp 5 replay enable pfs enable keepalive enable concentrator none
4. Configure firewall policies
# set firewall policy
set firewall policy srcintf internal dstintf external policyid 2 srcaddr corporate_lan dstaddr remote_dmz_lan schedule Always service ANY action encrypt vpntunnel TunnelToDMZLan inbound allow outbound allow
set firewall policy srcintf internal dstintf external policyid 1 srcaddr corporate_lan dstaddr remote_internal_la schedule Always service ANY action encrypt avwebfilter Scan vpntunnel tunnelToRemoteCorpoLan inbound allow outbound allow
# set vpn ipsec phase1
set vpn ipsec phase1 fg300 type static gw 195.143.97.61 proposal 3des-sha1 3des-md5 keylife 28800 dhgrp 5 authmethod PSK 'Enc SCUcftvuZOEb9htB5HxkYiR7W6AEAQajHlqUNwJPvJvGxz0zelqeupOxAWRejqffdQX7gok3RNrJHHCbFNtTODmd7q-rdahSCauDRALJeE1Zax1M+' mode aggressive keepalive 5 dpd enable dpdidleworry 10 dpdretrycount 3 dpdretryinterval 5 dpdidlecleanup 300 localid raph peertype any xauthtype disable
# set vpn ipsec manualkey
# set vpn ipsec phase2
set vpn ipsec phase2 tunnelToRemoteCorpoLan phase1name fg300 proposal 3des-sha1 3des-md5 keylifeseconds 1800 dhgrp 5 replay enable pfs enable keepalive enable concentrator none
set vpn ipsec phase2 TunnelToDMZLan phase1name fg300 proposal 3des-sha1 3des-md5 keylifeseconds 1800 dhgrp 5 replay enable pfs enable keepalive enable concentrator none
# set firewall policy
set firewall policy srcintf internal dstintf external policyid 2 srcaddr corporate_lan dstaddr remote_dmz_lan schedule Always service ANY action encrypt vpntunnel TunnelToDMZLan inbound allow outbound allow
set firewall policy srcintf internal dstintf external policyid 1 srcaddr corporate_lan dstaddr remote_internal_la schedule Always service ANY action encrypt avwebfilter Scan vpntunnel tunnelToRemoteCorpoLan inbound allow outbound allow
|