Explicit proxy configuration on Site A (output of `show | grep -f "to 3hd"`, which prints every config block that mentions the tunnel name):
Note: the listing below mixes three names for the same tunnel — phase1 is edited as "Site A", phase2 still references `phase1name "to 3hd"`, and the routes and policies use "SiteA". As pasted it will not apply; the wizard-created name was "to 3hd", so use one name consistently. The tunnel-interface addresses 1.1.1.1 and 2.2.2.2 are real public addresses (1.1.1.1 is a live public resolver); prefer RFC 1918 or RFC 5737 addresses outside a lab. The wizard-generated proposals include SHA1 and the policies are any/any/ALL in both directions — tighten both before production use. The `psksecret ENC ...` strings are the device-encrypted form printed by `show` and must be re-entered in cleartext when reproducing on another unit.
# show | grep -f "to 3hd"
# config system interface
edit "Site A"
set vdom "root"
set ip 1.1.1.1 255.255.255.255
set type tunnel
set remote-ip 2.2.2.2 255.255.255.255
set snmp-index 11
set interface "wan1"
next
end
# config vpn ipsec phase1-interface
edit "Site A"
set interface "wan1"
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: to 3hd (Created by VPN wizard)"
set remote-gw 10.109.16.152
set psksecret ENC r79IGx0WLTiDeKmBwu+Y9hsTeIrLpkEoHCfZoAeGPcAI1vfIsP6R16 CWCk/A3Ss4YVkSJ7jpfUKXqYRxDUU5zAwZH03Y1dctRtBvuk/mYGZJJUvD0MoqPeLy+/4BxWThWxkoKc q9mnWy1K00fZ+IlzR0RABWROjJc+WCPWNVKqDNfw43SLelN90xZxLT0UQPPK+3mg==
next
end
# config vpn ipsec phase2-interface
edit "SiteA"
set phase1name "to 3hd"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
# config router static
edit 2
set device "SiteA" <--- no dst is set, so this is a 0.0.0.0/0 route: every packet from this site without a more specific route is sent into the tunnel
next
edit 3
set dst 10.124.0.152 255.255.255.255 <------ this host route to the test server is still required in practice, even though the default route in entry 2 already covers 10.124.0.152
set device "SiteA"
next
end
# config firewall policy
edit 2
set name "vpn_to 3hd_local"
set uuid b8194926-b38e-51e9-1d4a-af7f59728e1f
set srcintf "port1"
set dstintf "SiteA"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set comments "VPN: to 3hd (Created by VPN wizard)"
next
edit 3
set name "vpn_to 3hd_remote"
set uuid b823f786-b38e-51e9-52b8-d3239cb1219e
set srcintf "SiteA"
set dstintf "port1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set comments "VPN: to 3hd (Created by VPN wizard)"
next
Site B:
Note: the dmz interface below has `allowaccess ... ssh http telnet fgfm`, i.e. cleartext HTTP and Telnet administrative access on the same interface that hosts the explicit proxy, and the proxy-policy accepts `srcaddr "all"` to `dstaddr "all"` with no authentication or security profile. Anything that can reach 10.157.0.117:8080 can use the proxy to reach the other site through the tunnel; restrict allowaccess and scope the proxy-policy before using this outside a lab.
# config web-proxy explicit
set status enable
set http-incoming-port 8080
end
# config system interface
edit "dmz"
set vdom "root"
set ip 10.157.0.117 255.255.240.0
set allowaccess ping https ssh http telnet fgfm
set type physical
set explicit-web-proxy enable
set role dmz
set snmp-index 2
next
end
# config firewall proxy-policy
edit 1
set uuid 3a36b1c6-b391-51e9-d13e-1bcdb958bcdf
set proxy explicit-web
set dstintf "SiteA"
set srcaddr "all"
set dstaddr "all"
set service "webproxy"
set action accept
set schedule "always"
next
end
Results (here site A is 3hd and site B is 100d):
# config system interface
edit "to100d"
set vdom "root"
set ip 2.2.2.2 255.255.255.255
set type tunnel
set remote-ip 1.1.1.1 255.255.255.255
set snmp-index 13
set interface "port5"
next
end
# config firewall address
edit "to100d_local_subnet_1"
set uuid da74941c-b38e-51e9-1be3-54f808edc4c7
set allow-routing enable
set subnet 10.124.0.0 255.255.240.0
next
edit "to100d_remote_subnet_1"
set uuid da7c06f2-b38e-51e9-e818-fdead4da1abf
set allow-routing enable
set subnet 10.120.0.0 255.255.240.0
next
end
# config firewall addrgrp
edit "to100d_local"
set uuid da788676-b38e-51e9-6b76-c0618ae98356
set member "to100d_local_subnet_1"
set comment "VPN: to100d (Created by VPN wizard)"
set allow-routing enable
next
edit "to100d_remote"
set uuid da845b2c-b38e-51e9-fd74-f3fc64e40136
set member "to100d_remote_subnet_1"
set comment "VPN: to100d (Created by VPN wizard)"
set allow-routing enable
next
end
# config vpn ipsec phase1-interface
edit "to100d"
set interface "port5"
set peertype any
set net-device enable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: to100d (Created by VPN wizard)"
set remote-gw 10.109.16.117
set psksecret ENC 6JhsdtKif7p2SOfM918CPmTrFM/qDqRlRbgmrn0RqgjTkmONCdf/B6 n6RhAIFfXNB0Pu3oHu3Y9v9qPXu6HoSAi1T7zpbBjU5vaSj9qiFHuyWhBI9bn3HTubFel0HawLohXAS9 2DQV7yuL++C1NztyuoWbY8tbikmsXXtqf6SDhaYoGDJCfmkCfqpA4T0yTtlX0F5g==
next
end
# config vpn ipsec phase2-interface
edit "tunnel-interface"
set phase1name "to100d"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "to-100d"
next
end
# config firewall policy
edit 1
set name "vpn_to100d_local"
set uuid daa4d820-b38e-51e9-80d2-06c0a574d108
set srcintf "port2"
set dstintf "to100d"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set comments "VPN: to100d (Created by VPN wizard)"
next
edit 2
set name "vpn_to100d_remote"
set uuid dab63f52-b38e-51e9-c008-4d22b331f815
set srcintf "to100d"
set dstintf "port2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set fsso disable
set comments "VPN: to100d (Created by VPN wizard)"
next
end
# config router static
edit 2
set dst 1.1.1.1 255.255.255.255 <---- this /32 route only covers traffic to the peer's tunnel address 1.1.1.1; it does not send the remote subnet through the tunnel
set device "to100d"
set comment "VPN: to100d (Created by VPN wizard)"
next
edit 3
set distance 254
set comment "VPN: to100d (Created by VPN wizard)"
set blackhole enable
set dstaddr "to100d_remote"
next
end
Site B:
The two captures below show the same TCP session (client source port 24444 to 10.124.0.152:80) as seen on each end of the tunnel; the first on the "to 3hd" interface, the second on the "to 100d" interface.
# diagnose sniffer packet any "host 10.124.0.152" 4 0 a
interfaces=[any]
filters=[host 10.124.0.152]
2019-08-01 11:26:14.070000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: syn 2119450480
2019-08-01 11:26:14.070000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: syn 4102811922 ack 2119450481
2019-08-01 11:26:14.070000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: ack 4102811923
2019-08-01 11:26:14.070000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: psh 2119450481 ack 4102811923
2019-08-01 11:26:14.070000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: ack 2119450815
2019-08-01 11:26:14.080000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: 4102811923 ack 2119450815
2019-08-01 11:26:14.080000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: ack 4102813309
2019-08-01 11:26:14.080000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: 4102813309 ack 2119450815
2019-08-01 11:26:14.080000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: psh 4102814695 ack 2119450815
2019-08-01 11:26:14.080000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: ack 4102814695
2019-08-01 11:26:14.080000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: ack 4102815787
2019-08-01 11:26:16.070000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: fin 4102815787 ack 2119450815
2019-08-01 11:26:16.080000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: fin 2119450815 ack 4102815788
2019-08-01 11:26:16.080000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: ack 2119450816
# diagnose sniffer packet any "host 1.1.1.1 and not port 53" 4 0 a
interfaces=[any]
filters=[host 1.1.1.1 and not port 53]
2019-08-01 11:26:20.322129 to 100d in 1.1.1.1.24444 -> 10.124.0.152.80: syn 2119450480
2019-08-01 11:26:20.322158 to 100d out 10.124.0.152.80 -> 1.1.1.1.24444: syn 4102811922 ack 2119450481
2019-08-01 11:26:20.322874 to 100d in 1.1.1.1.24444 -> 10.124.0.152.80: ack 4102811923
2019-08-01 11:26:20.322960 to 100d in 1.1.1.1.24444 -> 10.124.0.152.80: psh 2119450481 ack 4102811923