Article Id 198136
Description
This article describes how to pass explicit web proxy traffic over an IPsec site-to-site tunnel.
 
    FG(siteA)(10.109.16.117) ====IPSEC==== (10.109.16.152)FG(siteB)

   
    local 10.120.0.0/20< ------------------------>local 10.124.0.0/20

  
    DMZ 10.157.0.0/20: the interface on which the explicit web proxy listener is enabled.

The aim is to forward the proxied traffic from the DMZ to the IPsec tunnel interface so that it can reach hosts in the remote network 10.124.0.0/20.

To achieve this, the tunnel interface needs to have an IP address: the explicit proxy sources its outbound connections from the address of the egress interface, so without a tunnel IP there is nothing to use as the source (in the sniffer output below the source is the tunnel address 1.1.1.1).


Solution
Site A:
# show | grep -f "to 3hd"          <--- shows the full config filtered on the wizard object name "to 3hd"; the stanzas below use "Site A" / "SiteA" for the same tunnel, so the names were edited after capture and do not match each other
# config system interface
    edit "Site A"                  <--- tunnel interface; its name must be identical to the phase1-interface object and to the device/dstintf referenced by the static routes and policies
        set vdom "root"
        set ip 1.1.1.1 255.255.255.255          <--- tunnel endpoint address. This is a public Internet address (a well-known public DNS resolver), so with a default route into the tunnel any traffic for the real 1.1.1.1 is also pulled in - the Site B capture has to exclude port 53 for that reason. Use RFC 1918 or link-local space for tunnel IPs in production
        set type tunnel
        set remote-ip 2.2.2.2 255.255.255.255   <--- peer's tunnel address; same remark applies
        set snmp-index 11
        set interface "wan1"                    <--- physical interface the tunnel is bound to; matches the phase1-interface "interface" setting
    next
end
# config vpn ipsec phase1-interface
    edit "Site A"                  <--- phase1 object; the phase2 stanza below references it as "to 3hd", so one of the two names is wrong in this listing
        set interface "wan1"
        set peertype any           <--- no peer ID check; the peer is pinned only by remote-gw below. Acceptable for a static site-to-site tunnel, but a peer ID would add a second identity check
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1      <--- both ends also offer sha256, so the sha1 proposals can be removed on both sides without breaking negotiation
        set comments "VPN: to 3hd (Created by VPN wizard)"
        set remote-gw 10.109.16.152                                           <--- Site B's outside address from the diagram
        set psksecret ENC r79IGx0WLTiDeKmBwu+Y9hsTeIrLpkEoHCfZoAeGPcAI1vfIsP6R16                                                                                                CWCk/A3Ss4YVkSJ7jpfUKXqYRxDUU5zAwZH03Y1dctRtBvuk/mYGZJJUvD0MoqPeLy+/4BxWThWxkoKc                                                                                                             q9mnWy1K00fZ+IlzR0RABWROjJc+WCPWNVKqDNfw43SLelN90xZxLT0UQPPK+3mg==      <--- pre-shared key in its stored ENC (encrypted) form; the whitespace inside the blob is page wrapping, not part of the value
    next
end
# config vpn ipsec phase2-interface
    edit "SiteA"
        set phase1name "to 3hd"    <--- must name the phase1-interface object exactly; the phase1 stanza above is called "Site A"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305      <--- sha1 variants are listed first; the AEAD (gcm/chacha20poly1305) and sha256 options are also offered by Site B, so sha1 can be dropped
    next                           <--- no src-subnet/dst-subnet set, so the phase2 selectors stay at their defaults (presumably 0.0.0.0/0 - confirm on the device); this is what lets any destination be carried over the tunnel
end
# config router static
    edit 2
      set device "SiteA"          <--- here the destination will be all from this site (no dst is set, so this is a default route 0.0.0.0/0 into the tunnel: every destination without a more specific route, including the proxy's outbound traffic, is sent to Site B)
        next
   edit 3
        set dst 10.124.0.152 255.255.255.255      <------ this route is needed although the first route should work (host route for the test target only; a route for the whole remote network 10.124.0.0/20 is what the stated goal needs)
        set device "SiteA"
    next
end
# config firewall policy
    edit 2
        set name "vpn_to 3hd_local"
        set uuid b8194926-b38e-51e9-1d4a-af7f59728e1f
        set srcintf "port1"        <--- LAN side; the proxy traffic itself is handled by the proxy-policy below, not by this policy
        set dstintf "SiteA"
        set srcaddr "all"          <--- wizard defaults: both directions are fully open (all/all, service ALL) with no security profiles or logging visible; for production scope these to 10.120.0.0/20 and 10.124.0.0/20
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set comments "VPN: to 3hd (Created by VPN wizard)"
    next
    edit 3
        set name "vpn_to 3hd_remote"
        set uuid b823f786-b38e-51e9-52b8-d3239cb1219e
        set srcintf "SiteA"        <--- inbound from the tunnel toward the LAN; same all/all remark as policy 2
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set comments "VPN: to 3hd (Created by VPN wizard)"
    next                           <--- the closing "end" of this stanza is missing from the listing
Explicit proxy configuration on Site A:
# config web-proxy explicit
    set status enable              <--- turns on the explicit proxy globally; it only listens on interfaces that have "explicit-web-proxy enable" (only "dmz" in this article)
    set http-incoming-port 8080    <--- client-facing listener port
end
# config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.157.0.117 255.255.240.0                  <--- 10.157.0.0/20 from the diagram; clients point their proxy setting at this address, port 8080
        set allowaccess ping https ssh http telnet fgfm    <--- telnet and http are cleartext management protocols; on a DMZ-facing interface keep only https/ssh (plus ping/fgfm if required)
        set type physical
        set explicit-web-proxy enable                      <--- makes the explicit proxy listener available on this interface
        set role dmz
        set snmp-index 2
    next
end
# config firewall proxy-policy
    edit 1
        set uuid 3a36b1c6-b391-51e9-d13e-1bcdb958bcdf
        set proxy explicit-web     <--- matches traffic received by the explicit proxy listener
        set dstintf "SiteA"        <--- proxied connections egress via the tunnel interface, which is why the tunnel needs an IP address
        set srcaddr "all"          <--- any client that can reach the listener may proxy into the remote site; restrict to the DMZ subnet 10.157.0.0/20 and set dstaddr to 10.124.0.0/20. No security profiles or logging are set in this stanza
        set dstaddr "all"
        set service "webproxy"
        set action accept
        set schedule "always"
    next
end
Site B:
# config system interface
    edit "to100d"                  <--- Site B tunnel interface; name matches the phase1-interface object and the routes/policies below
        set vdom "root"
        set ip 2.2.2.2 255.255.255.255          <--- tunnel endpoint address; public address space, see the Site A remark - prefer RFC 1918 or link-local addresses
        set type tunnel
        set remote-ip 1.1.1.1 255.255.255.255   <--- Site A's tunnel address; mirrors the Site A configuration
        set snmp-index 13
        set interface "port5"
    next
end
# config firewall address
    edit "to100d_local_subnet_1"
        set uuid da74941c-b38e-51e9-1be3-54f808edc4c7
        set allow-routing enable   <--- required so the address (via its group) can be used as dstaddr in the blackhole static route
        set subnet 10.124.0.0 255.255.240.0     <--- Site B local network
    next
    edit "to100d_remote_subnet_1"
        set uuid da7c06f2-b38e-51e9-e818-fdead4da1abf
        set allow-routing enable
        set subnet 10.120.0.0 255.255.240.0     <--- Site A local network
    next
end
# config firewall addrgrp
    edit "to100d_local"
        set uuid da788676-b38e-51e9-6b76-c0618ae98356
        set member "to100d_local_subnet_1"
        set comment "VPN: to100d (Created by VPN wizard)"
        set allow-routing enable
    next
    edit "to100d_remote"           <--- referenced as dstaddr by the blackhole static route below
        set uuid da845b2c-b38e-51e9-fd74-f3fc64e40136
        set member "to100d_remote_subnet_1"
        set comment "VPN: to100d (Created by VPN wizard)"
        set allow-routing enable
    next
end
# config vpn ipsec phase1-interface
    edit "to100d"
        set interface "port5"
        set peertype any           <--- no peer ID check; the peer is pinned only by remote-gw
        set net-device enable      <--- set here but not in the Site A phase1 stanza; the tunnel still came up in the capture below, but verify the asymmetry is intended
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1      <--- same list as Site A; sha1 can be dropped on both sides since sha256 is common
        set comments "VPN: to100d (Created by VPN wizard)"
        set remote-gw 10.109.16.117                                           <--- Site A's outside address from the diagram
        set psksecret ENC 6JhsdtKif7p2SOfM918CPmTrFM/qDqRlRbgmrn0RqgjTkmONCdf/B6                                                                                                             n6RhAIFfXNB0Pu3oHu3Y9v9qPXu6HoSAi1T7zpbBjU5vaSj9qiFHuyWhBI9bn3HTubFel0HawLohXAS9                                                                                                             2DQV7yuL++C1NztyuoWbY8tbikmsXXtqf6SDhaYoGDJCfmkCfqpA4T0yTtlX0F5g==      <--- pre-shared key in its stored ENC (encrypted) form; the whitespace inside the blob is page wrapping, not part of the value
    next
end
# config vpn ipsec phase2-interface
    edit "tunnel-interface"
        set phase1name "to100d"    <--- correctly references the Site B phase1 object
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305      <--- identical to the Site A phase2 list; sha1 variants can be removed on both ends
        set comments "to-100d"
    next                           <--- no src-subnet/dst-subnet set, so the selectors stay at their defaults (presumably 0.0.0.0/0 - confirm on the device)
end
# config firewall policy
    edit 1
        set name "vpn_to100d_local"
        set uuid daa4d820-b38e-51e9-80d2-06c0a574d108
        set srcintf "port2"        <--- Site B LAN side
        set dstintf "to100d"
        set srcaddr "all"          <--- wizard defaults: both directions fully open (all/all, service ALL) with no security profiles or logging visible; scope to the two /20 networks for production
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set comments "VPN: to100d (Created by VPN wizard)"
    next
    edit 2
        set name "vpn_to100d_remote"
        set uuid dab63f52-b38e-51e9-c008-4d22b331f815
        set srcintf "to100d"       <--- this is the policy the proxied connections (source 1.1.1.1) match when they arrive from the tunnel
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set fsso disable
        set comments "VPN: to100d (Created by VPN wizard)"
    next
end
# config router static
    edit 2
        set dst 1.1.1.1 255.255.255.255      <---- this route only sends traffic to the destination (only Site A's tunnel address is routed back; that is sufficient here because the proxy sources its connections from 1.1.1.1, as the sniffer output shows. Site B hosts have no tunnel route toward 10.120.0.0/20 in this listing - only the blackhole below)
        set device "to100d"
        set comment "VPN: to100d (Created by VPN wizard)"
    next
    edit 3
        set distance 254           <--- wizard default: a low-priority blackhole for the remote subnet group so that traffic for 10.120.0.0/20 is dropped rather than leaked to the default gateway when no better route exists
        set comment "VPN: to100d (Created by VPN wizard)"
        set blackhole enable
        set dstaddr "to100d_remote"
    next
end
Results (here site A is 3hd and site B is 100d):

Site A:

# diagnose sniffer packet any "host 10.124.0.152" 4 0 a
interfaces=[any]
filters=[host 10.124.0.152]
2019-08-01 11:26:14.070000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: syn 2119450480
2019-08-01 11:26:14.070000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: syn 4102811922 ack 2119450481
2019-08-01 11:26:14.070000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: ack 4102811923
2019-08-01 11:26:14.070000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: psh 2119450481 ack 4102811923
2019-08-01 11:26:14.070000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: ack 2119450815
2019-08-01 11:26:14.080000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: 4102811923 ack 2119450815
2019-08-01 11:26:14.080000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: ack 4102813309
2019-08-01 11:26:14.080000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: 4102813309 ack 2119450815
2019-08-01 11:26:14.080000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: psh 4102814695 ack 2119450815
2019-08-01 11:26:14.080000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: ack 4102814695
2019-08-01 11:26:14.080000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: ack 4102815787
2019-08-01 11:26:16.070000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: fin 4102815787 ack 2119450815
2019-08-01 11:26:16.080000 to 3hd out 1.1.1.1.24444 -> 10.124.0.152.80: fin 2119450815 ack 4102815788
2019-08-01 11:26:16.080000 to 3hd in 10.124.0.152.80 -> 1.1.1.1.24444: ack 2119450816
Site B:
# diagnose sniffer packet any "host 1.1.1.1 and not port 53" 4 0 a
interfaces=[any]
filters=[host 1.1.1.1 and not port 53]
2019-08-01 11:26:20.322129 to 100d in 1.1.1.1.24444 -> 10.124.0.152.80: syn 2119450480
2019-08-01 11:26:20.322158 to 100d out 10.124.0.152.80 -> 1.1.1.1.24444: syn 4102811922 ack 2119450481
2019-08-01 11:26:20.322874 to 100d in 1.1.1.1.24444 -> 10.124.0.152.80: ack 4102811923
2019-08-01 11:26:20.322960 to 100d in 1.1.1.1.24444 -> 10.124.0.152.80: psh 2119450481 ack 4102811923
