
里歐's 布拉格

  • 9月 10 週五 201012:01
  • Example Fortigate Route-Base IP-Sec Site to Site VPN






Fortigate-A (first listing in each section below)
Fortigate-B (second listing in each section below)


System Interface


# Fortigate-A interface addressing. "internal" is the LAN side (192.168.101.0/24);
# "wan1" holds the public address that the peer configures as its remote-gw.
config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.101.252 255.255.255.0
        # NOTE(review): telnet carries administrator credentials in cleartext.
        # Prefer ssh for CLI administration and remove telnet from allowaccess.
        set allowaccess ping https telnet
        set type physical
    next
    edit "wan1"
        set vdom "root"
        set ip 61.61.61.241 255.255.255.0
        # NOTE(review): https administration is reachable on the Internet-facing
        # port. If remote management is not required, drop https here; otherwise
        # limit the administrator accounts to trusted source addresses.
        set allowaccess ping https
        set type physical
    next
end

# Fortigate-B interface addressing. "internal" is the LAN side (192.168.4.0/24);
# "external" holds the public address that Fortigate-A configures as its remote-gw.
config system interface
    edit "internal"
        set vdom "root"
        set ip 192.168.4.254 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
    next
    edit "external"
        set vdom "root"
        set ip 59.59.59.25 255.255.255.0
        # NOTE(review): https, ssh and snmp are all enabled on the Internet-facing
        # port. Management services on a public interface widen the attack surface;
        # keep only what is needed and restrict administrators and SNMP to trusted
        # source addresses.
        set allowaccess ping https ssh snmp
        set type physical
    next
end


Phase1


# Fortigate-A IKE phase 1 for the route-based tunnel. The entry name "Taichung"
# becomes the tunnel interface referenced by the firewall policies and static route.
config vpn ipsec phase1-interface
    edit "Taichung"
        set interface "wan1"
        set dpd enable
        set nattraversal enable
        # NOTE(review): DH group 2 is the 1024-bit MODP group and is no longer
        # considered adequate. Use a larger group supported by the firmware and
        # change it on both peers together.
        set dhgrp 2
        # NOTE(review): 3DES (64-bit block) and MD5 are legacy algorithms. Prefer an
        # AES / SHA-2 proposal if the firmware offers one; both peers must match.
        set proposal 3des-sha1 3des-md5
        set remote-gw 59.59.59.25
        # NOTE(review): this pre-shared key is a guessable, domain-style string and
        # is published on this page. Treat it as an example only; use a long random
        # secret and never post the real value.
        set psksecret startravel.com
    next
end
# Fortigate-B IKE phase 1, mirroring Fortigate-A. The entry name "Contracts_IDC"
# becomes the tunnel interface referenced by the firewall policies and static route.
config vpn ipsec phase1-interface
    edit "Contracts_IDC"
        set interface "external"
        set dpd enable
        set nattraversal enable
        # NOTE(review): DH group 2 is the 1024-bit MODP group and is no longer
        # considered adequate. Use a larger group supported by the firmware and
        # change it on both peers together.
        set dhgrp 2
        # NOTE(review): 3DES (64-bit block) and MD5 are legacy algorithms. Prefer an
        # AES / SHA-2 proposal if the firmware offers one; both peers must match.
        set proposal 3des-sha1 3des-md5
        set remote-gw 61.61.61.241
        # NOTE(review): this pre-shared key is a guessable, domain-style string and
        # is published on this page. Treat it as an example only; use a long random
        # secret and never post the real value.
        set psksecret startravel.com
    next
end


Phase2


# Fortigate-A IPsec phase 2, bound to the phase 1 entry "Taichung".
# No src/dst selectors are set here, so the firmware defaults apply
# (presumably match-all; confirm on the target FortiOS version).
config vpn ipsec phase2-interface
    edit "Link_To_Taichung"
        # NOTE(review): PFS is enabled (good), but it uses DH group 2 (1024-bit MODP).
        # Raise the group together with phase 1 and on both peers.
        set dhgrp 2
        set keepalive enable
        set pfs enable
        set phase1name "Taichung"
        # NOTE(review): legacy 3DES / MD5 proposals; prefer AES with SHA-2 where the
        # firmware supports it, changed on both peers at once.
        set proposal 3des-sha1 3des-md5
    next
end
# Fortigate-B IPsec phase 2, bound to the phase 1 entry "Contracts_IDC".
# No src/dst selectors are set here, so the firmware defaults apply
# (presumably match-all; confirm on the target FortiOS version).
config vpn ipsec phase2-interface
    edit "Contracts_IDC_P2"
        # NOTE(review): PFS is enabled (good), but it uses DH group 2 (1024-bit MODP).
        # Raise the group together with phase 1 and on both peers.
        set dhgrp 2
        set keepalive enable
        set pfs enable
        set phase1name "Contracts_IDC"
        # NOTE(review): legacy 3DES / MD5 proposals; prefer AES with SHA-2 where the
        # firmware supports it, changed on both peers at once.
        set proposal 3des-sha1 3des-md5
    next
end


Firewall Policy


# Fortigate-A policies. Policy 1 is the NATed LAN-to-Internet rule; policies 201
# and 202 permit traffic in each direction across the tunnel interface "Taichung".
# Because the VPN is route-based, the tunnel policies use "action accept" on the
# tunnel interface rather than an ipsec action.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ANY"
        set nat enable
    next
    edit 201
        # NOTE(review): all/all/ANY from the tunnel gives the remote site unrestricted
        # access to this LAN. Least privilege: limit srcaddr to the remote subnet
        # (192.168.4.0/24), dstaddr to the hosts that must be reachable, and service
        # to the protocols actually needed.
        set srcintf "Taichung"
        set dstintf "internal"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ANY"
    next
    edit 202
        # NOTE(review): same least-privilege concern for the outbound direction;
        # scope srcaddr to 192.168.101.0/24 and dstaddr to the remote subnet.
        set srcintf "internal"
        set dstintf "Taichung"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ANY"
    next
end
# Fortigate-B policies. Policy 1 is the NATed LAN-to-Internet rule; policies 101
# and 102 permit traffic in each direction across the tunnel interface
# "Contracts_IDC". Route-based VPN: "action accept" on the tunnel interface.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ANY"
        set nat enable
    next
    edit 101
        # NOTE(review): all/all/ANY from the tunnel gives the remote site unrestricted
        # access to this LAN. Least privilege: limit srcaddr to the remote subnet
        # (192.168.101.0/24), dstaddr to the hosts that must be reachable, and service
        # to the protocols actually needed.
        set srcintf "Contracts_IDC"
        set dstintf "internal"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ANY"
    next
    edit 102
        # NOTE(review): same least-privilege concern for the outbound direction;
        # scope srcaddr to 192.168.4.0/24 and dstaddr to the remote subnet.
        set srcintf "internal"
        set dstintf "Contracts_IDC"
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ANY"
    next
end


Static Route


# Fortigate-A routing. Entry 1 has no "dst" and points at the upstream gateway on
# wan1 (the default route); entry 102 sends the remote LAN 192.168.4.0/24 into the
# tunnel interface "Taichung", which is what steers traffic into the VPN.
config router static
    edit 1
        set device "wan1"
        set gateway 61.61.61.254
    next
    edit 102
        set device "Taichung"
        set dst 192.168.4.0 255.255.255.0
    next
end
# Fortigate-B routing. Entry 1 has no "dst" and points at the upstream gateway on
# "external" (the default route); entry 101 sends the remote LAN 192.168.101.0/24
# into the tunnel interface "Contracts_IDC".
config router static
    edit 1
        set device "external"
        set gateway 59.59.59.254
    next
    edit 101
        set device "Contracts_IDC"
        set dst 192.168.101.0 255.255.255.0
    next
end



里歐 發表在 痞客邦 留言(0) 人氣(617)

  • 個人分類:FortiGate
  • 9月 07 週二 201016:59
  • Example Fortigate IPSec VPN Gateway-to-Gateway Configuration

Fortigate IPSec VPN Gateway-to-Gateway.jpg
Example Fortigate IPSec VPN Gateway-to-Gateway Configuration
The following example demonstrates how to set up a basic gateway-to-gateway IPSec VPN that uses preshared keys to authenticate the two VPN peers.
Example gateway-to-gateway configuration 

里歐 發表在 痞客邦 留言(0) 人氣(717)

  • 個人分類:FortiGate
  • 7月 28 週三 201014:57
  • [Forti] Fortigate Site to Site IPSec VPN

**************************Fortigate-3600 2.80,build489,051027*****************************
# IKE phase 1 on the Fortigate-3600 (firmware 2.80 per the banner above) towards
# the peer at 219.81.1.1.
config vpn ipsec phase1
    edit "Kaohs"
        set dpd enable
        set nattraversal enable
        # NOTE(review): single DES has a 56-bit key and provides no meaningful
        # confidentiality today. Use the strongest proposal both firmware versions
        # support and change both peers together.
        set proposal des-sha1
        set keylife 28800
        set remotegw 219.81.1.1
        # NOTE(review): "123456" is a trivially guessable pre-shared key. Treat it as
        # a placeholder only; a real deployment needs a long random secret.
        set psksecret 123456
    next
end
# IPsec phase 2 on the Fortigate-3600, bound to phase 1 entry "Kaohs".
# PFS and anti-replay are both enabled.
config vpn ipsec phase2
    edit "Link_To_Kaohs"
        set keepalive enable
        set pfs enable
        set phase1name "Kaohs"
        # NOTE(review): single DES is obsolete; see the phase 1 proposal. Both peers
        # must be changed to the same stronger proposal.
        set proposal des-sha1
        set replay enable
    next
end
# Policy-based VPN rule on the Fortigate-3600: traffic between address objects
# "WWW_All" and "Kaohs_VPN_All" is handed to tunnel "Link_To_Kaohs" with
# "action encrypt", in both directions (inbound and outbound enabled).
# The listing on this page stops after "next"; the closing "end" is not shown.
# NOTE(review): service "any" allows every protocol through the tunnel; narrow it
# to the services the two sites actually need.
config firewall policy
    edit 170
        set srcintf "WWW"
        set dstintf "TFN_Ext"
        set srcaddr "WWW_All"
        set dstaddr "Kaohs_VPN_All"
        set action encrypt
        set schedule "always"
        set service "any"
        set inbound enable
        set outbound enable
        set vpntunnel "Link_To_Kaohs"
    next
***************************Fortigate-60B 3.00-b0750(MR7 Patch 7)****************************
# IKE phase 1 on the Fortigate-60B (firmware 3.00 per the banner above) towards
# the peer at 61.31.1.1, bound to the "external" interface.
config vpn ipsec phase1
    edit "To_IDC"
        set interface "external"
        set dpd enable
        set nattraversal enable
        # NOTE(review): single DES has a 56-bit key and provides no meaningful
        # confidentiality today. Use the strongest proposal both firmware versions
        # support and change both peers together.
        set proposal des-sha1
        set keylife 28800
        set remote-gw 61.31.1.1
        # NOTE(review): "123456" is a trivially guessable pre-shared key. Treat it as
        # a placeholder only; a real deployment needs a long random secret.
        set psksecret 123456
    next
end
# IPsec phase 2 on the Fortigate-60B, bound to phase 1 entry "To_IDC". The traffic
# selectors are given as named address objects: source "Kaohs_VPN_All",
# destination "VPN_All_Group". PFS and anti-replay are both enabled.
config vpn ipsec phase2
    edit "Link_To_IDC"
        set dst-addr-type name
        set keepalive enable
        set pfs enable
        set phase1name "To_IDC"
        # NOTE(review): single DES is obsolete; see the phase 1 proposal. Both peers
        # must be changed to the same stronger proposal.
        set proposal des-sha1
        set replay enable
        set src-addr-type name
        set dst-name "VPN_All_Group"
        set src-name "Kaohs_VPN_All"
    next
end
# Policy-based VPN rule on the Fortigate-60B: traffic between "Kaohs_VPN_All" and
# "VPN_All_Group" is handed to tunnel "To_IDC" with "action ipsec", in both
# directions (inbound and outbound enabled).
# The listing on this page stops after "next"; the closing "end" is not shown.
# NOTE(review): service "ANY" allows every protocol through the tunnel; narrow it
# to the services the two sites actually need.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
            set srcaddr "Kaohs_VPN_All"
            set dstaddr "VPN_All_Group"
        set action ipsec
        set schedule "always"
            set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "To_IDC"
    next

里歐 發表在 痞客邦 留言(0) 人氣(539)

  • 個人分類:FortiGate