FortiGate-A FortiGate-B
System Interface
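config system interface
    # FortiGate-A, LAN side (192.168.101.0/24). Management access on this interface is limited
    # to authenticated/encrypted protocols: telnet was listed here and has been dropped because
    # it sends admin credentials in cleartext on the LAN; https remains (add ssh if needed).
    edit "internal"
        set vdom "root"
        set ip 192.168.101.252 255.255.255.0
        set allowaccess ping https
        set type physical
    next
    # FortiGate-A, internet-facing side. https is reachable from the WAN here; if remote
    # administration is really required, restrict the admin accounts with trusthost under
    # "config system admin", or manage the unit over the IPsec tunnel instead.
    edit "wan1"
        set vdom "root"
        set ip 61.61.61.241 255.255.255.0
        set allowaccess ping https
        set type physical
    next
end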
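config system interface
    # FortiGate-B, LAN side (192.168.4.0/24). https/ssh are authenticated management
    # protocols; if snmp is kept here it should use a read-only community (or SNMPv3).
    edit "internal"
        set vdom "root"
        set ip 192.168.4.254 255.255.255.0
        set allowaccess ping https ssh snmp
        set type physical
    next
    # FortiGate-B, internet-facing side. snmp has been removed from this interface: it is not
    # needed from the WAN and exposes device/interface details to anyone who can guess the
    # community string. https/ssh are kept for remote admin but should be restricted with
    # trusthost under "config system admin".
    edit "external"
        set vdom "root"
        set ip 59.59.59.25 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
end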
Phase1
config vpn ipsec phase1-interface
    # FortiGate-A: IKE phase 1 (interface mode) towards FortiGate-B's external address.
    # The tunnel interface created here is named "Taichung" and is referenced by the
    # firewall policies and the static route below.
    edit "Taichung"
        set interface "wan1"
        set dpd enable
        set nattraversal enable
        # NOTE(review): DH group 2 (1024-bit MODP) and the 3des-sha1 / 3des-md5 proposals are
        # weak by current standards. Both peers must be changed together (this block and the
        # matching "Contracts_IDC" phase 1 on FortiGate-B), e.g. to dhgrp 14 and aes256-sha256.
        set dhgrp 2
        set proposal 3des-sha1 3des-md5
        set remote-gw 59.59.59.25
        # NOTE(review): the pre-shared key is a short, guessable dictionary-style string and is
        # recorded here in plaintext. Use a long random PSK (or certificate authentication),
        # set it on both peers at the same time, and keep it out of shared documents.
        set psksecret startravel.com
    next
end
config vpn ipsec phase1-interface
    # FortiGate-B: IKE phase 1 (interface mode) towards FortiGate-A's wan1 address.
    # The tunnel interface is named "Contracts_IDC" and is referenced by the firewall
    # policies and the static route below. Proposals, DH group and PSK mirror the
    # "Taichung" phase 1 on FortiGate-A and must stay identical on both sides.
    edit "Contracts_IDC"
        set interface "external"
        set dpd enable
        set nattraversal enable
        # NOTE(review): dhgrp 2 and 3DES/MD5 proposals are weak; upgrade together with the peer
        # (e.g. dhgrp 14, aes256-sha256) so that phase 1 still negotiates.
        set dhgrp 2
        set proposal 3des-sha1 3des-md5
        set remote-gw 61.61.61.241
        # NOTE(review): guessable PSK stored in plaintext; replace with a long random secret on
        # both peers and do not publish it.
        set psksecret startravel.com
    next
end
Phase2
config vpn ipsec phase2-interface
    # FortiGate-A: IPsec phase 2 bound to the "Taichung" phase 1 above.
    # pfs is enabled, so a fresh DH exchange (dhgrp below) protects each child SA.
    edit "Link_To_Taichung"
        # NOTE(review): DH group 2 and 3DES/MD5 are weak; change here and in "Contracts_IDC_P2"
        # on FortiGate-B at the same time, otherwise phase 2 will not negotiate.
        set dhgrp 2
        set keepalive enable
        set pfs enable
        set phase1name "Taichung"
        set proposal 3des-sha1 3des-md5
    next
end
config vpn ipsec phase2-interface
    # FortiGate-B: IPsec phase 2 bound to the "Contracts_IDC" phase 1 above.
    # Settings mirror "Link_To_Taichung" on FortiGate-A and must match it.
    edit "Contracts_IDC_P2"
        # NOTE(review): weak DH group / proposals, see the phase 1 note; upgrade both peers together.
        set dhgrp 2
        set keepalive enable
        set pfs enable
        set phase1name "Contracts_IDC"
        set proposal 3des-sha1 3des-md5
    next
end
Firewall Policy
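config firewall policy
    # FortiGate-A. Indentation normalised: every "set" inside an edit stanza sits at the same level.
    # Policy 1: LAN to internet with source NAT.
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    # Policy 201: traffic arriving from the "Taichung" tunnel into the LAN.
    # NOTE(review): srcaddr/dstaddr "all" and service "ANY" let anything that reaches the tunnel
    # into the LAN. Tighten to address objects for 192.168.4.0/24 -> 192.168.101.0/24 and the
    # services actually used, and enable traffic logging on the VPN policies so tunnel traffic
    # is auditable. (Address objects are not part of this listing.)
    edit 201
        set srcintf "Taichung"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    # Policy 202: LAN to the "Taichung" tunnel (return direction of 201); no NAT, so the remote
    # side sees real 192.168.101.x sources. Same scoping remark as 201 applies.
    edit 202
        set srcintf "internal"
        set dstintf "Taichung"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end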
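config firewall policy
    # FortiGate-B. Indentation normalised: every "set" inside an edit stanza sits at the same level.
    # Policy 1: LAN to internet with source NAT.
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
    # Policy 101: traffic arriving from the "Contracts_IDC" tunnel into the LAN.
    # NOTE(review): "all"/"all"/"ANY" admits any traffic the tunnel carries. Scope it to
    # 192.168.101.0/24 -> 192.168.4.0/24 address objects and the required services, and enable
    # traffic logging on the VPN policies. (Address objects are not part of this listing.)
    edit 101
        set srcintf "Contracts_IDC"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    # Policy 102: LAN to the "Contracts_IDC" tunnel (return direction of 101), no NAT.
    # Same scoping remark as 101 applies.
    edit 102
        set srcintf "internal"
        set dstintf "Contracts_IDC"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end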
Static Route
config router static
    # FortiGate-A. Route 1 has no dst, so it is the default route (0.0.0.0/0) via the ISP gateway on wan1.
    edit 1
        set device "wan1"
        set gateway 61.61.61.254
    next
    # Route 102: FortiGate-B's LAN reached through the "Taichung" tunnel interface.
    # No gateway is needed for an interface-mode tunnel; the device alone selects the tunnel.
    edit 102
        set device "Taichung"
        set dst 192.168.4.0 255.255.255.0
    next
end
config router static
    # FortiGate-B. Route 1 has no dst, so it is the default route (0.0.0.0/0) via the ISP gateway on external.
    edit 1
        set device "external"
        set gateway 59.59.59.254
    next
    # Route 101: FortiGate-A's LAN reached through the "Contracts_IDC" tunnel interface (no gateway needed).
    edit 101
        set device "Contracts_IDC"
        set dst 192.168.101.0 255.255.255.0
    next
end

備註:
依照此實際測試結果，當route-based IPsec VPN建立起來時，兩台FortiGate後面的網段就可相互ping通，但FortiGate的internal IP卻無法相互ping通。（可能原因：ping FortiGate本身屬於local-in流量，由該interface的allowaccess而非firewall policy決定，而上述phase1-interface並未設定allowaccess ping，此點需另行確認。）
