
======================

INTERFACE
======================
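config system interface
    edit "port1"
        set mode static
        set ip 192.168.1.100/24
        # WAN-facing interface (role wan). Cleartext HTTP admin access removed;
        # https/ssh remain so the lab stays reachable, but exposing admin
        # services on a WAN port should be paired with admin trusthosts
        # (config system admin -> set trusthost) or moved to a dedicated
        # management interface. ftm = FortiToken Mobile push.
        set allowaccess ping https ssh ftm
        set alias "WAN1"
        set role wan
    next
    edit "port3"
        set mode static
        set ip 10.1.0.1/24
        # Hub LAN; no admin services exposed here, only ping.
        set allowaccess ping
        set alias lan
        set role lan
    next
end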

======================
STATIC
======================
config router static
    edit 1
        # Default route out of the WAN interface to the upstream gateway.
        set dst 0.0.0.0 0.0.0.0
        set gateway 192.168.1.1
        set device port1
    next
end

======================
PHASE-1
======================
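config vpn ipsec phase1-interface
    edit "H1-to-S1"
        # Hub side of a dial-up (dynamic) tunnel terminated on port1.
        set type dynamic
        set interface "port1"
        # des-md5 (single DES + MD5) is cryptographically broken; replaced with
        # AES-256/SHA-256. The spoke phase1 proposal must be changed to match.
        # DH group and IKE version are left at defaults — pin them explicitly
        # on both ends (e.g. set dhgrp 14 or higher, set ike-version 2).
        set proposal aes256-sha256
        # peertype any: any peer that presents the PSK is accepted, so the PSK
        # is the entire authentication. Restrict with peerid or certificates
        # where possible.
        set peertype any
        # One shared tunnel interface for all spokes (no per-peer net-device);
        # routes are carried by BGP, not injected from the tunnel.
        set net-device disable
        set add-route disable
        # "sample" is a placeholder — replace with a long random PSK before use.
        set psksecret sample
        # ADVPN: hub sends shortcut offers so spokes can form direct tunnels.
        set auto-discovery-sender enable
        set dpd-retryinterval 5
        set dpd on-idle
    next
end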

======================
VPN INTERFACE
======================
config system interface
    edit "H1-to-S1"
        set vdom root
        # Hub overlay address (/32 locally). remote-ip supplies the overlay /24,
        # which is where the BGP neighbor (172.16.1.3) is configured below —
        # presumably every dial-up spoke lands in 172.16.1.0/24; confirm against
        # the spoke configs.
        set ip 172.16.1.1 255.255.255.255
        set remote-ip 172.16.1.254/24
        set interface port1
        set type tunnel
    next
end

======================
PHASE-2
======================
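config vpn ipsec phase2-interface
    edit "H1-to-S1"
        set phase1name "H1-to-S1"
        # des-md5 replaced with AES-256/SHA-256; the spoke phase2 proposal must
        # match. PFS and dhgrp are left at defaults — set them explicitly if the
        # spokes pin them.
        set proposal aes256-sha256
        # Keep the phase2 SA alive from the hub side when traffic is idle.
        set keepalive enable
    next
end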

======================
ROUTE MAP
======================

config router prefix-list
    edit "Internal"
        config rule
            edit 1
                # Matches exactly 10.1.0.0/24 (the hub LAN on port3); with ge/le
                # unset no longer or shorter prefixes match.
                set prefix 10.1.0.0 255.255.255.0
                unset ge
                unset le
            next
        end
    next
end

config router route-map
    edit "LAN_Tag"
        config rule
            edit 1
                # Prefixes matching prefix-list "Internal" are tagged with
                # community 1:2 when advertised (applied as route-map-out in BGP).
                set match-ip-address "Internal"
                set set-community "1:2"
            next
        end
    next
end

====================
BGP
====================

config router bgp
    set as 65100
    set router-id 1.1.1.1
    config neighbor
        # iBGP (same AS 65100) to one spoke on the overlay subnet. Only this
        # neighbor is configured; further spokes need their own entry (or, for
        # dial-up peers, a neighbor-group with a neighbor-range — confirm
        # against the FortiOS version in use).
        # NOTE(review): over iBGP the hub only re-advertises spoke prefixes to
        # other spokes if it acts as route reflector (route-reflector-client
        # enable on the neighbor) — not set here; confirm. No session password
        # (set password) is configured; the session rides inside the IPsec tunnel.
        edit 172.16.1.3
            set remote-as 65100
            # Outbound policy: tags 10.1.0.0/24 with community 1:2. The IPv4
            # community export (send-community) is left at its default; only
            # the IPv6 community export is disabled.
            set route-map-out LAN_Tag
            set send-community6 disable
        next
    end
    config network
        edit 1
            # Originate the hub LAN (port3, 10.1.0.0/24) into BGP.
            set prefix 10.1.0.0 255.255.255.0
        next
    end
end

======================
STATIC
======================
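config router static
    edit 3
        # Original line was "set dst 10.1.1.0 0.0.0.0": FortiOS normalizes dst by
        # its mask, so this effectively installed a second default route
        # (distance 10) into the tunnel alongside edit 1 on port1. Fixed to /24
        # so it covers only the spoke LAN.
        # NOTE(review): with BGP carrying the spoke prefixes, this static
        # (distance 10) would shadow the iBGP-learned route (distance 200);
        # confirm it is wanted at all, or drop it and rely on edit 4 plus BGP.
        set dst 10.1.1.0 255.255.255.0
        set device "H1-to-S1"
    next
    edit 4
        # Covering blackhole for the spoke LAN: if the BGP route is withdrawn,
        # traffic is dropped instead of leaking out the default route on WAN.
        set dst 10.1.1.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end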

======================
FIREWALL ADDRESS (no address objects are defined on this page; the policies below use "all")
======================

======================
FIREWALL POLICY
======================

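config firewall policy
    edit 1
        set name "Inbound"
        set srcintf "H1-to-S1"
        set dstintf "port3"
        # all/all/ALL: any spoke host can reach any host behind port3 on any
        # service. Tighten to address objects for the spoke and hub LANs (the
        # FIREWALL ADDRESS section above is empty) and the services actually
        # required once they are known.
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule "always"
        set service "ALL"
        # Log every session, not only UTM events, so tunnel traffic is auditable.
        set logtraffic all
    next
    edit 2
        set name "Outbound"
        set srcintf "port3"
        set dstintf "H1-to-S1"
        # Mirror of policy 1; same tightening applies.
        set srcaddr all
        set dstaddr all
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end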
(Verification commands below use tunnel names H25_0 / H25_0_0 and a device named NGFW-1, which do not match the H1-to-S1 tunnel configured above; substitute the local tunnel name.)
Spoke1#diagnose vpn tunnel up H25_0_0
Spoke1#diagnose vpn tunnel list name H25_0
Spoke1#get ipsec tunnel list

Log in to the Spoke1 GUI to check the VPN status.

Spoke2#diagnose vpn tunnel up H25_0_0


Spoke2#diagnose vpn tunnel list name H25_0
Spoke2#get ipsec tunnel list

Log in to the Spoke2 GUI to check the VPN status.

Spoke1#diagnose vpn tunnel up H25_0_0


Log in to the Spoke1 GUI to check the VPN status.
Spoke1#get router info routing-table all

Spoke2#diagnose vpn tunnel up H25_0_0


Log in to the Spoke2 GUI to check the VPN status.
Spoke2#get router info routing-table all

NGFW-1#get router info routing-table all


NGFW-1#get router info bgp network
NGFW-1#diagnose system virtual-wan-link service 4

Spoke1#diagnose vpn tunnel list name H25_0


Spoke1#get ipsec tunnel list

Spoke2#diagnose vpn tunnel list name H25_0


Spoke2#get ipsec tunnel list
