Solution for route-based VPN
You need to:
• Configure IPsec Phase 1 and Phase 2 as you usually would for a route-based VPN. In this example, the resulting IPsec interface is named FGT1_to_FGT2.
• Configure virtual IP (VIP) mapping so that each site's private network is reached through a translated, non-overlapping network:
• on FortiGate_1, the 10.21.101.0/24 network (the addresses remote hosts use) mapped to the local 10.11.101.0/24 network
• on FortiGate_2, the 10.31.101.0/24 network mapped to the local 10.11.101.0/24 network
• Configure an outgoing security policy with ordinary source NAT on both FortiGates. Source NAT hides the overlapping source address; without it, a remote host would see a source inside its own 10.11.101.0/24 subnet and reply locally instead of over the tunnel.
• Configure an incoming security policy with the VIP as the destination on both FortiGates.
• Configure a route to the remote private network over the IPsec interface on both FortiGates.
To configure VIP mapping on both FortiGates
1. Go to Policy & Objects > Objects > Virtual IPs and select Create New.
2. Enter the following information, and select OK:
Name | Enter a name, for example, my_vip. |
External Interface | Select FGT1_to_FGT2. The IPsec interface. |
Type | Static NAT |
External IP Address/Range | Enter 10.21.101.1-10.21.101.254 when configuring FortiGate_1, or 10.31.101.1-10.31.101.254 when configuring FortiGate_2. For Static NAT the external range must contain the same number of addresses as the mapped range. |
Mapped IP Address/Range | Enter 10.11.101.1 as the start and 10.11.101.254 as the end of the range. This is the local private network behind the FortiGate. |
Port Forwarding | Disable |
Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the outbound security policy on both FortiGates
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and select OK:
Incoming Interface | Select Port 1. |
Source Address | Select all. |
Outgoing Interface | Select FGT1_to_FGT2. The IPsec interface. |
Destination Address | Select all. |
Action | Select ACCEPT |
Enable NAT | Enable |
Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the inbound security policy on both FortiGates
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information, and then select OK:
Incoming Interface | Select FGT1_to_FGT2. The IPsec interface. |
Source Address | Select all. |
Outgoing Interface | Select Port 1. The interface connected to the local private network. |
Destination Address | Select my_vip. The VIP created above. |
Action | Select ACCEPT |
Enable NAT | Disable |
Repeat this procedure on both FortiGate_1 and FortiGate_2.
To configure the static route for both FortiGates
1. Go to Router > Static > Static Routes and select Create New.
For low-end FortiGate units, go to System > Network > Routing and select Create New.
2. Enter the following information, and then select OK:
Destination IP / Mask | Enter 10.31.101.0/24 when configuring FortiGate_1. Enter 10.21.101.0/24 when configuring FortiGate_2. |
Device | Select FGT1_to_FGT2. |
Gateway | Leave as default: 0.0.0.0. |
Distance (Advanced) | Leave at default. If you have advanced routing on your network, you may have to change this value. |
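The same configuration entered from the FortiOS CLI, as an added example that is not taken from the original page. It assumes FortiOS 5.x CLI syntax, that the LAN interface Port 1 is named port1, and, because source NAT translates to the address of the outgoing interface, that each IPsec interface carries a tunnel address (10.254.0.1 with peer 10.254.0.2 on FortiGate_1, the reverse on FortiGate_2). The tunnel addresses and the policy and route IDs (edit 0 lets the FortiGate assign the next free ID) are assumptions, not values from the page. The lines beginning with # are labels only.

```text
# FortiGate_1 (assumed tunnel address 10.254.0.1, peer 10.254.0.2)
config system interface
    edit "FGT1_to_FGT2"
        set ip 10.254.0.1 255.255.255.255
        set remote-ip 10.254.0.2
    next
end
config firewall vip
    edit "my_vip"
        set extintf "FGT1_to_FGT2"
        set extip "10.21.101.1-10.21.101.254"
        set mappedip "10.11.101.1-10.11.101.254"
    next
end
config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "FGT1_to_FGT2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "FGT1_to_FGT2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "my_vip"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 0
        set dst 10.31.101.0 255.255.255.0
        set device "FGT1_to_FGT2"
    next
end

# FortiGate_2 (assumed tunnel address 10.254.0.2, peer 10.254.0.1)
config system interface
    edit "FGT1_to_FGT2"
        set ip 10.254.0.2 255.255.255.255
        set remote-ip 10.254.0.1
    next
end
config firewall vip
    edit "my_vip"
        set extintf "FGT1_to_FGT2"
        set extip "10.31.101.1-10.31.101.254"
        set mappedip "10.11.101.1-10.11.101.254"
    next
end
config firewall policy
    edit 0
        set srcintf "port1"
        set dstintf "FGT1_to_FGT2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 0
        set srcintf "FGT1_to_FGT2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "my_vip"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config router static
    edit 0
        set dst 10.21.101.0 255.255.255.0
        set device "FGT1_to_FGT2"
    next
end
```

To check the result, a host behind FortiGate_2 reaches the FortiGate_1 host 10.11.101.20 by addressing 10.21.101.20. On FortiGate_1, get router info routing-table all should list 10.31.101.0/24 via FGT1_to_FGT2, diagnose sniffer packet any 'host 10.21.101.20' 4 should show the packet arriving on FGT1_to_FGT2 with its untranslated destination, and diagnose sniffer packet any 'host 10.11.101.20' 4 should show it leaving on port1 after the VIP translation, with a source in the tunnel address range rather than in 10.11.101.0/24.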