Friday, December 6, 2024

ip – Fortigate IPsec site-to-site routing issue


Site A wants IPsec with Site B.
Site A networks 192.168.20.0/24 and 192.168.50.0/24 want to reach Site B network 192.168.1.0/24, and the other way round as well.
The issue is that Site A has a network 192.168.1.0/24 on its LAN interface, and a route to it as well.
I can only modify the Site A configuration. I have to somehow apply NAT to Site B's 192.168.1.0/24, so that computers on Site A use one-to-one NAT 192.168.250.0/24 to reach the remote 192.168.1.0/24. 192.168.250.1 is used to access 192.168.1.1, and so on. Just before the traffic is sent, destination NAT is performed from 192.168.250.1 to 192.168.1.1, etc. And when traffic is received, source NAT is used to translate 192.168.1.1 to 192.168.250.1, etc.

My first idea was to implement it as follows:

config firewall vip
    edit "SiteB_NAT"
        set extip 192.168.250.0-192.168.250.255
        set mappedip "192.168.1.0-192.168.1.255"
        set extintf "any"
    next
end

config firewall ippool
    edit "SNAT_SiteB"
        set type one-to-one
        set startip 192.168.250.0
        set endip 192.168.250.255
    next
end

config firewall policy
    edit 53
        set name "To_SiteB"
        set srcintf "BNET_L2" "VLAN50"
        set dstintf "IPSec_VGGN"
        set action accept
        set srcaddr "192.168.20.0/24" "192.168.50.0/24"
        set dstaddr "SiteB_NAT"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

config firewall policy
    edit 55
        set name "From_VGGN"
        set srcintf "IPSec_VGGN"
        set dstintf "BNET_L2" "VLAN50"
        set action accept
        set srcaddr "192.168.1.0/24"
        set dstaddr "192.168.20.0/24" "192.168.50.0/24"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "SNAT_SiteB"
        set comments "From_VGGN"
    next
end

But then there is a problem: Fortigate first applies policy, then routing. So it would still look for a route to 192.168.1.0/24, and it would forward it to the LAN interface, right?
How to overcome this? Maybe it is somehow possible to make a route only for policy 53?
Or maybe there is a different, better solution for this problem (I cannot modify the subnet on Site B)?
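A small Python model of the one-to-one mapping and of the route-order concern raised in the question, added here as an illustration only: it is not FortiGate code and does not claim to reproduce FortiOS's actual processing order. It assumes two constructed static routes at Site A (192.168.1.0/24 via the LAN, 192.168.250.0/24 via the tunnel) and shows how the egress interface differs depending on whether the route lookup sees the original or the translated destination.

```python
import ipaddress

# Constructed model of the setup in the question (not FortiOS behaviour).
OVERLAP_REMOTE = ipaddress.ip_network("192.168.1.0/24")      # Site B LAN, also on Site A LAN
TRANSLATED_REMOTE = ipaddress.ip_network("192.168.250.0/24")  # what Site A hosts address

# Assumed static routes at Site A; longest prefix match wins.
ROUTES = {
    ipaddress.ip_network("192.168.1.0/24"): "LAN",
    ipaddress.ip_network("192.168.250.0/24"): "IPSec_VGGN",
    ipaddress.ip_network("0.0.0.0/0"): "WAN",
}


def translate(addr, src_net, dst_net):
    """One-to-one NAT: keep the host offset, swap the /24 (250.x <-> 1.x).
    Addresses outside src_net are returned unchanged."""
    ip = ipaddress.ip_address(addr)
    if ip not in src_net:
        return str(ip)
    offset = int(ip) - int(src_net.network_address)
    return str(dst_net.network_address + offset)


def dnat_to_site_b(dst):
    """Destination NAT applied before traffic enters the tunnel (VIP SiteB_NAT)."""
    return translate(dst, TRANSLATED_REMOTE, OVERLAP_REMOTE)


def snat_from_site_b(src):
    """Source NAT applied to replies arriving from the tunnel (ippool SNAT_SiteB)."""
    return translate(src, OVERLAP_REMOTE, TRANSLATED_REMOTE)


def route_lookup(dst):
    """Longest-prefix-match lookup over the constructed routing table."""
    ip = ipaddress.ip_address(dst)
    best = max((n for n in ROUTES if ip in n), key=lambda n: n.prefixlen)
    return ROUTES[best]


def egress_interface(dst, route_after_nat):
    """Interface a packet for `dst` leaves on, depending on whether the route
    lookup is done on the original or on the DNAT-translated destination.
    With the overlap, a post-NAT lookup for 192.168.1.x hits the LAN route."""
    target = dnat_to_site_b(dst) if route_after_nat else dst
    return route_lookup(target)
```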
