
ip – Fortigate IPsec site-to-site routing issue


Site A needs IPsec with site B.
Site A networks 192.168.20.0/24 and 192.168.50.0/24 need to reach the Site B network 192.168.1.0/24, and Site B needs to reach those Site A networks as well.
The problem is that Site A already has its own 192.168.1.0/24 on its LAN interface, with a connected route to it, so the remote subnet overlaps a local one.
I can only modify the Site A configuration, so I have to NAT Site B's 192.168.1.0/24 on the Site A FortiGate: hosts at Site A address the remote network as 192.168.250.0/24 through a one-to-one NAT (192.168.250.1 is used to reach 192.168.1.1, and so on). Just before traffic enters the tunnel, destination NAT rewrites 192.168.250.x to 192.168.1.x; for traffic arriving from Site B, source NAT rewrites 192.168.1.x to 192.168.250.x.

My first idea was to implement it as follows:

# One-to-one DNAT: Site A hosts address Site B's real 192.168.1.0/24 as the
# "fake" 192.168.250.0/24; the VIP rewrites 192.168.250.x -> 192.168.1.x.
config firewall vip
    edit "SiteB_NAT"
        # Fake (pre-NAT) destinations used on the Site A side. The range also
        # covers .0 and .255, which map onto the network/broadcast addresses
        # of the remote subnet.
        set extip 192.168.250.0-192.168.250.255
        # Real Site B subnet the destination is translated to.
        set mappedip "192.168.1.0-192.168.1.255"
        # NOTE(review): "any" lets this VIP match on every interface, although
        # it is only referenced by the LAN-facing outbound policy (53). Consider
        # scoping it to the interface(s) where 192.168.250.0/24 is actually
        # used — confirm whether one extintf can cover both BNET_L2 and VLAN50.
        set extintf "any"
    next
end

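# Source pool for the reverse direction: traffic from Site B (192.168.1.x)
# arriving over the tunnel is SNATed to 192.168.250.x so Site A hosts never
# see a source address from their own overlapping 192.168.1.0/24.
# (The stray second "end" that followed this block has been removed; it is a
# syntax error when the snippet is pasted into the CLI.)
config firewall ippool
    edit "SNAT_SiteB"
        # NOTE(review): a one-to-one pool hands out pool addresses dynamically
        # rather than by address offset; confirm that 192.168.1.1 really becomes
        # 192.168.250.1. A fixed-port-range pool with equal-sized source and
        # external ranges may be needed for a deterministic host-to-host mapping.
        set type one-to-one
        set startip 192.168.250.0
        set endip 192.168.250.255
    next
end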

# Outbound: Site A LANs -> Site B, addressed via the fake 192.168.250.0/24
# (the VIP used as destination performs the DNAT).
config firewall policy
    edit 53
        set name "To_SiteB"
        set srcintf "BNET_L2" "VLAN50"
        set dstintf "IPSec_VGGN"
        set action accept
        set srcaddr "192.168.20.0/24" "192.168.50.0/24"
        # Destination is the VIP, i.e. 192.168.250.x rewritten to 192.168.1.x.
        # NOTE(review): the route lookup sees the translated destination, not
        # 192.168.250.x; with a LAN route for 192.168.1.0/24 already present,
        # dstintf alone does not steer these packets into the tunnel — verify
        # with a debug-flow trace.
        set dstaddr "SiteB_NAT"
        set schedule "always"
        # NOTE(review): all services are permitted and fully logged; tighten the
        # service list once the required protocols between the sites are known.
        set service "ALL"
        set logtraffic all
    next
end

# Inbound: Site B -> Site A LANs; the one-to-one pool SNATs 192.168.1.x -> 192.168.250.x.
config firewall policy
    edit 55
        set name "From_VGGN"
        set srcintf "IPSec_VGGN"
        set dstintf "BNET_L2" "VLAN50"
        set action accept
        # NOTE(review): packets sourced from 192.168.1.0/24 arriving on the
        # tunnel interface may fail the reverse-path (anti-spoofing) check when
        # the only route to 192.168.1.0/24 points at the LAN — confirm with a
        # debug-flow trace before relying on this policy.
        set srcaddr "192.168.1.0/24"
        set dstaddr "192.168.20.0/24" "192.168.50.0/24"
        set schedule "always"
        # NOTE(review): all services are allowed in from the remote site;
        # restrict this to what Site B actually needs to reach.
        set service "ALL"
        set logtraffic all
        # Source NAT through the one-to-one pool so Site A hosts reply to
        # 192.168.250.x instead of their own overlapping 192.168.1.x.
        set nat enable
        set ippool enable
        set poolname "SNAT_SiteB"
        set comments "From_VGGN"
    next
end

But then there is a problem: the FortiGate applies the destination NAT before the route lookup, so once policy 53 has translated 192.168.250.x to 192.168.1.x it would still look up a route for 192.168.1.0/24 and forward the packet to the LAN interface, right?
How can I overcome this? Is it somehow possible to make a route that applies only to traffic matched by policy 53?
Or is there a different, better solution to this problem (I cannot change the subnet at Site B)?



