Most of the time when you create site-to-site VPN tunnels the Phase 2 Quick Mode Selector just doesn't cut it. In FortiOS 2.8 you were able to choose between manually entering source and destination addresses or selecting objects from a drop-down list. This feature is absolutely essential when creating VPNs that contain discontiguous subnets. A good example:
Source subnets: 172.16.1.0/24 and 192.168.1.0/24, destination subnets: 172.16.99.0/24 and 10.1.1.0/24.
In FortiOS 3.0 up to MR6 the drop-down option no longer exists in the GUI. However, you can still pop the hood and get at the internals using the CLI. Here's how:
- In the GUI define the local and remote subnets for the VPN
- Group local and remote subnets into separate address groups (e.g. "encdom-local-remote" and "encdom-remote-local")
- On the CLI, edit the phase 2 entry that belongs to the tunnel (the phase 2 name below is a placeholder for your own entry)
- # config vpn ipsec phase2 (or # config vpn ipsec phase2-interface if you are using interface mode)
- # edit <phase2-name>
- # set src-addr-type name
- # set src-name encdom-local-remote (the address group containing your local subnets)
- # set dst-addr-type name
- # set dst-name encdom-remote-local (the address group containing the remote subnets)
- # next
- # end
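The whole procedure above (address objects, the two address groups, and the phase 2 selector settings) is easy to get subtly wrong by hand, so here is an added Python example, not part of the original post and not Fortinet code, that generates the complete CLI from the subnet lists and refuses to emit anything when a local subnet overlaps a remote one (overlapping selectors make it ambiguous which side a destination belongs to). The phase 1 and phase 2 names, and the address object naming scheme, are placeholders I chose; the group names are the ones used in the post.

```python
import ipaddress

# Constructed sample input: the discontiguous subnets from the post.
LOCAL_SUBNETS = ["172.16.1.0/24", "192.168.1.0/24"]
REMOTE_SUBNETS = ["172.16.99.0/24", "10.1.1.0/24"]

# Address group names as used in the post.
LOCAL_GROUP = "encdom-local-remote"
REMOTE_GROUP = "encdom-remote-local"


def parse_subnets(subnets):
    """Parse CIDR strings; strict=True rejects entries with host bits set
    (e.g. 172.16.1.5/24), which would otherwise silently become a wrong object."""
    return [ipaddress.ip_network(s, strict=True) for s in subnets]


def check_selectors(local, remote):
    """Local and remote selectors must not overlap: an address matching both
    sides cannot be routed unambiguously through the tunnel."""
    for l in local:
        for r in remote:
            if l.overlaps(r):
                raise ValueError(f"local {l} overlaps remote {r}")


def address_objects(prefix, nets):
    """Emit one 'config firewall address' entry per subnet; returns the CLI
    lines and the object names (placeholder naming scheme: prefix-net_len)."""
    lines = ["config firewall address"]
    names = []
    for n in nets:
        name = f"{prefix}-{n.network_address}_{n.prefixlen}"
        names.append(name)
        lines += [f'    edit "{name}"',
                  f"        set subnet {n.network_address} {n.netmask}",
                  "    next"]
    lines.append("end")
    return lines, names


def address_group(name, members):
    """Emit a 'config firewall addrgrp' entry holding the given objects."""
    member_str = " ".join(f'"{m}"' for m in members)
    return ["config firewall addrgrp", f'    edit "{name}"',
            f"        set member {member_str}", "    next", "end"]


def phase2_selectors(phase2_name, phase1_name, local_grp, remote_grp,
                     interface_mode=False):
    """Emit the phase 2 selector settings from the post; interface mode uses
    the phase2-interface table instead of phase2."""
    table = "phase2-interface" if interface_mode else "phase2"
    return [f"config vpn ipsec {table}",
            f'    edit "{phase2_name}"',
            f'        set phase1name "{phase1_name}"',
            "        set src-addr-type name",
            f'        set src-name "{local_grp}"',
            "        set dst-addr-type name",
            f'        set dst-name "{remote_grp}"',
            "    next", "end"]


def build_config(local_subnets, remote_subnets, phase2_name="p2-siteB",
                 phase1_name="p1-siteB", interface_mode=False):
    """Validate the subnet lists and return the full CLI as a list of lines."""
    local = parse_subnets(local_subnets)
    remote = parse_subnets(remote_subnets)
    check_selectors(local, remote)
    local_lines, local_names = address_objects("local", local)
    remote_lines, remote_names = address_objects("remote", remote)
    out = local_lines + remote_lines
    out += address_group(LOCAL_GROUP, local_names)
    out += address_group(REMOTE_GROUP, remote_names)
    out += phase2_selectors(phase2_name, phase1_name, LOCAL_GROUP, REMOTE_GROUP,
                            interface_mode)
    return out


if __name__ == "__main__":
    print("\n".join(build_config(LOCAL_SUBNETS, REMOTE_SUBNETS)))
```

Paste the printed output into the CLI; if you use interface mode, call build_config with interface_mode=True so the phase2-interface table is used.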