NETWORK ENGINEER BLOG


How to configure IPsec on a FortiGate

This post shows an example of enabling VDOMs on a FortiGate and configuring IPsec inside a VDOM. It is an IPsec VPN configuration for a hub-and-spoke network topology, assuming the hub side has a fixed IP address and the spoke side has a dynamic (non-fixed) IP address.

Hub-side Phase 1 configuration

config vdom
edit VDOM-A
config vpn ipsec phase1-interface
edit VDOM-A-IPsec
set interface wan-lag-v10
set mode aggressive
set type dynamic
set psksecret ****
end

Hub-side Phase 2 configuration

config vpn ipsec phase2-interface
edit VDOM-A-IPsec
set phase1name VDOM-A-IPsec
set src-subnet 192.168.100.0 255.255.255.0
set dst-subnet 192.168.200.0 255.255.255.0
end

Hub-side policy configuration

config vdom
edit VDOM-A
config firewall policy
edit 1
set srcintf "VDOM-A-IPsec"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set srcintf "any"
set dstintf "VDOM-A-IPsec"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
next
edit 3
set srcintf "lan-lag-v100"
set dstintf "wan-lag-v10"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end

Spoke-side Phase 1 configuration

config vpn ipsec phase1-interface
edit VDOM-A-IPsec
set interface "wan1"
set mode aggressive
set remote-gw 10.1.1.1
set psksecret ****
end

Spoke-side Phase 2 configuration

config vpn ipsec phase2-interface
edit "VDOM-A-IPsec"
set phase1name "VDOM-A-IPsec"
set src-subnet 192.168.200.0 255.255.255.0
set dst-subnet 192.168.100.0 255.255.255.0
end

Spoke-side route configuration

config router static
edit 1
set dst 192.168.100.0 255.255.255.0
set device "VDOM-A-IPsec"
end
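The hub and spoke halves above only form a working tunnel if they agree with each other: the hub's phase1 must be `type dynamic` so a spoke with a changing address can dial in, the spoke's `remote-gw` must be the hub's WAN address, the phase2 selectors must mirror (hub `src-subnet` equals spoke `dst-subnet` and vice versa), the spoke needs a static route into the tunnel interface, and the hub needs accept policies in both directions on the tunnel interface. The following is an added example, not code from the original post: a small Python parser for FortiOS CLI `config`/`edit`/`set`/`next`/`end` blocks plus a consistency check over both sides. The hub WAN address 10.1.1.1 is an assumption taken from the spoke's `remote-gw` (the hub side never states it); the embedded config is a constructed sample that drops `psksecret`, `set mode`, `set interface`, `schedule`/`service` and hub policy 3, none of which the checks look at. It also flags the `all`/`all` policies on the tunnel as a warning, since narrowing them to the phase2 subnets is the usual hardening step.

```python
# Added example, not from the original post: parse the FortiOS CLI blocks above and check that the
# hub and spoke agree. Assumed: hub WAN is 10.1.1.1 (from the spoke's remote-gw); config is a trimmed sample.
import shlex

HUB = """
config vdom
edit VDOM-A
config vpn ipsec phase1-interface
edit VDOM-A-IPsec
set type dynamic
end
config vpn ipsec phase2-interface
edit VDOM-A-IPsec
set phase1name VDOM-A-IPsec
set src-subnet 192.168.100.0 255.255.255.0
set dst-subnet 192.168.200.0 255.255.255.0
end
config firewall policy
edit 1
set srcintf "VDOM-A-IPsec"
set dstintf "any"
set srcaddr "all"
set dstaddr "all"
set action accept
next
edit 2
set srcintf "any"
set dstintf "VDOM-A-IPsec"
set srcaddr "all"
set dstaddr "all"
set action accept
next
end
end
"""

SPOKE = """
config vpn ipsec phase1-interface
edit "VDOM-A-IPsec"
set remote-gw 10.1.1.1
end
config vpn ipsec phase2-interface
edit "VDOM-A-IPsec"
set phase1name "VDOM-A-IPsec"
set src-subnet 192.168.200.0 255.255.255.0
set dst-subnet 192.168.100.0 255.255.255.0
end
config router static
edit 1
set dst 192.168.100.0 255.255.255.0
set device "VDOM-A-IPsec"
end
"""

def parse_fortios(text):
    # Turn config/edit/set/next/end into nested dicts; stack holds (dict, kind) of the open scopes.
    root, stack = {}, []
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        cur = stack[-1][0] if stack else root
        if tok[0] in ("config", "edit"):
            stack.append((cur.setdefault(" ".join(tok[1:]), {}), tok[0]))
        elif tok[0] == "set":
            cur[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            stack.pop()                      # leave the current edit entry
        elif tok[0] == "end":
            if stack[-1][1] == "edit":
                stack.pop()                  # 'end' inside an entry saves it and also closes the table
            stack.pop()
        else:
            raise ValueError(f"unexpected CLI line: {raw!r}")
    return root

def tunnel_checks(hub, spoke, vdom, tunnel, hub_wan_ip):
    # Returns {"errors": [...], "warnings": [...]} for one hub/spoke pair of the named tunnel.
    hv = hub["vdom"][vdom]
    h1, h2 = hv["vpn ipsec phase1-interface"][tunnel], hv["vpn ipsec phase2-interface"][tunnel]
    s1, s2 = spoke["vpn ipsec phase1-interface"][tunnel], spoke["vpn ipsec phase2-interface"][tunnel]
    routes = spoke.get("router static", {}).values()
    pols = hv.get("firewall policy", {}).items()
    inbound = {i: p for i, p in pols if p.get("srcintf") == tunnel and p.get("action") == "accept"}
    outbound = {i: p for i, p in pols if p.get("dstintf") == tunnel and p.get("action") == "accept"}
    rules = [
        (h1.get("type") == "dynamic", "hub phase1 is not 'type dynamic'; a spoke without a fixed IP cannot dial in"),
        (s1.get("remote-gw") == hub_wan_ip, f"spoke remote-gw {s1.get('remote-gw')} is not the hub WAN {hub_wan_ip}"),
        ((h2.get("src-subnet"), h2.get("dst-subnet")) == (s2.get("dst-subnet"), s2.get("src-subnet")),
         "phase2 selectors do not mirror: hub src must equal spoke dst and vice versa"),
        (any(r.get("dst") == h2.get("src-subnet") and r.get("device") == tunnel for r in routes),
         "spoke has no static route to the hub subnet via the tunnel interface"),
        (bool(inbound), "hub has no accept policy for traffic arriving from the tunnel"),
        (bool(outbound), "hub has no accept policy for traffic leaving into the tunnel"),
    ]
    warnings = [f"hub policy {i} allows srcaddr/dstaddr all/all on the tunnel; narrow it to the phase2 subnets"
                for i, p in {**inbound, **outbound}.items() if (p.get("srcaddr"), p.get("dstaddr")) == ("all", "all")]
    return {"errors": [msg for ok, msg in rules if not ok], "warnings": warnings}

if __name__ == "__main__":
    print(tunnel_checks(parse_fortios(HUB), parse_fortios(SPOKE), "VDOM-A", "VDOM-A-IPsec", "10.1.1.1"))
```

Run as-is the sample yields no errors and two warnings (policies 1 and 2). Feeding it a modified spoke, for example one whose `dst-subnet` no longer matches the hub's `src-subnet`, produces the mirror-selector error, which is the mistake that most often shows up as "phase1 up, phase2 never negotiates" on the real devices. The parser is deliberately minimal (no `unset`, `append` or multi-value handling) and is meant for the CLI snippets shown here rather than a full backup file.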