IPsec policy-based VPN
A (FortiGate 110C) with multiple private zones, say, 10.5.0.0/23
B (NetScreen 25) with multiple private zones, say, 172.31.0.0/24
A routable address block can also sit behind each of these devices.
A's WAN/uplink IP address is different from any routable block it is responsible for.
A's WAN IP: 74.85.x.x
B's WAN IP: 64.147.y.y
A is responsible for the office; B for the data center.
You want your workers to reach machines in 172.31.0.0/24 from their work machines in 10.5.0.0/23.
How to solve this problem:
Create a policy-based site-to-site VPN.
On A:
VPN --> IPsec --> Phase 1 proposal
Add B's WAN IP address, along with the authentication method (preshared key, DSA, RSA), DH group (1, 2, 5), symmetric encryption (DES, 3DES, AES), hash (MD5, SHA1) and key lifetime.
Outgoing interface: the untrust interface.
Phase 2 proposal:
10.5.0.0/23 --> 172.31.0.0/24
Authentication, encryption, hash, DH group, key lifetime.
Next create a policy from untrust to trust, with the address blocks as source and destination and the tunnel as the action. Fortinet calls the action "encrypt"; NetScreen calls it "tunnel".
Make sure this policy stays above the others; otherwise the default policy can forward your packets elsewhere and they disappear into a black hole.
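The same procedure written out for both boxes, as an added example that is not part of the original post or of either vendor's documentation. Interface names (wan1/internal on the FortiGate, untrust/trust on the NetScreen), the object and tunnel names, the 3DES/SHA1/DH group 2 proposals and the lifetimes are assumptions; the "x.x"/"y.y" octets are the post's own redaction, the preshared key is a placeholder, and the `#` lines are annotations rather than CLI input.

```text
# ---- A: FortiGate 110C (FortiOS CLI, policy-based VPN) ----
config vpn ipsec phase1
    edit "to-datacenter"
        set interface "wan1"             # assumed name of the untrust/WAN interface
        set remote-gw 64.147.y.y         # B's WAN IP (placeholder octets from the post)
        set proposal 3des-sha1           # assumed: 3DES encryption, SHA1 hash
        set dhgrp 2                      # assumed DH group
        set keylife 28800                # assumed phase 1 lifetime, seconds
        set psksecret <PSK-PLACEHOLDER>  # must be the same string on B
    next
end
config vpn ipsec phase2
    edit "to-datacenter-p2"
        set phase1name "to-datacenter"
        set proposal 3des-sha1
        set pfs enable
        set dhgrp 2
        set keylifeseconds 3600          # assumed phase 2 lifetime
        set src-subnet 10.5.0.0 255.255.254.0    # office side of the selector
        set dst-subnet 172.31.0.0 255.255.255.0  # data center side of the selector
    next
end
config firewall address
    edit "office-lan"
        set subnet 10.5.0.0 255.255.254.0
    next
    edit "dc-lan"
        set subnet 172.31.0.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "internal"           # assumed name of the trust interface
        set dstintf "wan1"
        set srcaddr "office-lan"
        set dstaddr "dc-lan"
        set action ipsec                 # the "encrypt" action: matching traffic enters the tunnel
        set schedule "always"
        set service "ANY"
        set inbound enable               # also accept traffic arriving from the tunnel
        set outbound enable
        set vpntunnel "to-datacenter"
    next
end
# Policy IDs do not define evaluation order; if a broader policy sits above this one,
# "move 1 before <id>" inside "config firewall policy" puts the VPN policy first.

# ---- B: NetScreen 25 (ScreenOS CLI) ----
set address "trust" "dc-lan" 172.31.0.0 255.255.255.0
set address "untrust" "office-lan" 10.5.0.0 255.255.254.0
set ike gateway "to-office" address 74.85.x.x main outgoing-interface "untrust" preshare "<PSK-PLACEHOLDER>" proposal "pre-g2-3des-sha"
set vpn "office-vpn" gateway "to-office" proposal "g2-esp-3des-sha"
# Proxy ID mirrors A's phase 2 selector: A's destination is B's local, A's source is B's remote
set vpn "office-vpn" proxy-id local-ip 172.31.0.0/24 remote-ip 10.5.0.0/23 "ANY"
# "top" places the policy first so the default policy never sees this traffic
set policy top from "trust" to "untrust" "dc-lan" "office-lan" "ANY" tunnel vpn "office-vpn"
set policy top from "untrust" to "trust" "office-lan" "dc-lan" "ANY" tunnel vpn "office-vpn"
```

The two things to check after pasting this in: the phase 2 selector on A (10.5.0.0/23 to 172.31.0.0/24) and the proxy ID on B (local 172.31.0.0/24, remote 10.5.0.0/23) must be exact mirrors, otherwise phase 1 completes but phase 2 never does and no traffic flows; and on both boxes the tunnel policy must be evaluated before any general outbound policy, which is what the comment on A and the `top` keyword on B take care of.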