Friday, March 12, 2010

vpn between fortigate and netscreen

ipsec policy based vpn

A (FortiGate 110C) with multiple private zones, say,
B (NetScreen 25) with multiple private zones, say,
A routable address block can also be attached to each of these devices.

A's WAN/uplink IP address is different from any routable block it is responsible for.

A's wan ip: 74.85.x.x
B's wan ip: 64.147.y.y

A is responsible for office; B for the data center.

You want your workers to connect to machines in from their work machines in

How to solve this problem:

create a policy based site-to-site vpn.

On A:

vpn --> ipsec --> phase 1 proposal

Remote gateway: B's WAN IP address. Then pick the authentication method (preshared key, DSA or RSA signature), DH group (1, 2 or 5), symmetric encryption (DES, 3DES, AES), hash (MD5, SHA1) and key lifetime. Every one of these has to match what you configure on B, otherwise phase 1 never completes. Avoid DES, MD5 and group 1 when both boxes support AES, SHA1 and group 5.
outgoing interface: the untrust interface

phase 2 proposal: -->
encryption, hash (the ESP authentication algorithm), DH group if PFS is on, key life. For a policy-based tunnel the phase 2 selectors (local and remote address blocks, i.e. the proxy IDs) also have to mirror what B puts in its VPN policy; a mismatch there is the usual reason phase 1 comes up but no traffic passes.

Next create the policy that puts the address blocks on top of the tunnel: from the trust side to the untrust side (internal --> wan on the FortiGate, Trust --> Untrust on the NetScreen), source = the local block, destination = the remote block. Fortinet: action encrypt (IPSEC) with the tunnel selected and inbound/outbound allowed; NetScreen: action tunnel, paired with the matching Untrust --> Trust policy so return traffic is matched too.

Make sure that this policy stays on top of the others. Policies are matched first-hit, so a broader permit/NAT policy above it will send the packets out the default route in the clear (or NAT'd) instead of into the tunnel, and they end up in a black hole.
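The whole procedure above on both boxes, as an added example (written for this page, not the original post's or either vendor's own config). It assumes an office LAN of 10.1.0.0/16 behind A and a data-center LAN of 10.2.0.0/16 behind B, interfaces internal/wan1 on the FortiGate and ethernet1 (Trust)/ethernet3 (Untrust) on the NetScreen, preshared-key authentication with AES256/SHA1/DH group 5, and the object names, policy ids and placeholder secret shown; all of those are assumptions to replace with your own values.

```text
# ---- A: FortiGate 110C, FortiOS 4.0 CLI (assumed interfaces: internal, wan1) ----
config firewall address
    edit "office-lan"
        set subnet 10.1.0.0 255.255.0.0      # assumed local block behind A
    next
    edit "dc-lan"
        set subnet 10.2.0.0 255.255.0.0      # assumed remote block behind B
    next
end
config vpn ipsec phase1
    edit "to-netscreen"
        set interface "wan1"                 # outgoing (untrust) interface
        set remote-gw 64.147.y.y             # B's WAN IP
        set mode main
        set proposal aes256-sha1             # must equal B's p1-proposal
        set dhgrp 5
        set keylife 28800
        set psksecret <shared-secret>        # placeholder, same string on B
    next
end
config vpn ipsec phase2
    edit "to-netscreen-p2"
        set phase1name "to-netscreen"
        set proposal aes256-sha1             # must equal B's p2-proposal
        set pfs enable
        set dhgrp 5
        set keylifeseconds 3600
        set src-subnet 10.1.0.0 255.255.0.0  # proxy IDs: mirror of B's policy
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
config firewall policy
    edit 10
        set srcintf "internal"               # trust --> untrust
        set dstintf "wan1"
        set srcaddr "office-lan"
        set dstaddr "dc-lan"
        set action ipsec                     # "encrypt" in older FortiOS GUIs
        set vpntunnel "to-netscreen"
        set inbound enable                   # also allow dc-lan --> office-lan
        set outbound enable
        set schedule "always"
        set service "ANY"
    next
    move 10 before 1                         # above the general outbound policy (assumed id 1)
end

# ---- B: NetScreen 25, ScreenOS CLI (assumed interfaces: ethernet1 Trust, ethernet3 Untrust) ----
set address "Trust" "dc-lan" 10.2.0.0 255.255.0.0
set address "Untrust" "office-lan" 10.1.0.0 255.255.0.0
set ike p1-proposal "p1-pre-g5-aes256-sha" preshare group5 esp aes256 sha-1 second 28800
set ike p2-proposal "p2-g5-esp-aes256-sha" group5 esp aes256 sha-1 second 3600
set ike gateway "gw-fortigate" address 74.85.x.x Main outgoing-interface ethernet3 preshare "<shared-secret>" proposal "p1-pre-g5-aes256-sha"
set vpn "vpn-fortigate" gateway "gw-fortigate" proposal "p2-g5-esp-aes256-sha"
# "top" puts both tunnel policies above everything else in their zone pair;
# policy 11 is the return direction and is paired with 10 so one tunnel serves both.
set policy id 10 top from "Trust" to "Untrust" "dc-lan" "office-lan" "ANY" tunnel vpn "vpn-fortigate"
set policy id 11 top from "Untrust" to "Trust" "office-lan" "dc-lan" "ANY" tunnel vpn "vpn-fortigate" pair-policy 10
```

The two things to check line by line before blaming the other side: the phase 1 and phase 2 proposals are identical on A and B (algorithm, DH group and lifetime), and the FortiGate phase 2 src-subnet/dst-subnet are exactly the NetScreen policy's source/destination address objects swapped, since the NetScreen derives its proxy ID from the policy. After committing, the tunnel policy must be the first match for traffic between the two blocks on both boxes; anything above it that also matches will carry the packets away unencrypted.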
