Reenvio multicast en LAN extendida mediante VPN StS.

Para temas relacionados con el enrutamiento (estatico, basado en politicas, RIP, OSPF,...)
mariotc
Mensajes: 1
Registrado: 21 Jul 2016, 18:17

Reenvio multicast en LAN extendida mediante VPN StS.

Mensaje por mariotc »

Buen día estimados.
Estoy buscando la solución a este problema hace bastante tiempo, lo que necesito es extender una subred en la cual existe trafico multicast mediante una VPN StS. He conseguido extender la red LAN sin problemas utilizando IPs virtuales y NAT, el problema está en que no logro hacer pasar el multicast.
Necesito extender la red LAN ya que no cuento con acceso a la administración del router al que se conecta la mencionada LAN, y por dicho motivo me obligo a extender la misma.
Envio diagrama de un laboratorio que tengo montado en el que realizo las pruebas. Los segmentos de IP colocados son de prueba, así también la estructura. En ambos extremos del StS utilizo equipos Fortigate 60C.

Adjunto config resumida cada equipo forti de mi laboratorio y diagrama.


Desde ya muchas gracias.
Saludos att.
Mario.


Código: Seleccionar todo

Config FORTIGATE "LOCAL"

#global_vdom=1
config system global
    set fgd-alert-subscription advisory latest-threat
    set gui-antivirus disable
    set gui-application-control disable
    set gui-endpoint-control disable
    set gui-local-in-policy enable
    set gui-multicast-policy enable
    set gui-wan-load-balancing disable
    set gui-webfilter disable
    set gui-wireless-controller disable
    set hostname "LOCAL"
    set internal-switch-mode interface
    set timezone 04
end
config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https http fgfm capwap
        set type physical
        set snmp-index 1
    next
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm auto-ipsec
        set type physical
        set snmp-index 2
    next
    edit "wan1"
        set vdom "root"
        set ip 182.33.1.1 255.255.255.252
        set allowaccess ping https ssh http
        set type physical
        set alias "Internet"
        set snmp-index 3
    next
    edit "modem"
        set vdom "root"
        set mode pppoe
        set type physical
        set snmp-index 4
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 7
    next
    edit "internal1"
        set vdom "root"
        set ip 10.22.33.54 255.255.255.0
        set allowaccess ping
        set type physical
        set alias "CONSOLAS"
        set device-identification enable
        set snmp-index 8
    next
    edit "internal2"
        set vdom "root"
        set type physical
        set snmp-index 9
    next
    edit "internal3"
        set vdom "root"
        set type physical
        set snmp-index 10
    next
    edit "internal4"
        set vdom "root"
        set type physical
        set snmp-index 11
    next
    edit "internal5"
        set vdom "root"
        set type physical
        set snmp-index 12
    next
    edit "STS"
        set vdom "root"
        set type tunnel
        set snmp-index 5
        set interface "wan1"
    next
end
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name h323
        set protocol 6
        set port 1720
    next
    edit 3
        set name ras
        set protocol 17
        set port 1719
    next
    edit 4
        set name tns
        set protocol 6
        set port 1521
    next
    edit 5
        set name tftp
        set protocol 17
        set port 69
    next
    edit 6
        set name rtsp
        set protocol 6
        set port 554
    next
    edit 7
        set name rtsp
        set protocol 6
        set port 7070
    next
    edit 8
        set name rtsp
        set protocol 6
        set port 8554
    next
    edit 9
        set name ftp
        set protocol 6
        set port 21
    next
    edit 10
        set name mms
        set protocol 6
        set port 1863
    next
    edit 11
        set name pmap
        set protocol 6
        set port 111
    next
    edit 12
        set name pmap
        set protocol 17
        set port 111
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
    edit 14
        set name dns-udp
        set protocol 17
        set port 53
    next
    edit 15
        set name rsh
        set protocol 6
        set port 514
    next
    edit 16
        set name rsh
        set protocol 6
        set port 512
    next
    edit 17
        set name dcerpc
        set protocol 6
        set port 135
    next
    edit 18
        set name dcerpc
        set protocol 17
        set port 135
    next
    edit 19
        set name mgcp
        set protocol 17
        set port 2427
    next
    edit 20
        set name mgcp
        set protocol 17
        set port 2727
    next
end
config system ntp
    set ntpsync enable
    set syncinterval 60
end
config system settings
    set multicast-ttl-notchange enable
end
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "all"
    next
    edit "none"
        set subnet 0.0.0.0 255.255.255.255
    next
    edit "apple"
        set type fqdn
        set fqdn "*.apple.com"
    next
    edit "dropbox.com"
        set type fqdn
        set fqdn "*.dropbox.com"
    next
    edit "Gotomeeting"
        set type fqdn
        set fqdn "*.gotomeeting.com"
    next
    edit "icloud"
        set type fqdn
        set fqdn "*.icloud.com"
    next
    edit "itunes"
        set type fqdn
        set fqdn "*itunes.apple.com"
    next
    edit "android"
        set type fqdn
        set fqdn "*.android.com"
    next
    edit "skype"
        set type fqdn
        set fqdn "*.messenger.live.com"
    next
    edit "swscan.apple.com"
        set type fqdn
        set fqdn "swscan.apple.com"
    next
    edit "update.microsoft.com"
        set type fqdn
        set fqdn "update.microsoft.com"
    next
    edit "appstore"
        set type fqdn
        set fqdn "*.appstore.com"
    next
    edit "eease"
        set type fqdn
        set fqdn "*.eease.com"
    next
    edit "google-drive"
        set type fqdn
        set fqdn "*drive.google.com"
    next
    edit "google-play"
        set type fqdn
        set fqdn "play.google.com"
    next
    edit "google-play2"
        set type fqdn
        set fqdn "*.ggpht.com"
    next
    edit "google-play3"
        set type fqdn
        set fqdn "*.books.google.com"
    next
    edit "microsoft"
        set type fqdn
        set fqdn "*.microsoft.com"
    next
    edit "adobe"
        set type fqdn
        set fqdn "*.adobe.com"
    next
    edit "Adobe Login"
        set type fqdn
        set fqdn "*.adobelogin.com"
    next
    edit "fortinet"
        set type fqdn
        set fqdn "*.fortinet.com"
    next
    edit "googleapis.com"
        set type fqdn
        set fqdn "*.googleapis.com"
    next
    edit "citrix"
        set type fqdn
        set fqdn "*.citrixonline.com"
    next
    edit "verisign"
        set type fqdn
        set fqdn "*.verisign.com"
    next
    edit "Windows update 2"
        set type fqdn
        set fqdn "*.windowsupdate.com"
    next
    edit "*.live.com"
        set type fqdn
        set fqdn "*.live.com"
    next
    edit "auth.gfx.ms"
        set type fqdn
        set fqdn "auth.gfx.ms"
    next
    edit "autoupdate.opera.com"
        set type fqdn
        set fqdn "autoupdate.opera.com"
    next
    edit "softwareupdate.vmware.com"
        set type fqdn
        set fqdn "softwareupdate.vmware.com"
    next
    edit "firefox update server"
        set type fqdn
        set fqdn "aus*.mozilla.org"
    next
    edit "STS_local_subnet_1"
        set subnet 10.0.0.0 255.0.0.0
    next
    edit "STS_remote_subnet_1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "PC1-REMOTA"
        set associated-interface "STS"
        set subnet 192.168.1.55 255.255.255.255
    next
    edit "PC2-REMOTA"
        set subnet 192.168.1.56 255.255.255.255
    next
end
config firewall multicast-address
    edit "all"
        set start-ip 224.0.0.0
        set end-ip 239.255.255.255
    next
    edit "all_hosts"
        set start-ip 224.0.0.1
        set end-ip 224.0.0.1
    next
    edit "all_routers"
        set start-ip 224.0.0.2
        set end-ip 224.0.0.2
    next
    edit "Bonjour"
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
    edit "EIGRP"
        set start-ip 224.0.0.10
        set end-ip 224.0.0.10
    next
    edit "OSPF"
        set start-ip 224.0.0.5
        set end-ip 224.0.0.6
    next
    edit "audio PRUEBA"
        set start-ip 224.0.0.0
        set end-ip 239.255.255.255
    next
end
config firewall addrgrp
    edit "STS_local"
        set member "STS_local_subnet_1"
        set comment "VPN: STS (Created by VPN wizard)"
    next
    edit "STS_remote"
        set member "STS_remote_subnet_1"
        set comment "VPN: STS (Created by VPN wizard)"
    next
end

config vpn ipsec phase1-interface
    edit "STS"
        set interface "wan1"
        set comments "VPN: STS (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 182.33.1.2
        set psksecret ENC
      key key
    next
end
config vpn ipsec phase2-interface
    edit "STS"
        set phase1name "STS"
        set comments "VPN: STS (Created by VPN wizard)"
    next
end
config firewall ippool
    edit "PC1_ROMOTA"
        set type one-to-one
        set startip 10.22.33.55
        set endip 10.22.33.55
    next
    edit "PC2-REMOTA"
        set type one-to-one
        set startip 10.22.33.56
        set endip 10.22.33.56
    next
end
config firewall vip
    edit "PC1_ROMOTA"
        set extip 10.22.33.55
        set extintf "internal1"
        set mappedip "192.168.1.55"
    next
    edit "PC2_ROMOTA"
        set extip 10.22.33.56
        set extintf "internal1"
        set mappedip "192.168.1.56"
    next
end
config firewall policy
    edit 3
        set srcintf "internal1"
        set dstintf "STS"
        set srcaddr "all"
        set dstaddr "PC2_ROMOTA"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: STS (Created by VPN wizard)"
    next
    edit 1
        set srcintf "internal1"
        set dstintf "STS"
        set srcaddr "all"
        set dstaddr "PC1_ROMOTA"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: STS (Created by VPN wizard)"
    next
    edit 4
        set srcintf "STS"
        set dstintf "internal1"
        set srcaddr "PC2-REMOTA"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: STS (Created by VPN wizard)"
        set nat enable
        set ippool enable
        set poolname "PC2-REMOTA"
    next
    edit 2
        set srcintf "STS"
        set dstintf "internal1"
        set srcaddr "PC1-REMOTA"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set comments "VPN: STS (Created by VPN wizard)"
        set nat enable
        set ippool enable
        set poolname "PC1_ROMOTA"
    next
end
config firewall multicast-policy
    edit 1
        set logtraffic enable
        set srcintf "internal1"
        set dstintf "STS"
        set srcaddr "all"
        set dstaddr "audio PRUEBA"
    next
    edit 2
        set logtraffic enable
        set srcintf "STS"
        set dstintf "internal1"
        set srcaddr "all"
        set dstaddr "audio PRUEBA"
    next
end
config router static
    edit 1
        set gateway 10.22.33.1
        set device "internal1"
    next
    edit 2
        set dst 192.168.1.0 255.255.255.0
        set device "STS"
        set comment "VPN: STS (Created by VPN wizard)"
    next
    edit 3
        set dst 10.0.0.0 255.0.0.0
        set gateway 10.22.33.1
        set distance 1
        set device "internal1"
    next
end
config router multicast
end


Código: Seleccionar todo

Config FORTIGATE "REMOTO"

#global_vdom=1
config system global
    set fgd-alert-subscription advisory latest-threat
    set gui-antivirus disable
    set gui-application-control disable
    set gui-endpoint-control disable
    set gui-multicast-policy enable
    set gui-wan-load-balancing disable
    set gui-webfilter disable
    set gui-wireless-controller disable
    set hostname "REMOTO"
    set internal-switch-mode interface
    set timezone 04
end
config system switch-interface
    edit "sw"
        set vdom "root"
        set member "internal1" "internal2" "internal3" "internal4" "internal5"
        set span enable
        set span-dest-port "internal5"
        set span-source-port "internal1" "internal2"
    next
end
config system interface
    edit "dmz"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https http fgfm capwap
        set type physical
        set snmp-index 1
    next
    edit "wan2"
        set vdom "root"
        set mode dhcp
        set allowaccess ping fgfm auto-ipsec
        set type physical
        set snmp-index 2
    next
    edit "wan1"
        set vdom "root"
        set ip 182.33.1.2 255.255.255.252
        set allowaccess ping
        set type physical
        set alias "Internet"
        set snmp-index 3
    next
    edit "modem"
        set vdom "root"
        set mode pppoe
        set type physical
        set snmp-index 4
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 7
    next
    edit "internal1"
        set vdom "root"
        set type physical
        set snmp-index 9
    next
    edit "internal2"
        set vdom "root"
        set type physical
        set snmp-index 10
    next
    edit "internal3"
        set vdom "root"
        set type physical
        set snmp-index 11
    next
    edit "internal4"
        set vdom "root"
        set type physical
        set snmp-index 12
    next
    edit "internal5"
        set vdom "root"
        set type physical
        set snmp-index 13
    next
    edit "sw"
        set vdom "root"
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh http
        set type switch
        set device-identification enable
        set snmp-index 6
    next
    edit "STS"
        set vdom "root"
        set type tunnel
        set snmp-index 5
        set interface "wan1"
    next
end
config system dns
    set primary 208.91.112.53
    set secondary 208.91.112.52
end
config system session-helper
    edit 1
        set name pptp
        set protocol 6
        set port 1723
    next
    edit 2
        set name h323
        set protocol 6
        set port 1720
    next
    edit 3
        set name ras
        set protocol 17
        set port 1719
    next
    edit 4
        set name tns
        set protocol 6
        set port 1521
    next
    edit 5
        set name tftp
        set protocol 17
        set port 69
    next
    edit 6
        set name rtsp
        set protocol 6
        set port 554
    next
    edit 7
        set name rtsp
        set protocol 6
        set port 7070
    next
    edit 8
        set name rtsp
        set protocol 6
        set port 8554
    next
    edit 9
        set name ftp
        set protocol 6
        set port 21
    next
    edit 10
        set name mms
        set protocol 6
        set port 1863
    next
    edit 11
        set name pmap
        set protocol 6
        set port 111
    next
    edit 12
        set name pmap
        set protocol 17
        set port 111
    next
    edit 13
        set name sip
        set protocol 17
        set port 5060
    next
    edit 14
        set name dns-udp
        set protocol 17
        set port 53
    next
    edit 15
        set name rsh
        set protocol 6
        set port 514
    next
    edit 16
        set name rsh
        set protocol 6
        set port 512
    next
    edit 17
        set name dcerpc
        set protocol 6
        set port 135
    next
    edit 18
        set name dcerpc
        set protocol 17
        set port 135
    next
    edit 19
        set name mgcp
        set protocol 17
        set port 2427
    next
    edit 20
        set name mgcp
        set protocol 17
        set port 2727
    next
end
config system ntp
    set ntpsync enable
    set syncinterval 60
end
config system settings
    set multicast-ttl-notchange enable
end
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "all"
    next
    edit "none"
        set subnet 0.0.0.0 255.255.255.255
    next
    edit "apple"
        set type fqdn
        set fqdn "*.apple.com"
    next
    edit "dropbox.com"
        set type fqdn
        set fqdn "*.dropbox.com"
    next
    edit "Gotomeeting"
        set type fqdn
        set fqdn "*.gotomeeting.com"
    next
    edit "icloud"
        set type fqdn
        set fqdn "*.icloud.com"
    next
    edit "itunes"
        set type fqdn
        set fqdn "*itunes.apple.com"
    next
    edit "android"
        set type fqdn
        set fqdn "*.android.com"
    next
    edit "skype"
        set type fqdn
        set fqdn "*.messenger.live.com"
    next
    edit "swscan.apple.com"
        set type fqdn
        set fqdn "swscan.apple.com"
    next
    edit "update.microsoft.com"
        set type fqdn
        set fqdn "update.microsoft.com"
    next
    edit "appstore"
        set type fqdn
        set fqdn "*.appstore.com"
    next
    edit "eease"
        set type fqdn
        set fqdn "*.eease.com"
    next
    edit "google-drive"
        set type fqdn
        set fqdn "*drive.google.com"
    next
    edit "google-play"
        set type fqdn
        set fqdn "play.google.com"
    next
    edit "google-play2"
        set type fqdn
        set fqdn "*.ggpht.com"
    next
    edit "google-play3"
        set type fqdn
        set fqdn "*.books.google.com"
    next
    edit "microsoft"
        set type fqdn
        set fqdn "*.microsoft.com"
    next
    edit "adobe"
        set type fqdn
        set fqdn "*.adobe.com"
    next
    edit "Adobe Login"
        set type fqdn
        set fqdn "*.adobelogin.com"
    next
    edit "fortinet"
        set type fqdn
        set fqdn "*.fortinet.com"
    next
    edit "googleapis.com"
        set type fqdn
        set fqdn "*.googleapis.com"
    next
    edit "citrix"
        set type fqdn
        set fqdn "*.citrixonline.com"
    next
    edit "verisign"
        set type fqdn
        set fqdn "*.verisign.com"
    next
    edit "Windows update 2"
        set type fqdn
        set fqdn "*.windowsupdate.com"
    next
    edit "*.live.com"
        set type fqdn
        set fqdn "*.live.com"
    next
    edit "auth.gfx.ms"
        set type fqdn
        set fqdn "auth.gfx.ms"
    next
    edit "autoupdate.opera.com"
        set type fqdn
        set fqdn "autoupdate.opera.com"
    next
    edit "softwareupdate.vmware.com"
        set type fqdn
        set fqdn "softwareupdate.vmware.com"
    next
    edit "firefox update server"
        set type fqdn
        set fqdn "aus*.mozilla.org"
    next
    edit "STS_local_subnet_1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "STS_remote_subnet_1"
        set subnet 10.0.0.0 255.0.0.0
    next
end
config firewall multicast-address
    edit "all"
        set start-ip 224.0.0.0
        set end-ip 239.255.255.255
    next
    edit "all_hosts"
        set start-ip 224.0.0.1
        set end-ip 224.0.0.1
    next
    edit "all_routers"
        set start-ip 224.0.0.2
        set end-ip 224.0.0.2
    next
    edit "Bonjour"
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
    edit "EIGRP"
        set start-ip 224.0.0.10
        set end-ip 224.0.0.10
    next
    edit "OSPF"
        set start-ip 224.0.0.5
        set end-ip 224.0.0.6
    next
    edit "audio PRUEBA"
        set start-ip 224.0.0.0
        set end-ip 239.255.255.255
    next
end
config firewall addrgrp
    edit "STS_local"
        set member "STS_local_subnet_1"
        set comment "VPN: STS (Created by VPN wizard)"
    next
    edit "STS_remote"
        set member "STS_remote_subnet_1"
        set comment "VPN: STS (Created by VPN wizard)"
    next
end
config vpn ipsec phase1-interface
    edit "STS"
        set interface "wan1"
        set comments "VPN: STS (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 182.33.1.1
        set psksecret ENC
      KEY.KEY
    next
end
config vpn ipsec phase2-interface
    edit "STS"
        set phase1name "STS"
        set comments "VPN: STS (Created by VPN wizard)"
    next
end

config firewall policy
    edit 1
        set srcintf "sw"
        set dstintf "STS"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: STS (Created by VPN wizard)"
    next
    edit 2
        set srcintf "STS"
        set dstintf "sw"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VPN: STS (Created by VPN wizard)"
    next
    edit 3
        set srcintf "sw"
        set dstintf "wan1"
        set srcaddr "STS_local_subnet_1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
config firewall multicast-policy
    edit 1
        set srcintf "STS"
        set dstintf "sw"
        set srcaddr "all"
        set dstaddr "audio PRUEBA"
    next
    edit 2
        set srcintf "sw"
        set dstintf "STS"
        set srcaddr "all"
        set dstaddr "audio PRUEBA"
    next
end
config router static
    edit 1
        set priority 1
        set device "STS"
    next
    edit 2
        set dst 10.0.0.0 255.0.0.0
        set distance 1
        set device "STS"
        set comment "VPN: STS (Created by VPN wizard)"
    next
end
config router multicast
end
No tiene los permisos requeridos para ver los archivos adjuntos a este mensaje.
Responder