vpn site to site entre fortigates
Publicado: 02 Nov 2010, 20:32
hola amigos,
El día de hoy tengo otro problemilla: tengo dos FortiGates, uno en la ciudad A y otro en la ciudad B, y quiero hacer una VPN entre ellos. Uno de los equipos sí cuenta con IP pública fija (el equipo de la ciudad A); el otro equipo está configurado con DynDNS, pero por alguna razón el túnel no se levanta. Seguí la guía de configuración de VPN basada en políticas. Les dejo la config de ambos equipos y, si necesitan algo más de información, me dicen. Ambos tienen firmware 4.0 MR1 y son FortiGate 50B y 60B respectivamente.
gracias por su ayuda
--------------------------------
config forti ciudad A
# Site A: phase 1 of the tunnel to site B. Site A has the fixed public IP and
# locates its peer by DNS name, so this phase 1 can only establish while
# "ejemplo.dyndns.org" resolves to site B's current public address.
# NOTE(review): the values that must agree between the two units (dhgrp, mode,
# keylife, authmethod, proposal overlap) do match site B's phase 1, so the reason
# the tunnel does not come up is presumably outside this paste: DDNS resolution,
# the IPSEC firewall policies, or a PSK that is not identical on both ends.
config vpn ipsec phase1
edit "VPN-A-B"
# ddns: the remote gateway is taken from remotegw-ddns below instead of a fixed remote-gw
set type ddns
set interface "wan1"
# 0.0.0.0 here presumably means "use wan1's own address" -- confirm on the unit
set local-gw 0.0.0.0
set localid ''
# dead peer detection; retry count and interval are set further down
set dpd enable
set nattraversal enable
# must equal site B's phase 1 dhgrp (it does: both use 5)
set dhgrp 5
# site B's phase 1 offers the same two entries, so phase 1 can agree on either;
# 3des is legacy -- once the tunnel is confirmed working, prefer aes128-sha1 alone
set proposal 3des-sha1 aes128-sha1
# phase 1 SA lifetime in seconds (8 h); identical on site B
set keylife 28800
set authmethod psk
# any peer ID is accepted: authentication rests entirely on the PSK
set peertype any
set xauthtype disable
# main mode; must match site B (it does)
set mode main
# DDNS hostname maintained by site B; it must resolve to B's current public address
set remotegw-ddns "ejemplo.dyndns.org"
set dpd-retrycount 3
set dpd-retryinterval 5
# ENC = the PSK as stored (encrypted) by this unit; the cleartext PSK must be the same on B.
# NOTE(review): this blob was posted publicly -- treat the PSK as exposed, set a new one
# on both units, and redact psksecret lines before sharing a config.
set psksecret ENC Xt2jTZ3HqPgS6S/CALxARrRkTWQOgWeeLCKBlYg4SGo7T9IV0q41JMv+flAI5tj0abPjohEgHx+en4Ws3i9eUI+W3VaXp9xBdHOBvdEoD/A11wg/
set keepalive 10
next
end
# Site A: phase 2 bound to "VPN-A-B". Both selectors are 0.0.0.0/0, so the SA
# itself does not restrict what may cross the tunnel; in a policy-based VPN the
# IPSEC firewall policy (not included in this paste) decides which traffic is
# encrypted, and the tunnel carries nothing without it.
config vpn ipsec phase2
edit "VPN-A-B-Phase2"
# this end brings phase 2 up itself instead of waiting for traffic; site B does the same
set auto-negotiate enable
set dst-addr-type subnet
# 0 = any port
set dst-port 0
set keepalive disable
set keylife-type seconds
# perfect forward secrecy using the dhgrp set below; site B also has pfs enable / dhgrp 5
set pfs enable
set phase1name "VPN-A-B"
# site B's phase 2 list is "3des-sha1 3des-md5": only 3des-sha1 is common to both
# ends, so that is the only combination this tunnel can actually negotiate
set proposal 3des-sha1 aes128-sha1
# 0 = any protocol
set protocol 0
set replay enable
set selector-match auto
set src-addr-type subnet
set src-port 0
set use-natip enable
set dhgrp 5
# wildcard selectors; narrowing src-subnet/dst-subnet to the real LAN prefixes
# (<LAN_A> / <LAN_B> placeholders) is the usual hardening step once the tunnel is up
set dst-subnet 0.0.0.0 0.0.0.0
# phase 2 SA lifetime in seconds; identical on site B
set keylifeseconds 1800
set src-subnet 0.0.0.0 0.0.0.0
next
end
--------------------------------------------------
config forti ciudad B
# Site B: phase 1 of the tunnel to site A. Site B is the DynDNS side (its own
# public address changes); site A reaches it through "ejemplo.dyndns.org", so the
# DDNS update client that keeps that record current (not shown here) must be working.
config vpn ipsec phase1
edit "VPN-A-B"
# static: the peer is the fixed address given in remote-gw below
set type static
set interface "wan1"
# 0.0.0.0 here presumably means "use wan1's own address" -- confirm on the unit
set local-gw 0.0.0.0
set localid ''
# dead peer detection; retry count and interval are set further down
set dpd enable
set nattraversal enable
# must equal site A's phase 1 dhgrp (it does: both use 5)
set dhgrp 5
# same two entries as site A's phase 1; this unit therefore supports aes128-sha1 as well
set proposal 3des-sha1 aes128-sha1
# phase 1 SA lifetime in seconds (8 h); identical on site A
set keylife 28800
set authmethod psk
# any peer ID is accepted: authentication rests entirely on the PSK
set peertype any
set xauthtype disable
# main mode; must match site A (it does)
set mode main
set add-gw-route disable
# site A's fixed public address (likely anonymised in the post); must be A's real wan1 address
set remote-gw 1.1.1.1
# ENC = the PSK as stored (encrypted) by this unit; the cleartext PSK must be the same on A.
# NOTE(review): this blob was posted publicly -- treat the PSK as exposed, set a new one
# on both units, and redact psksecret lines before sharing a config.
set psksecret ENC Dy4YYc5hNRsp8EDYRnGXp673fi55p/2gpbcNk7DZn33BNcDF8CAAz4do6Zzl3SBVRMv67e07UjnC0/a8E1f/R0m/lW60Vrm6uWwyp69DQvLcahFr
set dpd-retrycount 3
set dpd-retryinterval 5
set keepalive 10
next
end
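# Site B: phase 2 bound to "VPN-A-B". Both selectors are 0.0.0.0/0, so the SA
# itself does not restrict what may cross the tunnel; in a policy-based VPN the
# IPSEC firewall policy (not included in this paste) decides which traffic is
# encrypted, and the tunnel carries nothing without it.
# Change from the posted config: the proposal list is aligned with site A's
# phase 2 ("3des-sha1 aes128-sha1"). The posted "3des-sha1 3des-md5" shared only
# 3des-sha1 with site A, so 3des-md5 could never be selected and only advertised
# a weak hash; this unit's own phase 1 already lists aes128-sha1, so it supports it.
config vpn ipsec phase2
edit "VPN-A-B-Phase2"
# this end brings phase 2 up itself instead of waiting for traffic; site A does the same
set auto-negotiate enable
# PFS group; must equal site A's phase 2 dhgrp (it does: both use 5)
set dhgrp 5
set dst-addr-type subnet
# 0 = any port
set dst-port 0
set keepalive disable
set keylife-type seconds
# perfect forward secrecy using the dhgrp above; site A also has pfs enable
set pfs enable
set phase1name "VPN-A-B"
# identical to site A's phase 2 list so either entry can be negotiated
set proposal 3des-sha1 aes128-sha1
# 0 = any protocol
set protocol 0
set replay enable
# these two keywords do not appear in site A's paste; presumably model/firmware defaults
set route-overlap use-new
set selector-match auto
set single-source disable
set src-addr-type subnet
set src-port 0
set use-natip enable
# wildcard selectors; narrowing src-subnet/dst-subnet to the real LAN prefixes
# (<LAN_A> / <LAN_B> placeholders) is the usual hardening step once the tunnel is up
set dst-subnet 0.0.0.0 0.0.0.0
# phase 2 SA lifetime in seconds; identical on site A
set keylifeseconds 1800
set src-subnet 0.0.0.0 0.0.0.0
next
end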
-------------------------------------------
El día de hoy tengo otro problemilla: tengo dos FortiGates, uno en la ciudad A y otro en la ciudad B, y quiero hacer una VPN entre ellos. Uno de los equipos sí cuenta con IP pública fija (el equipo de la ciudad A); el otro equipo está configurado con DynDNS, pero por alguna razón el túnel no se levanta. Seguí la guía de configuración de VPN basada en políticas. Les dejo la config de ambos equipos y, si necesitan algo más de información, me dicen. Ambos tienen firmware 4.0 MR1 y son FortiGate 50B y 60B respectivamente.
gracias por su ayuda
--------------------------------
config forti ciudad A
# Site A: phase 1 of the tunnel to site B. Site A has the fixed public IP and
# locates its peer by DNS name, so this phase 1 can only establish while
# "ejemplo.dyndns.org" resolves to site B's current public address.
# NOTE(review): the values that must agree between the two units (dhgrp, mode,
# keylife, authmethod, proposal overlap) do match site B's phase 1, so the reason
# the tunnel does not come up is presumably outside this paste: DDNS resolution,
# the IPSEC firewall policies, or a PSK that is not identical on both ends.
config vpn ipsec phase1
edit "VPN-A-B"
# ddns: the remote gateway is taken from remotegw-ddns below instead of a fixed remote-gw
set type ddns
set interface "wan1"
# 0.0.0.0 here presumably means "use wan1's own address" -- confirm on the unit
set local-gw 0.0.0.0
set localid ''
# dead peer detection; retry count and interval are set further down
set dpd enable
set nattraversal enable
# must equal site B's phase 1 dhgrp (it does: both use 5)
set dhgrp 5
# site B's phase 1 offers the same two entries, so phase 1 can agree on either;
# 3des is legacy -- once the tunnel is confirmed working, prefer aes128-sha1 alone
set proposal 3des-sha1 aes128-sha1
# phase 1 SA lifetime in seconds (8 h); identical on site B
set keylife 28800
set authmethod psk
# any peer ID is accepted: authentication rests entirely on the PSK
set peertype any
set xauthtype disable
# main mode; must match site B (it does)
set mode main
# DDNS hostname maintained by site B; it must resolve to B's current public address
set remotegw-ddns "ejemplo.dyndns.org"
set dpd-retrycount 3
set dpd-retryinterval 5
# ENC = the PSK as stored (encrypted) by this unit; the cleartext PSK must be the same on B.
# NOTE(review): this blob was posted publicly -- treat the PSK as exposed, set a new one
# on both units, and redact psksecret lines before sharing a config.
set psksecret ENC Xt2jTZ3HqPgS6S/CALxARrRkTWQOgWeeLCKBlYg4SGo7T9IV0q41JMv+flAI5tj0abPjohEgHx+en4Ws3i9eUI+W3VaXp9xBdHOBvdEoD/A11wg/
set keepalive 10
next
end
# Site A: phase 2 bound to "VPN-A-B". Both selectors are 0.0.0.0/0, so the SA
# itself does not restrict what may cross the tunnel; in a policy-based VPN the
# IPSEC firewall policy (not included in this paste) decides which traffic is
# encrypted, and the tunnel carries nothing without it.
config vpn ipsec phase2
edit "VPN-A-B-Phase2"
# this end brings phase 2 up itself instead of waiting for traffic; site B does the same
set auto-negotiate enable
set dst-addr-type subnet
# 0 = any port
set dst-port 0
set keepalive disable
set keylife-type seconds
# perfect forward secrecy using the dhgrp set below; site B also has pfs enable / dhgrp 5
set pfs enable
set phase1name "VPN-A-B"
# site B's phase 2 list is "3des-sha1 3des-md5": only 3des-sha1 is common to both
# ends, so that is the only combination this tunnel can actually negotiate
set proposal 3des-sha1 aes128-sha1
# 0 = any protocol
set protocol 0
set replay enable
set selector-match auto
set src-addr-type subnet
set src-port 0
set use-natip enable
set dhgrp 5
# wildcard selectors; narrowing src-subnet/dst-subnet to the real LAN prefixes
# (<LAN_A> / <LAN_B> placeholders) is the usual hardening step once the tunnel is up
set dst-subnet 0.0.0.0 0.0.0.0
# phase 2 SA lifetime in seconds; identical on site B
set keylifeseconds 1800
set src-subnet 0.0.0.0 0.0.0.0
next
end
--------------------------------------------------
config forti ciudad B
# Site B: phase 1 of the tunnel to site A. Site B is the DynDNS side (its own
# public address changes); site A reaches it through "ejemplo.dyndns.org", so the
# DDNS update client that keeps that record current (not shown here) must be working.
config vpn ipsec phase1
edit "VPN-A-B"
# static: the peer is the fixed address given in remote-gw below
set type static
set interface "wan1"
# 0.0.0.0 here presumably means "use wan1's own address" -- confirm on the unit
set local-gw 0.0.0.0
set localid ''
# dead peer detection; retry count and interval are set further down
set dpd enable
set nattraversal enable
# must equal site A's phase 1 dhgrp (it does: both use 5)
set dhgrp 5
# same two entries as site A's phase 1; this unit therefore supports aes128-sha1 as well
set proposal 3des-sha1 aes128-sha1
# phase 1 SA lifetime in seconds (8 h); identical on site A
set keylife 28800
set authmethod psk
# any peer ID is accepted: authentication rests entirely on the PSK
set peertype any
set xauthtype disable
# main mode; must match site A (it does)
set mode main
set add-gw-route disable
# site A's fixed public address (likely anonymised in the post); must be A's real wan1 address
set remote-gw 1.1.1.1
# ENC = the PSK as stored (encrypted) by this unit; the cleartext PSK must be the same on A.
# NOTE(review): this blob was posted publicly -- treat the PSK as exposed, set a new one
# on both units, and redact psksecret lines before sharing a config.
set psksecret ENC Dy4YYc5hNRsp8EDYRnGXp673fi55p/2gpbcNk7DZn33BNcDF8CAAz4do6Zzl3SBVRMv67e07UjnC0/a8E1f/R0m/lW60Vrm6uWwyp69DQvLcahFr
set dpd-retrycount 3
set dpd-retryinterval 5
set keepalive 10
next
end
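# Site B: phase 2 bound to "VPN-A-B". Both selectors are 0.0.0.0/0, so the SA
# itself does not restrict what may cross the tunnel; in a policy-based VPN the
# IPSEC firewall policy (not included in this paste) decides which traffic is
# encrypted, and the tunnel carries nothing without it.
# Change from the posted config: the proposal list is aligned with site A's
# phase 2 ("3des-sha1 aes128-sha1"). The posted "3des-sha1 3des-md5" shared only
# 3des-sha1 with site A, so 3des-md5 could never be selected and only advertised
# a weak hash; this unit's own phase 1 already lists aes128-sha1, so it supports it.
config vpn ipsec phase2
edit "VPN-A-B-Phase2"
# this end brings phase 2 up itself instead of waiting for traffic; site A does the same
set auto-negotiate enable
# PFS group; must equal site A's phase 2 dhgrp (it does: both use 5)
set dhgrp 5
set dst-addr-type subnet
# 0 = any port
set dst-port 0
set keepalive disable
set keylife-type seconds
# perfect forward secrecy using the dhgrp above; site A also has pfs enable
set pfs enable
set phase1name "VPN-A-B"
# identical to site A's phase 2 list so either entry can be negotiated
set proposal 3des-sha1 aes128-sha1
# 0 = any protocol
set protocol 0
set replay enable
# these two keywords do not appear in site A's paste; presumably model/firmware defaults
set route-overlap use-new
set selector-match auto
set single-source disable
set src-addr-type subnet
set src-port 0
set use-natip enable
# wildcard selectors; narrowing src-subnet/dst-subnet to the real LAN prefixes
# (<LAN_A> / <LAN_B> placeholders) is the usual hardening step once the tunnel is up
set dst-subnet 0.0.0.0 0.0.0.0
# phase 2 SA lifetime in seconds; identical on site A
set keylifeseconds 1800
set src-subnet 0.0.0.0 0.0.0.0
next
end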
-------------------------------------------