On the FGT you will craft a route-based VPN and specify the src/dst subnets like any other route-based VPN solution.
Ensure the proposal matches on both the FGT and F5 sides, and don't forget the route on the FGT for the destination network behind the F5, as well as the target local subnet.
e.g.:
    config router static
        edit 666
            # host behind the F5; must fall inside the phase2 dst-subnet
            set dst 10.52.132.250/32
            # "f5" is the name of the phase1-interface (the tunnel interface)
            set device f5
        next
    end
Now on the F5 side of things we need to do the following:
- set up a layer 3 forwarding VIP
- define the phase1 parameters (remote-gw, proposal, DH groups, PSK, etc.)
- define an ipsec-policy name with the proposal
- and a traffic-selector
Here are these steps:
PHASE1 aka IKE parameters for the IKE-SA
IPSEC-POLICY
TRAFFIC-SELECTOR for encryption of the Security Associations
NOTE: the local/remote subnets need to match the FortiGate dst/src-subnets exactly!
Layer 3 forwarding VIP
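As an added example (not the original post's configuration), here are the four F5-side objects from the steps above in bigip.conf form, loadable with tmsh load sys config merge from-terminal. Addresses, object names and the FGT-side LAN are assumed values; check the property names against tmsh list net ipsec ike-peer / ipsec-policy / traffic-selector on your release.

```tmsh
# Added example (not the post's config). Constructed: F5 self-IP 198.51.100.2,
# FGT WAN 203.0.113.2, F5-side host 10.52.132.250/32 (matches the FGT route
# above), FGT LAN 192.168.10.0/24. Load: tmsh load sys config merge from-terminal
#
# 1. Phase 1 (IKE-SA). Mirror FGT phase1-interface: proposal aes256-sha256,
#    dhgrp 14, keylife 86400 s (F5 lifetime is in minutes, so 1440).
net ipsec ike-peer ike_peer_fgt {
    remote-address 203.0.113.2
    version { v1 }
    mode main
    phase1-auth-method pre-shared-key
    preshared-key REPLACE_WITH_PSK
    phase1-encrypt-algorithm aes256
    phase1-hash-algorithm sha256
    phase1-perfect-forward-secrecy modp2048
    lifetime 1440
}
# 2. Phase 2 policy. Mirror FGT phase2-interface: proposal aes256-sha256,
#    dhgrp 14, keylifeseconds 43200 (720 minutes here).
net ipsec ipsec-policy ipsec_policy_fgt {
    mode tunnel
    tunnel-local-address 198.51.100.2
    tunnel-remote-address 203.0.113.2
    ike-phase2-encrypt-algorithm aes256
    ike-phase2-auth-algorithm sha256
    ike-phase2-perfect-forward-secrecy modp2048
    ike-phase2-lifetime 720
}
# 3. Traffic selector: source = FGT phase2 dst-subnet, destination = FGT
#    src-subnet; prefix lengths must be identical or phase 2 never comes up.
net ipsec traffic-selector ts_fgt {
    source-address 10.52.132.250/32
    destination-address 192.168.10.0/24
    ipsec-policy ipsec_policy_fgt
    direction both
    action protect
}
# 4. Layer-3 forwarding VIP so the BIG-IP routes the decrypted traffic.
ltm virtual vs_ipsec_fwd {
    destination 0.0.0.0:any
    mask any
    ip-forward
    ip-protocol any
    profiles { fastL4 { } }
    translate-address disabled
    vlans { internal }
    vlans-enabled
}
```

After loading, tmsh show net ipsec ike-sa and tmsh show net ipsec ipsec-sa list the negotiated SAs, and their SPIs can be compared against diagnose vpn tunnel list on the FortiGate.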
And finally use the local racoon.log for diagnostics on the F5 appliance.
SAs come in pairs: the FGT outbound SA (SPI) will be the F5 inbound SA and vice versa.
You can use the WebGUI IPsec diagnostics for details and for displaying these diagnostics, but racoon.log provides better diagnostic detail, with tunnel creation times, errors and warnings.
Ken Felix