Route-based VPNs:
For a route-based VPN, you create two security policies between the virtual IPsec interface and the interface that connects to the private network. In one policy the virtual interface is the source. In the other policy the virtual interface is the destination. The Action for both policies is Accept. This creates bidirectional policies that ensure traffic will flow in both directions over the VPN.
Policy-based VPNs:
For a policy-based VPN, one security policy enables communication in both directions. You must select IPSEC as the Action and then select the VPN tunnel you defined in the Phase 1 settings. You can then enable inbound and outbound traffic as needed within that policy, or create multiple policies of this type to handle different types of traffic differently. For example HTTPS traffic may not require the same level of scanning as FTP traffic.
In this lab part 1, Route-Based VPNs will be configured between FW1 and FW2.
Topology:
1. Two Fortigate 60Ds - FW1 and FW22. Switch and Router for routing and connections
3. FW1 has WAN1 IP 10.94.32.8/24, Internal IP 10.94.70.4/24
4. FW2 has WAN1 IP 10.94.17.8/24, Internal IP 10.94.66.4/24, WAN2 IP 10.94.64.4/24, DMZ IP 10.94.144.4/24
Object:
Build IPSec Tunnel between FW1 and FW2 for traffic between FW1's Internal network 10.94.70.0/24 and FW2's three internal networks (10.94.66.0/24, 10.94.64.0/24, 10.94.144.0)Devices:
Basic Configuration:
@FW1:
FW2's configuration steps are exactly same as FW1.
a. Interface Configuration:
wan1: 10.94.32.4/24internal: 10.94.70.4/24