Author: michaellai (麥克賴)
Board: MIS
Title: Re: [Question] SITE TO SITE VPN ROUTE TABLE
Time: Thu Jul 23 02:47:28 2015
I do this all the time; the example below uses a FortiGate.
Assume Site A is in the Mighty Country and Site B in a not-so-mighty one.
Site A: 192.168.0.0/24, Forti at .254, clients .100~.150
Site B: 192.168.128.0/24, Forti at .254, WAN IP = 1.2.3.4
1. Site B in interface mode, Site A in tunnel mode
Site A P1
config vpn ipsec phase1
    edit "TO_B_P1"
        set interface "wan1"
        set mode aggressive
        # 3des-sha1 as in the original post; current FortiOS also accepts e.g. aes256-sha256
        set proposal 3des-sha1
        # localid is what Site B's dynamic phase1 matches on (peerid "thisisid")
        set localid "thisisid"
        set remote-gw 1.2.3.4
        set psksecret ENC keykeykey
    next
end
Site A P2
config vpn ipsec phase2
    edit "TO_B_P2"
        set auto-negotiate enable
        set keepalive enable
        set phase1name "TO_B_P1"
        set proposal 3des-sha1
        # local selector is Site A's own LAN (the original had Site B's 192.168.128.0/24 here);
        # remote selector 0.0.0.0/0 so any non-China destination can ride the tunnel
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
Site B P1
config vpn ipsec phase1-interface
    edit "TO_A_P1"
        # dynamic peer in interface (route-based) mode: Site A's WAN address need not be fixed
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set proposal 3des-sha1
        # must equal Site A's localid so this phase1 is selected for the incoming tunnel
        set peerid "thisisid"
        set psksecret ENC keykeykey
    next
end
Site B P2
config vpn ipsec phase2-interface
    edit "TO_A_P2"
        set keepalive enable
        set phase1name "TO_A_P1"
        set proposal 3des-sha1
    next
end
2. Site A - GeoIP / client address objects
config firewall address
    edit "IP_China"
        set type geography
        set country CN
    next
    edit "SITE_A_CLIENT"
        set type iprange
        # Site A clients are 192.168.0.100-150 per the setup above
        # (the original had 192.168.128.x with start-ip and end-ip swapped)
        set start-ip 192.168.0.100
        set end-ip 192.168.0.150
    next
end
3. Site A - policy to WAN for China IPs (this row must sit above the VPN row)
config firewall policy
    edit 0
        # 0 = next free policy ID; policies are evaluated top-down, first match wins
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "SITE_A_CLIENT"
        set dstaddr "IP_China"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
4. Site A - policy to WAN for non-China IPs via VPN
config firewall policy
    edit 0
        # created after the China row, so it only catches what that row did not match
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "SITE_A_CLIENT"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "TO_B_P1"
    next
end
5. Site B - allow "SITE_A_CLIENT" out to the WAN
config firewall policy
    edit 0
        # traffic arrives on the tunnel interface created by the phase1-interface above
        set srcintf "TO_A_P1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        # the original carried "set status disable", which would switch this policy off
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
# Return traffic to 192.168.0.0/24 also needs a static route via TO_A_P1 plus the
# matching policy; the post leaves that part to the reader.
So, with the above, when a Site A client's IP heads out to the WAN,
it checks by itself whether the dst IP is in China; if it is not, it hops over to Site B and goes out to the Internet from there.
Forti 5.0's GeoIP updates itself; the policy for B routing back to A, just add that yourself~
P.S. This post has to be used together with DNS: if DNS has already been poisoned, the client
needs an unpoisoned DNS it can query; once the jump host is up that shouldn't be hard :)
P.S.2 The commands are incomplete; as long as the idea comes across~
--
※ Posted from: 批踢踢實業坊(ptt.cc), from: 61.219.23.130
※ Article URL: https://www.ptt.cc/bbs/MIS/M.1437590850.A.ADC.html
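An added example, not from the original post or from Fortinet: a first-match simulation of the Site A policy table described above. The China/accept row sends China destinations straight out wan1 with NAT, the following ipsec row sends everything else into tunnel TO_B_P1, and a flow that matches no row hits the implicit deny. The "IP_China" geography object is stood in for by a constructed list of TEST-NET prefixes (not real GeoIP data), the client range is the 192.168.0.100-150 given in the post's setup, and the resolver address 203.0.113.53 is a constructed sample. The last call shows what happens if the two rows are created in the wrong order.

```python
# Added example (not from the original PTT post or from Fortinet): first-match
# simulation of the Site A FortiGate policy table. Decisions are made purely on
# the destination IP, which is why the post insists on an unpoisoned DNS.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network

# Constructed stand-in for the "IP_China" geography object (TEST-NET ranges,
# NOT real GeoIP data; a FortiGate resolves country -> prefixes from its own DB).
CHINA_SAMPLE_PREFIXES: List[Net] = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# "SITE_A_CLIENT" iprange object: Site A clients are .100 to .150 (from the post).
SITE_A_CLIENT: Tuple[IPv4, IPv4] = (
    ipaddress.ip_address("192.168.0.100"),
    ipaddress.ip_address("192.168.0.150"),
)


@dataclass(frozen=True)
class Policy:
    """One firewall policy row: srcaddr iprange, dstaddr (None = "all"), action."""
    name: str
    src_range: Tuple[IPv4, IPv4]
    dst_prefixes: Optional[List[Net]]   # None models the "all" address object
    action: str                         # "accept" (direct, NAT) or "ipsec"
    vpntunnel: Optional[str] = None


# Row order is the whole point: the China/accept row must come first.
SITE_A_POLICIES: List[Policy] = [
    Policy("xx   China -> wan1 NAT", SITE_A_CLIENT, CHINA_SAMPLE_PREFIXES, "accept"),
    Policy("xx+1 rest  -> tunnel", SITE_A_CLIENT, None, "ipsec", "TO_B_P1"),
]


def policy_matches(policy: Policy, src: IPv4, dst: IPv4) -> bool:
    """Match srcaddr (inclusive range) and dstaddr (prefix list or 'all') on one row."""
    lo, hi = policy.src_range
    if not (lo <= src <= hi):
        return False
    if policy.dst_prefixes is None:          # "all"
        return True
    return any(dst in net for net in policy.dst_prefixes)


def first_match(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Top-down, first-match lookup; None models the implicit deny at the bottom."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for policy in policies:
        if policy_matches(policy, s, d):
            return policy
    return None


def route_decision(src: str, dst: str, policies: List[Policy] = SITE_A_POLICIES) -> str:
    """Summarise a flow's fate: 'direct-nat', 'tunnel:<name>' or 'deny'."""
    hit = first_match(policies, src, dst)
    if hit is None:
        return "deny"
    if hit.action == "ipsec":
        return f"tunnel:{hit.vpntunnel}"
    return "direct-nat"


if __name__ == "__main__":
    client, other_host = "192.168.0.120", "192.168.0.10"
    china_ip, resolver = "192.0.2.10", "203.0.113.53"   # constructed sample addresses
    print("client     -> China   :", route_decision(client, china_ip))
    print("client     -> resolver:", route_decision(client, resolver))
    print("non-client -> resolver:", route_decision(other_host, resolver))
    # Rows created in the wrong order drag China traffic through Site B too,
    # which is exactly what the setup is trying to avoid.
    print("misordered, client -> China:",
          route_decision(client, china_ip, list(reversed(SITE_A_POLICIES))))
```

The resolver case is the DNS point from the post in miniature: a client inside the range reaches a resolver outside the sample China prefixes only through the tunnel, while a host outside the 192.168.0.100-150 range matches neither row and is dropped.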
推 megasteel: Forti really can do it, but a lot of companies buy cheap second-tier gear... 07/23 07:39
→ michaellai: Found a small mistake, but it doesn't affect the theory XD 07/23 08:05
→ tnshoho: In the OP's thread I already suggested an FG could solve it, but it seems we're back to square one..$$$$$$ 07/23 08:11
→ deadwood: The problem is still $$$ anyway... setting up a VPN server on a company PC is faster 07/23 08:28
→ shuinedu: You don't necessarily need first-tier gear to build a VPN; it's just that in the Mighty Country....... 07/23 08:36
推 trumpete: Mark this thread (M) and later archive it to the digest board for the Taiwanese workers in the Mighty Country 07/23 08:45
→ shuinedu: When the Mighty Country blocks the net, or in some other situations, a self-built one keeps dropping 07/23 08:51
推 liskenny: Really glad I pushed my boss hard back then to spend the money on Forti; it was the right buy 07/23 09:13
推 megasteel: Going first-tier is because the setup is simple XD; you have to consider whether staff can take this job over 07/23 09:46
推 shuinedu: There is gear with simpler setup than first-tier; do you think Cisco config is quick? 07/23 10:49
→ michaellai: A second-hand B-generation Forti is very cheap; anything that runs 4.0 has GeoIP, worth considering 07/23 14:28
→ michaellai: it! 07/23 14:28
推 megasteel: Thanks for the info!! Going to propose it 07/23 16:45
→ michaellai: If you buy second-hand, buy a spare as well XD 07/23 16:56
推 megasteel: The verdict is in: still can't buy it; the reason is few users and low frequency, so 07/23 18:36
→ megasteel: we'll use host-to-client for now 07/23 18:36