I do this all the time. Below uses FortiGate as an example. Assume site A is in the Strong Country and site B is in a not-so-strong country.

Site A: 192.168.0.0/24, Forti@254, Client 100~150
Site B: 192.168.128.0/24, Forti@254, WAN IP=1.2.3.4

1. Site B Interface Mode, Site A Tunnel Mode

Site A P1
config vpn ipsec phase1
    edit "TO_B_P1"
        set interface "wan1"
        set mode aggressive
        # 3des-sha1 as in the original post; current FortiOS also offers aes256-sha256
        set proposal 3des-sha1
        set localid "thisisid"
        set remote-gw 1.2.3.4
        set psksecret ENC keykeykey
    next
end

Site A P2
config vpn ipsec phase2
    edit "TO_B_P2"
        set auto-negotiate enable
        set keepalive enable
        set phase1name "TO_B_P1"
        set proposal 3des-sha1
        # selector fix: the local side is Site A's own LAN and the remote side is
        # "any" (Internet-bound traffic); the original had Site B's LAN here
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

Site B P1
config vpn ipsec phase1-interface
    edit "TO_A_P1"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set proposal 3des-sha1
        set peerid "thisisid"
        set psksecret ENC keykeykey
    next
end

Site B P2
config vpn ipsec phase2-interface
    edit "TO_A_P2"
        set keepalive enable
        set phase1name "TO_A_P1"
        set proposal 3des-sha1
    next
end

2. Site A - GEO IP / Client Addr
config firewall address
    edit "IP_China"
        set type geography
        set country CN
    next
    edit "SITE_A_CLIENT"
        set type iprange
        # Site A clients are .100~.150 on 192.168.0.0/24; the original listed the
        # 192.168.128.x subnet and had start-ip/end-ip swapped
        set start-ip 192.168.0.100
        set end-ip 192.168.0.150
    next
end

3. Site A - Policy TO WAN For China IP
config firewall policy
    edit xx
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "SITE_A_CLIENT"
        set dstaddr "IP_China"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end

4. Site A - Policy TO WAN For Non-China IP via VPN
config firewall policy
    edit xx+1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "SITE_A_CLIENT"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "TO_B_P1"
    next
end

5. Site B - Allow "SITE_A_CLIENT" to go to WAN
config firewall policy
    edit xx
        set srcintf "TO_A_P1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        # the original had "set status disable", which would turn this policy off
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

So, with the above, when a Site A client's IP goes out the WAN, the box checks by itself whether the dst IP is China; if it isn't, the traffic hops to Site B and goes out to the Internet from there. Forti 5.0's GeoIP updates itself; the policy for B looping back to A you just add yourself~

P.S. This post has to be used together with DNS. If DNS has already been poisoned, the clients need an unpoisoned DNS they can query; once the jump host is up that shouldn't be hard :)
P.S.2 The commands are incomplete, as long as the idea comes across~
--
※ Origin: 批踢踢實業坊(ptt.cc), from: 61.219.23.130
※ Article URL: https://www.ptt.cc/bbs/MIS/M.1437590850.A.ADC.html
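As an added illustration (not part of the original post, and not FortiGate code), this Python model evaluates the two Site A policies from steps 3 and 4 top-down the way a firewall policy table does, using a constructed stand-in for the GeoIP table; it shows that policy order decides whether a destination leaves directly or enters the tunnel, and that a client outside SITE_A_CLIENT hits the implicit deny.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed stand-in for the firewall's GeoIP table (documentation prefixes,
# not real CN allocations); on a FortiGate this comes from the GeoIP updates.
GEO_CN = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Address objects from the post, keyed by name: (type, value)
ADDRESSES = {
    "SITE_A_CLIENT": ("iprange", (ipaddress.ip_address("192.168.0.100"),
                                  ipaddress.ip_address("192.168.0.150"))),
    "IP_China": ("geography", GEO_CN),
    "all": ("subnet", ipaddress.ip_network("0.0.0.0/0")),
}

class Policy(NamedTuple):
    srcaddr: str
    dstaddr: str
    action: str                    # "accept" (direct via WAN) or "ipsec"
    vpntunnel: Optional[str] = None

# Site A policies in the order the post gives them: GeoIP direct first,
# then everything else into the tunnel.
SITE_A_POLICIES = [
    Policy("SITE_A_CLIENT", "IP_China", "accept"),
    Policy("SITE_A_CLIENT", "all", "ipsec", "TO_B_P1"),
]

def matches(name: str, ip: ipaddress.IPv4Address) -> bool:
    """Does address object `name` contain `ip`? Mirrors iprange/geography/subnet."""
    kind, val = ADDRESSES[name]
    if kind == "iprange":
        return val[0] <= ip <= val[1]
    if kind == "geography":
        return any(ip in net for net in val)
    return ip in val

def route(src: str, dst: str, policies=SITE_A_POLICIES) -> str:
    """First-match lookup, as a firewall policy table works.
    Returns "direct", "tunnel:<name>" or "deny" (implicit deny at the end)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if matches(p.srcaddr, s) and matches(p.dstaddr, d):
            return "direct" if p.action == "accept" else f"tunnel:{p.vpntunnel}"
    return "deny"
```

Passing the policies in reversed order to route() shows why step 3 must sit above step 4: with "all" first, even a CN destination ends up in the tunnel.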
megasteel: Forti can indeed do it, but a lot of companies buy cheap second-tier gear... 07/23 07:39
michaellai: Spotted a small error, but it doesn't affect the theory XD 07/23 08:05
tnshoho: In the OP's thread I did recommend FG as a solution, but it seems we're back to square one.. $$$$$$ 07/23 08:11
deadwood: The problem is still $$$... setting up a VPN server on a company PC would be faster 07/23 08:28
shuinedu: You don't necessarily need first-tier gear to build a VPN properly, it's just that the Strong Country....... 07/23 08:36
trumpete: Mark this thread so it can be compiled into the digest later for Taiwanese workers in the Strong Country to reference 07/23 08:45
shuinedu: When the Strong Country blocks the network, or in some other situations, a self-built one keeps dropping 07/23 08:51
liskenny: Really glad I pushed hard back then for my boss to spend the money on Forti, it was the right buy 07/23 09:13
megasteel: First-tier gear is used because the setup is simple XD, you have to consider whether staff can take it over 07/23 09:46
shuinedu: There are setups simpler than first-tier gear; do you think Cisco config is quick? 07/23 10:49
michaellai: Second-hand B-generation Forti is very cheap, and anything that runs 4.0 already has GeoIP, worth 07/23 14:28
michaellai: considering! 07/23 14:28
megasteel: Thanks for the info!! I'll go propose it 07/23 16:45
michaellai: If you buy second-hand, buy a spare along with it XD 07/23 16:56
megasteel: The conclusion is in: still can't buy it, the reason being few users and low frequency, so 07/23 18:36
megasteel: we'll go with host-to-client for now 07/23 18:36