Fortigate で VDOM を有効化し、VDOM 上で IPsec を設定する場合の例を紹介します。Hub-and-Spoke ネットワークトポロジーで、Hub 側が「固定IP」、Spoke 側が「不定IP」を想定した IPsec-VPN の設定例になります。
Hub 側 Phase1 の設定
# Hub side, IKE phase 1. The tunnel is created inside VDOM-A. Only the
# phase1-interface table is closed by the trailing "end"; the "config vdom"
# context presumably stays open for the blocks that follow (its own "end" is
# not shown on this page) — verify against the full configuration.
config vdom
    edit VDOM-A
        config vpn ipsec phase1-interface
            edit VDOM-A-IPsec
                # Aggregate WAN interface on which the Spokes dial in.
                set interface wan-lag-v10
                # IKEv1 aggressive mode, chosen because the Spoke has no fixed
                # IP address (see the introduction).
                # NOTE(review): with a pre-shared key, aggressive mode exchanges
                # the identity and authentication hash before the channel is
                # encrypted, so anyone who can observe the exchange can attempt
                # offline guessing of the PSK. Use a long, random PSK and prefer
                # IKEv2 (set ike-version 2) or certificate authentication where
                # the Spoke supports it.
                set mode aggressive
                # "dynamic" = dial-up: the Hub does not know the Spoke's address
                # in advance, which is why no remote-gw appears on this side.
                set type dynamic
                # Masked on the page — substitute the real shared secret; it
                # must match the Spoke's psksecret exactly.
                # NOTE(review): no peer-ID restriction is shown in this snippet,
                # so any peer that knows the PSK can bring up the dial-up tunnel
                # — confirm whether a peer ID check is applied elsewhere.
                # NOTE(review): proposal / DH-group settings are not shown, so
                # FortiOS defaults decide the cipher suite — confirm they meet
                # the organisation's policy.
                set psksecret ****
            end
Hub 側 Phase2 の設定
# Hub side, IKE phase 2 (traffic selectors). Presumably still inside VDOM-A,
# since no "config vdom" context is opened here and the previous block did not
# close it — verify.
config vpn ipsec phase2-interface
    edit VDOM-A-IPsec
        # Binds this phase 2 to the phase 1 tunnel of the same name.
        set phase1name VDOM-A-IPsec
        # Local (Hub) LAN -> remote (Spoke) LAN. These must be the mirror image
        # of the Spoke's phase 2 selectors, i.e. the Spoke uses
        # 192.168.200.0/24 as src-subnet and 192.168.100.0/24 as dst-subnet.
        set src-subnet 192.168.100.0 255.255.255.0
        set dst-subnet 192.168.200.0 255.255.255.0
    end
Hub 側ポリシー設定
# Hub side firewall policies in VDOM-A. The policy table is evaluated in order
# (1, then 2, then 3); the first match decides. As in the phase 1 block, the
# trailing "end" closes only the policy table, not the vdom context.
config vdom
    edit VDOM-A
        config firewall policy
            # Policy 1: traffic arriving from the tunnel, towards any interface
            # of VDOM-A.
            # NOTE(review): srcaddr/dstaddr "all" with service "ALL" lets any
            # Spoke-side host reach every interface in the VDOM — "any" includes
            # wan-lag-v10 and lan-lag-v100. Restrict the policy to the phase 2
            # subnets where possible (address objects for 192.168.200.0/24 as
            # source and 192.168.100.0/24 as destination) and enable traffic
            # logging (set logtraffic all) so tunnel flows are visible in the
            # logs.
            edit 1
                set srcintf "VDOM-A-IPsec"
                set dstintf "any"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            # Policy 2: reverse direction — anything in VDOM-A into the tunnel.
            # Same "all"/"ALL" caveat as policy 1: narrow it to
            # 192.168.100.0/24 -> 192.168.200.0/24 if nothing else needs the
            # tunnel.
            edit 2
                set srcintf "any"
                set dstintf "VDOM-A-IPsec"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
            # Policy 3: LAN -> WAN Internet access with source NAT. Not part of
            # the tunnel path: tunnel traffic enters on VDOM-A-IPsec, so it
            # does not match this policy's srcintf.
            edit 3
                set srcintf "lan-lag-v100"
                set dstintf "wan-lag-v10"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
        end
Spoke 側 Phase1 の設定
# Spoke side, IKE phase 1. No VDOM context is shown for the Spoke; presumably
# it runs without VDOMs (or in the default VDOM) — verify.
config vpn ipsec phase1-interface
    edit VDOM-A-IPsec
        # WAN interface that carries the tunnel; the Spoke's address on it is
        # dynamic, which is why the Hub side is configured as dial-up.
        set interface "wan1"
        # Must match the Hub (aggressive).
        # NOTE(review): IKEv1 aggressive mode with a PSK exposes the
        # authentication hash to an on-path observer, so the PSK must be long
        # and random; prefer IKEv2 (set ike-version 2) if both ends allow it.
        set mode aggressive
        # The Hub's fixed address (the Hub needs no remote-gw because it
        # accepts dial-up peers).
        set remote-gw 10.1.1.1
        # Masked on the page — must equal the Hub's psksecret.
        set psksecret ****
    end
Spoke 側 Phase2 の設定
# Spoke side, IKE phase 2 (traffic selectors) — the mirror image of the Hub's
# selectors: the Hub uses 192.168.100.0/24 -> 192.168.200.0/24.
config vpn ipsec phase2-interface
    edit "VDOM-A-IPsec"
        # Binds this phase 2 to the Spoke's phase 1 tunnel of the same name.
        set phase1name "VDOM-A-IPsec"
        # Local (Spoke) LAN -> remote (Hub) LAN.
        set src-subnet 192.168.200.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    end
Spoke 側ルート設定
# Spoke side static route: send traffic for the Hub LAN into the tunnel
# interface. No gateway address is set; the tunnel interface itself is the
# next hop.
# NOTE(review): no corresponding static route is shown on the Hub side. With
# a dial-up phase 1 the Hub is presumably expected to derive the return route
# from the phase 2 selectors — confirm that traffic to 192.168.200.0/24 is
# actually routed into the tunnel on the Hub.
config router static
    edit 1
        set dst 192.168.100.0 255.255.255.0
        set device "VDOM-A-IPsec"
    end