Author: michaellai (麦克赖)
Board: MIS
Title: Re: [Question] SITE TO SITE VPN ROUTE TABLE
Time: Thu Jul 23 02:47:28 2015
I do this all the time; below I use a FortiGate as the example.
Assume Site A is in the Mighty Nation (China) and Site B is in a not-so-mighty nation.
Site A: 192.168.0.0/24, Forti at .254, clients .100~.150
Site B: 192.168.128.0/24, Forti at .254, WAN IP = 1.2.3.4
1. Site B in interface mode, Site A in tunnel (policy-based) mode
Site A P1
config vpn ipsec phase1
    edit "TO_B_P1"
        set interface "wan1"
        set mode aggressive
        set proposal 3des-sha1
        set localid "thisisid"
        set remote-gw 1.2.3.4
        set psksecret ENC keykeykey
    next
end
Site A P2
config vpn ipsec phase2
    edit "TO_B_P2"
        set auto-negotiate enable
        set keepalive enable
        set phase1name "TO_B_P1"
        set proposal 3des-sha1
        # local selector is Site A's own subnet (the original listed Site B's 192.168.128.0/24 here,
        # which never matches Site A client traffic); dst-subnet stays at the default 0.0.0.0/0
        set src-subnet 192.168.0.0 255.255.255.0
    next
end
Site B P1
config vpn ipsec phase1-interface
    edit "TO_A_P1"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set proposal 3des-sha1
        set peerid "thisisid"
        set psksecret ENC keykeykey
    next
end
Site B P2
config vpn ipsec phase2-interface
    edit "TO_A_P2"
        set keepalive enable
        set phase1name "TO_A_P1"
        set proposal 3des-sha1
    next
end
2. Site A - GeoIP / client address objects
config firewall address
    edit "IP_China"
        set type geography
        set country "CN"
    next
    edit "SITE_A_CLIENT"
        set type iprange
        # Site A clients are 192.168.0.100-150 (the original had start/end swapped and Site B's subnet,
        # so the object would have matched nothing)
        set start-ip 192.168.0.100
        set end-ip 192.168.0.150
    next
end
3. Site A - policy to WAN for China IPs (must sit above the VPN policy in step 4)
config firewall policy
    edit xx
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "SITE_A_CLIENT"
        set dstaddr "IP_China"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end
4. Site A - policy to WAN for non-China IPs via the VPN
config firewall policy
    edit xx+1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "SITE_A_CLIENT"
        set dstaddr "all"
        set action ipsec
        set schedule "always"
        set service "ANY"
        set inbound enable
        set outbound enable
        set vpntunnel "TO_B_P1"
    next
end
5. Site B - allow "SITE_A_CLIENT" out to the WAN
config firewall policy
    edit xx
        set srcintf "TO_A_P1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        # the original had "set status disable" here, which would block all of this traffic;
        # the policy must stay enabled (the default)
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
So, with the above, when a Site A client's traffic goes out to the WAN,
it checks on its own whether the dst IP is in China; if it isn't, it hops over to Site B and goes out to the Internet from there.
Forti 5.0's GeoIP updates itself; just add the policy for B coming back around to A yourself~
P.S. This post needs to work together with DNS. If the DNS is already poisoned, the clients
need an unpoisoned DNS they can query; once the relay is up that shouldn't be hard :)
P.S.2 The commands are incomplete, the idea is what matters~
--
※ Posted from: 批踢踢实业坊(ptt.cc), from: 61.219.23.130
※ Article URL: https://webptt.com/cn.aspx?n=bbs/MIS/M.1437590850.A.ADC.html
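Added example (Python, not FortiGate code and not the poster's own): a model of the Site A first-match policy lookup from steps 2-4, plus a lint that catches two easy iprange mistakes (start/end swapped, range outside the local subnet). The GeoIP prefixes and sample flows are constructed stand-ins for the FortiGate GeoIP database.

```python
"""Added model (not FortiGate code) of the Site A policy lookup from steps 2-4:
first-match evaluation over iprange and geography address objects, plus a
lint for iprange objects. GeoIP data and sample flows are constructed."""
import ipaddress

# Constructed stand-in for the FortiGate GeoIP database: country -> prefixes.
GEOIP = {"CN": [ipaddress.ip_network("1.0.1.0/24"),
                ipaddress.ip_network("36.0.0.0/10")]}

def make_iprange(start, end):
    return ("iprange", ipaddress.ip_address(start), ipaddress.ip_address(end))

def make_geography(country):
    return ("geography", country)

def addr_matches(obj, ip):
    """Does address object `obj` ("all", iprange or geography) contain ip?"""
    ip = ipaddress.ip_address(ip)
    if obj == "all":
        return True
    if obj[0] == "iprange":
        return obj[1] <= ip <= obj[2]
    if obj[0] == "geography":
        return any(ip in net for net in GEOIP.get(obj[1], []))
    raise ValueError(f"unknown address object {obj!r}")

# Site A policies in CLI order (steps 3 and 4): srcaddr, dstaddr, action.
SITE_A_CLIENT = make_iprange("192.168.0.100", "192.168.0.150")
SITE_A_POLICIES = [
    (SITE_A_CLIENT, make_geography("CN"), "accept-nat"),   # xx: China -> direct
    (SITE_A_CLIENT, "all", "ipsec TO_B_P1"),               # xx+1: rest -> tunnel
]

def route_flow(src, dst, policies=SITE_A_POLICIES):
    """Action of the first matching policy; unmatched traffic is implicitly denied."""
    for srcaddr, dstaddr, action in policies:
        if addr_matches(srcaddr, src) and addr_matches(dstaddr, dst):
            return action
    return "implicit-deny"

def lint_iprange(obj, local_subnet):
    """Flag an iprange whose start exceeds its end or that leaves the local subnet."""
    _, start, end = obj
    net = ipaddress.ip_network(local_subnet)
    problems = []
    if start > end:
        problems.append("start-ip is greater than end-ip: the range matches nothing")
    if start not in net or end not in net:
        problems.append(f"range is not inside local subnet {net}")
    return problems
```

Swapping the two policy entries makes every flow take the tunnel, which is why step 3 has to come before step 4 in the policy table.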
1F: Push megasteel: Forti can indeed do it, but a lot of companies buy cheap second-tier gear... 07/23 07:39
2F: → michaellai: Found a couple of small mistakes, but they don't affect the theory XD 07/23 08:05
3F: → tnshoho: In the OP's thread I already suggested an FG could solve it, but it seems we're back to square one.. $$$$$$ 07/23 08:11
4F: → deadwood: The problem is still $$$... setting up a VPN server on a PC inside the company is quicker 07/23 08:28
5F: → shuinedu: You never needed first-tier gear to build a good VPN anyway, it's just that the Mighty Nation....... 07/23 08:36
6F: Push trumpete: Mark this thread so it can be compiled later for Taiwanese workers in the Mighty Nation to reference 07/23 08:45
7F: → shuinedu: When the Mighty Nation blocks the network, or some other situations come up, the self-built ones keep dropping 07/23 08:51
8F: Push liskenny: Really glad I pushed my boss hard to spend the money on a Forti back then, it was the right buy 07/23 09:13
9F: Push megasteel: We use first-tier gear because the setup is simple XD, you have to consider whether staff can take this over 07/23 09:46
10F: Push shuinedu: There is gear with simpler setup than first-tier, you think Cisco is quick to configure? 07/23 10:49
11F: → michaellai: Second-hand B-generation Fortis are very cheap, anything that runs 4.0 has GeoIP, worth considering 07/23 14:28
12F: → michaellai: a bit! 07/23 14:28
13F: Push megasteel: Thanks for the info!! Going to propose it and see 07/23 16:45
14F: → michaellai: If you buy second-hand, buy spares too XD 07/23 16:56
15F: Push megasteel: The conclusion is in, still can't buy it, the reason being few users and low usage, so 07/23 18:36
16F: → megasteel: we'll use a host-to-client approach for now 07/23 18:36