Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 53
73. Lecture-73: Site-to-Site IPsec Policy-Based VPN Lab.
We have discussed the two types of site-to-site IPsec VPN: one is route-based and the other is policy-based. So far we have done the route-based VPN in two ways, manually as a custom tunnel and with the wizard template. Now we will do the site-to-site VPN as a policy-based VPN. What is a policy-based VPN? It is sometimes called a tunnel-mode VPN, while the route-based VPN is called an interface-mode VPN. With a policy-based VPN we need only one firewall policy, with the IPsec action, to carry the traffic in both directions. Those are the major differences between policy-based and route-based. Also, a policy-based VPN can be used in NAT mode and in transparent mode, whereas a route-based VPN is not available in transparent mode.
Another difference: GRE over IPsec is possible with a route-based VPN but not with a policy-based one, because GRE needs IP addresses assigned to a tunnel interface, and a policy-based VPN has no tunnel interface. A policy-based VPN does not require a static route; the security policy with the IPsec action does that job. With policy-based we only need one policy, but with route-based we need at least two policies, one per direction, and more if you have more subnets.
So these are the major differences between a policy-based VPN and a route-based VPN. We have done the route-based VPN in two different ways; now we will do the site-to-site VPN as policy-based. We will use the same topology, so you will feel the difference.
So, we are in the same topology. On this side we have a firewall with 192.168.1.0/24 as the LAN and 1.1.1.1 as the WAN; on the other side 2.2.2.2 is the WAN and 192.168.2.0/24 is the LAN. Both firewalls are also connected to the management network with 100.x addresses. On one side we have server 1 and a PC in 192.168.1.0/24, and on the other side server 2 in 192.168.2.0/24. This is our internet router in between: towards site 1 we configured 1.1.1.2, and towards site 2 we configured 2.2.2.1.
So, let me remove the route-based VPN first.
If I try to delete the tunnel directly, delete is not available.
That is because the tunnel is still referenced by four other objects. I need to remove the references first; then delete becomes available.
Click on the references. The tunnel is used by the two policies we created, so delete those two policies. It is also used by the static route, so delete that one too. Remember that. Then you can delete phase 2, and then phase 1, and the route-based VPN is properly removed. If you go to Policy & Objects, nothing is left. Now let's go to the other firewall and delete everything there as well, because we need a different type of site-to-site VPN.
So, on the other side: Policy & Objects, then VPN. Double-click the tunnel; delete is not available. Click on references and delete.
Sorry, I clicked on the wrong one by mistake.
So let me go to the correct firewall: click on references, delete the two policies, delete the static route we created, then delete phase 2, and then phase 1. That's it; now nothing is there on either side. The PC is no longer reachable: just before, when we tested it, it was reachable through the VPN, and now it is not, because there is no VPN and no route. Through the VPN we can make the two LANs look local to each other. This time we will do it with a policy-based VPN. Policy-based IPsec VPN is not enabled in the GUI by default: go to System, then Feature Visibility.
Some features are not available and not visible until you enable them under Feature Visibility.
So, under Feature Visibility, choose Policy-based IPsec VPN. When you enable it, as the description says, you will see the IPsec action in firewall policies, the IPsec Concentrator under VPN, and some other things.
So, enable it and click Apply. Now if you go to VPN you will see IPsec Concentrator. On the other firewall, where it is not enabled yet, there is no IPsec Concentrator under VPN; can you see it? No, because it is not enabled.
So, on the other firewall too, go to System, click Feature Visibility, and enable Policy-based IPsec VPN.
Now you will see the difference: there is an extra item, IPsec Concentrator. How do we configure the tunnel? Again we go to VPN, IPsec Tunnels, and Create New, which opens the wizard; either come here or go through the wizard.
So, what is the difference? Let me show you on the second firewall. Give the tunnel a name, choose Custom and click Next, as last time. But last time one option was not available: with policy-based IPsec VPN enabled, the phase 1 page shows an IPsec Interface Mode option, and under it there is a comment explaining it. Let me go back to the first firewall, where policy-based VPN is not yet enabled: give any name, Custom, Next. Can you see that option here? No, but on the other side, look under the comments, there is the extra option.
So, it is not here because it only appears after you enable Policy-based IPsec VPN under System, Feature Visibility. When you enable it, you will see that option. What is policy-based? This one. Now that we know, enable it on this firewall too, go to VPN, IPsec Tunnels, give any name, choose Custom, and you will see the option is now available.
So, now let's go to site 1. We know that when you enable policy-based VPN you will see this option in the tunnel, and the IPsec Concentrator menu will be visible too.
So, I give the tunnel the name VPN-to-Site2. Now you need to disable IPsec Interface Mode to make it policy-based. Then the remote IP address is 2.2.2.2, the interface is WAN, and if you want you can set the local gateway to 1.1.1.1; this is the public IP that we reach through this WAN interface. NAT traversal and dead peer detection I already explained; there is no need to change anything here. You should give the pre-shared key, 123456, the same as last time. Up to this point everything is similar. For the mode you can use aggressive mode or main mode. For the phase 1 proposal we don't need so many entries; I choose just one, 3DES, and DH group 5, and keep the key lifetime. Then phase 2: my local subnet is 192.168.1.0/24, which will reach 192.168.2.0/24. Click on the proposal once; I don't need so many, I just need one: 3DES encryption with the default authentication, and DH group 5. Enable auto-negotiate if you want, and keep the default key lifetime for phase 2. That's it.
So, what is the difference so far? In phase 1 and phase 2 we did the same thing as for route-based, except that I unchecked IPsec Interface Mode. Done. Now the policy. For the route-based VPN I created two policies; here I will create only one policy, from LAN to WAN. It is a simple policy, like a normal policy, where you specify the source and destination. But there is a third difference: before, was there an IPsec action in the policy? No. Go back and watch my earlier video; there was no IPsec action available. After enabling policy-based IPsec VPN, the policy action now has IPsec.
So, rather than Accept or Deny, I choose IPsec. Then it asks which VPN tunnel to use, so I select VPN-to-Site2, which I just created. Then it asks whether to allow traffic to be initiated from the remote site. Yes: it can be initiated from their side or from our side.
So, this is the third difference between route-based VPN and policy-based VPN: I unchecked IPsec Interface Mode, I have an IPsec Concentrator, and the policy has a different action. Also, I created only one policy here, while for route-based I created two different policies. That's it; I don't need a static route either, which I had to add last time. Let me show you one thing more: if I go to Network, Interfaces and look under WAN, the tunnel does not appear as a sub-interface the way the route-based tunnel did. Okay, so this site is almost done. Now let's do the same thing on the other side.
So, what else do I need? The feature I have already enabled.
Okay, one thing more. Go to VPN, click IPsec Concentrator, create new, give it any name, and choose the tunnel we just created, then OK. This is another step in a policy-based site-to-site VPN; notice it on this site.
So, the same thing on the other side. I name the tunnel VPN-to-Site1, Custom, Next, uncheck IPsec Interface Mode, remote IP 1.1.1.1 going through the WAN interface, and my local gateway is 2.2.2.2. I don't care about the other options, but you should give the pre-shared key, 123456. Let me verify the mode. I just need one phase 1 proposal, 3DES with MD5, and DH group 5. Phase 2: my local subnet is 192.168.2.0/24 and the remote subnet is 192.168.1.0/24. Click on the proposal once to remove the extra entries; just choose 3DES for phase 2 and DH group 5, keep everything else, and OK. Then VPN, IPsec Concentrator, create new, give it any name, choose this tunnel, and OK. Now I just need one policy: Policy & Objects, create a new policy, LAN to WAN, source can be anything, destination can be anything, service can be anything, but the action will be IPsec. When I choose IPsec it asks for the VPN tunnel; I select this one, allow traffic initiated from the remote site, and OK. Let's see whether everything is correct; it should ping now. It doesn't. Let me go to the routes, maybe I did something wrong there. We don't need a route for this one; the default route is enough. By the way, let me check Network, Static Routes on both firewalls.
So, maybe I left out the last thing, maybe I missed something, so let me go through it quickly. Yeah, we've done this one. Interfaces we already configured. The VPN: we enabled the feature, made a custom tunnel, remote 2.2.2.2, the pre-shared key is okay, and phase 2 is done. Then we chose the tunnel in the concentrator and created the LAN-to-WAN policy. But the local subnet: by the way, I will change that. And on the other side I did not allow traffic to be initiated from the remote site, remember.
So, let me go to the policies, because I am generating the traffic from the other side, sorry.
So, that can be the issue.
So, let's go to Policy & Objects and the policy I created. I forgot to click this one. You remember I told you this one allows traffic to be initiated from the remote site; I am initiating from the other side, so that's why that can be the issue.
So, let me quickly enable it and now check. Okay.
So, still, it's not reachable, so that was not the issue.
So, let's figure out another issue. We've done this one, okay? By the way, the only other possibility can be the subnets.
So, I will create the subnet objects quickly. Let's see whether I left something out; I'm just wondering whether I missed something. We don't need a route here, this is policy-based, so yeah, that can be the only thing.
So, let's go to this LAN-to-WAN policy. Instead of 'all' for my local subnet, let me create a local subnet address.
So, my local subnet: give it any name and colour you want. My local subnet is 192.168.1.0/24; let me copy this one. It can be on the LAN interface, and static route: no need.
So, instead of 'all' I need to put the local subnet as the source, and for the destination I need to create a new address. This is the remote VPN subnet, type subnet, and it can be on any interface.
So, choose this one, okay, and for the address, anything. And when it's done, OK. Okay. Okay.
Sorry, I did it backwards. This one is supposed to be the opposite side.
So, this is the local one.
So, let me change them: this one is my remote, and that one is local.
So, it should be like this.
Sorry. Local, and the other is local as well, but that's okay, because this is site-to-site and both sides need these, so let me change it. Well, the local one is not foreign to me, so let me clear this up; just give me two minutes to fix this issue.
So, we created them here. Let me change the ones I did by mistake: local is 192.168.2.0/24 on this side, okay, and remote is 192.168.1.0/24. It has to be like this. And if I go to the policy now, from LAN, the local subnet is this one, because I am on site 2, and remote is okay. I see that it's not showing here, maybe because we chose an interface that does not show.
So, click on this one and set the interface to any so that it shows, and it's through WAN. Anyway, set it to any so it appears in the policy and causes no more trouble.
So, from LAN, local subnet, to WAN, and this one is the remote subnet; that is correct, action IPsec, and allow initiation. Now let's do this policy on the other side. That policy also needs the subnets, because you mentioned them here already.
So, you have to mention them on both sides.
So, instead of just 'all' as the address, far side: this is the local subnet, and our local subnet here is 192.168.1.0/24, this one. It can be on any interface. And this should be the address of the remote VPN subnet; don't worry about the names, we just need to understand what is local and what is remote, okay? So this is the remote one, this is the local one, allow initiation, okay, and OK. Now just this last thing to test. Okay, so let's go to the VPN and I'll show you where it is stuck from here. What is the issue? Refresh. The issue must be inside the tunnel.
So, let me go to the IPsec tunnel and verify everything.
So, our remote gateway is 2.2.2.2 and the local gateway is 1.1.1.1. It's correct. Authentication is pre-shared key; let me retype it to see.
So, 123456. The mode and the proposal, the local gateway is 1.1.1.1 and the remote is 2.2.2.2.
So, that side is okay. And now let's go to the other side and double-click the tunnel to edit.
So, static IP address 1.1.1.1 and the local gateway is 2.2.2.2, okay. We changed this one to the WAN interface, the primary IP is fine, and authentication is pre-shared key.
So, let me retype it: 123456, and OK. Phase 2 is 192.168.2.0/24 to 192.168.1.0/24.
So, I believe it's okay. And let's try again.
So, still nothing; let me go to the concentrator now.
So, it's okay. And the other side is okay too. Let me try from here. Okay, let's try it from the other side.
So, ping 192.168.1.1 from this side and the other way; both sides are not working. Okay.
So, let me try, just to double-check, the policy. And we need one. Maybe the issue is the route as well; maybe the default route got deleted. No idea. The default route on this side points to 1.1.1.2. Yes, correct. And let's check the route on the other side; this is the only thing left to check. Maybe that's the issue: it points to 2.2.2.1.
So, as far as the configuration goes, the LAN-to-WAN policy is there, and if the tunnel comes up, it will reach.
So, unfortunately we don't have Wireshark here to see what the issue is.
So, let me go up and look at the configuration again. Yeah, it's okay: pre-shared key, WAN, a custom tunnel, the feature enabled, and phase 1 is configured. Yeah, it's correct.
So, let's try. What else can be the issue? Maybe some issue with the topology. Okay, wait a minute. Yes. Last time the tunnel did not come up until I pressed Bring Up on the tunnel, so let me try that. Okay, I press it. Yes.
Sometimes it takes a moment.
So, what about the tunnel? No, it is still down. Okay, and the other side; no, I don't think so. Bring Up does nothing, it stays down.
So, if I click Bring Up on both sides here and look at the IPsec monitor, everything looks configured, but I think there is something wrong in our configuration. Let me see again; it is still showing down.
So, let's go again and verify here what the IPsec tunnel is. Let me click Edit. Let me do one thing; it is okay, no need to delete them.
So, I did this one: static IP address 1.1.1.1, local gateway 2.2.2.2, and that is there. There was no need for NAT traversal. We are using pre-shared key, the proposal is the default and DH group is 5. Okay, and phase 2: 192.168.2.0/24 to 192.168.1.0/24. Yeah, this is here. This one is also correct. And maybe we chose differently here: this is SHA1. Okay, so this is SHA1, and I have to reconfigure it. Let me go to the other side; I think here we chose MD5. Yes.
So, this was the issue. And if we try again, it's okay now: from server 1 to server 2, 192.168.2.x, and from server 2 to server 1, both are working now, and in the IPsec monitor the tunnel has become green. Everything is okay.
So, the only issue was that we were using different methods here and there, a different proposal on each side.
So, it will not work like that. It has to be the same on both sides. Okay.
So, yeah.
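The whole procedure above, the two mirrored tunnels, the single IPsec-action policy and the checks that finally found the mismatched phase 2 proposal, as an added worked example in Python. This is not code from the lecture or from Fortinet: it models each site, checks that the two sides are mirror images of each other before you touch the firewalls, and renders the equivalent FortiOS CLI. The lab values (1.1.1.1 and 2.2.2.2, 192.168.1.0/24 and 192.168.2.0/24, pre-shared key 123456, 3DES and DH group 5) come from the lecture; main mode, the interface names wan1 and lan, and all object names are assumptions.

```python
from dataclasses import dataclass, replace


@dataclass
class Site:
    """One FortiGate in the lab; interface and object names are assumptions, not the lecture's."""
    wan_if: str
    lan_if: str
    wan_ip: str
    lan_subnet: str       # "network mask", the way FortiOS writes it
    tunnel: str           # name shared by phase1, phase2, the address objects and the policy
    remote_gw: str
    remote_subnet: str
    psk: str
    mode: str             # "main" or "aggressive"
    p1_proposal: str      # space-separated list, e.g. "3des-sha1 aes128-sha1"
    p1_dhgrp: str
    p2_proposal: str
    p2_dhgrp: str
    inbound: bool = True  # policy option "allow traffic to be initiated from the remote site"


def _no_common(a: str, b: str) -> bool:
    return not (set(a.split()) & set(b.split()))  # proposal lists with nothing in common


def check_pair(a: Site, b: Site) -> list:
    """Mirror check for a two-site tunnel: the mismatches found, [] when the sides agree.
    Covers the faults hit in the lab (swapped selectors, inbound left off, phase 2 proposals
    that differ) and the phase 1 settings that must agree before phase 2 is even attempted."""
    checks = [
        (a.remote_gw != b.wan_ip or b.remote_gw != a.wan_ip, "remote gateway is not the peer's WAN IP"),
        (a.psk != b.psk, "pre-shared keys differ"),
        (a.mode != b.mode, "phase 1 mode differs (main vs aggressive)"),
        (_no_common(a.p1_proposal, b.p1_proposal) or _no_common(a.p1_dhgrp, b.p1_dhgrp),
         "phase 1 proposal or DH group has no value in common"),
        (_no_common(a.p2_proposal, b.p2_proposal) or _no_common(a.p2_dhgrp, b.p2_dhgrp),
         "phase 2 proposal or DH group has no value in common"),
        (a.lan_subnet != b.remote_subnet or b.lan_subnet != a.remote_subnet,
         "phase 2 selectors are not mirror images of each other"),
        (not (a.inbound and b.inbound), "a policy has inbound disabled, so the peer cannot initiate into that LAN"),
    ]
    return [msg for bad, msg in checks if bad]


def render_cli(s: Site) -> str:
    """FortiOS CLI for one site: phase1, phase2, address objects and the single policy whose
    action is ipsec. No tunnel interface and no static route, unlike a route-based VPN."""
    return f"""\
config vpn ipsec phase1
    edit "{s.tunnel}"
        set interface "{s.wan_if}"
        set remote-gw {s.remote_gw}
        set mode {s.mode}
        set proposal {s.p1_proposal}
        set dhgrp {s.p1_dhgrp}
        set psksecret {s.psk}
    next
end
config vpn ipsec phase2
    edit "{s.tunnel}-p2"
        set phase1name "{s.tunnel}"
        set proposal {s.p2_proposal}
        set dhgrp {s.p2_dhgrp}
        set src-subnet {s.lan_subnet}
        set dst-subnet {s.remote_subnet}
    next
end
config firewall address
    edit "{s.tunnel}-local"
        set subnet {s.lan_subnet}
    next
    edit "{s.tunnel}-remote"
        set subnet {s.remote_subnet}
    next
end
config firewall policy
    edit 0
        set srcintf "{s.lan_if}"
        set dstintf "{s.wan_if}"
        set srcaddr "{s.tunnel}-local"
        set dstaddr "{s.tunnel}-remote"
        set action ipsec
        set vpntunnel "{s.tunnel}"
        set inbound {'enable' if s.inbound else 'disable'}
        set outbound enable
        set schedule "always"
        set service "ALL"
    next
end
"""


# Lab values from the lecture (1.1.1.1 / 2.2.2.2, the two /24s, PSK 123456, 3DES, DH group 5);
# main mode, "wan1"/"lan" and the names are assumptions, and the PSK is far too weak for real use.
SITE1 = Site("wan1", "lan", "1.1.1.1", "192.168.1.0 255.255.255.0", "VPN-to-Site2",
             "2.2.2.2", "192.168.2.0 255.255.255.0", "123456", "main", "3des-sha1", "5", "3des-sha1", "5")
SITE2 = Site("wan1", "lan", "2.2.2.2", "192.168.2.0 255.255.255.0", "VPN-to-Site1",
             "1.1.1.1", "192.168.1.0 255.255.255.0", "123456", "main", "3des-sha1", "5", "3des-sha1", "5")
# The states site 2 went through in the lab before the ping worked.
SITE2_SWAPPED = replace(SITE2, lan_subnet=SITE2.remote_subnet, remote_subnet=SITE2.lan_subnet)
SITE2_NO_INBOUND = replace(SITE2, inbound=False)
SITE2_OTHER_P2 = replace(SITE2, p2_proposal="3des-md5")   # SHA1 on one side, MD5 on the other
```

check_pair(SITE1, SITE2) returns an empty list, and check_pair(SITE1, SITE2_OTHER_P2) returns the phase 2 mismatch that the lecture found by hand. On the box, the Feature Visibility switch the lecture toggles corresponds to set gui-policy-based-ipsec enable under config system settings; it only affects the GUI, the CLI above works without it. In place of the Wireshark the lecture lacked, diagnose debug application ike -1 followed by diagnose debug enable prints the IKE negotiation, where a proposal mismatch shows up directly, and diagnose vpn tunnel list shows whether a phase 2 SA exists. The IPsec concentrator the lecture creates is left out of the rendered CLI because it is only needed when traffic has to pass between several tunnels (hub and spoke); a single site-to-site tunnel does not need it.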
So, this is all about the policy-based VPN. Why policy-based? Because we call the tunnel from inside a single firewall policy: if we go to Policy & Objects, the policy has the IPsec action and names the tunnel. Also no static route is needed, we create only one policy rather than two, and we did not create any extra route like we did for the route-based VPN. Also, you can apply this in both NAT mode and transparent mode: a policy-based site-to-site VPN works in both, but a route-based VPN cannot be used in transparent mode, which I mentioned already when we discussed the differences between the two. And then we verified that everything is okay.
So, this was the policy-based site-to-site VPN.