Proxy chaining over IPsec tunnel
You can configure proxy chaining over an IPsec VPN tunnel so that all traffic the inside (downstream, Site-1) proxy forwards to the outside (upstream, Site-2) proxy is encrypted in transit between the two sites. Note that the tunnel protects only this proxy-to-proxy hop: traffic between clients and the inside proxy, and between the outside proxy and the origin servers, is not covered by it.
Network Topology
To configure an IPsec VPN tunnel:
Refer to Basic site-to-site VPN with pre-shared key to create the Site-1 and Site-2 IPsec site-to-site tunnels based on the network topology. The tunnel settings shown below were produced by the VPN wizard: they use `set peertype any` (the peer is authenticated by the pre-shared key only, with no peer-ID restriction) and list SHA-1 proposals (`aes128-sha1`, `aes256-sha1`) alongside the SHA-256 and AEAD ones. Before deploying, use a strong, unique pre-shared key (or certificate authentication), and trim the proposals on both peers to the SHA-256 / AEAD variants they support. The `psksecret ENC ...` strings are device-encrypted values from the example device; enter your own secret rather than copying them.
To configure Site-2:
-
Configure the interface as follows. In this example `allowaccess` enables a long list of management services, including the cleartext protocols `telnet` and `http` as well as `snmp`, `fgfm`, and `speed-test`, on every interface, including the outside interface `port1`; in production, restrict `allowaccess` on the outside interface to what is actually needed (for example `ping https ssh`, or nothing). Also note that `port1` has `explicit-web-proxy` and `explicit-ftp-proxy` enabled: the `web-proxy` object below is bound to the `to-site-1` tunnel interface, but the explicit FTP proxy has no interface binding and the proxy policies accept `srcaddr "all"`, so disable these two settings on `port1` unless external clients are deliberately meant to reach the proxy.
config system interface
edit "port1" <<-outside-interface
set vdom "root"
set ip 172.18.20.166 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
set type physical
set explicit-web-proxy enable
set explicit-ftp-proxy enable
set alias "Site-2-External"
set snmp-index 1
next
edit "port2" <<-inside-interface
set vdom "root"
set ip 10.200.1.11 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
set type physical
set explicit-web-proxy enable
set explicit-ftp-proxy enable
set alias "Site-2-Internal"
set snmp-index 3
next
edit "to-site-1"
set vdom "root"
set type tunnel
set explicit-web-proxy enable
set explicit-ftp-proxy enable
set snmp-index 4
set interface "port2"
next
end
-
Configure the IPsec tunnel as follows. Note that `set peertype any` accepts any peer ID that presents the correct pre-shared key, and both proposal lists still include SHA-1 (`aes128-sha1`, `aes256-sha1`); for a production tunnel prefer restricting the peer ID (or using certificates) and keeping only the SHA-256 or AEAD proposals (`aes128gcm`, `aes256gcm`, `chacha20poly1305`) that the Site-1 peer also offers.
config vpn ipsec phase1-interface
edit "to-site-1"
set interface "port2" <<- inside-interface
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: to-site-1 (Created by VPN wizard)"
set remote-gw 10.100.1.10 <<- outside interface of Site-1 device
set psksecret ENC Im/HjW6abJFHgpclP7XYqJcreuVNxJZLDT32LOJDwXnNprNtQJ9n3N2VDM6Q9kxuviUPaiRA9Wq+dodgs5PKhhmmE2LzGMlsi6kNas8ZMw6Q1uF3iJkLcvzZap7M9m5+8Ay8zMzR97m4zpgt80RculvXt26q6pU7UIsjTOtf1FDnnf7T0RCzU4n/WiTe2LbUJ2VKs1lmMjY3dkVA
next
end
config vpn ipsec phase2-interface
edit "to-site-1"
set phase1name "to-site-1"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: to-site-1 (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "to-site-1_local"
set dst-name "to-site-1_remote"
next
end
-
Configure the static route as follows:
-
Route to the outside interface/subnet of the Site-1 proxy via the inside interface
-
Route to the Site-1 inside explicit proxy address/subnet via the VPN tunnel
-
Default route via the outside interface
config router static
edit 1
set gateway 172.18.20.1
set device "port1"
next
edit 2
set dst 10.100.1.0 255.255.255.0
set gateway 10.200.1.50
set device "port2"
next
edit 3
set device "to-site-1"
set comment "VPN: to-site-1 (Created by VPN wizard)"
set dstaddr "to-site-1_remote"
next
end
-
-
Configure the explicit proxy as follows:
config web-proxy explicit-proxy
edit "web-proxy"
set status enable
set interface "to-site-1"
set http-incoming-port 8080
set https-incoming-port 8080
next
end
-
Configure the explicit FTP proxy as follows. Unlike the web proxy above, `config ftp-proxy explicit` is not bound to a specific interface in this example, so it is reachable on every interface that has `explicit-ftp-proxy enable`. `set sec-default-action accept` lets FTP proxy sessions through when no explicit-ftp firewall policy matches; prefer `deny` so that only the FTP proxy policy below admits traffic.
config ftp-proxy explicit
set status enable
set incoming-port 2121
set outgoing-ip 0.0.0.0
set sec-default-action accept
end
-
Configure the firewall proxy policies as follows. Both policies use `srcaddr "all"`; since the only legitimate client of this upstream proxy is the Site-1 proxy, tighten `srcaddr` to an address object for the Site-1 inside interface (10.10.1.10, the `preferred-source` configured on the Site-1 tunnel route) so the upstream proxy does not act as an open proxy for any host that can reach it.
config firewall policy
edit 1
set type explicit-web
set name "Upstream proxy in Site-2"
set uuid f8aac3fa-1005-51f0-f549-57daac806021
set dstintf "port1" <<-outside interface
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "webproxy"
set explicit-web-proxy "web-proxy"
set webproxy-profile "XFF-Site-2"
set logtraffic all
set log-http-transaction enable
next
edit 3
set type explicit-ftp
set name "ftp-proxy-policy"
set uuid 3a1cbbfa-10aa-51f0-c416-4cd82a72e04f
set dstintf "port1" <<-outside interface
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set logtraffic all
next
end
-
Configure the DNS service as follows. This enables the DNS server on the `to-site-1` tunnel interface only (presumably so that the Site-1 proxy can resolve names through the tunnel); keep it off the outside interface `port1`, and note that no `mode` is set here, so the DNS server's default mode applies.
config system dns-server
edit "to-site-1"
next
end
To configure Site-1:
-
Configure the interface as follows. As at Site-2, the example `allowaccess` list enables `telnet`, `http`, `snmp`, `fgfm`, `speed-test`, and other management services on both interfaces, including the outside interface `port2` that faces Site-2; restrict it on that interface to the services you actually need. The explicit web and FTP proxies are correctly enabled only on the inside interface `port3` here.
config system interface
edit "port2" <<-outside-interface
set vdom "root"
set ip 10.100.1.10 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
set type physical
set alias "to_site-2"
set snmp-index 3
next
edit "port3" <<-inside-interface
set vdom "root"
set ip 10.10.1.10 255.255.255.0
set allowaccess ping https ssh snmp http telnet fgfm radius-acct probe-response fabric ftm speed-test
set type physical
set explicit-web-proxy enable
set explicit-ftp-proxy enable
set snmp-index 4
next
edit "to-site-2"
set vdom "root"
set type tunnel
set snmp-index 5
set interface "port2"
next
end
-
Configure the IPsec tunnel as follows. The same caveats as for Site-2 apply: `set peertype any` performs no peer-ID check beyond the pre-shared key, and the SHA-1 proposals (`aes128-sha1`, `aes256-sha1`) should be removed from both phases in favour of the SHA-256 or AEAD proposals, keeping the lists consistent with the Site-2 peer.
config vpn ipsec phase1-interface
edit "to-site-2"
set interface "port2" <<-outside-interface
set peertype any
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: to-site-2 (Created by VPN wizard)"
set remote-gw 10.200.1.11 <<-inside interface of Site-2 device
set psksecret ENC MAmDuLLv4/T5ydYd4qglW6fcNyfbSlq1LMl25rDwAaFe4XhXwW8Ryec7fRXHagbGF4Dvn2Ccr4wYdSjIYkbDY9Dwz3wEuYCXKHzqHx+FST1oU5DQb4KpcPsR7BgGjShNkeLVnV1HUTUhpIJDyxJzb04wMu0OFljY6ru4rNcMUy7lxxUreJgVoMdCbWLrCcETY+TDyFlmMjY3dkVA
next
end
config vpn ipsec phase2-interface
edit "to-site-2"
set phase1name "to-site-2"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
set comments "VPN: to-site-2 (Created by VPN wizard)"
set src-addr-type name
set dst-addr-type name
set src-name "to-site-2_local"
set dst-name "to-site-2_remote"
next
end
-
Configure the static route as follows:
-
Route to the inside interface/subnet of the Site-2 proxy via the outside interface
-
Route to the outside interface/subnet of the Site-2 proxy via the VPN tunnel
-
Set `preferred-source` on the VPN tunnel route to the Site-1 FortiProxy (FPX) inside interface IP (10.10.1.10), so that connections the proxy itself originates toward Site-2 through the tunnel use that address as their source.
config router static
edit 1
set dst 10.200.1.0 255.255.255.0
set gateway 10.100.1.50
set device "port2"
next
edit 2
set preferred-source 10.10.1.10
set device "to-site-2"
set comment "VPN: to-site-2 (Created by VPN wizard)"
set dstaddr "to-site-2_remote"
next
end
-
-
Configure the explicit web proxy as follows. `set incoming-ip 10.10.1.10` and `set interface "port3"` bind the proxy to the inside interface, so it is not exposed on the outside interface `port2`.
config web-proxy explicit-proxy
edit "web-proxy"
set status enable
set interface "port3"
set http-incoming-port 8080
set https-incoming-port 8080
set incoming-ip 10.10.1.10 <<-port3 ip address
next
end
-
Configure the explicit FTP proxy as follows. As at Site-2, `set sec-default-action accept` lets FTP proxy sessions through when no explicit-ftp firewall policy matches; prefer `deny` so that only the `ftp-proxy-chaining` policy below admits traffic.
config ftp-proxy explicit
set status enable
set incoming-port 2121
set outgoing-ip 0.0.0.0
set sec-default-action accept
end
-
Configure the forward servers as follows. Both entries use plain `http`/`ftp` to the Site-2 outside interface address 172.18.20.166, so the proxy-to-proxy hop is protected only if that address is actually routed through the tunnel: confirm that the `to-site-2_remote` address used by the phase 2 selector and the tunnel static route includes 172.18.20.166, otherwise there is no tunnel route for it (Site-1 has no default route in this example) and the chained traffic would fail or, with a different routing setup, leave the device unencrypted.
config web-proxy forward-server
edit "http-to-site-2"
set ip 172.18.20.166 <<-outside interface IP address of Site-2 proxy
set port 8080
set protocol http
next
edit "ftp-to-site-2"
set ip 172.18.20.166 <<- outside interface IP address of Site-2 proxy
set port 2121
set protocol ftp
next
end
-
Configure the URL-match entry (server list) that selects which requests are chained to the Site-2 forward server, as follows:
config web-proxy url-match
edit "www.fortinet.com"
set explicit-web-proxy "web-proxy"
set url-pattern "www.fortinet.com"
set forward-server "http-to-site-2"
next
end
-
Configure the firewall proxy policies as follows. The FTP policy sets `webproxy-forward-server "ftp-to-site-2"`, so all explicit FTP traffic is chained to Site-2, whereas the web policy relies on the `url-match` entry above, so only requests for www.fortinet.com are chained; if all web traffic should go through the Site-2 proxy, add `set webproxy-forward-server "http-to-site-2"` to policy 1 as well.
config firewall policy
edit 4
set type explicit-ftp
set name "ftp-proxy-chaining"
set uuid a36d1baa-10a9-51f0-7706-d06775cd89be
set dstintf "to-site-2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set logtraffic all
set logtraffic-start enable
set webproxy-forward-server "ftp-to-site-2"
next
edit 1
set type explicit-web
set name "server-url-match-forward"
set uuid eb97a0d0-1004-51f0-01f6-2c7c369110d4
set dstintf "to-site-2"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "webproxy"
set explicit-web-proxy "web-proxy"
set logtraffic all
set log-http-transaction enable
next
end
-
Configure FortiGuard tunneling as follows. This sends the Site-1 device's FortiGuard update traffic through the Site-2 proxy at 172.18.20.166:8080 over plain HTTP, so the same requirement applies: that address must be reached via the IPsec tunnel route for the update traffic to be encrypted between the sites.
config system autoupdate tunneling
set status enable
set address "172.18.20.166"
set port 8080
end