Les voy a mostrar como ustedes pueden configurar tu fortinet firewall con una verizon MiFi® 4G LTE Global USB Modem U620L. Pero primero entra en el portal del administrator y open el CLI o connectate via SSH a tu fortigate y abilitar el puerto. Despues entras este comando:
fortigate# config system lte-modem
fortigate (lte-modem)# set status enable
fortigate (lte-modem)# end
fortigate # show system lte-modem
config system lte-modem
set status enable
Para saber y asegurarse que typo de modems son compatibles con tu fortigate, ve a este enlace: https://kb.fortinet.com/kb/documentLink.do?externalID=FD30613
Ahora vamos al portal de web y tendras una nueva interface llamada WWAN. Para asegurarte ve a Network > Interfaces
Edita tu nueva WWAN interface con un Role de WAN y IP via DHCP or Manual. Dependiendo de tu configuracion.
Ahora navega hacia Network > SD-WAN y abilitalo con “Enable”. Y anide tus interfaces WAN como en la foto de abajo.
La seccion de load balancing lo tengo configurado con Volumen, con el 90% de mis seciones salen por WAN1 y el resto por el WWAN. Para mas informacion ve aqui: https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-networking/SD-WAN/SD-WAN_load_balancing.htm
Ahora necesitamos crear una regla para saber cuando una de las interfaces tenga problemas y la Fortigate pueda controlar el trafico de manera inteligente. Navega hacia Network > SD-WAN Status Check y crea una regla nueva como la de bajo.
La ultima parte es crear una default route para el SD-WAN. Ve a Network > Static Routes y crea una nueva ruta como la que tengo abajo. Esta va a dirigir tu traffic destinado al internet por medio de tu interface virtual de SD-WAN.
1. Download latest firmware from https://software.cisco.com/download/home
2. Download Solarwinds Free TFTP Server and install on your PC: https://www.solarwinds.com/free-tools/free-tftp-server
3.Open Putty and connect to your switch. Once connected run this command from the switch:
4. Reboot immediately or schedule a reboot with the command below:
SW#reload
at Reload at a specific time/date
cancel Cancel pending reload
in Reload after a time interval
SW#reload in
<1-999> time interval in minutes (mmm format)
WORD<4-6> time interval in hours & minutes (hhh:mm format)
SW#reload in 07:00
This command will reset the whole system and disconnect your current session. Reload is scheduled for 23:36:35 web(UTC-4) Tue Oct 31 2017 (in 7 hours). Do you want to continue ? (Y/N)[N] Y
SW#31-Oct-2017 16:36:44 %RNDMISC-N-SRACTIVE: system is scheduled to perform a restart at 23:36:35 Tue Oct 31 2017 (in 6 hours and 59 minutes).
5. Your switch will boot up with the new firmware image
4. Identify on which image slot your firmware was copied to:
SW#sh bootvar
Image Filename Version Date Status
----- --------- --------- --------------------- -----------
1 image-1 1.4.7.5 15-Nov-2016 11:19:18 Active*
2 image-2 1.4.8.6 10-Jul-2017 17:14:29 Not active
"*" designates that the image was selected for the next boot
__________________________________________________
5. Set to boot to the new version with the command below:
SW#boot system image-2
6. Reboot your switch or schedule a reboot with the command below:
SW#reload
at Reload at a specific time/date
cancel Cancel pending reload
in Reload after a time interval
SW#reload in
<1-999> time interval in minutes (mmm format)
WORD<4-6> time interval in hours & minutes (hhh:mm format)
SW#reload in 07:00
This command will reset the whole system and disconnect your current session. Reload is scheduled for 23:36:35 web(UTC-4) Tue Oct 31 2017 (in 7 hours). Do you want to continue ? (Y/N)[N] Y
SW#31-Oct-2017 16:36:44 %RNDMISC-N-SRACTIVE: system is scheduled to perform a restart at 23:36:35 Tue Oct 31 2017 (in 6 hours and 59 minutes).
7. Your switch will boot up with the new firmware image
Hola colegas, abajo estan las configs de las rutas.
Configuracion de Ruta1 Hub Distribucion
interface Tunnel0
description TUNEL
ip address 172.16.0.1 255.255.255.0
no ip redirects
ip mtu 1400
no ip next-hop-self eigrp 1
no ip split-horizon eigrp 1
ip nhrp authentication cisco123
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 6783
!
interface GigabitEthernet0/0
description INTERNET
ip address 1.1.1.1 255.255.255.252
!
interface GigabitEthernet0/1
description LAN
ip address 10.10.10.1 255.255.255.0
!
router eigrp 100
network 1.0.0.0
eigrp stub connected summary
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
Configuracion de Ruta2 Enlace
interface Tunnel0
ip address 172.16.0.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map multicast 1.1.1.1
ip nhrp map 172.16.0.1 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 6783
!
interface GigabitEthernet0/0
ip address 2.2.2.1 255.255.255.252
!
interface GigabitEthernet0/1
ip address 10.20.20.1 255.255.255.0
!
router eigrp 100
network 2.0.0.0
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
!
Configuracion de Ruta3 Enlace
interface Tunnel0
ip address 172.16.0.3 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication cisco123
ip nhrp map multicast 1.1.1.1
ip nhrp map 172.16.0.1 1.1.1.1
ip nhrp network-id 1
ip nhrp nhs 172.16.0.1
ip tcp adjust-mss 1360
tunnel source GigabitEthernet0/0
tunnel mode gre multipoint
tunnel key 6783
!
interface GigabitEthernet0/0
ip address 3.3.3.1 255.255.255.252
!
interface GigabitEthernet0/1
ip address 10.30.30.1 255.255.255.0
!
router eigrp 100
network 3.0.0.0
!
!
router eigrp 1
network 10.0.0.0
network 172.16.0.0
!
Encripta tus Tuneles
En todas las rutas, configura esto para encriptar el trafico, especialmente si tus tuneles pasan por redes publicas (Internet).
No se te olvide de cambiar las key cisco123 si utilizas esta configuracion afuera de un laboratorio.
Router1_Hub#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
1.1.1.1 2.2.2.1 QM_IDLE 1001 ACTIVE
1.1.1.1 3.3.3.1 QM_IDLE 1003 ACTIVE
3.3.3.1 1.1.1.1 QM_IDLE 1004 ACTIVE
2.2.2.1 1.1.1.1 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
Checa la fase 2 y asegurate de que no tenga seros en encaps y decaps.
Router1_Hub#show crypto ipsec sa
interface: Tunnel0
Crypto map tag: Tunnel0-head-0, local addr 1.1.1.1
protected vrf: (none)
local ident (addr/mask/prot/port): (1.1.1.1/255.255.255.255/47/0)
remote ident (addr/mask/prot/port): (3.3.3.1/255.255.255.255/47/0)
current_peer 3.3.3.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 263, #pkts encrypt: 263, #pkts digest: 263
#pkts decaps: 263, #pkts decrypt: 263, #pkts verify: 263
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 3.3.3.1
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xCC4E37C1(3427678145)
PFS (Y/N): N, DH group: none
inbound esp sas:
--More--
Gracias por visitar mi pagina, porfavor subscribete a mi canal de youtube. Dale un like al video y de paso tambien comparte mi canal por whatsapp, facebook o por señales de humo. Cuando llegue a 1,000 seguidores, voy a regalar una tarjeta de regalo de amazon! Gracias y disfruta este video:
Configuracion de Ruta1
conf t
track 6 ip sla 6 reachability
ip sla 6
icmp-echo 172.31.2.2 source-ip Gig0/2
threshold 1500
timeout 500
frequency 5
tos 160
tag SD-WAN
exit
ip sla schedule 6 life forever start-time now
ip route 192.168.200.0 255.255.255.0 172.31.255.2 track 6
Configuracion de Ruta2
conf t
track 6 ip sla 6 reachability
ip sla 6
icmp-echo 172.31.2.1 source-ip Gig0/2
threshold 1500
timeout 500
frequency 5
tos 160
tag SD-WAN
exit
ip sla schedule 6 life forever start-time now
ip route 192.168.100.0 255.255.255.0 172.31.255.1 track 6
Confirmacion
Hacegurate de que el routing valla por la interface correcta con
R1#show ip route
C 1.0.0.0/8 is directly connected, Serial0/2/0
D 20.0.0.0/8 [90/2195456] via 1.1.1.2, 00:43:52, Serial0/2/0
C 10.0.0.0/8 is directly connected, FastEthernet0/0
R1#show ip eigrp neighbors
IP-EIGRP neighbors for process 100
H Address Interface Hold Uptime SRTT RTO Q Seq
(sec) (ms) Cnt Num
0 1.1.1.2 Se0/2/0 13 00:45:08 355 2130 0 106
Mira el video abajo para aprender como configurar una VPN
Configuracion de Ruta1:
####PHASE 1 / FASE 1######
crypto isakmp policy 1
encrypt aes 256
hash sha256
auth pre-share
group 5
lifetime 28800
exit
####PHASE 2 / FASE 2 - No olvides cambiar la key si usas esto en produccion#####
crypto isakmp key THISISMYKEY addr 2.2.2.2
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
mode tunnel
exit
crypto ipsec profile MY-IPSEC-PROFILE
set transform-set MY-SET
set pfs group2
set security-association lifetime seconds 28800
exit
####TUNNEL CONFIG / CONFIGURACION DEL TUNEL###
interface tunnel 1
ip addr 172.31.1.1 255.255.255.252
tunnel source GI0/0
tunnel destination 2.2.2.2
tunnel mode ipsec ipv4
tunnel protection ipsec profile MY-IPSEC-PROFILE
exit
####OSPF CONFIG###
interface tunnel 1
ip ospf area 1
exit
router ospf 1
area 1
network 192.168.100.0 0.0.0.5 area 1
end
Configuracion de Ruta2:
####PHASE 1 / FASE 1######
crypto isakmp policy 1
encrypt aes 256
hash sha256
auth pre-share
group 5
lifetime 28800
exit
####PHASE 2 / FASE 2 - No olvides cambiar la key si usas esto en produccion#####
crypto isakmp key THISISMYKEY addr 1.1.1.1
crypto ipsec transform-set MY-SET esp-aes 256 esp-sha-hmac
mode tunnel
exit
crypto ipsec profile MY-IPSEC-PROFILE
set transform-set MY-SET
set pfs group2
set security-association lifetime seconds 28800
exit
####TUNNEL CONFIG / CONFIGURACION DEL TUNEL###
interface tunnel 1
ip addr 172.31.1.2 255.255.255.252
tunnel source GI0/0
tunnel destination 1.1.1.1
tunnel mode ipsec ipv4
tunnel protection ipsec profile MY-IPSEC-PROFILE
exit
####OSPF CONFIG###
interface tunnel 1
ip ospf area 1
exit
router ospf 1
area 1
network 192.168.200.0 0.0.0.5 area 1
end
Verificacion
Confirma la fase 1 esta establecida:
show crypto isakmp sa
Confirma la fase 2 esta establecida y asegurate de que ahiga packets en decrypt y encrypt:
show crypto ipsec sa
Por ultimo puedes mandar ‘interesting’ trafico (trafico asociado con los SA (security association) Como ping entre las computadoras adentro de las LANs internas.
