nothingel
New Member
June 22, 2011
Question

Bridging / layer2 vpn

  • June 22, 2011
  • 7 replies
  • 7963 views
Is it possible to create a layer 2 or bridging VPN between two Fortigates? I am well-versed in interface-mode layer 3 IPsec VPNs on Fortigates where each side of the tunnel has their own subnet. However, my current problem would best be solved by bridging a very small remote network with the main network (seeing all broadcasts, using the same IP scheme, etc). As an example, I am looking for a way to duplicate the functionality of OpenVPN's "tap" bridge mode. Thanks!

    7 replies

    Carl_Wallmark
    New Member
    June 22, 2011
    Hi, I don't think it's possible as you describe it, I have searched for this as well. But there is a way to allow a few addresses from the same subnet to be on both sides, and it's transparent. The word to search for is "proxy-arp" at kb.fortinet.com
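    For readers following that pointer, this is what a FortiOS proxy-ARP entry looks like. It is an added example, not configuration from the poster or from the Fortinet KB article; the interface name port1 and the address 192.168.1.50 are constructed placeholders, and the IPsec phase 2 selectors and firewall policies that actually carry that address across the tunnel are not shown.

```fortios
# Added example, not from the thread. Makes the FortiGate answer ARP requests
# on port1 for 192.168.1.50 (a constructed address for a host that physically
# sits at the far end of the tunnel), so local hosts on the same subnet send
# that traffic to the firewall, which then forwards it through the VPN policy.
config system proxy-arp
    edit 1
        set interface "port1"
        set ip 192.168.1.50
    next
end
```

    Each entry covers one address on one interface, which is why this only scales to the "few addresses" mentioned above. It does not forward broadcasts or create a shared broadcast domain, which is the distinction the original question turns on, and each proxied address should be checked with an ARP lookup from a local host to confirm the FortiGate, not a stale entry, is answering.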
    emnoc
    New Member
    June 23, 2011
    What you will need is an L2 MPLS VPN or L2TPv3, neither of which is supported within the FortiGate or any other firewall that I can think of. What are you trying to accomplish or achieve with bridging over two networks? Do you have network overlaps?
    FortiRack_Eric
    New Member
    June 23, 2011
    You can create a VPN between two FortiGates (VDOMs) in transparent mode using policy-based VPN. That'll do the trick.
    Carl_Wallmark
    New Member
    June 23, 2011
    Eric: is that possible? I've been searching for a way to do this... so the same subnet can be on both sides of the VPN tunnel? (same broadcast domain)
    nothingel (Author)
    New Member
    June 23, 2011
    Can you elaborate a little more on the high level concept of a transparent mode VPN? Would broadcast traffic (including ARP) traverse? To answer the earlier question, there is a building on the property that cannot be reached via wire or wireless without extreme cost due to environmental constraints. However, cable/DSL already reaches the other building. Due to the very small number of clients, the desire is to logically extend the needed networks using the concept of bridges if at all possible. Yes, I do think MPLS would do the trick but that doesn't seem to be an option. I'm toying with the idea of OpenVPN in "tap" mode but there's certain drawbacks too. In the end, I may have to give up and use traditional layer 3 routed segments. It's too bad the Fortigate soft switch cannot add IPsec interfaces as members. Thanks for the thoughts thus far!
    FortiRack_Eric
    New Member
    June 24, 2011
    Nope, sorry, missed the part that both subnets should be the same. You can do NAT on this, but that probably won't meet the requirement. I hope you're not falling into the trap that some SAN supplier wants the same subnet for both for replication and failover purposes. From a network and security standpoint I won't go for this. Two sites on the same subnet. It's asking for problems. A recipe for disaster.
    emnoc
    New Member
    June 24, 2011
    Ditto. Your best bet is to get out of bridging and make unique L3 subnets or NAT the remote network. If it's a network that you own/admin, then re-address them and do it smarter & not harder.
    nothingel (Author)
    New Member
    July 14, 2011
    Just a quick update -- L2TPv3 between two Cisco routers works great. There's a few gotchas with servers on the Internet that block all ICMP, thus breaking PMTU, but fortunately there's several workarounds. I sure wish Fortigate supported L2TPv3. It's a good tool in the right situation.