FatalHalt
New Member
May 20, 2015
Question

Can I VIP into an IPSec tunnel?

  • May 20, 2015
  • 1 reply
  • 13261 views

Hey all,

I have a vendor accessing a series of VIPs on my FortiGate, which are pointed to a series of corresponding private IPs that are accessed over an MPLS.

I need to allow this vendor to get access to a new site at which I do not have an MPLS connection. I can build an IPsec tunnel to this location, but I'm a bit confused as to what my source/destinations would be. Attached is a picture.

So, if I VIP into XX.XX.XX.XX:3, I want to VIP the traffic to 192.168.3.1 and head down the VPN tunnel.

Is this possible/achievable in some way?

1 reply

echo
Explorer II
May 21, 2015

Yes, I have done this. I created an additional IP address on the router's internal IP address and used that in the VIP configuration. I could access that IP address from my office over the IPsec tunnel, and the VIP translated the address (with port) to another address which was reachable using another IPsec tunnel on that router. Of course, policies have to be done too. That's it, in short.

Be careful: when I created a VIP on the router's default address, I lost the connection to the router and had to remove it quickly by managing the router over the external address. You can use a different network too if needed.

walvarez
New Member
November 21, 2020

Hi guys, I need the setup guide for this. Is it possible?

rwpatterson
New Member
November 23, 2020

Just treat the IPSec tunnel as another firewall address or interface. Policy from VIP->IPSec. The only difference is the VIP needs to be allowed over the tunnel. A way to get this done is to create an IP pool of a single allowed IP address through the IPSec tunnel and use it in the VIP->IPSec policy as the source address.
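Putting the two answers above (secondary/spare address for the VIP, policy VIP->IPsec with a single-address IP pool as the source) into one FortiOS CLI configuration. This is an added example, not configuration from the thread or from Fortinet, written in FortiOS 5.x/6.x CLI syntax (exact keywords vary between versions). Every name, address and port in it is an assumption: wan1, 203.0.113.10 (a spare public IP, deliberately not wan1's own primary address so management is not lost as described in the first reply), 198.51.100.0/24 (vendor source), to-site3 (route-based tunnel), 192.0.2.20 (remote gateway), 192.168.3.0/24 (new site LAN, with 192.168.3.1 the target host), 192.168.200.1 (IP pool source address) and TCP 3389 standing in for the ":3" port in the question.

```text
# Added example, not from the thread. All names/addresses are assumed:
#   wan1            - public-facing interface the vendor reaches
#   203.0.113.10    - spare public IP for the VIP (not wan1's own primary IP)
#   198.51.100.0/24 - vendor's source network
#   to-site3        - route-based IPsec tunnel (phase1-interface) to the new site
#   192.0.2.20      - remote IPsec gateway at the new site
#   192.168.3.0/24  - new site's LAN; 192.168.3.1 is the host the VIP maps to
#   192.168.200.1   - single IP pool address used as the source over the tunnel
#   3389            - example service port (the question shows the port as ":3")

# 1. Route-based IPsec tunnel. The phase 2 selector must cover the IP pool
#    address, because that is the source the remote side will see.
config vpn ipsec phase1-interface
    edit "to-site3"
        set interface "wan1"
        set remote-gw 192.0.2.20
        set psksecret "<pre-shared-key>"
    next
end

config vpn ipsec phase2-interface
    edit "to-site3-p2"
        set phase1name "to-site3"
        set src-subnet 192.168.200.1 255.255.255.255
        set dst-subnet 192.168.3.0 255.255.255.0
    next
end

# 2. Static route so 192.168.3.0/24 is sent down the tunnel interface.
config router static
    edit 0
        set dst 192.168.3.0 255.255.255.0
        set device "to-site3"
    next
end

# 3. Vendor address object and the VIP (port forward to the host behind the tunnel).
config firewall address
    edit "vendor-net"
        set subnet 198.51.100.0 255.255.255.0
    next
end

config firewall vip
    edit "vip-site3-rdp"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedip "192.168.3.1"
        set mappedport 3389
    next
end

# 4. IP pool holding the single source address the tunnel selector allows.
config firewall ippool
    edit "pool-site3-src"
        set type overload
        set startip 192.168.200.1
        set endip 192.168.200.1
    next
end

# 5. Policy: vendor -> VIP, out the tunnel, SNAT to the pool address.
#    Without the pool the packet would leave with the vendor's real source,
#    which neither the phase 2 selector nor the remote site's routing covers.
config firewall policy
    edit 0
        set name "vendor-to-site3-via-vip"
        set srcintf "wan1"
        set dstintf "to-site3"
        set srcaddr "vendor-net"
        set dstaddr "vip-site3-rdp"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat enable
        set ippool enable
        set poolname "pool-site3-src"
    next
end
```

The remote site needs the mirror image: a phase 2 selector of 192.168.3.0/24 to 192.168.200.1/32 and a policy allowing that source in, otherwise the tunnel comes up but the first packet is dropped there. To confirm traffic is actually leaving with the pool address, watch the tunnel interface with `diagnose sniffer packet to-site3 'host 192.168.3.1' 4` while the vendor connects; the source shown should be 192.168.200.1, not the vendor's address.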