IPsec Remote Access VPN behind another FortiGate – possible design or workaround?

Question

Hello Fortinet Community,I am working on a lab / design scenario and would like to ask for guidance on whether this setup is technically supported or if there is a recommended workaround.A FortiGate External is deployed at the edge (Internet-facing)A FortiGate Internal is deployed behind itThe Internal FortiGate is intended to terminate IPsec Remote Access VPN (FortiClient)The External FortiGate acts only as a border firewall (NAT / routing)So i wanna ask you whether my topology working normally, if yes, can you guide me how to deploy, thanks very much

AEK · Answer

HelloSure it is technically possible. If you use UDP (default), on ext-fw just forward the incoming UDP-500 and UDP-4500 from WAN to the int-fw (using DNAT or just routing depending on the case), and allow outgoing UDP-500 and UDP-4500 from int-fw to WAN (using SNAT or just routing depending on the case)But I wonder if it is a more correct design to setup the internal firewall as VPN server or to setup the external one. I guess the external one.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded