agonist_inhaler
New Member
March 9, 2011
Question

IPsec VPN inside VDOM

  • March 9, 2011
  • 5 replies
  • 4326 views
Hi Gurus, I am new to the FortiGate device (110C) and even to IPsec VPN itself, so please bear with me. My issue is: I am trying to create an IPsec VPN tunnel on a FortiGate 110C (4.0 build 0192) under the default VDOM root, and everything seems to be working fine; I can see that the VPN tunnel shows up when I try to bring it up. But I wanted to create 2 VDOMs on this device, and when I did, I can no longer see tunnel interfaces being created after creating phase1 on the IPsec VPN. I.e. I create IPsec phase1 named testvpn, then testvpn2 for phase2; under the root VDOM it automatically created the testvpn tunnel interface bound under the port I used in phase1, however it doesn't do it inside a created VDOM. Please assist me on how to go about this; I am not sure if there is a specific way of doing this inside a virtual domain. I am looking forward to your suggestions and inputs. c",)

    5 replies

    FortiRack_Eric
    New Member
    March 9, 2011
Did you forget to check interface mode in the VDOM phase1s? Common mistake, as the default is tunnel mode. Cheers, Eric
    agonist_inhaler
    New Member
    March 9, 2011
Hi Eric, yes, you are right, I forgot to check that. Thanks again. I will keep you posted if I get it working. I appreciate your prompt reply. -cheers!-
    agonist_inhaler
    New Member
    March 10, 2011
Hi Eric, I was able to create the phase1 tunnel, however I am still not able to bring up the IPsec tunnel for some reason. I created two static routes. The first is for any destination: it will use my router IP as its gateway, where the WAN interface is connected, with the device set to the WAN interface. The second route I created was for the private network on the other side, leaving the gateway blank and using the phase1 tunnel as the device. I also created a firewall rule to allow all from Trust to Untrust and vice versa. Do I need to use the ssl.vdom that was created under this VDOM and create another route? Does it need to be part of Trust or Untrust?
    agonist_inhaler
    New Member
    April 2, 2011
Hi Eric, thanks for all the advice. I was able to get this thing up and running. It was just the "NAT Traversal that was set to enable" that I did not remove.
    FortiRack_Eric
    New Member
    April 4, 2011
It's no big deal. If you have no need for NAT on both sides, you can remove NAT Traversal on both sides from the config. It makes the IPsec negotiation faster. Cheers, Eric