Skip to main content
Duka
Duka
Explorer
April 22, 2022
Solved

Multiple IPSec VPN for using zones

  • April 22, 2022
  • 6 replies
  • 10739 views

Hi Everybody,

some time ago I have done a network segmentation in the headquarters based on zones (client, voip, server) and numerous policies. Now I have to do the same in a remote seat (IPSEC VPN). The remote seat  have the same logic as the main office, although not all VLANs are necessary (only client, VOIP). All routing between the VLANs is done at headquarters.

 

I would like to avoid the following solution

  • Using multiple interfaces in the policies because i lose the "Interface Pair View".
  • Duplicate policies (this makes administration more complex)

my idea
Multiple IPSec VPNs (with diffrent public IPs in the main site - parameter "set local-gw") - one VPN per VLAN, whereby its interface can then be added to the corresponding zone and the existing rules are then used automatically.

 

Since I don't have a test environment, I wanted to ask beforehand whether this is even possible (routing..) or whether I've overlooked something here?

 

Graphic for better understanding.

image.png

Thanks in advanced for your help

 

Regards
Patrick

Best answer by Duka

Hi,

the connection is now working as expected. As written by both of you, i also had to add the static routes (same priority) so that the connection works from the main office.

 

Key Elements to solve this problem:
-Multiple IPSec VPNs with Tunnel Interface IPs on both sides
-Policy Route on Remote Site - One per VLAN on Remote Site (Gateway = IP of VPN Interface on MainSite)
-Static Routes on Remote and Main Site
-Some policies to allow traffic

 

Many thanks to both of you

 

Regards
Patrick

6 replies

seshuganesh
Staff
seshuganesh
Staff
April 22, 2022

HI Team,

 

As per your requirement, you would like to configure multiple public IP in head office end and create multiple tunnels to remote end.

There by you can add different phase 2 selectors in all three tunnels.

Yes it is possible.

You are basically seperating VLAN traffic based on the tunnels.

Please correct me if i am wrong

akristof
Staff
akristof
Staff
April 22, 2022

Hi, as my colleague said, you can use single VPN with multiple phase2, but if you want to have traffic between clientA and voipB it can make it difficult because you would need all the combinations of the traffic.

You can also use single tunnel with one any/any phase2, but if you want to segment traffic to separate tunnels, then you can also do it like that.

You can configure multiple tunnels on different IP (on HQ) if you can, if you have only 1 public IP, you can configure multiple tunnels on same IP and just use localid (ikev1) or you can use network-overlay ID (ikev2).

Duka
DukaAuthor
Explorer
April 22, 2022

Hi,

thanks to both for the quick reply and the tip regarding PeerID. I'll test it out over the next few weeks and then get back to you.

 

Regards

Patrick

    Duka
    DukaAuthor
    Explorer
    April 27, 2022

    Hi,

    I have made now some tests.

     

    The VPN connections with different public IPs is working. The ping Client_A <-> Client_B and VOIP_A <-> VOIP_B works.

     

    But now I have the problem that Client_B and VOIP_B also have to contact Server_A. I created a static route, but only CLIENT_B -> Server_A or VOIP_B -> Server_A works depending on the priority.

     

    Is that even possible with "Static Route" or do I have to use "Policy Routes"? I tried that a bit, but didn't get there. Maybe someone has an idea?

     

    Regards

    Patrick

     

    akristof
    Staff
    akristof
    Staff
    April 27, 2022

    Hi,

    If you have 2 routes for same network, via IpsecA and via IpsecB (same distance, different priority) then policy-route is the best option. Possibly you did it right but policy-route was not used because of this:

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-policy-routes-for-route-based-interface/ta-p/193376

    Duka
    DukaAuthor
    Explorer
    April 28, 2022

    Hi,

    thank you for showing me the right way. By using the policy router I can now ping SERVER_A from CLIENT_B and VOIP_B. Unfortunately, the reverse way doesn't work. SERVER_A cannot ping CLIENT_B and VOIP_B. Does the Reverse Path Check have a problem with Policy Routes?

     

    Debug on Remote Site - B

    id=20085 trace_id=1373 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.245.5.105:1->192.168.50.5:2048) from DR300_DK300. type=8, code=0, id=1, seq=15888."
    id=20085 trace_id=1373 func=init_ip_session_common line=5834 msg="allocate a new session-005e1fb6"
    id=20085 trace_id=1373 func=ip_route_input_slow line=2241 msg="reverse path check fail, drop"
    id=20085 trace_id=1373 func=ip_session_handle_no_dst line=5918 msg="trace"

     

    config router policy
    edit 1
    set input-device "vlan-301"
    set src "192.168.40.0/255.255.255.0"
    set dst "10.245.5.0/255.255.255.0"
    set gateway 172.16.40.1
    set output-device "DR301_DK301"
    next
    edit 2
    set input-device "vlan-300"
    set src "192.168.50.0/255.255.255.0"
    set dst "10.245.5.0/255.255.255.0"
    set gateway 172.16.50.1
    set output-device "DR300_DK300"
    next
    end

    Regards

    Patrick

    akristof
    Staff
    akristof
    Staff
    April 28, 2022

    Hi,

    I am assuming that you have 2 routes over tunnel1 and tunnel2 with different priorities. You need to have this on both ends. It this case it doesn't matter that it will not be best route, you just need to have route for a source network in routing-table on the device that is dropping traffic because of reverse path. 

      Duka
      DukaAuthorAnswer
      Explorer
      April 28, 2022

      Hi,

      the connection is now working as expected. As written by both of you, i also had to add the static routes (same priority) so that the connection works from the main office.

       

      Key Elements to solve this problem:
      -Multiple IPSec VPNs with Tunnel Interface IPs on both sides
      -Policy Route on Remote Site - One per VLAN on Remote Site (Gateway = IP of VPN Interface on MainSite)
      -Static Routes on Remote and Main Site
      -Some policies to allow traffic

       

      Many thanks to both of you

       

      Regards
      Patrick

        Terms & ConditionsAccessibility statement