Skip to main content
RVTim
RVTim
New Member
November 19, 2020
Question

Multiple ISP + BGP + VPN question

  • November 19, 2020
  • 1 reply
  • 3470 views

I've got a tough question with multiple parts that has me stumped right now.  Here are the requirements or info points.

 

1)   2 (or more ISPs)  Each providing a /29, on 2 or more interfaces.

2)   We own our own /24 block.  That needs to be advertised with BGP and available publicly.

3)   I want VPN tunnels to terminate on our IPv4 IPs...that way IPSec Tunnels are ISP independent.

4)   I want the remaining IPv4 Addresses useable by other hosts...preferrably on a VLAN interface that holds the public IP Space.

 

I'm really stuck on each part.  I've got a VPN established on one ISP block of IPs.

I've got BGP advertising but currently I have a VLAN created with our /24 and it is being advertised.

I can't seem to find how to use one of my publics, say X.X.X.10 for my IP address on the Fortigate for IPSec to terminate on.

 

I did find a post today on a fortiguru site titled "Public IP Pass-through (DMZ Transparent Mode)" that seems to address much of what I'm looking for but no details on how to configure it.  And, it doesn't address VPN question. 

Anyone able to lend some advice?

Not Logged in

chrome

    1 reply

    boneyard
    boneyard
    Valued Contributor
    November 19, 2020

    you create a secondary IP address on the /24 vlan interface and use that in your VPN configuration.

     

    this is the general idea: https://kb.fortinet.com/kb/documentLink.do?externalID=FD32009

     

    lobstercreed
    lobstercreed
    New Member
    November 19, 2020

    I'm actually dealing with a somewhat similar thing.  My own /24 doesn't exist on an interface though (all used for VIPs).  I have a loopback interface that one of my VIPs NATs to and I terminate my IPSEC tunnels on this loopback. 

     

    I'm just now beginning to implement this (still not full production) but it seems to be working.  I'd be happy to discuss more over PM or demo over a brief Zoom if it would be helpful.

    RVTim
    RVTimAuthor
    New Member
    November 20, 2020

    Thanks for your answers.  The approach in that linked article was one I tried a couple days ago without success, but, since I wrote my request for help, I got what I needed.  Yesterday I had called support and we couldn't figure it out but the forti engineer I got took it as a project and set it up in the lab.  He came up with a working solution.

     

    Let me explain where things went wrong.  When I did it just per the article, I moved my VPN that terminated on the ISP's assigned IP address, to the secondary on the VLAN interface I created.  I was able to bring up a tunnel, and pass traffic into the network.  The replies also tried to send back, but it failed as the packets went into the tunnel and I wasn't able to get any packets going back across the tunnel.  It said there was no route to the other end, which is bogus, because it had the tunnel built and it should have known where to go.  So what we did as the fix was this:

     

    We enabled overlapping subnets.  That way I could have the /24 on the VLAN interface, but create a loopback with a /32 mask on x.x.x.2   Then I could terminate the VPN on that IP.  Once that was done, the traffic routed fine and everything worked.   Now I just have to verify that I can still use my /24 block for NAT of internal hosts for internet access as well.  If so, it should work out just fine.

     

    Thanks again for your tips.  After 18 years of banging away at Cisco equipment of all types, the COVID situation forced me into a job change and I've found myself having to pick up something totally new. Definitely a little gear grinding as I try to shift into higher gears.

    Terms & ConditionsAccessibility statement