johnlloyd_13
Explorer III
February 11, 2023
Solved

Route based VPN/VTI Tunnel support in Multi VDOM

  • February 11, 2023
  • 3 replies
  • 5940 views

Hi,

I've been searching/googling for VDOM support for route-based VPN/VTI tunnels but to no avail.

Is this route-based VPN/VTI tunnel interface supported in multiple VDOMs? I.e. VDOM A is for our internal VPN/VTI to AWS, then VDOM B is for another customer/department.

Appreciate it if someone can provide a Fortinet link. Thanks!

Best answer by gfleming

If you read the VDOM Overview in the docs you can see the very first paragraph states:

"Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network."

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/109991/virtual-domains

3 replies

tthrilok
Staff
February 12, 2023

Hi John,

Thank you for the query!

I understand you have VDOM A, on which the VPN to AWS is terminated, and VDOM B, from where the user initiates the traffic to AWS. Please let me know if I misunderstood.

If the above is the case and VDOM A is encrypting your traffic to AWS, you may use the inter-VDOM link and route the traffic between VDOMs.

For example, your AWS network is 10.1.1.0/24, and VDOM B network is 10.1.2.0/24

In the VDOM A, you can create two routes:

10.1.1.0/24 pointing to VPN Tunnel

10.1.2.0/24 pointing to InterVDOM link to VDOM B

Then create the policies accordingly.

In the VDOM B you may need to create one route:

10.1.2.0/24 pointing to InterVDOM link to VDOM A

Create the policies accordingly.

johnlloyd_13
Explorer III
February 12, 2023

Hi,

VDOM A and VDOM B are completely separate/independent of each other.

There's no need to interconnect the two VDOMs.

Is VTI in a VDOM supported?

Or is VTI only available in the "root" VDOM?

Toshi_Esumi
SuperUser
February 12, 2023

By default, FortiGate's IPsec VPNs are route-based (or interface-based) VTIs (virtual tunnel interfaces) that you can configure an IP address on and route traffic through.

If you need to configure, for whatever reason, policy-based IPsec with the GUI, you have to enable the feature visibility first.

Toshi

johnlloyd_13
Explorer III
February 13, 2023

Hi,

My main question is: is VTI supported in multiple VDOMs?

Or is VTI only available in the "root" VDOM?

srajeswaran
Staff
February 12, 2023

There is no restriction on configuring a route-based VPN in a VDOM. The configuration steps are exactly the same as a VPN config on a non-VDOM firewall.

Are you getting any errors while configuring?

johnlloyd_13
Explorer III
February 13, 2023

Hi,

I haven't configured this yet.

I just would like to know if VTI is supported in multiple VDOMs.

I only searched/saw config docs using the "root" VDOM.

Are you able to give/point me to a Fortinet doc that configures a VTI in a VDOM other than "root"?

Toshi_Esumi
SuperUser
February 13, 2023

Whatever you found as examples of VPN configuration in the root VDOM, you just need to replace "set vdom root" with "set vdom your-vdom-name". Nothing else would be different.

Toshi
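To make the two answers above concrete, here is an added FortiOS CLI sketch (not from this thread or from Fortinet's docs) of a route-based VTI terminated in a non-root VDOM: the outside port is placed in VDOM_A with `set vdom` (the line Toshi says to change from "set vdom root"), phase 1 then creates the tunnel interface inside that VDOM, and the static route follows tthrilok's example. VDOM_A, AWS 10.1.1.0/24 and local 10.1.2.0/24 come from the thread; "port2", "to_aws", the peer address 203.0.113.10 and the PSK placeholder are assumptions.

```fortios
# Added example, not from the thread. Lines starting with # are comments.
config global
    config system interface
        edit "port2"
            # root-VDOM examples have "set vdom root" here
            set vdom "VDOM_A"
        next
    end
end
config vdom
    edit VDOM_A
        # phase1-interface creates the VTI "to_aws" inside VDOM_A
        config vpn ipsec phase1-interface
            edit "to_aws"
                set interface "port2"
                set ike-version 2
                set peertype any
                set proposal aes256-sha256
                set dhgrp 14
                set remote-gw 203.0.113.10
                set psksecret <PSK_PLACEHOLDER>
            next
        end
        config vpn ipsec phase2-interface
            edit "to_aws_p2"
                set phase1name "to_aws"
                set proposal aes256gcm
                set src-subnet 10.1.2.0 255.255.255.0
                set dst-subnet 10.1.1.0 255.255.255.0
            next
        end
        # AWS prefix points at the tunnel, as in the inter-VDOM answer
        config router static
            edit 1
                set dst 10.1.1.0 255.255.255.0
                set device "to_aws"
            next
        end
    end
end
```

Firewall policies in VDOM_A then reference "to_aws" as srcintf/dstintf like any other interface; nothing in the VPN part of the config depends on the VDOM being "root".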