Routing VLAN Traffic (subnets) & DHCP Through VPN

Why would you want to do that is my 1st question? Want I would do instead ; 1: is to create a voice-subnet that' s unique at office B e.g 10.10.20.x/24 2: Create a phase2-interface for this traffic 3: Apply firewallpolicies for voice-phones to reach softPBX at site " A" to allow traffic from voice A to voiceB and phones to softPBX 4: Install a route for this network the above assume your using a route-based vpn 5th: Use the DHCP relay to relay-dhcp requests from site " B" to site " A" dhcp server. note: would create a dhcp relay-server for voice vlan#2 and point it to dhcp-server-voice at site A and set the mode to be " relay" btw, nice diagram. This helped with providing a clear picture of your dilemma

Thanks emnoc for once again providing a solution. I wasn' t too keen on routing VLAN traffic through the VPN for a variety of reasons, and your solution was exactly what I was looking for. I' m using route-based VPN (always), and was hoping it would be as simple as routing. Per your solution, I' ve performed the following: Office B VLAN2 changed from 10.10.10.0/24 to 10.10.20.0/24 Office A: create firewall object, " A VLAN2" with 10.10.10.0/255.255.255.0 Office B: create firewall object, " B VLAN2" with 10.10.20.0/255.255.255.0 Office A: VPN > A_TO_B Phase2 A_TO_B2 > Quick Mode Selector > " A VLAN2" Office B: VPN > B_TO_A Phase2 B_TO_A2 > Quick Mode Selector > " B VLAN2" Set up routes for both under Router at both offices Set up policies to pass 10.10.10.x and 10.10.20.x between office A & B VPN works fine. Again, knowing that I know nothing about phone servers (and we don' t manage or have anything to do with it other than it' s a VM on our hardware), when I do DHCP relay, those phones will have to get 10.10.20.x addresses from the phone server in order for voice traffic to route back to Office A' s Adtran/T1, correct? If that' s the case, from a theoretical position, how does the DHCP server know that local subnetted voice VLAN phones get 10.10.10.x addresses and DHCP relayed phones on Office B' s voice VLAN get 10.10.20.x addresses? Another few quick (hopefully) questions on the DHCP relay setup since I' ve not done that before and documentation isn' t exactly helpful on the particulars: 1. Do I relay through the System > Network > Interfaces > Wan1 > Office_B_to_A tunnel (sub)interface? 2. What is the difference between Regular and IPsec relaying (this is where documentation fails)?

Again, knowing that I know nothing about phone servers (and we don' t manage or have anything to do with it other than it' s a VM on our hardware), when I do DHCP relay, those phones will have to get 10.10.20.x addresses from the phone server in order for voice traffic to route back to Office A' s Adtran/T1, correct? If that' s the case, from a theoretical position, how does the DHCP server know that local subnetted voice VLAN phones get 10.10.10.x addresses and DHCP relayed phones on Office B' s voice VLAN get 10.10.20.x addresses?

This would be determine by the relay-dhcp-server ip address of office B router nic ( the firewall ip_address) aka properly as the GIADDR in the dhcp-message e.g config sys interface edit vlan2 set ip 10.10.20.1/24 set dhcp-relay-service enable set dhcp-relay-type regular set dhcp-relay-ip 10.10.10.200 192.168.100.200 192.168.200.200 ←-- this is the dhcp-server (s) end So the DHCP relay-agent ( firewall ) will present it’s address to the DHCP-server & the scope would be correctly served based on the relay-agent address

Another few quick (hopefully) questions on the DHCP relay setup since I' ve not done that before and documentation isn' t exactly helpful on the particulars: 1. Do I relay through the System > Network > Interfaces > Wan1 > Office_B_to_A tunnel (sub)interface?

On firewall B you would have a dhcp-relay mode set for this firewall ( see the above cfg )

2. What is the difference between Regular and IPsec relaying (this is where documentation fails)?

fortigate supports various dhcp-server types depending on FortiOS ver 1: regular ( what we use for a typical LAN ) 2: ipsec ( clients that used ipsec-dhcp for configuration vrs auto-configuration request & the client sends a classic dhcpdiscover message ) 3: relay ( where your dhcp-server is external & the address/assignment/binding is done off the local L3 device and remotely managed ) FWIW: Also I know you have the phone-server DHCP-server, but you could manage the scope on any of the other 2 dhcp-server if you wanted ( Office A or B ). So if you see in my earlier example, I gave you 3 dhcp-servers all ending in .200. You would replace these with the appropriate dhcp-server that you configure the phone-dhcp-scope on. I myself have never relayed over a ipsec-vpn, but have relayed locally to external dhcp-server off the fortigate in the past. Keep your design simple & let us know how it works out. If you need diagnostics, you can tcpdump on either the tunnel-interface leading to OfficeA or OfficeA interface leading to the dhcp-server to ensue the dhcp-relay is working and what address or you can run ; e.g diag sniffer packet <my interface> " host 10.10.10.200“ or diag debug enable diag debug application dhcprelay 250 on officeB I hope this all helps

Thanks again, emnoc. OK, I want to make sure I understand correctly, I do need to create VLAN subinterfaces (VLAN 2 and VLAN 10) on the FortiGate at Office B with an address of say 10.10.20.1/24 and 192.168.201.1/24? From there, I set multiple IP relays through that interface as per your example above, e.g.: config system interface edit vlan2 set dhcp-relay-service enable set dhcp-relay-type regular set dhcp-relay-ip 10.10.10.200 192.168.100.200 192.168.200.200 end But what about VLAN1 and VLAN10? Does all DHCP relay traffic go through the ForitGate vlan2 interface? How does it know where to route the DHCP traffic for 192.168.100/24 and 192.168.200/24? Would I create this? config system interface edit vlan2 set ip 10.10.20.1 255.255.255.0 set dhcp-relay-service enable set dhcp-relay-type regular set dhcp-relay-ip 10.10.10.200 set interface " wan1" set vlanid 2 end next edit vlan10 set ip 192.168.201.1 255.255.255.0 set dhcp-relay-service enable set dhcp-relay-type regular set dhcp-relay-ip 192.168.200.200 set interface " wan1" set vlanid 2 end I' m assuming that I won' t need to worry about the default VLANs (Office A, 192.168.100.0/24 and B, 192.168.101.0/24) since the network is on two different subnets with local Microsoft AD DHCP servers (though I could serve DHCP for both offices from Office A' s DHCP servers).

Assumptions: WAN1 is a interface into your layer2 switch that carries local traffic The layer2 switch supports 802.1q tagging DHCP server for PHONE network ( vlan#2 ) scope is carried across the VPN and to the SoftPBX at OfficeA VLAN1 is our AD server resource lan DHCP-server for the other networks are the MicrosoftAD server(s) ending with .200 in this example VLAN10 purpose is unclear, but I’m assuming it’s local to the office? Also it’s unclear on what’s the default WAN interface used for traffic exiting office A or B ( WAN2 ????? ) config system interface edit vlan1 set ip 192.168.101.1 255.255.255.0 set interface " wan1" set vlanid 1 set alias VLAN1-NETWORK_LOCAL_SERVERS end next edit vlan2 set ip 10.10.20.1 255.255.255.0 set dhcp-relay-service enable set dhcp-relay-type regular set dhcp-relay-ip 10.10.10.200 set interface " wan1" set vlanid 2 set alias VLAN2-NETWORK_LOCAL_PHONES end next edit vlan10 set ip 192.168.201.1 255.255.255.0 set dhcp-relay-service enable set dhcp-relay-type regular set dhcp-relay-ip 192.168.101.200 set interface " wan1" set vlanid 2 set alias VLAN10-NETWORK_LOCAL_USERS end cisco switchport configuration; interface gi 1/0/1 switchport switch mode trunk switch trunk allow vlan 1,2,10 logging event link-status logging event bundle-status logging event spanning-tree status load-interval 30 description UPLINK to FORTIGATE WAN1 INTERFACE no shut no cdp enable lldp transmit end As an alternative for the voip lan on officeB; you could server the scope off the local AD server if you so desire. Just change the dhcp-relay address to that of the local MicrosoftAD server(s). This could be support at either site if you need redundancy. Since the voip-gateway is in the OfficeA realm, this might not buy you too much. You have a lot of single-points-of-failures with regards to VoIP services { e.g internet uplink vpn single VoIP switch } For QoS keep in mind I believe a L3 firewall like Fortigate does not support recognition of CoS values on a 802.1p frame. Juniper does btw, but you will probably need to do a CoS re-mapping to DSCP, and them set this on firewall policy with guarantee traffic-policy. So you could map the appropriate cos for signaling and voip-channel to DSCP values and and trust the voip phone on the local switch. I would suggest the following; if officeB is very critical to explain a SoftPBX at this site locally Provide redundant SoftPBXes at both sites Provide 2nd Adtran1 Voice-GW at office Avoid carrying VoIP traffic across the VPN ( your chewing up outgoing/ingoing traffic for any off site traffic Traffic across the VPN should be intra-site-only voice imho I hope this better explain what I would do. But you have the general ideal & once again the photo explains your setup and needs very well.

Which policy allows DHCP requests from Site B to Site A across the tunnel " B-to-A" ? IMHO that would be from " Voice" to " B-to-A" on site B. Cross reference: does a phone in site B get assigned a DHCP address in the 10.10.20.0 range or from 10.10.10.0 or none at all?

OP Did you ensure these policy in the direction of question is being hit ? diag debug enable diag debug flow flitter address < insert a io of the host > diag debug flow show console enable diag debug flow trace start 50 You might to arrange the policies if your not getting any matches. I would police the A2B and then B2A direction and monitor the rx/tx packet counters under your diag vpn tunnel list Ken

Thanks ede_pfau and emnoc. Here is the information you wanted. ede_pfau Policy 2 should allow DHCP traffic across the tunnel (mirrors policy 2 on Office A' s FG). The " B VPN Group" contains both 192.168.101.0/24 and 10.10.20.0/24 and the " A VPN Group" contains both 192.168.100.0/24 and 10.10.10.0/24. As far as I understand, that should allow all traffic in both ranges to travel back and forth. A phone at site B gets assigned a 10.10.10.0 address from the PBX at office A (10.10.10.200), or should. This is a secondary issue, however, as I can' t get 10.10.x.x traffic to pass through the tunnel at all. I should be able to ping the internal interface of each FG unit' s voice VLAN, but can' t, as explained at the end of my previous post. At least I' m glad there isn' t something immediately apparent I' ve overlooked. emnoc From an Office A machine, I send out ping packets to the " Voice" interface at Office B. ICMP traffic should be constant (see the end of my previous post about the different behaviors of A & B FG units - even though they are setup nearly identically). Office A' s ping packets sent to Office B' s Voice IP simply do not make it to the FG unit. Office A' s diag debug shows the occasional ICMP packet coming through, e.g.: id=13 trace_id=1 msg=" vd-root received a packet(proto=1, 192.168.100.200:2->10.10.20.100:8) from internal1." id=13 trace_id=1 msg=" Find an existing session, id-00036d95, original direction" id=13 trace_id=1 msg=" enter IPsec interface-A_TO_B" id=13 trace_id=1 msg=" send to 50.243.12.110 via intf-wan1" id=13 trace_id=1 msg=" encrypting, and send to 66.66.0.100 with source 65.65.0.100" rx/tx are so small as to be meaningless, just a few sad kbs that made it through the FG maze. So far, FortiGate: 1, VPNightmare: 0 Oh, and emnoc, because I' ve combined the IPs into groups, rx/tx will be combined for both. Previously, they were separate policies (with VLAN traffic showing the tx/rx at 0 or a few kbs), but now they' re combined, so the tx/rx you' re seeing below is all 192.168.x.x traffic. diag vpn tunnel list name=A_TO_B ver=1 serial=1 65.65.0.100:0->66.66.0.100:0 lgwy=static tun=intf mode=auto bound_if=5 proxyid_num=2 child_num=0 refcnt=431 ilast=0 olast=0 stat: rxp=4971993 txp=5080545 rxb=754321047 txb=667435043 dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=30 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=A_TO_B2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1 src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=378 options=0000000e type=00 soft=0 mtu=1436 expire=962 replaywin=1024 seqno=14381 life: type=01 bytes=0/0 timeout=1748/1800 dec: spi=354f2a32 esp=3des key=24 <numbers> ah=sha1 key=20 <numbers> enc: <numbers> ah=sha1 key=20 <numbers> dec:pkts/bytes=81921/13304714, enc:pkts/bytes=87521/12896802643 npu_flag=03 npu_rgwy=66.66.0.100 npu_lgwy=65.65.0.100 npu_selid=0 proxyid=Voice-2 proto=0 sa=0 ref=1 auto_negotiate=0 serial=2 src: 0:10.10.10.0/255.255.255.0:0 dst: 0:10.10.20.0/255.255.255.0:0