VPNightmare
New Member
July 27, 2015
Question

VDOMs: VPN, VIP Through Management VDOM?

  • July 27, 2015
  • 1 reply
  • 9992 views

Hello,

We have a 200D FortiGate (well, two in HA mode) with multiple client VDOMs in NAT mode, each with their own VLAN (multiple servers, SANs, typical data center stuff). Rather than allocating two ports for each VDOM (LAN/WAN), we decided to use unnumbered VDOM routes between each VDOM and the management VDOM, root, so as to only use one port (LAN) per VDOM instance. This works great.

What we need next is twofold:

1. We need independent IPsec VPN tunnels in each VDOM to the client FortiGates. In the attached image, for instance, VDOM1 would have a direct VPN tunnel to the remote client FortiGate. This is necessary.
2. We need a way to route public IPs to VDOMn. In the image, a public IP of 200.200.1.7 VIPs to a 10.1.0.x address in VDOM1. This is also necessary.

So, is there a way 1 and/or 2 can be accomplished without using independent WAN ports for each VDOM?

As always, thank you in advance for any assistance.


MBR
New Member
October 26, 2016

Hi,

Did you find a solution for this?

Currently I'm having the exact same problem.

MBR

emnoc
New Member
October 26, 2016

What you are doing is a meshed VDOM approach.

http://socpuppet.blogspot.com/2014/09/a-stacked-vdom-concept-with-fortigate.html

You have a few choices: you can run a DNAT VIP on the internet-facing VDOM to the respective FortiGate inside VDOM (1, 2, 3)

or

Assign public IPv4 addresses to the inside VDOM 1, 2, 3 and route these through the internet-facing VDOM

or

Are the inside VDOMs "responders" or "initiators"? If it's the latter you could just SNAT the traffic {IPsec/IKE} from the VDOM to the remote location(s). If you're worried about all IPsec coming from the same src-ip, use a peer-id to distinguish each tunnel.
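The two approaches from the reply above (a DNAT VIP on the internet-facing root VDOM for the question's requirement 2, and source-NATing IKE from an inside VDOM with a local ID so the peer can tell tunnels apart, for requirement 1), written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet; it uses FortiOS 5.4-era syntax and assumes interface names wan1 and port5, an inter-VDOM link named vl1 (giving interfaces vl10/vl11), a VDOM named VDOM1, an internal host 10.1.0.10, and a remote peer 198.51.100.20 with LAN 192.168.50.0/24 (documentation ranges). The link is numbered here so the tunnel in VDOM1 has a local source address for IKE; the pre-shared key is a placeholder.

```fortios
# Added example (not from the thread): DNAT VIP in the internet-facing root
# VDOM plus a source-NATed IPsec initiator inside VDOM1, over a numbered
# inter-VDOM link. Names, addresses and the PSK below are assumptions.
config global
    config system vdom-link       # default (ethernet) type; numbered so that
        edit "vl1"                # VDOM1 has a local address to source IKE from
        next
    end
    config system interface
        edit "vl10"
            set vdom "root"
            set ip 10.255.1.1 255.255.255.252
        next
        edit "vl11"
            set vdom "VDOM1"
            set ip 10.255.1.2 255.255.255.252
        next
    end
end
config vdom
    edit root
        config router static
            edit 10               # root reaches VDOM1's subnet via the link
                set dst 10.1.0.0 255.255.255.0
                set gateway 10.255.1.2
                set device "vl10"
            next
        end
        config firewall vip       # option 1: DNAT VIP on the public VDOM
            edit "vip-200.200.1.7-vdom1-https"
                set extip 200.200.1.7
                set extintf "wan1"
                set portforward enable   # expose one port, not the whole host
                set mappedip "10.1.0.10"
                set extport 443
                set mappedport 443
            next
        end
        config firewall policy
            edit 10               # inbound: wan1 -> VIP -> VDOM1, HTTPS only
                set srcintf "wan1"
                set dstintf "vl10"
                set srcaddr "all"
                set dstaddr "vip-200.200.1.7-vdom1-https"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set logtraffic all
            next
            edit 11               # option 3: SNAT IKE/NAT-T from VDOM1 outbound
                set srcintf "vl10"
                set dstintf "wan1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "IKE"   # default service object: UDP 500 and 4500
                set nat enable      # source becomes wan1's public address
                set logtraffic all
            next
        end
    next
    edit VDOM1
        config vpn ipsec phase1-interface
            edit "to-client-a"
                set interface "vl11"     # tunnel terminates inside VDOM1
                set ike-version 2
                set nattraversal enable  # ESP rides in UDP 4500 through root's NAT
                set localid "vdom1-datacenter"   # peer-id: distinguishes this VDOM's
                set remote-gw 198.51.100.20      # tunnel behind the shared SNAT address
                set psksecret <PRESHARED-KEY-PLACEHOLDER>
            next
        end
        config vpn ipsec phase2-interface
            edit "to-client-a-p2"
                set phase1name "to-client-a"
                set src-subnet 10.1.0.0 255.255.255.0
                set dst-subnet 192.168.50.0 255.255.255.0
            next
        end
        config router static
            edit 10               # default route: out through the link to root
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.255.1.1
                set device "vl11"
            next
            edit 11               # remote LAN is reached via the tunnel interface
                set dst 192.168.50.0 255.255.255.0
                set device "to-client-a"
            next
        end
    next
end
```

VDOM1 still needs its own policies (vl11 to port5 for the DNATed HTTPS traffic, and port5 to and from the tunnel interface); they are left out to keep the block to the root-side pieces the reply describes. The inbound VIP policy deliberately permits a single named service and logs every session, and the outbound IKE policy is limited to the IKE service object rather than "ALL", so the only thing VDOM1 can originate through root's public address is the tunnel negotiation itself.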

MBR
New Member
November 1, 2016

Thanks emnoc.

I'm trying a configuration with a public IP on the "inner" VDOM link interface and also on a loopback interface inside the VDOM.

Got the VPN up but I'm still checking the traffic flows, which don't seem to work properly, but this could be caused by a particular SOHO router on the other side. Will try with a FortiGate - FortiGate configuration.