FortiGate
welnaggar
Staff
Article Id 194666
Description
This article describes the configuration steps to successfully transmit broadcast streaming over an IPsec VPN between two FortiGates.

The following high-level diagram illustrates the scenario:

Solution
Step-by-step configuration on site A:

- Establish an IPsec VPN tunnel between both FortiGates. It is important to add the limited broadcast address 255.255.255.255 as a destination in the phase2 selectors, otherwise the broadcast packets never match the tunnel:
# config vpn ipsec phase1-interface
    edit "VPN-siteA"
        set interface "port1"
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 10.108.16.52
    next
end

# config vpn ipsec phase2-interface
    edit "VPN-siteA-0"
        set phase1name "VPN-siteA"
        set proposal aes256-sha1
        set dhgrp 5
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
    edit "VPN-siteA-Broadcast"
        set phase1name "VPN-siteA"
        set proposal aes256-sha1
        set dhgrp 5
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 255.255.255.255 255.255.255.255
    next
end
- Configure firewall policies to allow traffic through the IPsec tunnel in both directions (the broadcast destination itself is permitted by the multicast policy configured later in this procedure):
# config firewall policy
    edit 2
        set uuid 3f41d4ec-1b11-51e5-59e1-89ff338a8b48
        set srcintf "port2"
        set dstintf "VPN-siteA"
        set srcaddr "10.10.1.0/24"
        set dstaddr "192.168.10.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set uuid 4ecffd80-1b11-51e5-f9dc-b4973fcba126
        set srcintf "VPN-siteA"
        set dstintf "port2"
        set srcaddr "192.168.10.0/24"
        set dstaddr "10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
- Add the needed static routes:
# config router static
    edit 1
        set gateway 10.108.19.254
        set device "port1"
    next
    edit 2
        set dst 192.168.10.0 255.255.255.0
        set device "VPN-siteA"
    next
end
- Enable broadcast-forward on both the tunnel interface and the LAN interface, so that broadcasts received on the LAN are forwarded into the tunnel and vice versa:
# config system interface
    edit "VPN-siteA"
        set vdom "root"
        set broadcast-forward enable
        set type tunnel
        set snmp-index 12
        set interface "port1"
    next
    edit "port2"
        set vdom "root"
        set ip 10.10.1.1 255.255.255.0
        set broadcast-forward enable
        set type physical
        set snmp-index 2
    next
end

- Configure a broadcast firewall address and a multicast policy that permits traffic to it:
# config firewall multicast-address
    edit "Broadcast"
        set type broadcastmask
        set subnet 255.255.255.255 255.255.255.255
    next
end
# config firewall multicast-policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "Broadcast"
    next
end
The same steps are then mirrored on site B:

- IPsec VPN configuration:
# config vpn ipsec phase1-interface
    edit "VPN-siteB"
        set interface "port1"
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 10.108.16.137
    next
end

# config vpn ipsec phase2-interface
    edit "VPN-siteB-0"
        set phase1name "VPN-siteB"
        set proposal aes256-sha1
        set dhgrp 5
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.10.1.0 255.255.255.0
    next
    edit "VPN-siteB-Broadcast"
        set phase1name "VPN-siteB"
        set proposal aes256-sha1
        set dhgrp 5
        set src-subnet 255.255.255.255 255.255.255.255
        set dst-subnet 10.10.1.0 255.255.255.0
    next
end
- Firewall policies:
# config firewall policy
    edit 16
        set uuid d16f4a8a-1b10-51e5-3008-a5f532b77f5c
        set srcintf "VPN-siteB"
        set dstintf "port3"
        set srcaddr "10.10.1.0/24"
        set dstaddr "192.168.10.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 17
        set uuid f4186fa8-1b10-51e5-3a14-f0414fd58617
        set srcintf "port3"
        set dstintf "VPN-siteB"
        set srcaddr "192.168.10.0/24"
        set dstaddr "10.10.1.0/24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
- Static routing:
# config router static
    edit 1
        set gateway 10.108.16.137
        set device "port1"
    next
    edit 2
        set dst 10.10.1.0 255.255.255.0
        set device "VPN-siteB"
    next
end
- Enable broadcast-forward on both the tunnel interface and the LAN interface:
# config system interface
    edit "VPN-siteB"
        set vdom "root"
        set broadcast-forward enable
        set type tunnel
        set snmp-index 12
        set interface "port1"
    next
    edit "port2"
        set vdom "root"
        set ip 192.168.10.1 255.255.255.0
        set broadcast-forward enable
        set type physical
        set snmp-index 2
    next
end

- Configure a broadcast firewall address and a multicast policy that permits traffic to it:
# config firewall multicast-address
    edit "Broadcast"
        set type broadcastmask
        set subnet 255.255.255.255 255.255.255.255
    next
end

# config firewall multicast-policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "Broadcast"
    next
end
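Because this procedure depends on four separate settings agreeing with each other (the broadcast phase2 selector, broadcast-forward on the tunnel and LAN interfaces, the broadcastmask address and the multicast policy referencing it), a missing piece is easy to overlook in a long CLI dump. The script below is an added example written for this article, not Fortinet tooling: it parses a flat FortiOS "config / edit / set / next / end" dump and reports which of those pieces are absent on one FortiGate. It assumes, as FortiOS does for interface-mode IPsec, that the phase1 name is also the tunnel interface name, and it only handles flat tables (no sub-tables nested under an edit), which is all this article's configuration uses. The sample configuration is constructed from site A above, cut down to the settings the checks look at, plus two deliberately broken variants.

```python
"""Check a FortiGate CLI dump for the settings the broadcast-over-IPsec setup
depends on.  Added example, not Fortinet code; the sample config is constructed."""
import shlex
from collections import defaultdict

BCAST = ["255.255.255.255", "255.255.255.255"]  # limited broadcast as "addr mask"


def parse_fortios(text):
    """Flat 'config/edit/set/next/end' dump -> {table: {entry: {setting: [values]}}}.
    Sub-tables under an edit are not handled; missing next/end lines are tolerated."""
    tables = defaultdict(dict)
    table = entry = None
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()  # the article prints "# config ..."
        if not line:
            continue
        tok = shlex.split(line)  # honours quoted names such as "VPN-siteA"
        if tok[0] == "config":
            table, entry = " ".join(tok[1:]), None
        elif tok[0] == "edit":
            entry = tok[1]
            tables[table].setdefault(entry, {})
        elif tok[0] == "set" and entry is not None:
            tables[table][entry][tok[1]] = tok[2:]
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = entry = None
    return tables


def check_broadcast_over_ipsec(text):
    """Return findings for one FortiGate; an empty list means every piece is present."""
    cfg = parse_fortios(text)
    findings = []
    # 1. A phase2 selector must include 255.255.255.255, or the tunnel SA never
    #    matches the broadcast packets.  phase1name doubles as the tunnel interface.
    p2 = cfg.get("vpn ipsec phase2-interface", {})
    tunnels = {s["phase1name"][0] for s in p2.values() if "phase1name" in s
               and BCAST in (s.get("src-subnet"), s.get("dst-subnet"))}
    if not tunnels:
        findings.append("no phase2 selector includes 255.255.255.255")
    # 2. Derive the LAN interfaces facing those tunnels from the firewall policies.
    lan = set()
    for s in cfg.get("firewall policy", {}).values():
        src, dst = set(s.get("srcintf", [])), set(s.get("dstintf", []))
        if dst & tunnels:
            lan |= src
        if src & tunnels:
            lan |= dst
    # 3. broadcast-forward must be enabled on the tunnel and on the LAN side.
    ifaces = cfg.get("system interface", {})
    for name in sorted(tunnels | lan):
        if ifaces.get(name, {}).get("broadcast-forward") != ["enable"]:
            findings.append(f"broadcast-forward not enabled on interface {name}")
    # 4. A broadcastmask address must exist and be the dstaddr of a multicast policy.
    bnames = {n for n, s in cfg.get("firewall multicast-address", {}).items()
              if s.get("type") == ["broadcastmask"] and s.get("subnet") == BCAST}
    if not bnames:
        findings.append("no broadcastmask multicast-address for 255.255.255.255")
    if not any(set(s.get("dstaddr", [])) & bnames
               for s in cfg.get("firewall multicast-policy", {}).values()):
        findings.append("no multicast-policy with the broadcast address as dstaddr")
    return findings


# Constructed sample: site A from the article, reduced to the settings checked above.
SITE_A_OK = """config vpn ipsec phase2-interface
    edit "VPN-siteA-Broadcast"
        set phase1name "VPN-siteA"
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 255.255.255.255 255.255.255.255
    next
end
config firewall policy
    edit 2
        set srcintf "port2"
        set dstintf "VPN-siteA"
    next
end
config system interface
    edit "VPN-siteA"
        set broadcast-forward enable
    next
    edit "port2"
        set broadcast-forward enable
    next
end
config firewall multicast-address
    edit "Broadcast"
        set type broadcastmask
        set subnet 255.255.255.255 255.255.255.255
    next
end
config firewall multicast-policy
    edit 1
        set dstaddr "Broadcast"
    next
end
"""
# Two broken variants: the broadcast selector missing, and broadcast-forward left off.
SITE_A_NO_SELECTOR = SITE_A_OK.replace("255.255.255.255 255.255.255.255", "192.168.10.0 255.255.255.0", 1)
SITE_A_NO_FWD = SITE_A_OK.replace("set broadcast-forward enable", "set broadcast-forward disable")
```

Paste the output of `show` from each FortiGate into `check_broadcast_over_ipsec()` and run it once per site; an empty list means that side has every piece of the procedure above. The LAN interface is derived from the firewall policies that pair with the broadcast tunnel rather than hard-coded, so a site whose LAN sits on port3 (as site B's policies show) is checked correctly as long as its policies and interface configuration name the same port.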
