FortiGate
dbabic
Staff
Description
This article describes how to configure IPSec VPN tunnels on Inter-VDOM links to allow VDOMs with no WAN interface to communicate with remote peers through the root VDOM.


Solution
Consider a FortiGate whose only WAN connection is assigned to the root VDOM, while an IPSec VPN tunnel has to be configured in VDOM1.
The root VDOM then has to NAT the IKE traffic that originates in VDOM1 and forward it to the remote peer; the inter-VDOM link carries that traffic between the two VDOMs.

Here is the step-by-step guide:


Site A VPN gateway

1) In the global context, create an inter-VDOM link pair and assign one end to each VDOM. The pair is created under "config system vdom-link", which generates the two interfaces "VDOM-link0" and "VDOM-link1"; each end then gets its VDOM and an address from the /30 that the two VDOMs use to talk to each other.
#config global
config system vdom-link
edit "VDOM-link"
next
end
config system interface
edit "VDOM-link0"
set vdom "root"
set ip 10.0.0.1 255.255.255.252
set type vdom-link
set snmp-index 14
next
edit "VDOM-link1"
set vdom "VDOM1"
set ip 10.0.0.2 255.255.255.252
set type vdom-link
set snmp-index 15
next
end
end

2) On VDOM1, configure an IPSec tunnel bound to the "VDOM-link1" interface, so that the tunnel's local address is 10.0.0.2 (the remote peer will see the root VDOM's WAN address once the traffic is NATed in step 3). The pre-shared key is shown as a placeholder.
#config vpn ipsec phase1-interface
edit "VPN-FGT-A"
set interface "VDOM-link1"
set proposal aes256-sha1
set dhgrp 5
set remote-gw 172.16.1.1
set psksecret <pre-shared-key>
next
end

#config vpn ipsec phase2-interface
edit "VPN-FGT-A"
set phase1name "VPN-FGT-A"
set proposal aes256-sha1
set dhgrp 5
set src-subnet 10.10.1.0 255.255.255.0
set dst-subnet 192.168.10.0 255.255.255.0
next
end
Address objects referenced by the routes and policies below
#config firewall address
edit "10.10.1.0-24"
set subnet 10.10.1.0 255.255.255.0
next
edit "192.168.10.0-24"
set subnet 192.168.10.0 255.255.255.0
next
end
Static routing: the remote subnet through the tunnel, a blackhole route with a high distance so that traffic for the remote subnet is dropped instead of leaking elsewhere while the tunnel is down, and a host route to the remote gateway via the root VDOM (10.0.0.1 on VDOM-link0) so that IKE and ESP leave VDOM1 through VDOM-link1
#config router static
edit 1
set device "VPN-FGT-A"
set dstaddr "192.168.10.0-24"
next
edit 2
set distance 254
set blackhole enable
set dstaddr "192.168.10.0-24"
next
edit 3
set dst 172.16.1.1 255.255.255.255
set gateway 10.0.0.1
set device "VDOM-link1"
next
end
Firewall policies
#config firewall policy
edit 1
set name "vpn_VPN-FGT_local"
set srcintf "internal"
set dstintf "VPN-FGT-A"
set srcaddr "10.10.1.0-24"
set dstaddr "192.168.10.0-24"
set action accept
set schedule "always"
set service "ALL"
next
edit 2
set name "vpn_VPN-FGT_remote"
set srcintf "VPN-FGT-A"
set dstintf "internal"
set srcaddr "192.168.10.0-24"
set dstaddr "10.10.1.0-24"
set action accept
set schedule "always"
set service "ALL"
next
end
3) On the root VDOM, configure an outgoing NAT policy from VDOM-link0 to the WAN interface. The built-in "IKE" service covers UDP 500 and 4500; fixedport is enabled so that these source ports are preserved after source NAT, because a rewritten source port would make the remote peer receive IKE and NAT-T from a non-standard port. The address objects for the VDOM-link1 address and the remote peer are created first.
#config firewall address
edit "10.0.0.2-IP"
set subnet 10.0.0.2 255.255.255.255
next
edit "172.16.1.1-IP"
set subnet 172.16.1.1 255.255.255.255
next
end

#config firewall policy
edit 1
set name "outgoing"
set srcintf "VDOM-link0"
set dstintf "wan1"
set srcaddr "10.0.0.2-IP"
set dstaddr "172.16.1.1-IP"
set action accept
set schedule "always"
set service "IKE"
set fixedport enable
set nat enable
next
end
4) On the root VDOM, configure a VIP that maps the WAN address to 10.0.0.2 (the VDOM-link1 address the tunnel is bound to), and an incoming policy from the WAN interface to VDOM-link0 that uses the VIP as destination. The VIP's external IP is wan1's own public address, i.e. the address the remote peer has configured as its gateway; it is shown as a placeholder below.
#config firewall vip
edit "VIP-10.0.0.2"
set extip <Site-A-wan1-IP>
set extintf "wan1"
set mappedip "10.0.0.2"
next
end

#config firewall policy
edit 2
set name "incoming"
set uuid 17e0cd48-bdf3-51e9-1ff5-3f7995b1c6d7
set srcintf "wan1"
set dstintf "VDOM-link0"
set srcaddr "172.16.1.1-IP"
set dstaddr "VIP-10.0.0.2"
set action accept
set schedule "always"
set service "IKE"
next
end
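The following Python script is an added example, not code from the article or from Fortinet. It parses FortiOS CLI text (the nested config / edit / set / next / end form that "show full-configuration" prints, with its "config global" and "config vdom" sections) into a dictionary, then audits the root-VDOM pieces that steps 3 and 4 depend on: that a policy from VDOM-link0 to wan1 has NAT and fixedport enabled, and that the incoming policy's destination is a VIP whose mapped IP is the VDOM-link1 address the tunnel is bound to and whose external IP is not the remote peer's address. The function names, the sample configuration (built from the article's addresses, with fixedport deliberately left out so the audit has something to report) and the wan1 address 198.51.100.1 are assumptions and constructed values.

```python
import shlex

# Constructed sample (article addresses, full-configuration layout); the outbound
# policy deliberately lacks 'set fixedport enable', and 198.51.100.1 is a made-up wan1 IP.
SAMPLE = """
config global
    config system interface
        edit "VDOM-link1"
            set ip 10.0.0.2 255.255.255.252
        next
    end
end
config vdom
    edit "VDOM1"
        config vpn ipsec phase1-interface
            edit "VPN-FGT-A"
                set interface "VDOM-link1"
                set remote-gw 172.16.1.1
            next
        end
    next
    edit "root"
        config firewall vip
            edit "VIP-10.0.0.2"
                set extip 198.51.100.1
                set mappedip "10.0.0.2"
            next
        end
        config firewall policy
            edit 1
                set srcintf "VDOM-link0"
                set dstintf "wan1"
                set nat enable
            next
            edit 2
                set srcintf "wan1"
                set dstintf "VDOM-link0"
                set dstaddr "VIP-10.0.0.2"
            next
        end
    next
end
"""

def parse_fortios(text):
    """Nested dict from FortiOS CLI text: 'config a b' opens table "a b", 'edit k' an entry, 'set k v...' stores [v...]."""
    root = {}
    stack = [(root, "config")]                  # (open node, block type)
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # quotes honoured, '#' comments dropped
        if not tokens:
            continue
        cmd, args, node = tokens[0], tokens[1:], stack[-1][0]
        if cmd in ("config", "edit"):           # open (or reopen) a nested block
            stack.append((node.setdefault(" ".join(args), {}), cmd))
        elif cmd == "set":
            node[args[0]] = args[1:]
        elif cmd == "next":                     # closes the current entry only
            if stack[-1][1] != "edit":
                raise ValueError(f"'next' outside an entry: {raw.strip()}")
            stack.pop()
        elif cmd == "end":                      # closes the table and any entry still open in it
            while stack[-1][1] == "edit":
                stack.pop()
            if len(stack) == 1:
                raise ValueError(f"'end' without an open table: {raw.strip()}")
            stack.pop()
        else:
            raise ValueError(f"unsupported keyword: {raw.strip()}")
    return root

def audit_ike_nat_path(cfg, tunnel_vdom, tunnel_name, root_link, wan):
    """Findings on the root-VDOM NAT policy and VIP that the tunnel in tunnel_vdom relies on."""
    p1 = cfg["vdom"][tunnel_vdom]["vpn ipsec phase1-interface"][tunnel_name]
    link_ip = cfg["global"]["system interface"][p1["interface"][0]]["ip"][0]
    remote_gw = p1["remote-gw"][0]
    root = cfg["vdom"]["root"]
    policies, vips = root.get("firewall policy", {}), root.get("firewall vip", {})
    findings = []
    outbound = {k: p for k, p in policies.items()
                if p.get("srcintf") == [root_link] and p.get("dstintf") == [wan]}
    inbound = {k: p for k, p in policies.items()
               if p.get("srcintf") == [wan] and p.get("dstintf") == [root_link]}
    if not outbound:
        findings.append(f"no policy {root_link} -> {wan}: IKE from {link_ip} cannot reach {remote_gw}")
    for k, p in outbound.items():
        if p.get("nat") != ["enable"]:
            findings.append(f"policy {k}: nat not enabled, {link_ip} would be sent unNATed to {remote_gw}")
        if p.get("fixedport") != ["enable"]:
            findings.append(f"policy {k}: fixedport not enabled, source ports 500/4500 may be rewritten")
    for k, p in inbound.items():
        for dst in p.get("dstaddr", []):
            vip = vips.get(dst)
            if vip is None:
                findings.append(f"policy {k}: dstaddr {dst} is not a VIP, nothing maps {wan} to {link_ip}")
            elif vip.get("mappedip") != [link_ip]:
                findings.append(f"VIP {dst}: mappedip is not the tunnel's link address {link_ip}")
            elif vip.get("extip") == [remote_gw]:
                findings.append(f"VIP {dst}: extip is the remote peer {remote_gw}, not this gateway's WAN address")
    return findings
```

Calling audit_ike_nat_path(parse_fortios(SAMPLE), "VDOM1", "VPN-FGT-A", "VDOM-link0", "wan1") returns a single finding about the missing fixedport; feed it the text of "show full-configuration" from a real unit (with the VDOM and interface names of that unit) to run the same checks there. The parser accepts "end" directly inside an entry, as the article's own snippets are written, and raises on keywords it does not model (such as "unset") rather than silently skipping them.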