Description
This article describes how to configure IPSec VPN tunnels on Inter-VDOM links to allow VDOMs with no WAN interface to communicate with remote peers through the root VDOM.
Scope
FortiGate.
Solution
Consider a FortiGate that has only one WAN connection, assigned to the root VDOM, while the IPsec VPN tunnel must be configured in VDOM1.
The root VDOM must therefore source-NAT the IKE traffic originating from VDOM1 and send it to the remote peer, and it must translate the peer's replies back to VDOM1 with a VIP.
Here is the step-by-step guide:
Site A VPN gateway.
Inter-VDOM link (configured in the global context; VDOM-link0 belongs to the root VDOM and VDOM-link1 to VDOM1):
config global
    config system interface
        edit "VDOM-link0"
            set vdom "root"
            set ip 10.0.0.1 255.255.255.252
            set type vdom-link
            set snmp-index 14
        next
        edit "VDOM-link1"
            set vdom "VDOM1"
            set ip 10.0.0.2 255.255.255.252
            set type vdom-link
            set snmp-index 15
        next
    end
end
IPsec phase 1 and phase 2 (in VDOM1; the tunnel is bound to VDOM-link1, so IKE is sourced from 10.0.0.2):
config vpn ipsec phase1-interface
    edit "VPN-FGT-A"
        set interface "VDOM-link1"
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 172.16.1.1
        set psksecret <pre-shared key>   <- same key as on the remote peer.
    next
end
config vpn ipsec phase2-interface
    edit "VPN-FGT-A"
        set phase1name "VPN-FGT-A"
        set proposal aes256-sha1
        set dhgrp 5
        set src-subnet 10.10.1.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
Static routing (in VDOM1). Route 2 is a blackhole with distance 254, so traffic for the remote subnet is dropped instead of leaking out when the tunnel is down. The address objects referenced by name here and in the policies (192.168.10.0-24, 10.10.1.0-24, 10.0.0.2-IP, 172.16.1.1-IP) must already exist in the VDOM that uses them:
config router static
    edit 1
        set device "VPN-FGT-A"
        set dstaddr "192.168.10.0-24"
    next
    edit 2
        set distance 254
        set blackhole enable
        set dstaddr "192.168.10.0-24"
    next
end
Firewall policies (in VDOM1, between the local LAN and the tunnel interface):
config firewall policy
    edit 1
        set name "vpn_VPN-FGT_local"
        set srcintf "internal"
        set dstintf "VPN-FGT-A"
        set srcaddr "10.10.1.0-24"
        set dstaddr "192.168.10.0-24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set name "vpn_VPN-FGT_remote"
        set srcintf "VPN-FGT-A"
        set dstintf "internal"
        set srcaddr "192.168.10.0-24"
        set dstaddr "10.10.1.0-24"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Firewall policies and VIP (in the root VDOM). Policy "outgoing" source-NATs the IKE traffic arriving from VDOM1 over VDOM-link0 to the wan1 address; fixedport keeps the source ports UDP 500/4500 unchanged so the peer sees the standard IKE ports. The VIP maps the public IP back to 10.0.0.2, so IKE packets initiated by the remote peer reach VDOM1 through policy "incoming":
config firewall policy
    edit 1
        set name "outgoing"
        set srcintf "VDOM-link0"
        set dstintf "wan1"
        set srcaddr "10.0.0.2-IP"
        set dstaddr "172.16.1.1-IP"
        set action accept
        set schedule "always"
        set service "IKE"
        set fixedport enable
        set nat enable
    next
end
config firewall vip
    edit "VIP-10.0.0.2"
        set extip X.X.X.X   <- Site A public IP.
        set extintf "wan1"
        set mappedip "10.0.0.2"
    next
end
config firewall policy
    edit 2
        set name "incoming"
        set uuid 17e0cd48-bdf3-51e9-1ff5-3f7995b1c6d7
        set srcintf "wan1"
        set dstintf "VDOM-link0"
        set srcaddr "172.16.1.1-IP"
        set dstaddr "VIP-10.0.0.2"
        set action accept
        set schedule "always"
        set service "IKE"
    next
end
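Verification steps, added here and not part of the original article: they confirm that IKE leaves VDOM1 over the inter-VDOM link, is source-NATed in the root VDOM, and that the peer's replies come back through the VIP. They assume the names used above (VDOM1, root, VDOM-link0, wan1, VPN-FGT-A, peer 172.16.1.1) and that X.X.X.X is Site A's public IP.

```fortios
# Added verification steps, not part of the original article. Names (VDOM1, root,
# VDOM-link0, wan1, VPN-FGT-A, peer 172.16.1.1, public IP X.X.X.X) are those used above.

# 1) In VDOM1: phase 1 must be sourced from the inter-VDOM link address and be up.
config vdom
    edit VDOM1
        diagnose vpn ike gateway list name VPN-FGT-A
        # Look for "local: 10.0.0.2:500 ... remote: 172.16.1.1:500" and an established IKE SA.
        # Because the peer sees X.X.X.X instead of 10.0.0.2, NAT detection (NAT-D) succeeds
        # and both ends move to UDP 4500 (NAT-T) for the rest of the exchange.
        get router info routing-table all
        # Expect "S 192.168.10.0/24 ... via VPN-FGT-A" while the tunnel is up; the [254]
        # blackhole entry only takes over when the tunnel interface goes down.
        diagnose vpn tunnel list name VPN-FGT-A
        # Shows the phase 2 selectors 10.10.1.0/24 <-> 192.168.10.0/24 and packet counters.
    next
end

# 2) In the root VDOM: IKE from VDOM1 must be source-NATed to the wan1 address with its
#    source port preserved (fixedport), and the peer's packets must be translated by the VIP.
config vdom
    edit root
        diagnose sys session filter clear
        diagnose sys session filter dst 172.16.1.1
        diagnose sys session list
        # Outbound: "act=snat 10.0.0.2:500->172.16.1.1:500(X.X.X.X:500)" (same for port 4500).
        # "act=noop" instead means policy "outgoing" did not match or nat is not enabled.
        diagnose sys session filter clear
        diagnose sys session filter src 172.16.1.1
        diagnose sys session list
        # Inbound: "act=dnat 172.16.1.1:500->X.X.X.X:500(10.0.0.2:500)" shows the VIP applied.
        diagnose sniffer packet wan1 'host 172.16.1.1 and udp and (port 500 or port 4500)' 4 10
        # On the wire, outbound packets must carry X.X.X.X as source and inbound packets
        # X.X.X.X as destination; 10.0.0.2 must never appear on wan1.
    next
end
```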
Note:
Before configuring IPsec VPN, make sure there is Internet access from the desired VDOM. Refer to this document for more information:
Copyright 2025 Fortinet, Inc. All Rights Reserved.