Description | This article describes the correct way to configure IPsec over npu-vlink between two VDOMs. |
Scope | |
Solution |
Consider the following points when configuring IPsec over npu-vlink between two VDOMs.
- Do not assign a /32 subnet to the IP addresses configured on the npu-vlink interfaces.
- With IPsec over a loopback interface, the IPsec peer can be reached over any FortiGate interface.
- With IPsec over npu-vlink, however, the npu-vlink must face the IPsec peer.
- The correct way to use npu-vlink for IPsec is a design like the following:
IPsec_Peer ======== WAN[vdom-Front]npu0-vlink1----npu0-vlink0[vdom-IPsec]
- With the above design, IPsec in VDOM 'vdom-IPsec' can be bound to npu0-vlink0, because the IPsec peer is reachable over npu0-vlink0.
In other words, IPsec peer traffic must flow over both npu0-vlink0 and npu0-vlink1.
- Conversely, with the design below, terminating the IPsec tunnel on npu0-vlink0 is not supported, because IPsec peer traffic would not flow over both npu0-vlink0 and npu0-vlink1.
IPsec_Peer ======== WAN[vdom-IPsec]npu0-vlink0----npu0-vlink1[vdom-Front] |
Copyright 2024 Fortinet, Inc. All Rights Reserved.