FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Author: sdabhade (Staff)
Article Id: 203480

Description: This article describes the correct way to configure IPsec over npu-vlink between two VDOMs.

Scope

Solution

Consider the following points when configuring IPsec over npu-vlink between two VDOMs.

- It is not possible to use an npu-vlink interface in the same way as a loopback interface.

- Do not assign a /32 subnet mask to the IP addresses of the npu-vlink interfaces.

- In the case of IPsec over a loopback interface, the IPsec peer can be reached over any FortiGate interface.

- For IPsec over npu-vlink, however, the npu-vlink interface must face the IPsec peer.

- The right way to use npu-vlink for IPsec is a design like the following:

IPsec_Peer ======== WAN[vdom-Front]npu0-vlink1----npu0-vlink0[vdom-IPsec]

- With the above design, IPsec in VDOM 'vdom-IPsec' can be bound to npu0-vlink0, because the IPsec peer is reachable over npu0-vlink0. In short, IPsec peer traffic must flow over both npu0-vlink0 and npu0-vlink1.

- Conversely, with the design below, terminating the IPsec tunnel on npu0-vlink0 is not supported, because the IPsec peer traffic does not flow over both npu0-vlink0 and npu0-vlink1.

IPsec_Peer ======== WAN[vdom-IPsec]npu0-vlink0----npu0-vlink1[vdom-Front]
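As an added illustration (not part of the original article), the FortiOS CLI fragments below implement the supported design: npu0-vlink0 in vdom-IPsec and npu0-vlink1 in vdom-Front share a /30 transit subnet instead of a /32, the IPsec peer is routed out of npu0-vlink0, and the phase1 is bound to that interface. The VDOM names, the wan1 interface, the 198.51.100.0/30 transit subnet, the peer address 203.0.113.10 and the PSK placeholder are assumed values, and the transit subnet is assumed to be reachable from the peer through vdom-Front.

```fortios
# Global: the vlink pair shares one /30 transit subnet (never a /32). Addresses assumed.
config global
    config system interface
        edit "npu0-vlink0"
            set vdom "vdom-IPsec"
            set ip 198.51.100.1 255.255.255.252
        next
        edit "npu0-vlink1"
            set vdom "vdom-Front"
            set ip 198.51.100.2 255.255.255.252
        next
    end
end
# vdom-IPsec: route the peer out of npu0-vlink0 and bind phase1 to it (phase2 omitted).
config vdom
    edit "vdom-IPsec"
        config router static
            edit 1
                set dst 203.0.113.10 255.255.255.255
                set gateway 198.51.100.2
                set device "npu0-vlink0"
            next
        end
        config vpn ipsec phase1-interface
            edit "to-peer"
                set interface "npu0-vlink0"
                set remote-gw 203.0.113.10
                set psksecret <PSK-PLACEHOLDER>
            next
        end
    next
end
# vdom-Front: allow IKE and ESP from wan1 to npu0-vlink1; add the mirror policy
# (npu0-vlink1 -> wan1) the same way so peer traffic crosses both vlinks.
config vdom
    edit "vdom-Front"
        config firewall policy
            edit 1
                set srcintf "wan1"
                set dstintf "npu0-vlink1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "IKE" "ESP"
            next
        end
    next
end
```

With this layout the peer's IKE and ESP packets enter at wan1 in vdom-Front, cross npu0-vlink1 to npu0-vlink0, and the return path follows the static route in vdom-IPsec back over the same pair, which is the condition the article states for a supported tunnel.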
