| Description | This article describes how to use an EMAC-VLAN interface to allocate a single IP address block or subnet to several VDOMs (customers or companies), so that they can share one and the same internet connection. It also shows how to configure independent IPsec VPNs over this shared internet link. |
| Scope | FortiOS 6.0 and above. |
| Solution |
Topology:
Below is the network diagram used to demonstrate this deployment.
In a multi-tenant environment where many customers or companies share the same hardware (a FortiGate in this case), it can be advantageous to share an already provisioned internet connection with all of the tenants. Each company then does not have to look for ways to buy internet connectivity when onboarding, and the contract signing and other steps needed to set up a new internet link are avoided. Some environments also have strict rules against bringing one's own internet or MPLS connectivity.
This type of solution is highly relevant in these situations.
This article depicts a scenario where two companies, ACME and GLOBEX (not real companies), host their application servers in a DataCenter. The infrastructure owner shares one internet link among all hosted companies, even though each customer is allocated a separate VDOM. The DataCenter ISP provides a /24 public IP block (200.200.200.0/24 in this example), and each tenant or customer is given one of these IPs to connect to the internet with.
ACME is allocated 200.200.200.6, GLOBEX is allocated 200.200.200.8, the infrastructure owner or admin owns the root VDOM with the IP address 200.200.200.2, and the ISP router has the IP 200.200.200.1 (the gateway for all internet-bound traffic from the infrastructure). An EMAC-VLAN interface allows multiple VDOMs to share a single physical interface that may even belong to another VDOM (port1, shared by all companies in this article, is in the root VDOM). With this feature, all of the VDOMs (customers) can use the same internet connection.
After ACME and GLOBEX have hosted their applications in the DataCenter, they require VPN connectivity to their HQs so that users can access those applications in the DataCenter.
Configuration:
Create an EMAC-VLAN interface and assign IP addresses:
config system interface
    edit "port1"
        set vdom "root"
        set ip 200.200.200.2 255.255.255.0
        set allowaccess ping https ssh
        set type physical
    next
    edit "ACME-EMAC"
        set vdom "ACME"
        set ip 200.200.200.6 255.255.255.0
        set allowaccess ping https ssh
        set type emac-vlan                  <- Type must be emac-vlan.
        set role wan
        set interface "port1"               <- Bind to port1.
    next
    edit "GLOBEX-EMAC"
        set vdom "GLOBEX"
        set ip 200.200.200.8 255.255.255.0
        set allowaccess ping https ssh
        set type emac-vlan                  <- Type must be emac-vlan.
        set role wan
        set interface "port1"               <- Bind to port1.
    next
end
Create a default route in each VDOM.
config vdom
    edit ACME
        config router static
            edit 1
                set gateway 200.200.200.1           <- ISP IP address.
                set device "ACME-EMAC"              <- EMAC-VLAN interface sharing the IP subnet with port1.
            next
            edit 2
                set dst 10.40.40.0 255.255.255.0    <- Return route to the ACME HQ LAN over the VPN.
                set device "acme-vpn-hq"
            next
        end
    next
end
config vdom
    edit GLOBEX
        config router static
            edit 1
                set gateway 200.200.200.1           <- ISP IP address.
                set device "GLOBEX-EMAC"            <- EMAC-VLAN interface sharing the IP subnet with port1.
            next
            edit 2
                set dst 10.60.60.0 255.255.255.0    <- Return route to the GLOBEX HQ LAN over the VPN.
                set device "globex-vpn-hq"
            next
        end
    next
end
Create an IPsec VPN tunnel for each company.
config vdom
    edit ACME
        config vpn ipsec phase1-interface
            edit "acme-vpn-hq"
                set interface "ACME-EMAC"           <- The IPsec VPN is bound to the EMAC-VLAN interface.
                set peertype any
                set net-device disable
                set proposal aes128-sha256
                set remote-gw 2.2.2.2               <- ACME HQ WAN IP.
                set psksecret xxxxxxx
            next
        end
        config vpn ipsec phase2-interface
            edit "acme-vpn-hq"
                set phase1name "acme-vpn-hq"
                set proposal aes128-sha256
                set auto-negotiate enable
            next
        end
    next
end
config vdom
    edit GLOBEX
        config vpn ipsec phase1-interface
            edit "globex-vpn-hq"
                set interface "GLOBEX-EMAC"         <- The IPsec VPN is bound to the EMAC-VLAN interface.
                set peertype any
                set net-device disable
                set proposal aes128-sha256
                set remote-gw 185.5.5.5             <- GLOBEX HQ WAN IP.
                set psksecret xxxxxxx
            next
        end
        config vpn ipsec phase2-interface
            edit "globex-vpn-hq"
                set phase1name "globex-vpn-hq"
                set proposal aes128-sha256
                set auto-negotiate enable
            next
        end
    next
end
Create a static or dynamic route to return the users' traffic from the application server back to their respective HQ LANs.
This is already covered in step 2 (the second static route in each VDOM).
Create a firewall policy.
config vdom
    edit ACME
        config firewall policy
            edit 0
                set name "ACME2"
                set srcintf "acme-vpn-hq"           <- ACME VPN to HQ.
                set dstintf "port6"                 <- Interface connecting the ACME application server.
                set action accept
                set srcaddr "all"                   <- Permit IPs as applicable.
                set dstaddr "all"                   <- Permit IPs as applicable.
                set schedule "always"
                set service "ALL"                   <- Permit services as applicable.
                set logtraffic all
            next
        end
    next
end
config vdom
    edit GLOBEX
        config firewall policy
            edit 0
                set name "GLOBEX2"
                set srcintf "globex-vpn-hq"         <- GLOBEX VPN to HQ.
                set dstintf "port8"                 <- Interface connecting the GLOBEX application server.
                set action accept
                set srcaddr "all"                   <- Permit IPs as applicable.
                set dstaddr "all"                   <- Permit IPs as applicable.
                set schedule "always"
                set service "ALL"                   <- Permit services as applicable.
            next
        end
    next
end
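Because every tenant's EMAC-VLAN interface shares port1's subnet, a slip in steps 1 or 2 (an IP outside 200.200.200.0/24, two tenants given the same IP, or a default gateway that is not on the shared segment) silently breaks one tenant's internet access. The following added example (not part of the article or of FortiOS) parses a constructed copy of the step 1 interface configuration and checks those three conditions against the ISP gateway from step 2.

```python
import ipaddress
import shlex

CONFIG = """config system interface
    edit "port1"
        set vdom "root"
        set ip 200.200.200.2 255.255.255.0
    next
    edit "ACME-EMAC"
        set vdom "ACME"
        set ip 200.200.200.6 255.255.255.0
        set type emac-vlan
        set interface "port1"
    next
    edit "GLOBEX-EMAC"
        set vdom "GLOBEX"
        set ip 200.200.200.8 255.255.255.0
        set type emac-vlan
        set interface "port1"
    next
end"""  # constructed excerpt mirroring the article's step 1 configuration

def parse_interfaces(text):
    ifaces, cur = {}, None
    for tok in map(shlex.split, text.splitlines()):
        if tok[:1] == ["edit"]:
            cur = ifaces.setdefault(tok[1], {})
        elif tok[:1] == ["set"] and cur is not None:
            cur[tok[1]] = tok[2:]  # setting -> list of values
        elif tok[:1] in (["next"], ["end"]):
            cur = None
    return ifaces

def check_shared_wan(text, gateway, parent="port1"):
    """Return findings; an empty list means the shared-WAN design is consistent."""
    ifaces, findings = parse_interfaces(text), []
    p = ifaces[parent]
    net = ipaddress.ip_interface("/".join(p["ip"])).network
    if ipaddress.ip_address(gateway) not in net:
        findings.append(f"gateway {gateway} is outside {net}")
    seen = {p["ip"][0]: parent}  # IPs already claimed on the shared segment
    for name, s in ifaces.items():
        if s.get("type") != ["emac-vlan"] or s.get("interface") != [parent]:
            continue  # only EMAC-VLANs stacked on the shared WAN port
        ip = s["ip"][0]
        if ipaddress.ip_address(ip) not in net:
            findings.append(f"{name}: {ip} is outside {net}")
        if ip in seen:
            findings.append(f"{name}: {ip} duplicates {seen[ip]}")
        seen[ip] = name
    return findings
```

Running `check_shared_wan(CONFIG, "200.200.200.1")` on the article's values returns no findings; feeding it a backup of the running config before adding a new tenant shows what would collide.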
Verifications:
The VPNs are UP:
The ACME LAN IP can reach application server 192.168.40.40:
The GLOBEX LAN IP can reach application server 192.168.60.60:
The IPsec VPN to ACME HQ (acme-vpn-hq) shows the following usage:
The IPsec VPN to GLOBEX HQ (globex-vpn-hq) shows the following usage:
|