FortiGate
welnaggar (Staff)
Article Id 194209
Description
This article describes the configuration steps needed to transmit a multicast stream over an IPsec VPN between two FortiGates using multicast routing.

The following high-level diagram illustrates the scenario:

[Diagram: multicast stream carried over the IPsec VPN between the site A and site B FortiGates]

Solution
Step-by-step guide for site A:

- Establish an IPsec VPN tunnel between both FortiGates. Add the multicast subnet 224.0.0.0/4 as a destination in the phase2 selectors. In this example, the phase2 selectors are all-to-all:
# config vpn ipsec phase1-interface
    edit "VPN-siteA"
        set interface "port1"
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 10.108.16.52
    next
end

# config vpn ipsec phase2-interface
    edit "VPN-siteA-0"
        set phase1name "VPN-siteA"
        set proposal aes256-sha1
        set dhgrp 5
    next
end
- Configure firewall policies to allow the multicast traffic through the IPsec tunnel:
# config firewall policy
    edit 2
        set uuid 3f41d4ec-1b11-51e5-59e1-89ff338a8b48
        set srcintf "port2"
        set dstintf "VPN-siteA"
        set srcaddr "10.167.0.0/22"
        set dstaddr "10.144.0.0/22"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set uuid 4ecffd80-1b11-51e5-f9dc-b4973fcba126
        set srcintf "VPN-siteA"
        set dstintf "port2"
        set srcaddr "10.144.0.0/22"
        set dstaddr "10.167.0.0/22"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
- Add the needed static routes:
# config router static
    edit 1
        set gateway 10.108.19.254
        set device "port1"
    next
    edit 2
        set dst 10.144.0.0 255.255.252.0
        set device "VPN-siteA"
    next
end
- In PIM sparse mode, the FortiGate uses the virtual tunnel interface to form the PIM neighbor relationship over which PIM information is exchanged. The virtual tunnel's IP address must therefore be included in the source subnet of the phase2 selectors:
# config system interface
    edit "VPN-siteA"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.255
        set type tunnel
        set remote-ip 10.0.0.2 255.255.255.252
        set interface "port1"
    next
end
- Multicast traffic received on the ingress interface will not be forwarded over the tunnel if its TTL is too small to pass through the FortiGate (default value TTL=1). Therefore, enable "multicast-ttl-notchange" or adjust the TTL on the server. In this scenario, "multicast-ttl-notchange" was enabled on both peers. "multicast-forward" should also be disabled:
# config system settings
    set multicast-forward disable
    set multicast-ttl-notchange enable
    set gui-multicast-policy enable
end
- Enable "multicast-routing" and choose the PIM mode:
# config router multicast
    set multicast-routing enable
    config interface
        edit "VPN-siteA"
            set pim-mode sparse-mode
        next
    end
end
- Configure multicast firewall policies:
# config firewall multicast-policy
    edit 1
        set srcintf "port2"
        set dstintf "VPN-siteA"
        set srcaddr "all"
        set dstaddr "all"
    next
end
The same steps are followed on site B:

- IPsec VPN configuration:
# config vpn ipsec phase1-interface
    edit "VPN-siteB"
        set interface "port4"
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 10.108.16.137
    next
end

# config vpn ipsec phase2-interface
    edit "VPN-siteB-0"
        set phase1name "VPN-siteB"
        set proposal aes256-sha1
        set dhgrp 5
    next
end

# config system interface
    edit "VPN-siteB"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.255
        set type tunnel
        set remote-ip 10.0.0.1 255.255.255.252
        set interface "port4"
    next
end
- Firewall policies:
# config firewall policy
    edit 16
        set uuid d16f4a8a-1b10-51e5-3008-a5f532b77f5c
        set srcintf "VPN-siteB"
        set dstintf "port3"
        set srcaddr "10.167.0.0/22"
        set dstaddr "10.144.0.0/16"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 17
        set uuid f4186fa8-1b10-51e5-3a14-f0414fd58617
        set srcintf "port3"
        set dstintf "VPN-siteB"
        set srcaddr "10.144.0.0/16"
        set dstaddr "10.167.0.0/22"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
- Static routing:
# config router static
    edit 1
        set gateway 10.108.16.137
        set device "port4"
    next
    edit 2
        set dst 10.167.0.0 255.255.252.0
        set device "VPN-siteB"
    next
end
- Multicast configuration:
# config system settings
    set multicast-forward disable
    set multicast-ttl-notchange enable
    set gui-multicast-policy enable
end
# config router multicast
    set multicast-routing enable
    config interface
        edit "VPN-siteB"
            set pim-mode sparse-mode
        next
    end
end
- Multicast policies:
# config firewall multicast-policy
    edit 1
        set srcintf "VPN-siteB"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
    next
end
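As an added example (not part of the original article and not a Fortinet tool), the Python below parses a FortiOS CLI fragment and checks the prerequisites from the steps above: multicast-forward disabled, multicast-ttl-notchange enabled, multicast-routing with sparse-mode PIM on the tunnel interface, and phase2 selectors that cover both 224.0.0.0/4 and the tunnel IP used for PIM. The constructed sample stops before the router multicast step and limits the phase2 source selector to the LAN subnet, so the checker reports exactly those gaps; the parser and function names are assumptions made for this example.

```python
import ipaddress
import shlex

# Constructed FortiOS fragment (not the article's): site A after the system settings and
# phase2 steps only, with the phase2 source selector limited to the LAN subnet.
SITE_A = """config system settings
    set multicast-forward disable
    set multicast-ttl-notchange enable
end
config vpn ipsec phase2-interface
    edit "VPN-siteA-0"
        set src-subnet 10.167.0.0 255.255.252.0
        set dst-subnet 224.0.0.0 240.0.0.0
    next
end"""

def parse_fortios(text):
    # Stack-based parse: "config"/"edit" open a nested dict, "set" stores its value tokens.
    stack = [{}]
    for tok in (shlex.split(line) for line in text.splitlines()):
        if tok and tok[0] in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(tok[1:]), {}))
        elif tok and tok[0] in ("next", "end"):
            stack.pop()
        elif tok and tok[0] == "set":
            stack[-1][tok[1]] = tok[2:]
    return stack[0]

def check_multicast_over_ipsec(text, tunnel_if, tunnel_ip):
    # Returns the article's prerequisites that the config fails to meet (empty list = OK).
    cfg, findings = parse_fortios(text), []
    settings, mcast = cfg.get("system settings", {}), cfg.get("router multicast", {})
    # multicast-ttl-notchange keeps TTL=1 streams from being dropped at the FortiGate.
    for key, want in ("multicast-forward", "disable"), ("multicast-ttl-notchange", "enable"):
        if settings.get(key) != [want]:
            findings.append(f"system settings: {key} should be {want}")
    if mcast.get("multicast-routing") != ["enable"]:
        findings.append("router multicast: multicast-routing is not enabled")
    if mcast.get("interface", {}).get(tunnel_if, {}).get("pim-mode") != ["sparse-mode"]:
        findings.append(f"{tunnel_if}: pim-mode sparse-mode is not set")
    for name, p2 in cfg.get("vpn ipsec phase2-interface", {}).items():
        # Unset selectors mean all-to-all (0.0.0.0/0), as in the article's phase2 example.
        src = ipaddress.ip_network("/".join(p2.get("src-subnet", ["0.0.0.0", "0.0.0.0"])), strict=False)
        dst = ipaddress.ip_network("/".join(p2.get("dst-subnet", ["0.0.0.0", "0.0.0.0"])), strict=False)
        if not ipaddress.ip_network("224.0.0.0/4").subnet_of(dst):
            findings.append(f"{name}: dst selector {dst} does not cover 224.0.0.0/4")
        if ipaddress.ip_address(tunnel_ip) not in src:
            findings.append(f"{name}: src selector {src} excludes tunnel IP {tunnel_ip}")
    return findings
```

Run `check_multicast_over_ipsec(SITE_A, "VPN-siteA", "10.0.0.1")` against a `show full-configuration` export to get the list of missing prerequisites; an empty list means every step above is reflected in the config.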