Created on 08-26-2019 12:25 AM. Edited on 06-02-2025 02:55 PM by Jean-Philippe_P.
Description
This article describes the configuration steps to successfully transmit multicast streaming over an IPsec VPN between two FortiGates with multicast routing.
The following high-level diagram illustrates the scenario: [diagram of the two FortiGates connected by an IPsec VPN tunnel; image not reproduced in this text].
Solution
Here is the step-by-step guide for site A.
Establish an IPsec VPN tunnel between both FortiGates. Add the multicast range 224.0.0.0/4 as a destination inside the phase2 selectors. In this example, the phase2 selectors are all-to-all (0.0.0.0/0 to 0.0.0.0/0, the default), which already covers the multicast range:
config vpn ipsec phase1-interface
    edit "VPN-siteA"
        set interface "port1"
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 10.108.16.52
    next
end
config vpn ipsec phase2-interface
    edit "VPN-siteA-0"
        set phase1name "VPN-siteA"
        set proposal aes256-sha1
        set dhgrp 5
    next
end
Configure Firewall Policies to allow multicast traffic through the IPsec tunnel:
config firewall policy
    edit 2
        set uuid 3f41d4ec-1b11-51e5-59e1-89ff338a8b48
        set srcintf "port2"
        set dstintf "VPN-siteA"
        set srcaddr "10.167.0.0/22"
        set dstaddr "10.144.0.0/22"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set uuid 4ecffd80-1b11-51e5-f9dc-b4973fcba126
        set srcintf "VPN-siteA"
        set dstintf "port2"
        set srcaddr "10.144.0.0/22"
        set dstaddr "10.167.0.0/22"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Add the needed static routes:
config router static
    edit 1
        set gateway 10.108.19.254
        set device "port1"
    next
    edit 2
        set dst 10.144.0.0 255.255.252.0
        set device "VPN-siteA"
    next
end
In PIM sparse mode, the FortiGate uses the virtual tunnel interfaces to form a PIM neighbor relationship and exchange PIM information. The PIM hellos are sourced from the tunnel interface address, so the virtual tunnel's IP address must be included in the source subnet of the phase2 selectors:
config system interface
    edit "VPN-siteA"
        set vdom "root"
        set ip 10.0.0.1 255.255.255.255
        set type tunnel
        set remote-ip 10.0.0.2 255.255.255.252
        set interface "port1"
    next
end
Multicast traffic received on the ingress interface will not be forwarded over the tunnel if its TTL is too small to survive the FortiGate hop (many multicast sources send with the default TTL=1, which is decremented to 0 at the first router). Therefore, enable 'multicast-ttl-notchange' or raise the TTL value on the multicast source server. In this scenario, 'multicast-ttl-notchange' was enabled on both peers. 'multicast-forward' should also be disabled so that multicast is handled by the routing configuration rather than forwarded blindly:
config system settings
    set multicast-forward disable
    set multicast-ttl-notchange enable
    set gui-multicast-policy enable
end
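The three requirements stated so far (the phase2 destination selector must cover 224.0.0.0/4, the tunnel IP must fall inside the phase2 source selector, and the multicast TTL must survive the FortiGate hop) can be checked before touching the box. The script below is an added example, not Fortinet code: it takes the selectors, tunnel IP and TTL handling as plain inputs and lists which requirement fails. The subnets are the article's; the source TTL values are constructed inputs.

```python
"""Pre-flight checker for multicast over an IPsec tunnel (added example, not
Fortinet code). It encodes three requirements from the article: the phase2
destination selector must cover 224.0.0.0/4, the tunnel interface IP must sit
inside the phase2 source selector (PIM hellos are sourced from it), and the
multicast TTL must survive the FortiGate hop (TTL > 1, or
multicast-ttl-notchange enabled). Subnet values are the article's; the TTL
of the source is a constructed input."""
import ipaddress

MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def covers(selectors, target):
    """True if at least one selector network contains the whole target network."""
    return any(target.subnet_of(ipaddress.ip_network(s)) for s in selectors)


def contains_host(selectors, host):
    """True if the host address falls inside at least one selector network."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(s) for s in selectors)


def ttl_after_hop(ttl, ttl_notchange):
    """TTL a multicast packet carries after one FortiGate hop: unchanged when
    multicast-ttl-notchange is enabled, otherwise decremented (0 means dropped)."""
    return ttl if ttl_notchange else ttl - 1


def preflight(phase2_src, phase2_dst, tunnel_ip, source_ttl, ttl_notchange):
    """Return a list of problems; an empty list means all three checks pass."""
    problems = []
    if not covers(phase2_dst, MULTICAST):
        problems.append("phase2 dst selector does not cover 224.0.0.0/4")
    if not contains_host(phase2_src, tunnel_ip):
        problems.append(f"tunnel IP {tunnel_ip} is outside the phase2 src selector; "
                        "PIM hellos will not match the SA")
    if ttl_after_hop(source_ttl, ttl_notchange) < 1:
        problems.append(f"TTL {source_ttl} is exhausted at the FortiGate hop; "
                        "enable multicast-ttl-notchange or raise the TTL at the source")
    return problems


if __name__ == "__main__":
    # Article's setup: all-to-all selectors, tunnel IP 10.0.0.1, ttl-notchange on.
    print(preflight(["0.0.0.0/0"], ["0.0.0.0/0"], "10.0.0.1", 1, True))  # []
    # Narrow selectors copied from the firewall policy, default TTL handling.
    for p in preflight(["10.167.0.0/22"], ["10.144.0.0/22"], "10.0.0.1", 1, False):
        print("-", p)
```

The second call fails all three checks, which is the usual outcome when the phase2 selectors are tightened to the unicast subnets of the firewall policy: the PIM hellos and the multicast group range are then outside the SA.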
Enable 'multicast-routing' and choose the PIM mode:
config router multicast
    set multicast-routing enable
    config interface
        edit "VPN-siteA"
            set pim-mode sparse-mode
        next
    end
end
Configure multicast firewall policies:
config firewall multicast-policy
    edit 1
        set srcintf "port2"
        set dstintf "VPN-siteA"
        set srcaddr "all"
        set dstaddr "all"
    next
end
The same steps should be followed on site B.
IPsec VPN configuration:
config vpn ipsec phase1-interface
    edit "VPN-siteB"
        set interface "port4"
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 10.108.16.137
    next
end
config vpn ipsec phase2-interface
    edit "VPN-siteB-0"
        set phase1name "VPN-siteB"
        set proposal aes256-sha1
        set dhgrp 5
    next
end
config system interface
    edit "VPN-siteB"
        set vdom "root"
        set ip 10.0.0.2 255.255.255.255
        set type tunnel
        set remote-ip 10.0.0.1 255.255.255.252
        set interface "port4"
    next
end
Firewall Policies:
config firewall policy
    edit 16
        set uuid d16f4a8a-1b10-51e5-3008-a5f532b77f5c
        set srcintf "VPN-siteB"
        set dstintf "port3"
        set srcaddr "10.167.0.0/22"
        set dstaddr "10.144.0.0/16"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 17
        set uuid f4186fa8-1b10-51e5-3a14-f0414fd58617
        set srcintf "port3"
        set dstintf "VPN-siteB"
        set srcaddr "10.144.0.0/16"
        set dstaddr "10.167.0.0/22"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Static routing:
config router static
    edit 1
        set gateway 10.108.16.137
        set device "port4"
    next
    edit 2
        set dst 10.167.0.0 255.255.252.0
        set device "VPN-siteB"
    next
end
Multicast configuration:
config system settings
    set multicast-forward disable
    set multicast-ttl-notchange enable
    set gui-multicast-policy enable
end
config router multicast
    set multicast-routing enable
    config interface
        edit "VPN-siteB"
            set pim-mode sparse-mode
        next
    end
end
Multicast policies:
config firewall multicast-policy
    edit 1
        set srcintf "VPN-siteB"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
    next
end
Note:
If the PIM neighborship does not form, and the output of 'get router info multicast pim sparse-mode neighbour' is empty on one or both sides, run the debug commands below on both sites to see where the PIM hello exchange is failing:
diagnose ip router pim-sm level info
diagnose ip router pim-sm all enable
diagnose debug console timestamp enable
diagnose debug enable
Working scenario:
Site1:
PIM-SM: Hello send to vpnTunnel
PIM-SM: Send Hello message
..
..
PIM-SM: PIM Hello packet Recved.
PIM-SM: PIM Hello from y.y.y.y on vpnTunnel
PIM-SM: Recv Hello message
Site2:
PIM-SM: Hello send to vpnTunnel
PIM-SM: Send Hello message
..
..
PIM-SM: PIM Hello packet Recved.
PIM-SM: PIM Hello from x.x.x.x on vpnTunnel
PIM-SM: Recv Hello message
Non-working scenario (PIM hello is NOT received on one of the sites):
Site1:
PIM-SM: Hello send to vpnTunnel
PIM-SM: Send Hello message
Site2:
PIM-SM: Hello send to vpnTunnel
PIM-SM: Send Hello message
..
..
PIM-SM: PIM Hello packet Recved.
PIM-SM: PIM Hello from x.x.x.x on vpnTunnel
PIM-SM: Recv Hello message
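Reading the two captures side by side is what pins down the failing direction: a site that logs 'Send Hello message' but never logs 'PIM Hello from ... on ...' is not receiving the peer's hellos. The script below is an added example, not Fortinet code; it parses captures of the message formats shown above (the two sample captures are constructed from those lines, with the article's tunnel IPs 10.0.0.1 and 10.0.0.2 as neighbour addresses) and reports which site is not hearing its peer.

```python
"""Parse FortiGate 'diagnose ip router pim-sm' debug output from both sites and
report in which direction PIM hellos are lost (added example, not Fortinet
code). The sample captures are constructed from the message formats the
article shows; 10.0.0.1 and 10.0.0.2 are the article's tunnel IPs."""
import re
from collections import Counter

SEND_RE = re.compile(r"PIM-SM: Send Hello message")
RECV_RE = re.compile(r"PIM-SM: PIM Hello from (\S+) on (\S+)")

# Constructed working-scenario captures: both sites send and receive hellos.
WORKING = {
    "Site1": ("PIM-SM: Hello send to vpnTunnel\n"
              "PIM-SM: Send Hello message\n"
              "PIM-SM: PIM Hello packet Recved.\n"
              "PIM-SM: PIM Hello from 10.0.0.2 on vpnTunnel\n"
              "PIM-SM: Recv Hello message\n"),
    "Site2": ("PIM-SM: Hello send to vpnTunnel\n"
              "PIM-SM: Send Hello message\n"
              "PIM-SM: PIM Hello packet Recved.\n"
              "PIM-SM: PIM Hello from 10.0.0.1 on vpnTunnel\n"
              "PIM-SM: Recv Hello message\n"),
}
# Constructed non-working captures: Site1 sends but never receives,
# while Site2 still sees Site1's hellos.
BROKEN = {
    "Site1": "PIM-SM: Hello send to vpnTunnel\nPIM-SM: Send Hello message\n",
    "Site2": WORKING["Site2"],
}


def summarize(debug_output):
    """Count hellos sent, and hellos received per (neighbour, interface)."""
    sent = 0
    received = Counter()
    for line in debug_output.splitlines():
        if SEND_RE.search(line):
            sent += 1
        m = RECV_RE.search(line)
        if m:
            received[(m.group(1), m.group(2))] += 1
    return {"sent": sent, "received": dict(received)}


def diagnose(sites):
    """sites maps a site name to its debug capture; returns a list of findings."""
    findings = []
    for name, output in sites.items():
        s = summarize(output)
        if s["sent"] == 0:
            findings.append(f"{name}: no PIM hello is sent; "
                            "check pim-mode on the tunnel interface")
        elif not s["received"]:
            findings.append(f"{name}: hellos are sent but none received; the peer's "
                            "hellos are lost on the way in (check phase2 selectors, "
                            "multicast policy, NPU offload)")
    if not findings:
        findings.append("PIM hellos flow both ways; the neighborship should form")
    return findings


if __name__ == "__main__":
    for label, sites in (("working", WORKING), ("non-working", BROKEN)):
        print(label, diagnose(sites))
```

For the non-working capture the only finding is on Site1, which matches the article's reading: Site2 receives Site1's hellos, so the tunnel carries multicast in that direction, and the investigation belongs on the Site2-to-Site1 path (Site2's selectors and multicast policy, and offload on either end).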
If devices capable of NPU offload are involved, try disabling the NPU offload on the VPN tunnel and also on the firewall policy, since offloaded sessions can bypass the multicast handling path.
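The article does not show the CLI for this step. As an added example that is not part of the page, the fragment below turns offload off per tunnel with 'npu-offload' under the phase1 interface and per policy with 'auto-asic-offload' under the firewall policy, using site A's object names. The two option names are given from the FortiOS CLI rather than from the page; check them against the CLI reference for your FortiOS version before applying, then re-run the PIM debug to confirm the hellos now arrive.

```text
config vpn ipsec phase1-interface
    edit "VPN-siteA"
        set npu-offload disable
    next
end
config firewall policy
    edit 2
        set auto-asic-offload disable
    next
end
```

Apply the same two settings on site B's tunnel and policies, and re-enable offload once the neighborship forms if it was not the cause.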
Copyright 2025 Fortinet, Inc. All Rights Reserved.