Description
The following high-level diagram illustrates the scenario:
Scope
FortiGate.
Solution
- Establish IPsec VPN tunnel between both FortiGates.
- Server side (subnet 10.167.0.0/22) should be able to reach the Client side (subnet 10.144.0.0/22).
- VLC player installed on the server and client side to simulate the stream.
- 'multicast-forward' should be enabled in both peers.
- 'multicast-router' must be disabled in both peers.
- 'multicast firewall policies' should be configured in both peers.
- Multicast traffic received on the ingress interface will not be forwarded over the tunnel if its TTL is too small to cross the FortiGate: most senders, VLC included, default to a multicast TTL of 1, and the FortiGate decrements the TTL when it forwards the packet. Either enable 'multicast-ttl-notchange' so the FortiGate leaves the TTL untouched, or raise the TTL on the server. In this scenario, 'multicast-ttl-notchange' was enabled on both peers.
Student FortiGate - CLI Configuration:
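The TTL point above is easy to reproduce from the server itself. The following Python script is an added example, not part of the KB article and not a Fortinet tool; it can stand in for VLC when testing the lab. It reads the operating system's default multicast TTL (1 on Linux), builds a sender whose TTL is raised explicitly, and gives a receiver that joins the group on the client side. The group 239.1.1.1, the port 5004 and the command-line interface are assumptions chosen for this example.

```python
import socket
import struct
from typing import Optional

# Constructed lab values (assumptions, not from the article): a test group and
# port for the stream. The server-side source sits inside 10.167.0.0/22.
GROUP = "239.1.1.1"
PORT = 5004


def default_multicast_ttl() -> int:
    """Multicast TTL a fresh UDP socket uses (1 on Linux).

    A datagram sent with TTL 1 is dropped by the first router that decrements
    it, which is why the FortiGate needs 'multicast-ttl-notchange' unless the
    server raises the TTL as make_sender() does."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL)


def make_sender(ttl: int, source_ip: Optional[str] = None) -> socket.socket:
    """UDP socket that sends multicast with the given TTL.

    source_ip (optional) pins the outgoing interface, e.g. the server's
    10.167.0.0/22 address, so the stream leaves towards port2 of the FortiGate."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    if source_ip is not None:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF,
                     socket.inet_aton(source_ip))
    return s


def sender_ttl(sock: socket.socket) -> int:
    """Read back the effective multicast TTL of a sender socket."""
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL)


def make_receiver(group: str = GROUP, port: int = PORT,
                  iface_ip: str = "0.0.0.0") -> socket.socket:
    """UDP socket bound to the group port that has joined the group (IGMP).

    The join is what makes the client-side host accept the datagrams the
    remote FortiGate forwards out of the tunnel onto port3."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("", port))
    mreq = struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(iface_ip))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    return s


def send_probes(sock: socket.socket, count: int = 5,
                group: str = GROUP, port: int = PORT) -> int:
    """Send numbered probe datagrams to the group; returns how many were sent."""
    sent = 0
    for i in range(count):
        sock.sendto(f"probe {i}".encode(), (group, port))
        sent += 1
    return sent


if __name__ == "__main__":
    import sys
    # usage: mcast_probe.py send <ttl> [source_ip]  |  mcast_probe.py recv
    if len(sys.argv) >= 3 and sys.argv[1] == "send":
        tx = make_sender(int(sys.argv[2]), sys.argv[3] if len(sys.argv) > 3 else None)
        print("multicast TTL in use:", sender_ttl(tx))
        print("sent", send_probes(tx), "probes to", GROUP, PORT)
    elif len(sys.argv) == 2 and sys.argv[1] == "recv":
        rx = make_receiver()
        print("joined", GROUP, "waiting on port", PORT)
        while True:
            data, peer = rx.recvfrom(2048)
            print(peer[0], data.decode(errors="replace"))
    else:
        print("default multicast TTL on this host:", default_multicast_ttl())
```

Run `recv` on a host in 10.144.0.0/22 and `send 1` on the server: with 'multicast-ttl-notchange' disabled the probes never arrive, and `diagnose sys mcast-session list` on the student FortiGate shows the session without forwarding; `send 8` (or enabling the setting) makes them appear on the client.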
VPN configuration:
config vpn ipsec phase1-interface
    edit "tunneltoremote"
        set interface "port1"
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 10.108.16.52
    next
end
config vpn ipsec phase2-interface
    edit "tunneltoremote"
        set phase1name "tunneltoremote"
        set proposal aes256-sha1
        set dhgrp 5
    next
end
Firewall Policies:
config firewall policy
    edit 2
        set uuid 3f41d4ec-1b11-51e5-59e1-89ff338a8b48
        set srcintf "port2"
        set dstintf "tunneltoremote"
        set srcaddr "10.167.0.0/22"
        set dstaddr "10.144.0.0/22"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set uuid 4ecffd80-1b11-51e5-f9dc-b4973fcba126
        set srcintf "tunneltoremote"
        set dstintf "port2"
        set srcaddr "10.144.0.0/22"
        set dstaddr "10.167.0.0/22"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Static Route:
config router static
    edit 1
        set gateway 10.108.19.254
        set device "port1"
    next
    edit 2
        set dst 10.144.0.0 255.255.252.0
        set device "tunneltoremote"
    next
end
Multicast configuration:
config system settings
    set multicast-forward enable
    set multicast-ttl-notchange enable
end
Firewall multicast policy ('srcaddr' matches the unicast source address of the stream, 'dstaddr' the multicast group address; 'all' is used for both here):
config firewall multicast-policy
    edit 1
        set srcintf "port2"
        set dstintf "tunneltoremote"
        set srcaddr "all"
        set dstaddr "all"
    next
end
Remote FortiGate - CLI Configuration:
Remote VPN configuration:
config vpn ipsec phase1-interface
    edit "tunneltostudent"
        set interface "port4"
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 10.108.16.137
    next
end
config vpn ipsec phase2-interface
    edit "tunneltostudent"
        set phase1name "tunneltostudent"
        set proposal aes256-sha1
        set dhgrp 5
    next
end
Firewall Policies:
config firewall policy
    edit 16
        set uuid d16f4a8a-1b10-51e5-3008-a5f532b77f5c
        set srcintf "tunneltostudent"
        set dstintf "port3"
        set srcaddr "10.167.0.0/22"
        set dstaddr "10.144.0.0/16"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 17
        set uuid f4186fa8-1b10-51e5-3a14-f0414fd58617
        set srcintf "port3"
        set dstintf "tunneltostudent"
        set srcaddr "10.144.0.0/16"
        set dstaddr "10.167.0.0/22"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
Static routing:
config router static
    edit 2
        set dst 10.167.0.0 255.255.252.0
        set device "tunneltostudent"
    next
end
Multicast configuration:
config system settings
    set multicast-forward enable
    set multicast-ttl-notchange enable
end
Multicast policies ('srcaddr' matches the unicast source address of the stream, 'dstaddr' the multicast group address; 'all' is used for both here):
config firewall multicast-policy
    edit 1
        set srcintf "tunneltostudent"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
    next
end
Note:
The phase 2 selectors ('src-subnet' and 'dst-subnet' on the phase2-interface) must cover both the unicast source address and the multicast group address. With the defaults left in place above (0.0.0.0/0 on both sides) they do; if the selectors are narrowed to the unicast subnets only, the multicast traffic will not pass through the tunnel.
To verify the multicast flow on both sides, use the following command:
diagnose sys mcast-session list