FortiGate
JavierM_CL
Staff
Article Id 351178
Description

This article describes a configuration in which multiple VDOMs act as HUBs while sharing a single public IP address. A dedicated NAT VDOM owns the public IP and forwards each customer's custom IKE UDP port to the corresponding Customer VDOM.

In MSSP-like or multi-tenant environments where different customers use a hub-and-spoke overlay topology on a shared FortiGate HUB device, VDOMs are used to separate the customers from each other. Each VDOM operates as a HUB dedicated to one customer organization. Usually, in this scenario, each HUB is reached by its dial-up spokes through a customer-dedicated public IP address or FQDN.

In some cases the provider needs to share public IP addresses among customers, because the allocated addresses are not enough to cover the entire customer base on a 1:1 basis. The setup below lets every customer keep a separate HUB VDOM while all of them are reached through the same public IP; the destination UDP port, not the IP address, selects the customer.
Scope

FortiOS 7.0 and later.

[Figure: General Architecture]

Solution

Steps 1 to 7 configure the FortiGate HUB; steps 8 and 9 configure the spokes and the overlay:

  1. Configure a VDOM named 'NAT'. This VDOM hosts the WAN interface with the shared public IP address; it terminates no IPsec tunnels itself and only forwards the per-customer IKE ports to the Customer VDOMs.

[Figure: NAT VDOM]


  2. Configure one VDOM per customer to deploy: Customer1 ... CustomerN. Each of these VDOMs terminates the IPsec tunnels of its own customer's spokes.

[Figure: Customer VDOM]


  3. In the Global VDOM, configure a /30 inter-VDOM link for each NAT-Customer VDOM pair. The Customer VDOM side address of the link becomes the mapped IP of that customer's VIP in step 6.

[Figure: inter-VDOM link]


See Configure Inter-VDOM link.

Alternatively, a hardware accelerated vdom-link can be used: Configuring Inter-VDOM link acceleration.

  4. In each Customer VDOM, configure a default route through the inter-VDOM link, using the NAT VDOM side address as the gateway, so that return traffic to the spokes leaves through the NAT VDOM and the shared public IP:

[Figure: customer default route]


  5. Customize the IKE port in each Customer VDOM and assign a dedicated port to each customer (for example 45001 for customer01, 45002 for customer02, and so on). Two customers must never share a port: on the shared public IP the UDP port is the only thing that tells their IKE traffic apart.

config vdom
    edit customer01
        config system settings
            set ike-port 45001
        end
    next
end

Reference: Configurable IKE port.


  6. In the NAT VDOM, create a VIP with port forwarding for each customer: external IP = the shared public IP, protocol UDP, external port = that customer's IKE port, mapped IP = the Customer VDOM side address of its inter-VDOM link, mapped port = the same IKE port (the Customer VDOM listens on the port set in step 5).

[Figure: VIP IKE port forward]

Reference: Virtual IP with services.


  7. In the NAT VDOM, configure a DNAT firewall policy from the WAN interface to the customer's inter-VDOM link interface, with the previously created VIP as the destination. Restrict the service to that customer's UDP IKE port rather than ALL, so the policy exposes nothing beyond what the VIP forwards.

[Figure: DNAT Policy]

  8. On each spoke FortiGate, configure the IKE port of the customer it belongs to. The value must match the Customer VDOM's ike-port exactly, otherwise the NAT VDOM has no VIP to forward the spoke's IKE packets to:

config system settings
    set ike-port 45001
end


  9. Finally, configure the IPsec dial-up tunnel overlay for the desired scenario (hub and spoke, site to site). On all of the spokes, use the shared HUB public IP address as the remote gateway; which Customer VDOM terminates the tunnel is decided by the destination UDP port alone.
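The whole procedure, steps 3 to 9, as one added CLI example. This is not the article's own configuration; the interface name wan1, the public IP 203.0.113.10, the VDOM names NAT and customer01, the link name c01link with 10.255.1.0/30, the port 45001 and the object names are all assumed values, and the phase2 selectors, tunnel addressing and overlay firewall policies are left to the normal dial-up procedure. Repeat the per-customer parts with a new link, /30 and port for every additional customer.

```fortios
# Added example, not the article's own configuration. Assumed values:
#   WAN interface wan1 (already assigned to the NAT VDOM in step 1), shared public IP 203.0.113.10,
#   VDOMs "NAT" and "customer01", inter-VDOM link "c01link" on 10.255.1.0/30, IKE port 45001.

# Global: inter-VDOM link between NAT and customer01 (step 3); FortiOS creates c01link0 and c01link1
config global
    config system vdom-link
        edit "c01link"
        next
    end
    config system interface
        edit "c01link0"
            set vdom "NAT"
            set ip 10.255.1.1 255.255.255.252
        next
        edit "c01link1"
            set vdom "customer01"
            set ip 10.255.1.2 255.255.255.252
        next
    end
end

# NAT VDOM: service limited to the customer's IKE port, UDP port-forward VIP and DNAT policy (steps 6 and 7)
config vdom
    edit NAT
        config firewall service custom
            edit "IKE-c01"
                set udp-portrange 45001
            next
        end
        config firewall vip
            edit "vip-c01-ike"
                set extip 203.0.113.10
                set extintf "wan1"
                set portforward enable
                set protocol udp
                set extport 45001
                set mappedip "10.255.1.2"
                set mappedport 45001
            next
        end
        config firewall policy
            edit 1
                set name "dnat-c01-ike"
                set srcintf "wan1"
                set dstintf "c01link0"
                set srcaddr "all"
                set dstaddr "vip-c01-ike"
                set action accept
                set schedule "always"
                set service "IKE-c01"
                set logtraffic all
            next
        end
    next
end

# customer01 VDOM: dedicated IKE port, default route via the NAT VDOM, dial-up phase1 (steps 4, 5, 9)
config vdom
    edit customer01
        config system settings
            set ike-port 45001
        end
        config router static
            edit 1
                set dst 0.0.0.0 0.0.0.0
                set gateway 10.255.1.1
                set device "c01link1"
            next
        end
        config vpn ipsec phase1-interface
            edit "c01-hub"
                set type dynamic
                set interface "c01link1"
                set ike-version 2
                set peertype any
                set proposal aes256-sha256
                set psksecret "REPLACE-WITH-A-STRONG-PSK"
            next
        end
    next
end

# Spoke FortiGate (separate device, steps 8 and 9): same port, shared public IP as remote gateway
config system settings
    set ike-port 45001
end
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set psksecret "REPLACE-WITH-A-STRONG-PSK"
    next
end
```

To check the path while a spoke dials in, run `diagnose sniffer packet wan1 'udp port 45001' 4 0 l` in the NAT VDOM and the same filter on c01link1 in customer01, then `diagnose vpn ike gateway list` in customer01 to confirm the gateway is up and which UDP ports the negotiation actually settled on. Because the spoke addresses the public IP while the Customer VDOM's own address is the private /30, IKE NAT detection will report NAT on the hub side; whatever port the tunnel ends up using for NAT traversal must also be covered by the VIP and the policy service, so verify this in the gateway list rather than assuming it.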
