Description
This article explains how a route-based VPN interoperates with a policy-based VPN.
Scope
Any currently supported version of FortiGate.
Solution
Consider a scenario where the goal is to pass traffic between two hosts through an IPsec tunnel whose one end, Routed_VPN, is a route-based VPN and whose other end, Policy_VPN, is a policy-based VPN:
User A = 192.168.40.2, port9.
User B = 192.168.41.2, port5.
A ping from user A to user B shows as follows:
A ping from user B to user A shows as follows:
Sniffer shows that ICMP is transmitted through an IPsec tunnel:
1.487169 port9 in 192.168.40.2 -> 192.168.41.2: icmp: echo request
1.487197 Routed_VPN out 192.168.40.2 -> 192.168.41.2: icmp: echo request
1.487244 hub_spoke1 in 192.168.40.2 -> 192.168.41.2: icmp: echo request
1.487261 port5 out 192.168.40.2 -> 192.168.41.2: icmp: echo request
1.487799 port5 in 192.168.41.2 -> 192.168.40.2: icmp: echo reply
1.487848 Routed_VPN in 192.168.41.2 -> 192.168.40.2: icmp: echo reply
1.487854 port9 out 192.168.41.2 -> 192.168.40.2: icmp: echo reply
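The trace above is what a working route-based to policy-based tunnel looks like: the echo request enters on port9, leaves through the tunnel interface Routed_VPN, and exits on port5; the reply comes back on port5, re-enters through Routed_VPN and leaves on port9. The following Python script is an added example, not part of this article and not Fortinet code, that parses that sniffer format and checks two things a practitioner troubleshooting such a tunnel wants confirmed: that both directions traverse the tunnel interface, and that the reply leaves the firewall where the request entered (an asymmetric path is a common reason one direction of a ping works and the other is dropped). The sample lines are constructed to match the trace printed above, and the interface name "Routed_VPN" passed to the check is taken from this article.

```python
import re
from collections import defaultdict

# Constructed sample: the seven sniffer lines shown in the article, in the
# FortiOS verbosity-4 layout "time iface in|out src -> dst: proto: description".
SNIFFER_OUTPUT = """\
1.487169 port9 in 192.168.40.2 -> 192.168.41.2: icmp: echo request
1.487197 Routed_VPN out 192.168.40.2 -> 192.168.41.2: icmp: echo request
1.487244 hub_spoke1 in 192.168.40.2 -> 192.168.41.2: icmp: echo request
1.487261 port5 out 192.168.40.2 -> 192.168.41.2: icmp: echo request
1.487799 port5 in 192.168.41.2 -> 192.168.40.2: icmp: echo reply
1.487848 Routed_VPN in 192.168.41.2 -> 192.168.40.2: icmp: echo reply
1.487854 port9 out 192.168.41.2 -> 192.168.40.2: icmp: echo reply
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):\s+(?P<proto>\w+):\s+(?P<desc>.*)$"
)


def parse_sniffer(text):
    """Return one dict per sniffer line; lines that do not match the layout are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = float(rec["ts"])
            packets.append(rec)
    return packets


def flow_paths(packets):
    """Group hops by (src, dst, description) so each direction of the ping
    becomes an ordered list of (interface, direction) tuples."""
    paths = defaultdict(list)
    for p in sorted(packets, key=lambda p: p["ts"]):
        paths[(p["src"], p["dst"], p["desc"])].append((p["iface"], p["dir"]))
    return dict(paths)


def check_tunnel_symmetry(packets, tunnel_iface):
    """Verify that every echo request and its reply both cross tunnel_iface
    and that the reply exits where the request entered (and vice versa).
    Returns (ok, findings); findings is empty when the path is consistent."""
    paths = flow_paths(packets)
    findings = []
    for (src, dst, desc), req_hops in paths.items():
        if desc != "echo request":
            continue
        rep_hops = paths.get((dst, src, "echo reply"))
        if rep_hops is None:
            findings.append(f"no reply seen for {src} -> {dst}")
            continue
        # Request must leave via the tunnel, reply must come back through it.
        if (tunnel_iface, "out") not in req_hops:
            findings.append(f"request {src} -> {dst} did not leave via {tunnel_iface}")
        if (tunnel_iface, "in") not in rep_hops:
            findings.append(f"reply {dst} -> {src} did not arrive via {tunnel_iface}")
        # First hop of the request (ingress) must equal last hop of the reply (egress),
        # and the request's egress must equal the reply's ingress.
        if req_hops[0][0] != rep_hops[-1][0]:
            findings.append(
                f"asymmetric path: request entered {req_hops[0][0]}, reply left {rep_hops[-1][0]}"
            )
        if req_hops[-1][0] != rep_hops[0][0]:
            findings.append(
                f"asymmetric path: request left {req_hops[-1][0]}, reply entered {rep_hops[0][0]}"
            )
    return (not findings, findings)


if __name__ == "__main__":
    ok, findings = check_tunnel_symmetry(parse_sniffer(SNIFFER_OUTPUT), "Routed_VPN")
    print("path consistent" if ok else "\n".join(findings))
```

Feed the script the output of `diagnose sniffer packet any 'icmp' 4` captured while pinging across the tunnel; any finding it prints names the interface on which the path diverges, which is where to look at routing or policy next.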
Notably, with Routed_VPN, the traffic is transmitted through the tunnel interface:
# config system interface
    edit "Routed_VPN"
        set vdom "hub"
        set type tunnel
        set snmp-index 31
        set interface "hub_spoke0"
    next
end
Meanwhile, with Policy_VPN, traffic is transmitted as if through a physical interface; in this case, the vdom-link interface hub_spoke1:
# config system interface
    edit "hub_spoke1"
        set vdom "spoke_1"
        set ip 192.168.70.2 255.255.255.252
        set allowaccess ping https ssh snmp http fgfm
        set type vdom-link
        set snmp-index 30
    next
end
Conclusions:
- A route-based VPN and a policy-based VPN can interoperate on a single IPsec tunnel.
- As of the time this article was written, FortiGate supports both policy-based and route-based IPsec VPNs.
See the file attached to this article for the configuration used.
Related documents:
https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/991625/policy-based-ipsec-tunnel
This was helpful. Thanks for sharing.