sfernando (Staff)
Article Id 271461
Description

This article describes an IPsec deployment where the tunnel was up but traffic was not passing. Lab testing was performed to verify the deployment.

Scope

FortiGate, IPsec.
Solution

In this scenario, the IPsec connection is terminated on a loopback interface in VDOM1. A VIP uses a floating IP from the ISP-provided WAN subnet as its external IP and maps it to the loopback interface. Lab testing was performed to identify a working scenario.

Normally, the ISP assigns its customer a WAN IP subnet and routes that whole subnet toward the customer, so any IP in the subnet is forwarded out the customer link.

Assuming this subnet is a /29, only one IP is configured on the WAN interface (possibly with a secondary IP). The remaining IPs in the subnet are unused on any interface; these are referred to as floating IPs.

[Diagram: diagram.JPG]

In this setup, VIP1 is configured with a floating IP as the external IP and the loopback interface IP as the mapped IP.

config firewall vip
    edit "VIP1"
        set uuid 33d80748-cabd-51ed-b149-f403c3864dff
        set extip 1.1.1.5
        set mappedip "192.168.10.1"
        set extintf "any"
    next
end

config system interface
    edit "Loopback0"
        set vdom "VDOM1"
        set ip 192.168.10.1 255.255.255.255
        set allowaccess ping
        set type loopback
        set snmp-index 157
    next
end

config vpn ipsec phase1-interface
    edit "HUB-Ext_WAN2"
        set type dynamic
        set interface "Loopback0"
        set ike-version 2
    next
end

In the setup above, IPsec phase 1 and phase 2 come up. However, when the spoke tries to reach internal resources, the traffic does not pass even though the firewall policies are configured correctly. Further lab testing showed that physical interfaces in VDOM1 have the same issue: any interface in VDOM1 whose IP is used as the VIP mapped IP will not work.

Solution or working scenario:

Further testing determined that when the VIP mapped IP is either a VDOM link IP or the IP of any interface in VDOM2, traffic from the spoke device flows.

In conclusion: when using a floating IP on a VIP object as the external IP, always make the mapped IP a VDOM link IP or an interface IP in another VDOM.
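As an added example (not part of the original article), the working variant of the same configuration: the VIP's mapped IP is moved from Loopback0 to the VDOM1 end of an inter-VDOM link, and the dynamic phase 1 is bound to that link interface. The link name "vlink", the VDOM name "VDOM2" and the 10.255.0.0/30 addresses are assumptions; lines starting with # are annotations, not CLI.

```fortios
# Added example, not the article's own configuration.
# Global section: create an ethernet-type inter-VDOM link and put one end in
# each VDOM. The vlink0/vlink1 interface names are auto-created from "vlink".
config global
    config system vdom-link
        edit "vlink"
            set type ethernet
        next
    end
    config system interface
        edit "vlink0"
            set vdom "VDOM1"
            set ip 10.255.0.1 255.255.255.252
            set allowaccess ping
        next
        edit "vlink1"
            set vdom "VDOM2"
            set ip 10.255.0.2 255.255.255.252
            set allowaccess ping
        next
    end
end

# VDOM1: same floating external IP as VIP1 in the article, but the mapped IP
# is now the VDOM link IP, and the tunnel terminates on vlink0.
config vdom
    edit VDOM1
        config firewall vip
            edit "VIP1"
                set extip 1.1.1.5
                set mappedip "10.255.0.1"
                set extintf "any"
            next
        end
        config vpn ipsec phase1-interface
            edit "HUB-Ext_WAN2"
                set type dynamic
                set interface "vlink0"
                set ike-version 2
            next
        end
    next
end
```

Firewall policies and the VDOM2 side are unchanged from the article's deployment and are omitted here.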
