topcu
New Contributor II

Traffic Shaping and prioritizing local VPN Traffic (IPsec, IKE/ESP) on a shared WAN interface?

Hello, we share the bandwidth of an ISP uplink on a FortiGate (FWF60E, v6.2.7) to connect a VPN tunnel to a central hub, but also to provide local internet access for users and systems connected to the FortiGate. I want to control the bandwidth of the WAN uplink by applying traffic shaping policies. Limiting and prioritizing the user traffic is not an issue. But is it also possible to control the local tunnel traffic (IKE and ESP) on the uplink?

In my test configuration (see below) I built a shaper by specifying the tunnel destination IP and the protocols IKE and ESP (the source is a dynamic address). But when verifying the diag outputs, it seems that the shaper is not able to match on locally generated traffic. Is this true, and if yes, is there an alternative to control the tunnel traffic on the shared uplink?

A sample configuration could look like this:

- User realtime internet traffic, min. 5M, max. unlimited, prio High
- Local VPN traffic (tunnel to central hub), min. 20M, max. unlimited, prio Medium (???)
- User internet traffic, min. 5M, max. unlimited, prio Low
Many thanks in advance! Hakan

Toshi_Esumi
Esteemed Contributor II

It's not a shaper but a shaping-policy in which you can specify source and/or destination to match traffic.

But the addresses you should match with the shaping-policy are supposed to be the real sources and destinations, not the tunnel IP addresses, like local LAN 192.168.1.0/24 and remote LAN 192.168.2.0/24.
Toshi

topcu
New Contributor II

You are right, we are talking about a traffic shaping policy.

Assume the following configuration:
WAN1 (internet uplink) uses DHCP
This interface is the tunnel source
The tunnel destination is 1.2.3.4
Finally, I try to catch the IPsec traffic that is sourced from WAN1 (DHCP) to 1.2.3.4.

E.g. src=192.168.178.20, dst=1.2.3.4, ESP

My shaping policy matches on:
- source = all (because we don't know the DHCP address on WAN1)
- destination = 1.2.3.4 (tunnel destination)
- service = ESP, IKE (IPsec traffic)
- Out. interface = WAN1 (tunnel source)
- shared shaper

But this doesn't work. I assume that the shaping policy is not able to match on traffic that is locally generated on the FortiGate.

Otherwise, as far as I understand what you mean, I would have to shape the traffic that is going "through" the tunnel. In this case the source would be the local LAN, the destination the remote LAN and the outgoing interface the VPN tunnel interface. But this doesn't allow me to prioritize local user internet traffic over IPsec traffic (or vice versa) that shares WAN1.

Toshi_Esumi
Esteemed Contributor II

The Out/dst interface in the shaping-policy should be the tunnel interface/name, not WAN1, just like firewall policies.
Or if you can share the shaping-policy in CLI, it would be much easier to comment on.
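The shaping-policy that Toshi describes, written out in FortiOS CLI as an added example (this is not configuration from either poster). It assumes an IPsec phase1-interface named "to-hub", address objects for the example LANs from Toshi's reply (192.168.1.0/24 local, 192.168.2.0/24 remote), and the 20M minimum / medium priority from the original question; bandwidth values are in kbps. Note that it shapes the cleartext traffic entering the tunnel, which is what Toshi suggests; it does not address the original question of matching the FortiGate's own IKE/ESP packets on wan1.

```fortios
# Added example: address objects for the real source/destination
# (assumed names, not from the original thread)
config firewall address
    edit "LAN_192.168.1.0"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "HUB_192.168.2.0"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Shared shaper: guaranteed 20 Mbit/s, no upper limit (0 = unlimited),
# medium priority as in the original post's sample configuration
config firewall shaper traffic-shaper
    edit "vpn-to-hub-shaper"
        set guaranteed-bandwidth 20000
        set maximum-bandwidth 0
        set priority medium
    next
end

# Shaping policy keyed on the tunnel interface as the outgoing interface
# (assumed phase1-interface name "to-hub"), not on wan1
config firewall shaping-policy
    edit 1
        set srcaddr "LAN_192.168.1.0"
        set dstaddr "HUB_192.168.2.0"
        set service "ALL"
        set dstintf "to-hub"
        set traffic-shaper "vpn-to-hub-shaper"
        set traffic-shaper-reverse "vpn-to-hub-shaper"
    next
end
```

After traffic has passed through the tunnel, `diagnose firewall shaper traffic-shaper list` shows the shaper's configured bandwidth together with its current bandwidth and drop counters, which is the quickest way to confirm that the policy is actually matching.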

ADMNET

Hello,

The problem is that the tunnel interface doesn't appear in the list of outgoing interfaces. There are only physical interfaces and VLANs, not tunnels.

Any idea?