agonist_inhaler
New Contributor

IPsec VPN inside VDOM

Hi Gurus, I am new to the FortiGate device (110C) and even to IPsec VPN itself, so please bear with me. My issue is: I am trying to create an IPsec VPN tunnel on a FortiGate 110C (4.0 build 0192) under the default VDOM root, and everything seems to be working fine. I can see that the VPN tunnel is showing up when I try to bring it up. But I wanted to create 2 VDOMs on this device, and when I did, I can no longer see tunnel interfaces being created after creating phase1 on the IPsec VPN. I.e. I create IPsec phase1 named testvpn, then testvpn2 for phase2; under the root VDOM it automatically created the testvpn tunnel interface bound under the port I used in phase1, however it doesn't do it inside a created VDOM. Please assist me on how to go about this, I am not sure if there is a specific way of doing this inside a virtual domain. I am looking forward to your suggestions and inputs. c",)
FortiRack_Eric
New Contributor III

Did you forget to check interface mode in the VDOM phase1s? Common mistake, as the default is tunnel mode. Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
agonist_inhaler
New Contributor

Hi Eric, Ya, you are right, I forgot to check that. Thanks again. I will keep you posted when I get it working. I appreciate your prompt reply. -cheers!-
agonist_inhaler
New Contributor

Hi Eric, I was able to create the phase1 tunnel, however I am still not able to bring up the IPsec tunnel for some reason. I created two static routes. The first is for any source IP going out: it will use my router IP as its gateway where the WAN interface is connected, with the device set to the WAN interface. The second route I created was for the private network on the other side, leaving the gateway blank and using the phase1 tunnel as the device. I also created a firewall rule to allow all from Trust to Untrust and vice versa. Do I need to use the ssl.vdom that was created under this VDOM and create another route? Does it need to be part of Trust or Untrust?
agonist_inhaler
New Contributor

Hi Eric, Thanks for all the advice. I was able to get this thing up and running. It was just the "NAT Traversal set to enable" that I did not remove.
FortiRack_Eric
New Contributor III

It's no big deal. If you have no need for NAT on both sides, you can remove NAT Traversal on both sides from the config. It makes the IPsec negotiation faster. Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
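The working setup the thread arrives at, written out as a FortiOS CLI fragment. This is an added illustration, not the poster's or Eric's own configuration: phase1 is created in the phase1-interface table (the CLI equivalent of the "interface mode" checkbox, which is what makes the tunnel interface appear inside the VDOM), the remote network is routed through the tunnel interface with no gateway, and NAT traversal is disabled as in the last reply. The VDOM name, port names, addresses, and pre-shared key are placeholders.

```text
# Added example, not from the original thread. VDOM name, "wan1"/"internal",
# subnets and the PSK are placeholders; adjust to the real topology.
config vdom
    edit customer1
        config vpn ipsec phase1-interface
            # phase1-interface = interface mode; a plain "phase1" entry would be
            # tunnel (policy) mode and no "testvpn" interface would be created
            edit "testvpn"
                set interface "wan1"
                set remote-gw 203.0.113.10
                set nattraversal disable      # only when neither side is behind NAT
                set proposal aes128-sha1
                set psksecret "PLACEHOLDER-PSK"
            next
        end
        config vpn ipsec phase2-interface
            edit "testvpn2"
                set phase1name "testvpn"
                set proposal aes128-sha1
                set src-subnet 192.168.1.0 255.255.255.0
                set dst-subnet 192.168.2.0 255.255.255.0
            next
        end
        config router static
            edit 1                            # default route out of the VDOM
                set gateway 203.0.113.1
                set device "wan1"
            next
            edit 2                            # remote LAN via the tunnel, no gateway
                set dst 192.168.2.0 255.255.255.0
                set device "testvpn"
            next
        end
        config firewall policy
            edit 1                            # Trust -> tunnel; add the reverse policy too
                set srcintf "internal"
                set dstintf "testvpn"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ANY"             # named "ALL" in later FortiOS releases
            next
        end
    next
end
```

A quick check after this is `get vpn ipsec tunnel summary` (or `diagnose vpn tunnel list`) from within the VDOM; the phase1 name should be listed with its bound interface, and the static route on `testvpn` should show in `get router info routing-table all`.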