Hi Everybody,
some time ago I have done a network segmentation in the headquarters based on zones (client, voip, server) and numerous policies. Now I have to do the same in a remote seat (IPSEC VPN). The remote seat have the same logic as the main office, although not all VLANs are necessary (only client, VOIP). All routing between the VLANs is done at headquarters.
I would like to avoid the following solution
my idea
Multiple IPSec VPNs (with diffrent public IPs in the main site - parameter "set local-gw") - one VPN per VLAN, whereby its interface can then be added to the corresponding zone and the existing rules are then used automatically.
Since I don't have a test environment, I wanted to ask beforehand whether this is even possible (routing..) or whether I've overlooked something here?
Graphic for better understanding.
Thanks in advanced for your help
Regards
Patrick
Solved! Go to Solution.
Hi,
the connection is now working as expected. As written by both of you, i also had to add the static routes (same priority) so that the connection works from the main office.
Key Elements to solve this problem:
-Multiple IPSec VPNs with Tunnel Interface IPs on both sides
-Policy Route on Remote Site - One per VLAN on Remote Site (Gateway = IP of VPN Interface on MainSite)
-Static Routes on Remote and Main Site
-Some policies to allow traffic
Many thanks to both of you
Regards
Patrick
HI Team,
As per your requirement, you would like to configure multiple public IP in head office end and create multiple tunnels to remote end.
There by you can add different phase 2 selectors in all three tunnels.
Yes it is possible.
You are basically seperating VLAN traffic based on the tunnels.
Please correct me if i am wrong
Hi, as my colleague said, you can use single VPN with multiple phase2, but if you want to have traffic between clientA and voipB it can make it difficult because you would need all the combinations of the traffic.
You can also use single tunnel with one any/any phase2, but if you want to segment traffic to separate tunnels, then you can also do it like that.
You can configure multiple tunnels on different IP (on HQ) if you can, if you have only 1 public IP, you can configure multiple tunnels on same IP and just use localid (ikev1) or you can use network-overlay ID (ikev2).
Hi,
thanks to both for the quick reply and the tip regarding PeerID. I'll test it out over the next few weeks and then get back to you.
Regards
Patrick
Hi,
I have made now some tests.
The VPN connections with different public IPs is working. The ping Client_A <-> Client_B and VOIP_A <-> VOIP_B works.
But now I have the problem that Client_B and VOIP_B also have to contact Server_A. I created a static route, but only CLIENT_B -> Server_A or VOIP_B -> Server_A works depending on the priority.
Is that even possible with "Static Route" or do I have to use "Policy Routes"? I tried that a bit, but didn't get there. Maybe someone has an idea?
Regards
Patrick
Hi,
If you have 2 routes for same network, via IpsecA and via IpsecB (same distance, different priority) then policy-route is the best option. Possibly you did it right but policy-route was not used because of this:
Since you want to define VLAN per tunnel, you need to use policy routes.
If you want to split based only on destination then you can chose static routes, but as per your requirement you need to split based on source, so you need to go for policy routes
Hi,
thank you for showing me the right way. By using the policy router I can now ping SERVER_A from CLIENT_B and VOIP_B. Unfortunately, the reverse way doesn't work. SERVER_A cannot ping CLIENT_B and VOIP_B. Does the Reverse Path Check have a problem with Policy Routes?
Debug on Remote Site - B
id=20085 trace_id=1373 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.245.5.105:1->192.168.50.5:2048) from DR300_DK300. type=8, code=0, id=1, seq=15888."
id=20085 trace_id=1373 func=init_ip_session_common line=5834 msg="allocate a new session-005e1fb6"
id=20085 trace_id=1373 func=ip_route_input_slow line=2241 msg="reverse path check fail, drop"
id=20085 trace_id=1373 func=ip_session_handle_no_dst line=5918 msg="trace"
config router policy
edit 1
set input-device "vlan-301"
set src "192.168.40.0/255.255.255.0"
set dst "10.245.5.0/255.255.255.0"
set gateway 172.16.40.1
set output-device "DR301_DK301"
next
edit 2
set input-device "vlan-300"
set src "192.168.50.0/255.255.255.0"
set dst "10.245.5.0/255.255.255.0"
set gateway 172.16.50.1
set output-device "DR300_DK300"
next
end
Regards
Patrick
Hi,
I am assuming that you have 2 routes over tunnel1 and tunnel2 with different priorities. You need to have this on both ends. It this case it doesn't matter that it will not be best route, you just need to have route for a source network in routing-table on the device that is dropping traffic because of reverse path.
Even though you configure policy route, make sure there is static route for the respective destinations on the other end through both tunnels on both end of the firewall.
This will resolve the issue
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1743 | |
1114 | |
760 | |
447 | |
241 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2025 Fortinet, Inc. All Rights Reserved.