johnlloyd_13
Contributor

Route based VPN/VTI Tunnel support in Multi VDOM

hi,

I've been searching/googling for VDOM support for route-based VPN/VTI tunnels, but to no avail.

Is this route-based VPN/VTI tunnel interface supported in multiple VDOMs? I.e. VDOM A is for our internal VPN/VTI to AWS, and VDOM B is for another customer/department.

I'd appreciate it if someone can provide a Fortinet link. Thanks!

Thanks,
John
1 Solution
gfleming

If you read the VDOM Overview in the docs, you can see the very first paragraph states:


"Virtual Domains (VDOMs) are used to divide a FortiGate into two or more virtual units that function independently. VDOMs can provide separate security policies and, in NAT mode, completely separate configurations for routing and VPN services for each connected network."


https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/109991/virtual-domains

Cheers,
Graham


12 REPLIES
tthrilok
Staff

Hi John,

Thank you for the query!

I understand you have VDOM A, on which the VPN to AWS is terminated, and VDOM B, from which the user initiates the traffic to AWS. Please let me know if I misunderstood.

If the above is the case and VDOM A is encrypting your traffic to AWS, you may use the inter-VDOM link and route the traffic between VDOMs.

For example, your AWS network is 10.1.1.0/24, and the VDOM B network is 10.1.2.0/24.

In VDOM A, you can create two routes:

10.1.1.0/24 pointing to the VPN tunnel

10.1.2.0/24 pointing to the inter-VDOM link to VDOM B

then create the policies accordingly.

In VDOM B you may need to create one route:

10.1.2.0/24 pointing to the inter-VDOM link to VDOM A

Create the policies accordingly.

johnlloyd_13
Contributor

hi,

VDOM A and VDOM B are completely separate/independent of each other.

There's no need to interconnect the two VDOMs.

Is VTI in a VDOM supported?

Or is VTI only available in the "root" VDOM?

Thanks,
John
Toshi_Esumi
Esteemed Contributor III

By default, FortiGate's IPsec VPNs are route-based (or interface based) VTI (virtual tunnel interface) that you can configure an IP address on and route traffic through.

If you need to configure policy-based IPsec VPNs with the GUI, for whatever reason, you have to enable the feature visibility first.


Toshi

johnlloyd_13

hi,

My main question is: is VTI supported in multiple VDOMs?

Or is VTI only available in the "root" VDOM?

Thanks,
John
Toshi_Esumi
Esteemed Contributor III

There is no restriction on configuring IPsec VPNs, which are route-based/VTI by default, in any VDOM, "root" or any other.


Toshi

srajeswaran
Staff

There is no restriction on configuring a route-based VPN in a VDOM. The configuration steps are exactly the same as for a VPN config on a non-VDOM firewall.

Are you getting any errors while configuring?

Regards,

Suraj


johnlloyd_13

hi,

I haven't configured this yet.

I'd just like to know if VTI is supported in multiple VDOMs.

I have only searched for/seen config docs using the "root" VDOM.

Are you able to give/point me to a Fortinet doc that configures a VTI in a VDOM other than "root"?

Thanks,
John
Toshi_Esumi
Esteemed Contributor III

In whatever examples of VPN configuration in the root VDOM you found, you just need to replace "set vdom root" with "set vdom your-vdom-name". Nothing else would be different.


Toshi
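Putting the two replies above into configuration (tthrilok's inter-VDOM link routing and Toshi's point that only the VDOM name changes): the block below is an added example and is not from any poster or from Fortinet documentation. It assumes VDOM names VDOM-A and VDOM-B, a vdom-link named a2b, port1 as the WAN interface of VDOM-A, port2 as the LAN interface of VDOM-B, and the peer, inside-tunnel and link addresses shown; all of these are placeholders. The VDOM-B static route in the example is for the AWS prefix 10.1.1.0/24, since 10.1.2.0/24 is VDOM B's own connected network. If the two VDOMs are meant to stay independent, as John describes, drop the vdom-link parts and the VDOM-A section stands on its own.

```fortios
# Added example (not from the thread). Two VDOMs on one FortiGate:
#   VDOM-A owns the route-based (VTI) IPsec tunnel to AWS (10.1.1.0/24 behind it)
#   VDOM-B owns 10.1.2.0/24 and reaches AWS through an inter-VDOM link.
# Names, addresses and the PSK are constructed placeholders.
config global
    # Inter-VDOM link: FortiOS creates the interface pair "a2b0" and "a2b1".
    config system vdom-link
        edit "a2b"
        next
    end
    config system interface
        edit "a2b0"
            set vdom "VDOM-A"
            set ip 10.255.0.1 255.255.255.252
        next
        edit "a2b1"
            set vdom "VDOM-B"
            set ip 10.255.0.2 255.255.255.252
        next
    end
end
config vdom
    edit "VDOM-A"
        # Same phase1/phase2 objects as a root-VDOM example, just inside VDOM-A.
        config vpn ipsec phase1-interface
            edit "to-aws"
                set interface "port1"
                set ike-version 2
                set proposal aes256-sha256
                set dhgrp 14
                set remote-gw 203.0.113.10
                set psksecret "replace-with-strong-psk"
            next
        end
        config vpn ipsec phase2-interface
            edit "to-aws-p2"
                set phase1name "to-aws"
                set proposal aes256-sha256
                set dhgrp 14
            next
        end
        # The tunnel interface was created by phase1-interface; give it the AWS
        # inside-tunnel /30. This is where "set vdom root" becomes "set vdom VDOM-A".
        config system interface
            edit "to-aws"
                set vdom "VDOM-A"
                set ip 169.254.10.2 255.255.255.255
                set remote-ip 169.254.10.1 255.255.255.252
            next
        end
        # Route 1: AWS prefix -> tunnel. Route 2: VDOM-B prefix -> inter-VDOM link.
        config router static
            edit 1
                set dst 10.1.1.0 255.255.255.0
                set device "to-aws"
            next
            edit 2
                set dst 10.1.2.0 255.255.255.0
                set device "a2b0"
            next
        end
        config firewall policy
            edit 1
                set name "vdomB-to-aws"
                set srcintf "a2b0"
                set dstintf "to-aws"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
    edit "VDOM-B"
        # AWS prefix -> inter-VDOM link towards VDOM-A.
        config router static
            edit 1
                set dst 10.1.1.0 255.255.255.0
                set device "a2b1"
            next
        end
        config firewall policy
            edit 1
                set name "lan-to-aws"
                set srcintf "port2"
                set dstintf "a2b1"
                set srcaddr "all"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
            next
        end
    next
end
```

Checks: from inside VDOM-A, `diagnose vpn ike gateway list` shows the phase1 state and `get router info routing-table all` should list 10.1.1.0/24 via to-aws; AWS still needs a route for 10.1.2.0/24 back into the tunnel. The policies are stateful, so replies to sessions opened from VDOM-B need no reverse policy; traffic initiated from AWS towards VDOM-B would need its own to-aws to a2b0 policy.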

johnlloyd_13

hi,

Do you have a Fortinet link to support this? Or a command guide that explicitly mentions "set vdom <CUSTOM VDOM>"?

My Google search is failing me.

Thanks,
John