Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
VPNightmare
New Contributor

Routing VLAN Traffic (subnets) & DHCP Through VPN

This forum has been exceptionally helpful in the past, and I' m hoping it can help me out again. Our client has two offices, Office A and Office B. Here is what we have in Office A: A FortiGate (90D) with a VPN to office B FortiGate (140D) A phone system with an on premise phone server running off RH Linux An Active Directory subnet for Office A <---> Office B through the VPN There are three VLANs. One is default, one is voice, and one is for routing Adtran traffic stuff (phones are not my area of expertise -so " stuff" is as technical as it gets) Due to limitation in cabling, the data cable goes to the phone, then the PC cable goes from the phone to the PC. Switch is configured for LLDP-MED, with CoS for VLAN 2 Everything works fine for Office A. Yay phones. Here is what we have in Office B A FortiGate with a VPN to office A FortiGate An Active Directory subnet for Office B <---> Office A through the VPN Like Office A, there are three VLANs. One is default, one is voice, and one is for routing Adtran traffic stuff Switch is configured for LLDP-MED, with CoS for VLAN 2 WAN is your basic business-class cable WAN, with lots of bandwidth and a few static IPs on each end. Here' s the VLAN info: Office A default VLAN 1: 192.168.100.0/24 (DHCP is local to the A-DC1 AD server) Office B default VLAN 1: 192.168.101.0/24 (DHCP is local to the B-DC1 AD server) Both Office A & B, VLAN 2 (voice): 10.10.10.0/24 (DHCP is local to the phone server Both Office A & B, VLAN 10 (Adtran public): 192.168.200.0/24 How do I ensure that VLAN2 is homogeneous on both sides of the VPN fence so that phones get DHCP addresses from the phone server located in Office A and Office B phones pass traffic to and from the Office A phone server? Don' t laugh. Thanks.
9 REPLIES 9
emnoc
Esteemed Contributor III

Why would you want to do that is my 1st question? Want I would do instead ; 1: is to create a voice-subnet that' s unique at office B e.g 10.10.20.x/24 2: Create a phase2-interface for this traffic 3: Apply firewallpolicies for voice-phones to reach softPBX at site " A" to allow traffic from voice A to voiceB and phones to softPBX 4: Install a route for this network the above assume your using a route-based vpn 5th: Use the DHCP relay to relay-dhcp requests from site " B" to site " A" dhcp server. note: would create a dhcp relay-server for voice vlan#2 and point it to dhcp-server-voice at site A and set the mode to be " relay" btw, nice diagram. This helped with providing a clear picture of your dilemma

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
VPNightmare
New Contributor

Thanks emnoc for once again providing a solution. I wasn' t too keen on routing VLAN traffic through the VPN for a variety of reasons, and your solution was exactly what I was looking for. I' m using route-based VPN (always), and was hoping it would be as simple as routing. Per your solution, I' ve performed the following: Office B VLAN2 changed from 10.10.10.0/24 to 10.10.20.0/24 Office A: create firewall object, " A VLAN2" with 10.10.10.0/255.255.255.0 Office B: create firewall object, " B VLAN2" with 10.10.20.0/255.255.255.0 Office A: VPN > A_TO_B Phase2 A_TO_B2 > Quick Mode Selector > " A VLAN2" Office B: VPN > B_TO_A Phase2 B_TO_A2 > Quick Mode Selector > " B VLAN2" Set up routes for both under Router at both offices Set up policies to pass 10.10.10.x and 10.10.20.x between office A & B VPN works fine. Again, knowing that I know nothing about phone servers (and we don' t manage or have anything to do with it other than it' s a VM on our hardware), when I do DHCP relay, those phones will have to get 10.10.20.x addresses from the phone server in order for voice traffic to route back to Office A' s Adtran/T1, correct? If that' s the case, from a theoretical position, how does the DHCP server know that local subnetted voice VLAN phones get 10.10.10.x addresses and DHCP relayed phones on Office B' s voice VLAN get 10.10.20.x addresses? Another few quick (hopefully) questions on the DHCP relay setup since I' ve not done that before and documentation isn' t exactly helpful on the particulars: 1. Do I relay through the System > Network > Interfaces > Wan1 > Office_B_to_A tunnel (sub)interface? 2. What is the difference between Regular and IPsec relaying (this is where documentation fails)?
emnoc
Esteemed Contributor III

Again, knowing that I know nothing about phone servers (and we don' t manage or have anything to do with it other than it' s a VM on our hardware), when I do DHCP relay, those phones will have to get 10.10.20.x addresses from the phone server in order for voice traffic to route back to Office A' s Adtran/T1, correct? If that' s the case, from a theoretical position, how does the DHCP server know that local subnetted voice VLAN phones get 10.10.10.x addresses and DHCP relayed phones on Office B' s voice VLAN get 10.10.20.x addresses?
This would be determine by the relay-dhcp-server ip address of office B router nic ( the firewall ip_address) aka properly as the GIADDR in the dhcp-message e.g config sys interface edit vlan2 set ip 10.10.20.1/24 set dhcp-relay-service enable set dhcp-relay-type regular set dhcp-relay-ip 10.10.10.200 192.168.100.200 192.168.200.200 ←-- this is the dhcp-server (s) end So the DHCP relay-agent ( firewall ) will present it’s address to the DHCP-server & the scope would be correctly served based on the relay-agent address
Another few quick (hopefully) questions on the DHCP relay setup since I' ve not done that before and documentation isn' t exactly helpful on the particulars: 1. Do I relay through the System > Network > Interfaces > Wan1 > Office_B_to_A tunnel (sub)interface?
On firewall B you would have a dhcp-relay mode set for this firewall ( see the above cfg )
2. What is the difference between Regular and IPsec relaying (this is where documentation fails)?
fortigate supports various dhcp-server types depending on FortiOS ver 1: regular ( what we use for a typical LAN ) 2: ipsec ( clients that used ipsec-dhcp for configuration vrs auto-configuration request & the client sends a classic dhcpdiscover message ) 3: relay ( where your dhcp-server is external & the address/assignment/binding is done off the local L3 device and remotely managed ) FWIW: Also I know you have the phone-server DHCP-server, but you could manage the scope on any of the other 2 dhcp-server if you wanted ( Office A or B ). So if you see in my earlier example, I gave you 3 dhcp-servers all ending in .200. You would replace these with the appropriate dhcp-server that you configure the phone-dhcp-scope on. I myself have never relayed over a ipsec-vpn, but have relayed locally to external dhcp-server off the fortigate in the past. Keep your design simple & let us know how it works out. If you need diagnostics, you can tcpdump on either the tunnel-interface leading to OfficeA or OfficeA interface leading to the dhcp-server to ensue the dhcp-relay is working and what address or you can run ; e.g diag sniffer packet <my interface> " host 10.10.10.200“ or diag debug enable diag debug application dhcprelay 250 on officeB I hope this all helps

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
VPNightmare
New Contributor

Thanks again, emnoc. OK, I want to make sure I understand correctly, I do need to create VLAN subinterfaces (VLAN 2 and VLAN 10) on the FortiGate at Office B with an address of say 10.10.20.1/24 and 192.168.201.1/24? From there, I set multiple IP relays through that interface as per your example above, e.g.: config system interface edit vlan2 set dhcp-relay-service enable set dhcp-relay-type regular set dhcp-relay-ip 10.10.10.200 192.168.100.200 192.168.200.200 end But what about VLAN1 and VLAN10? Does all DHCP relay traffic go through the ForitGate vlan2 interface? How does it know where to route the DHCP traffic for 192.168.100/24 and 192.168.200/24? Would I create this? config system interface edit vlan2 set ip 10.10.20.1 255.255.255.0 set dhcp-relay-service enable set dhcp-relay-type regular set dhcp-relay-ip 10.10.10.200 set interface " wan1" set vlanid 2 end next edit vlan10 set ip 192.168.201.1 255.255.255.0 set dhcp-relay-service enable set dhcp-relay-type regular set dhcp-relay-ip 192.168.200.200 set interface " wan1" set vlanid 2 end I' m assuming that I won' t need to worry about the default VLANs (Office A, 192.168.100.0/24 and B, 192.168.101.0/24) since the network is on two different subnets with local Microsoft AD DHCP servers (though I could serve DHCP for both offices from Office A' s DHCP servers).
emnoc
Esteemed Contributor III

Assumptions: WAN1 is a interface into your layer2 switch that carries local traffic The layer2 switch supports 802.1q tagging DHCP server for PHONE network ( vlan#2 ) scope is carried across the VPN and to the SoftPBX at OfficeA VLAN1 is our AD server resource lan DHCP-server for the other networks are the MicrosoftAD server(s) ending with .200 in this example VLAN10 purpose is unclear, but I’m assuming it’s local to the office? Also it’s unclear on what’s the default WAN interface used for traffic exiting office A or B ( WAN2 ????? ) config system interface edit vlan1 set ip 192.168.101.1 255.255.255.0 set interface " wan1" set vlanid 1 set alias VLAN1-NETWORK_LOCAL_SERVERS end next edit vlan2 set ip 10.10.20.1 255.255.255.0 set dhcp-relay-service enable set dhcp-relay-type regular set dhcp-relay-ip 10.10.10.200 set interface " wan1" set vlanid 2 set alias VLAN2-NETWORK_LOCAL_PHONES end next edit vlan10 set ip 192.168.201.1 255.255.255.0 set dhcp-relay-service enable set dhcp-relay-type regular set dhcp-relay-ip 192.168.101.200 set interface " wan1" set vlanid 2 set alias VLAN10-NETWORK_LOCAL_USERS end cisco switchport configuration; interface gi 1/0/1 switchport switch mode trunk switch trunk allow vlan 1,2,10 logging event link-status logging event bundle-status logging event spanning-tree status load-interval 30 description UPLINK to FORTIGATE WAN1 INTERFACE no shut no cdp enable lldp transmit end As an alternative for the voip lan on officeB; you could server the scope off the local AD server if you so desire. Just change the dhcp-relay address to that of the local MicrosoftAD server(s). This could be support at either site if you need redundancy. Since the voip-gateway is in the OfficeA realm, this might not buy you too much. You have a lot of single-points-of-failures with regards to VoIP services { e.g internet uplink vpn single VoIP switch } For QoS keep in mind I believe a L3 firewall like Fortigate does not support recognition of CoS values on a 802.1p frame. Juniper does btw, but you will probably need to do a CoS re-mapping to DSCP, and them set this on firewall policy with guarantee traffic-policy. So you could map the appropriate cos for signaling and voip-channel to DSCP values and and trust the voip phone on the local switch. I would suggest the following; if officeB is very critical to explain a SoftPBX at this site locally Provide redundant SoftPBXes at both sites Provide 2nd Adtran1 Voice-GW at office Avoid carrying VoIP traffic across the VPN ( your chewing up outgoing/ingoing traffic for any off site traffic Traffic across the VPN should be intra-site-only voice imho I hope this better explain what I would do. But you have the general ideal & once again the photo explains your setup and needs very well.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
VPNightmare
New Contributor

So I haven’t been able to work on this much, but now that I have, I’ve run into some problems. It doesn’t help I have a deadline that was yesterday. As always, I can use any guidance available. I' ve included a new image that hopefully clarifies some of the more detailed setup assumptions. First, VLAN10 is no longer necessary, since that was for external management of the PBX. I found a better way. So I followed your setup as much as possible, but I’m not getting anywhere. I know there are multiple single-point-of-failure, but this is the best we can do. As a non-profit, we have a budget that simply does not allow for something better, at least not for the next while. Anyway, can you let me know what I’m doing wrong here? Here’s the interface setup for Office A: WAN1 = External interface to the internet 65.65.0.100/48 A-to-B =Tunnel generated by VPN INTERNAL1 = internal interface to L2 switch, 192.168.100.100/24 Voice = VLAN interface ID=2, 10.10.10.100/24 config system interface edit " wan1" set vdom " root" set ip 65.65.0.100 255.255.255.248 set allowaccess ping https fgfm auto-ipsec set type physical set alias " A Internet" next edit " internal1" set vdom " root" set ip 192.168.100.100 255.255.255.0 set allowaccess ping https ssh http fgfm capwap set type physical next edit " A_TO_B" set vdom " root" set type tunnel set interface " wan1" next edit " Voice" set vdom " root" set ip 10.10.10.100 255.255.255.0 set allowaccess ping set interface " internal1" set vlanid 2 next Here’s the interface setup for Office B: WAN1 = External interface to the internet 66.66.0.100/48 B-to-A =Tunnel generated by VPN INTERNAL1 = internal interface to L2 switch, 192.168.101.100/24 Voice = VLAN interface ID=2, 10.10.20.100/24, DHCP relay to 10.10.10.200 config system interface edit " wan1" set vdom " root" set ip 66.66.0.100 255.255.255.248 set allowaccess ping https fgfm set type physical set alias " B Internet" next edit " mgmt" set vdom " root" set ip 192.168.11.99 255.255.255.0 set allowaccess ping https fgfm capwap set type physical next edit " internal1" set vdom " root" set ip 192.168.101.100 255.255.255.0 set allowaccess ping https fgfm capwap set type hard-switch next edit " B_TO_A" set vdom " root" set type tunnel set interface " wan1" next edit " Voice" set vdom " root" set dhcp-relay-service enable set ip 10.10.20.100 255.255.255.0 set allowaccess ping set snmp-index 13 set dhcp-relay-ip " 10.10.10.200" set interface " internal1" set vlanid 2 next As for routing: Office A: Destination IP: 192.168.101.0/24 | Device: A-to-B Destination IP: 10.10.20.0/24 | Device: A-to-B And the usual WAN1 Gateway to 65 config router static edit 1 set device " wan1" set gateway 65.65.0.96 next edit 2 set device " A_TO_B" set dst 192.168.101.0 255.255.255.0 next edit 4 set device " A_TO_B" set dst 10.10.20.0 255.255.255.0 next end Office B: Destination IP: 192.168.100.0/24 | Device: B-to-A Destination IP: 10.10.10.0/24 | Device: B-to-A config router static edit 1 set device " B_TO_A" set dst 192.168.100.0 255.255.255.0 next edit 3 set device " wan1" set gateway 66.66.0.96 next edit 4 set device " B_TO_A" set dst 10.10.10.0 255.255.255.0 next end VPN setup: Office A: config vpn ipsec phase1-interface edit " A_TO_B" set interface " wan1" set proposal 3des-sha1 aes128-sha1 set remote-gw 66.66.0.100 set psksecret <secret> next end config vpn ipsec phase2-interface edit " A_TO_B2" set phase1name " A_TO_B" set proposal 3des-sha1 aes128-sha1 next Office B: config vpn ipsec phase1-interface edit " B_TO_A" set interface " wan1" set proposal 3des-sha1 aes128-sha1 set remote-gw 65.65.0.100 set psksecret <secret> next end config vpn ipsec phase2-interface edit " B_TO_A2" set phase1name " B_TO_A" set proposal 3des-sha1 aes128-sha1 next Firewall Policies: Office A: edit 2 set srcintf " internal1" set dstintf " A_TO_B" set srcaddr " A VPN Group" [contains 192.168.100.0/24 and 10.10.10.0/24 addresses] set dstaddr " B VPN Group" [contains 192.168.101.0/24 and 10.10.20.0/24 addresses] set action accept set schedule " always" set service " ALL" next edit 3 set srcintf " A_TO_B" set dstintf " internal1" set srcaddr " B VPN Group" set dstaddr " A VPN Group" set action accept set schedule " always" set service " ALL" next edit 13 set srcintf " Voice" set dstintf " internal1" set srcaddr " A_VLAN2" " B_VLAN2" set dstaddr " A LAN" " B LAN" set action accept set schedule " always" set service " ALL" next edit 14 set srcintf " internal1" set dstintf " Voice" set srcaddr " A LAN" " B LAN" set dstaddr " A_VLAN2" " B_VLAN2" set action accept set schedule " always" set service " ALL" next FortiGate policies are identical at both offices to allow packet in and out for 192.168.100.0/24 and 192.168.101.0/24, which works fine. Office B: edit 2 set srcintf " internal1" set dstintf " B_TO_A" set srcaddr " B VPN Group" set dstaddr " A VPN Group" set action accept set schedule " always" set service " ALL" next edit 3 set srcintf " B_TO_A" set dstintf " internal1" set srcaddr " A VPN Group" set dstaddr " B VPN Group" set action accept set schedule " always" set service " ALL" next edit 13 set srcintf " Voice" set dstintf " internal1" set srcaddr " B_VLAN2" " A_VLAN2" set dstaddr " A LAN" " B LAN" set action accept set schedule " always" set service " ALL" next edit 14 set srcintf " internal1" set dstintf " Voice" set srcaddr " A LAN" " B LAN" set dstaddr " B_VLAN2" " A_VLAN2" set action accept set schedule " always" set service " ALL" next FortiGate policies are identical at both offices to allow packet in and out for 10.10.10.0.0/24, 10.10.20.0/24, which does not work. From the Office A FortiGate Diag sniffer packet internal “host 10.10.20.100” doesn’t show any ICMP requests, or maybe 10 per hour even though I’m sending them via a windows command prompt –t constantly (0 dropped by kernel). I gather this means the requests aren’t even hitting the FortiGate internal interface, which is odd since it’s setup the same as Office B, which behaves as you would expect minus traffic going across the tunnel. From the Office B FortiGate Diag sniffer packet internal “host 10.10.10.100” shows all ICMP requests sent (but no reply) thouI’m sending them via a windows command prompt –t constantly Everything at Office A works fine. Phones get DHCP from the PBX DHCP server and work great. Office B phones registering as LLDP devices, but obviously no DHCP from the Office A PBX DHCP server. Any help would be greatly appreciated.
ede_pfau
SuperUser
SuperUser

Which policy allows DHCP requests from Site B to Site A across the tunnel " B-to-A" ? IMHO that would be from " Voice" to " B-to-A" on site B. Cross reference: does a phone in site B get assigned a DHCP address in the 10.10.20.0 range or from 10.10.10.0 or none at all?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

OP Did you ensure these policy in the direction of question is being hit ? diag debug enable diag debug flow flitter address < insert a io of the host > diag debug flow show console enable diag debug flow trace start 50 You might to arrange the policies if your not getting any matches. I would police the A2B and then B2A direction and monitor the rx/tx packet counters under your diag vpn tunnel list Ken

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
VPNightmare
New Contributor

Thanks ede_pfau and emnoc. Here is the information you wanted. ede_pfau Policy 2 should allow DHCP traffic across the tunnel (mirrors policy 2 on Office A' s FG). The " B VPN Group" contains both 192.168.101.0/24 and 10.10.20.0/24 and the " A VPN Group" contains both 192.168.100.0/24 and 10.10.10.0/24. As far as I understand, that should allow all traffic in both ranges to travel back and forth. A phone at site B gets assigned a 10.10.10.0 address from the PBX at office A (10.10.10.200), or should. This is a secondary issue, however, as I can' t get 10.10.x.x traffic to pass through the tunnel at all. I should be able to ping the internal interface of each FG unit' s voice VLAN, but can' t, as explained at the end of my previous post. At least I' m glad there isn' t something immediately apparent I' ve overlooked. emnoc From an Office A machine, I send out ping packets to the " Voice" interface at Office B. ICMP traffic should be constant (see the end of my previous post about the different behaviors of A & B FG units - even though they are setup nearly identically). Office A' s ping packets sent to Office B' s Voice IP simply do not make it to the FG unit. Office A' s diag debug shows the occasional ICMP packet coming through, e.g.: id=13 trace_id=1 msg=" vd-root received a packet(proto=1, 192.168.100.200:2->10.10.20.100:8) from internal1." id=13 trace_id=1 msg=" Find an existing session, id-00036d95, original direction" id=13 trace_id=1 msg=" enter IPsec interface-A_TO_B" id=13 trace_id=1 msg=" send to 50.243.12.110 via intf-wan1" id=13 trace_id=1 msg=" encrypting, and send to 66.66.0.100 with source 65.65.0.100" rx/tx are so small as to be meaningless, just a few sad kbs that made it through the FG maze. So far, FortiGate: 1, VPNightmare: 0 Oh, and emnoc, because I' ve combined the IPs into groups, rx/tx will be combined for both. Previously, they were separate policies (with VLAN traffic showing the tx/rx at 0 or a few kbs), but now they' re combined, so the tx/rx you' re seeing below is all 192.168.x.x traffic. diag vpn tunnel list name=A_TO_B ver=1 serial=1 65.65.0.100:0->66.66.0.100:0 lgwy=static tun=intf mode=auto bound_if=5 proxyid_num=2 child_num=0 refcnt=431 ilast=0 olast=0 stat: rxp=4971993 txp=5080545 rxb=754321047 txb=667435043 dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=30 natt: mode=none draft=0 interval=0 remote_port=0 proxyid=A_TO_B2 proto=0 sa=1 ref=2 auto_negotiate=0 serial=1 src: 0:0.0.0.0/0.0.0.0:0 dst: 0:0.0.0.0/0.0.0.0:0 SA: ref=378 options=0000000e type=00 soft=0 mtu=1436 expire=962 replaywin=1024 seqno=14381 life: type=01 bytes=0/0 timeout=1748/1800 dec: spi=354f2a32 esp=3des key=24 <numbers> ah=sha1 key=20 <numbers> enc: <numbers> ah=sha1 key=20 <numbers> dec:pkts/bytes=81921/13304714, enc:pkts/bytes=87521/12896802643 npu_flag=03 npu_rgwy=66.66.0.100 npu_lgwy=65.65.0.100 npu_selid=0 proxyid=Voice-2 proto=0 sa=0 ref=1 auto_negotiate=0 serial=2 src: 0:10.10.10.0/255.255.255.0:0 dst: 0:10.10.20.0/255.255.255.0:0
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors