I am very short on public IPs, and I would like to have my Fortigate to service IPsec clients (using a variety of clients) while at the same time using the same public IPv4 to keep running the site-2-site tunnel with a remote branch office (with a 2nd Fortigate there).
Is it even possible, or am I asking too much?
No, that is doable. You can bind multiple IPsec tunnels to the same WAN interface and address. You might have to use peerid to distinguish peers for s2s tunnels,
e.g.
fqdn
string
certificate DN
Ken Felix
PCNSE
NSE
StrongSwan
Thanks for your answer.
I understand the idea of using peerid to multiplex an IPsec service, although I am under the impression it is restricted to IKEv1 and aggressive mode (please, please correct me where I am wrong).
However, I would like to confirm you can mix on the same interface, s2s tunnels (using "set type static" in phase1-interface) with dialup answering services ("set type dynamic"); your post seems to mean the former can be multiplexed, but I am interested to use the latter as well.
I have dial-up IPsec tunnels (mostly IKEv1, aggressive mode, split tunneling) and also s2s tunnels on the same interface without any problems.
Like emnoc wrote, you might have to use peerids or unique pairs of proposals to have the FGT assign the correct tunnels. It won't mix up dial-up and s2s anyway, because s2s does not support dial-up, so you cannot want to dial into a s2s ;)
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
No, aggressive mode does not need peerid (aka groups), but yes, you can mix and match static and dialup on the same interface. So you do not have any worries in that area. You can also run IKEv1 and IKEv2 on the same interface.
Your only limit on how many tunnels you can put on one interface is outlined in the FortiOS maximum values. Outside of that, you're good to go.
You can reference the maximum values for your FortiOS version here:
https://docs.fortinet.com/document/fortigate/6.2.0/fortios-maximum-values-table
Ken Felix
PCNSE
NSE
StrongSwan
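To make the two answers above concrete, here is an added FortiOS CLI example (not configuration posted by anyone in this thread) that puts a static site-to-site tunnel and a dynamic dial-up tunnel on the same WAN interface and public IP. The interface name "wan1", the branch peer address 203.0.113.10, the peer ID "roaming-users", the user group "vpn-users", the subnets and the PSKs are all placeholders. The dial-up tunnel uses IKEv1 aggressive mode with a peer ID so that the FortiGate can select it by the client's local ID: in IKEv1 main mode with PSK the ID payload is sent encrypted, so it cannot be used to pick a tunnel, which is why aggressive mode (or IKEv2) is used when a peer ID must do the multiplexing. The static tunnel needs no peer ID because the FortiGate matches it on the fixed remote gateway address.

```fortios
# Added example, not from the thread. All names, addresses and secrets
# are placeholders; firewall policies and routes are still required.

config vpn ipsec phase1-interface
    # Site-to-site tunnel to the branch FortiGate. The peer has a fixed
    # public IP, so the FGT matches it on remote-gw; no peer ID needed.
    edit "s2s-branch"
        set type static
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE-WITH-BRANCH-PSK"
    next
    # Dial-up tunnel for roaming clients on the same interface. No
    # remote-gw, so it answers any source; peertype one + peerid binds
    # it to clients presenting the local ID "roaming-users" so it is
    # not confused with other dynamic tunnels on wan1.
    edit "dialup-clients"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "roaming-users"
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "vpn-users"
        set psksecret "REPLACE-WITH-DIALUP-PSK"
    next
end

config vpn ipsec phase2-interface
    # Static tunnel: explicit selectors for the two LANs (placeholders).
    edit "s2s-branch-p2"
        set phase1name "s2s-branch"
        set proposal aes256-sha256
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
    # Dial-up tunnel: selectors left at the default (any), the client's
    # split-tunnel or full-tunnel policy decides what it sends.
    edit "dialup-clients-p2"
        set phase1name "dialup-clients"
        set proposal aes256-sha256
    next
end
```

After both peers come up, `diagnose vpn ike gateway list` shows two IKE gateways bound to wan1 with the same local address, and `get vpn ipsec tunnel summary` lists both phase1 names, which is the quickest way to confirm the FortiGate is not collapsing them into one tunnel. If you later add a second dial-up tunnel on the same interface, give it a different peerid (or a distinct proposal set) so negotiation lands on the intended one.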
Copyright 2024 Fortinet, Inc. All Rights Reserved.