Currently I'm trying to make a site-to-site VPN into a VDOM. I noticed that if I send it over the inter-VDOM link with VIP and NAT activated, the inter-VDOM interface is of course seen as the peer.
The root VDOM is exposed to the internet using multiple IPv4 /24 subnets with several ports.
There is not much information about how to set up a site-to-site VPN into a VDOM. I hope you can help me out with that.
It's not about the VDOM environment; it's about whether the termination point is reachable from the internet or sits behind NAT. It's exactly the same situation as having an upstream router that provides NAT, with your FGT without VDOMs sitting behind it, interconnected via a private subnet like 192.168.1.0/24.
Enable NAT-T on both ends. Then, if both sides have static IPs, it should come up when the local VDOM end tries to establish the tunnel with the other end through the root VDOM.
But do I need to do something with the source port? I read that you should enable outside NAT with port 500.
Are you blocking something at the root VDOM that prevents this VPN termination VDOM's vdom-link IP from going out? If there is any restriction/filtering of outgoing traffic at root, I recommend just creating a new policy at root to allow everything from this IP toward the internet. If you want/need to limit anything from this VDOM toward the internet, you can/should do that at the VDOM, not at root.
Think about the situation where you put a FortiGate behind a cable/DSL router at home, which can't disable NAT because that's the only place where the public IP assigned by the ISP lives. IPsec tunnels from the FGT behind it still work without changing any config on the router, because it's not restricting anything special for outgoing traffic. NAT-T would help in that situation. I think your multi-VDOM situation is exactly the same.
If you're VIPing from the root VDOM, you should forward UDP 500/4500. But you didn't mention that.
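The two replies above describe the same arrangement: the VPN VDOM behaves like a FortiGate behind a NAT router, so the root VDOM forwards UDP 500/4500 inbound to the vdom-link address, lets the vdom-link address out to the internet, and the IPsec phase1 in the VPN VDOM has NAT traversal enabled. The FortiOS CLI configuration below is an added example written for this thread, not config posted by anyone in it. Every name and address in it is an assumption: the WAN interface `wan1`, the public address 203.0.113.10, an ethernet-type vdom-link `vlink` with `vlink0` in root (10.255.255.1) and `vlink1` in a VDOM called `vpnvdom` (10.255.255.2), the remote gateway 198.51.100.20, and the two private subnets in phase2.

```fortios
# --- global: an ethernet-type inter-VDOM link with a /30 on each side ---
config global
config system vdom-link
    edit "vlink"
        set type ethernet
    next
end
config system interface
    edit "vlink0"
        set vdom "root"
        set ip 10.255.255.1 255.255.255.252
    next
    edit "vlink1"
        set vdom "vpnvdom"
        set ip 10.255.255.2 255.255.255.252
    next
end
end

# --- root VDOM: forward IKE/NAT-T in, let the vdom-link address out ---
config vdom
edit root
config firewall service custom
    edit "udp-500-4500"
        set udp-portrange 500 4500
    next
end
config firewall vip
    edit "vip-ike-500"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 500
        set mappedip "10.255.255.2"
        set mappedport 500
    next
    edit "vip-ike-4500"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 4500
        set mappedip "10.255.255.2"
        set mappedport 4500
    next
end
# Pin outbound IKE to the same public address the VIPs use, so the peer
# sees one gateway address even though wan1 carries several /24 subnets.
config firewall ippool
    edit "pool-vpn-public"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end
config firewall policy
    edit 0
        set name "internet-to-vpnvdom-ike"
        set srcintf "wan1"
        set dstintf "vlink0"
        set srcaddr "all"
        set dstaddr "vip-ike-500" "vip-ike-4500"
        set action accept
        set schedule "always"
        set service "udp-500-4500"
        # No source NAT here: with NAT on, IKE would arrive in vpnvdom
        # with the vdom-link address as its source instead of the peer's.
        set nat disable
    next
    edit 0
        set name "vpnvdom-to-internet"
        set srcintf "vlink0"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "pool-vpn-public"
    next
end
next

# --- VPN VDOM: default route via root, phase1 with NAT traversal ---
edit vpnvdom
config router static
    edit 0
        set gateway 10.255.255.1
        set device "vlink1"
    next
end
config vpn ipsec phase1-interface
    edit "s2s-partner"
        set interface "vlink1"
        set ike-version 2
        set remote-gw 198.51.100.20
        set nattraversal enable
        set keepalive 10
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "replace-with-the-real-psk"
    next
end
config vpn ipsec phase2-interface
    edit "s2s-partner-p2"
        set phase1name "s2s-partner"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.10.0.0 255.255.0.0
        set dst-subnet 10.20.0.0 255.255.0.0
    next
end
next
end
```

The remote side must point its `remote-gw` at 203.0.113.10 (the root VDOM's public address), never at 10.255.255.2, and must also have NAT traversal enabled. Routes and firewall policies for the traffic that actually rides the tunnel (toward the `s2s-partner` tunnel interface) belong in `vpnvdom`, matching the advice above to filter in the VPN VDOM rather than at root. Verify with `diagnose vpn ike gateway list` in `vpnvdom`: the gateway entry should show the NAT-T port 4500 on the root side once the peer has detected the NAT.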
Copyright 2024 Fortinet, Inc. All Rights Reserved.