I have a site to site VPN, i want to apply a traffic shapping to specific traffic (sourc IP), but in the shaping policy it is not matching the traffic through the IPSEC tunnel.
There are some configuration that works different for interface like wan and not for IPSEC tunnel ?
Solved! Go to Solution.
Created on 05-16-2024 08:16 AM Edited on 05-16-2024 08:18 AM
Shaping-policy should work with IPsec tunnel traffic. Shaping-profile might not.
Share us your shapers.
Toshi
Hello @jr14 ,
If you want to shape traffic from a remote site internal IPs. You need to configure the shaping policy with the ipsec interface. Normally, this configuration should work.
If it is possible, can you share your shaping policy?
I did it, i am reference the ipsec tunnel, but it never match the traffic that i want to limit
Hello @jr14 ,
If it is possible, can you share your shaping policy? Also, Can you share sample logs for the traffic you want to apply shaper to?
something like this
config firewall shaping-policy
edit 1
set uuid b90a13cc-138f-51ef-6025
set name "TEST"
set service "ALL"
set srcintf "LAN"
set dstintf "IPSEC"
set traffic-shaper "guarantee-100kbps"
set traffic-shaper-reverse "guarantee-100kbps"
set srcaddr "10.10.10.10"
set dstaddr "192.168.10.10"
next
end
Hello @jr14 ,
When I examine the shaping policy, I see that it gives guaranteed bandwidth. I understood that you wanted to restrict it. If you want to restrict it, you must change this first.
Is the direction of traffic configured correctly? In this case, I see that the traffic you want to restrict starts from your local network and goes to the other side. This policy will not work if traffic starts from the opposite side.
Is just an example, i want to restrict the outgoing traffic through the IPSEC tunnel.
thanks for you support
If you want to restrict outgoing traffic to a certain bandwidth, you need to create a shaper to set "maximum-bandwidth". Then use it in the shaping-policy. The unit is Kbps.
Toshi
Created on 05-16-2024 08:15 AM Edited on 05-16-2024 08:15 AM
Yes, i know that.
I know how to configure the traffic shapping, shapping policy and more.
The problem is that i am doing for the IPSEC tunnel traffic not for the wan interface, and the traffic is not matching the shapper.
So i just asking if someone have done this before, apply shapping to the traffic passing through the IPSEC TUNNEL.
I just want to make sure that it is the same config.
Created on 05-16-2024 08:16 AM Edited on 05-16-2024 08:18 AM
Shaping-policy should work with IPsec tunnel traffic. Shaping-profile might not.
Share us your shapers.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.