- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Terminating IPSEC VPN tunnel with remote networks ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Terminating IPSEC VPN tunnel with remote networks that has public IPs and private IPs
Hello,
I am completely new to Fortinet world and considering to get Fortinet 60D or Fortinet 70D where I will be required to setup a few IPSEC site-to-site tunnels on it. I need some expert advise on whether the following is feasible and how to go about configuring it (preferably via GUI and if you can point me to any documentation/video tutorial that's even better).
Following are my scenarios for required VPN setup (this is not a typical site-to-site setup involving private IPs). Please note the remote peer devices make/model could vary every time as we deal with new vendors at all times.
Scenario 1:
Remote Peer: Public IP
Remote Network: Public IPs/subnet
My Peer: Public IP
My Network: a few servers behind my Fortinet device that will have routable public IPs assigned to them
Requirement: Users on remote network need to be able to access the resources running on my network over the tunnel (only on certain allowed port numbers. For example: 80, 21 ... and all other ports to be blocked). My servers need to be able to communicate with remote network on all port numbers.
Scenario 2:
Remote Peer: Public IP
Remote Network: Private IPs/subnet
My Peer: Public IP
My Network: a few servers behind my Fortinet device that will have routable public IPs assigned to them
Requirement: Same as Scenario 1 - Users on remote network need to be able to access the resources running on my network over the tunnel (only on certain allowed port numbers. For example: 80, 21 ... and all other ports to be blocked). My servers need to be able to communicate with remote network on all port numbers.
As you can see the only difference between my Scenario 1 and 2 is the remote network's IP class (public vs private). Some vendors that we deal with prefer their end of the VPN tunnel to be terminated on public subnet and some prefer that we do it on their private subnet. So, is that a challenge with Fortinet devices?
Thanks in advance. Please let me know.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anyone?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Welcome to the forums.
It really doesn't matter what networks are behind the remote peer. All you need to remember is when routing, the distances for those remote subnets needs to be shorter than that of the default gateway on your side. This will direct all those remote subnets down the tunnel as opposed to the public Internet.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! I never worked with Fortinet devices before so I am little confused with when you said 'distances for those remote subnets needs to be shorter'. I can tell it is some kind of weighing scale to pick the best possible routes but that's pretty much it.
Every Fortinet documentation that I looked up online talks about how to configure L2L connections for two private networks, and nothing that I can find that talks about anything similar to what I requested. Do you know of any online tutorial that focus on what I need?
Related Posts
- Layer3 Fortiswitch 119 Views
- Terminate site-to-site IPSec VPN tunnel on... 1636 Views
- FortiGate IPsec Configuration - Unable to... 382 Views
- aws and fortigate 613 Views
- aws internet traffic and aws 1579 Views
Labels
-
FortiGate
6,948 -
FortiClient
1,369 -
5.2
801 -
5.4
639 -
FortiManager
600 -
FortiAnalyzer
440 -
6.0
416 -
5.6
362 -
FortiAP
362 -
FortiSwitch
359 -
FortiClient EMS
281 -
FortiMail
269 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
168 -
6.4
128 -
FortiNAC
123 -
FortiGuard
111 -
IPsec
99 -
FortiGateCloud
92 -
FortiSIEM
91 -
SSL-VPN
87 -
FortiCloud Products
85 -
FortiToken
76 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
63 -
FortiProxy
48 -
FortiADC
45 -
FortiEDR
43 -
SD-WAN
42 -
Fortivoice
41 -
FortiDNS
37 -
FortiExtender
35 -
FortiGate v5.4
35 -
FortiSandbox
33 -
FortiSwitch v6.4
32 -
Firewall policy
31 -
High Availability
28 -
FortiAuthenticator
27 -
VLAN
27 -
FortiConnect
24 -
FortiWAN
23 -
ZTNA
21 -
FortiConverter
21 -
DNS
20 -
FortiGate v5.2
19 -
FortiPortal
18 -
FortiSwitch v6.2
17 -
SAML
17 -
LDAP
17 -
Certificate
17 -
BGP
16 -
VDOM
16 -
FortiMonitor
14 -
FortiLink
14 -
Interface
14 -
Logging
14 -
Authentication
13 -
FortiGate v5.0
13 -
Routing
13 -
FortiDDoS
13 -
FortiCASB
12 -
NAT
11 -
RADIUS
10 -
SSL SSH inspection
10 -
Traffic shaping
10 -
Fortigate Cloud
10 -
Virtual IP
10 -
SSO
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Application control
9 -
4.0MR2
9 -
SSID
8 -
FortiBridge
8 -
WAN optimization
8 -
Web profile
8 -
FortiGate v4.0 MR3
8 -
IP address management - IPAM
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
SNMP
7 -
Admin
7 -
4.0
7 -
Security profile
6 -
Traffic shaping policy
6 -
Web application firewall profile
6 -
Proxy policy
5 -
Packet capture
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Antivirus profile
4 -
Automation
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
trunk
4 -
Port policy
4 -
FortiDeceptor
3 -
Fortinet Engage Partner Program
3 -
FortiToken Cloud
3 -
Traffic shaping profile
3 -
FortiPAM
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Users
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Multicast routing
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Explicit proxy
1 -
Zone
1
Top Kudoed Authors
| User | Count |
|---|---|
| 999 | |
| 832 | |
| 468 | |
| 440 | |
| 136 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.