Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
purathal
New Contributor

Terminating IPSEC VPN tunnel with remote networks that has public IPs and private IPs

Hello,

 

I am completely new to Fortinet world and considering to get Fortinet 60D or Fortinet 70D where I will be required to setup a few IPSEC site-to-site tunnels on it. I need some expert advise on whether the following is feasible and how to go about configuring it (preferably via GUI and if you can point me to any documentation/video tutorial that's even better).

 

Following are my scenarios for required VPN setup (this is not a typical site-to-site setup involving private IPs). Please note the remote peer devices make/model could vary every time as we deal with new vendors at all times.

 

Scenario 1:

 

Remote Peer: Public IP

Remote Network: Public IPs/subnet

 

My Peer: Public IP

My Network: a few servers behind my Fortinet device that will have routable public IPs assigned to them

 

Requirement: Users on remote network need to be able to access the resources running on my network over the tunnel (only on certain allowed port numbers. For example: 80, 21 ... and all other ports to be blocked). My servers need to be able to communicate with remote network on all port numbers.

 

Scenario 2:

 

Remote Peer: Public IP

Remote Network: Private IPs/subnet

 

My Peer: Public IP

My Network: a few servers behind my Fortinet device that will have routable public IPs assigned to them

 

Requirement: Same as Scenario 1 - Users on remote network need to be able to access the resources running on my network over the tunnel (only on certain allowed port numbers. For example: 80, 21 ... and all other ports to be blocked). My servers need to be able to communicate with remote network on all port numbers.

 

As you can see the only difference between my Scenario 1 and 2 is the remote network's IP class (public vs private). Some vendors that we deal with prefer their end of the VPN tunnel to be terminated on public subnet and some prefer that we do it on their private subnet. So, is that a challenge with Fortinet devices?

 

Thanks in advance. Please let me know.

3 REPLIES 3
purathal
New Contributor

Anyone?

rwpatterson
Valued Contributor III

Welcome to the forums.

 

It really doesn't matter what networks are behind the remote peer. All you need to remember is when routing, the distances for those remote subnets needs to be shorter than that of the default gateway on your side. This will direct all those remote subnets down the tunnel as opposed to the public Internet.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
purathal

Thank you! I never worked with Fortinet devices before so I am little confused with when you said 'distances for those remote subnets needs to be shorter'. I can tell it is some kind of weighing scale to pick the best possible routes but that's pretty much it.

 

Every Fortinet documentation that I looked up online talks about how to configure L2L connections for two private networks, and nothing that I can find that talks about anything similar to what I requested. Do you know of any online tutorial that focus on what I need?

 

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors