VLAN config for data and voip (and VPN site to site configuration)
I need some suggestions / help about configuring a site to site VPN used for 2 different VLAN (data and voip)
Fortigate 60D firmware 5.2.1
Internal lan 192.168.20.0/24
Fortigate internal interface 192.168.20.252
We also have another internal network (not connected to the Fortigate), used for VoIP
Network is 192.168.1.0/24
Fortigate 60C (currently firmware 4.0 MR2 Patch 8, but I'm planning to upgrade to 5.2.1)
I need to configure a site-to-site VPN to connect the Headquarters and the Remote site, and I need to allow the transmission of data and VoIP traffic
I've seen something about configuring VLANs (I suppose I need to do it) but it's not clear to me.
1) How do I configure the FGT 60D to connect also to the VoIP VLAN? Is it necessary to configure only one VLAN (for VoIP) or 2 (for data and VoIP)?
2) How do I configure the VPN? Do I simply follow the wizard for "site-to-site fortigate" VPN?
Assume the VLAN is on the same "wire" as your internal LAN which is connected to the FGT "internal" port.
Then create a new interface (Network>Interface, create new) with type "VLAN". Enter the VLAN ID and the associated interface "internal".
VLAN interfaces are always sub-interfaces of a physical port, as are, for instance, VPN virtual interfaces. Traffic entering the VLAN interface will be untagged at ingress and tagged on egress.
Now send the VLAN traffic across the VPN tunnel:
You will now have a new interface which you will want to use in policies (!). For traffic to be able to flow between networks there has to be a policy combining the source and destination interfaces.
In your case you want the VLAN traffic to flow into the VPN tunnel (or vice versa) - so you need to create a policy with
src int: my_VLAN
src addr: VLAN_subnet
dst int: my_tunnel
dst addr: remote_subnet
Of course, you might have to take provisions so that your phase2 of the VPN allows for the extra VLAN subnet. There are 2 cases: if you have wildcard Quick Mode selectors in phase2 ('0.0.0.0/0') then you don't have to change anything. This only works if the other end is a FGT as well.
If you have specified the source and destination subnets in the QM selectors (as the RFC demands), then just create a second phase2 for the same phase1 and specify the VLAN subnet there.
If you have read so far - good! You need one other detail: create a static route on the remote FGT which points the VLAN subnet back to the tunnel (interface). Otherwise, the remote FGT will discard the traffic as being 'rogue'.
Additionally replicate the changes you made on the local FGT to the configuration on the remote side (VLAN, policy, address object).
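The steps in the answer above, written out as FortiOS 5.2 CLI for the HQ 60D. This is an added example, not configuration from the original post or from Fortinet; the lines starting with # are annotations, not CLI input. The VLAN ID (10), the VLAN gateway address (192.168.1.252), the remote VoIP subnet (192.168.101.0/24), and the name of the existing interface-mode (route-based) phase1 ("to-branch") are all assumptions, since the thread does not state them.

```text
# ---- HQ FortiGate 60D, FortiOS 5.2 CLI (added example, values assumed) ----

# 1) VLAN sub-interface on the "internal" port (Network > Interface, type VLAN)
config system interface
    edit "voip_vlan"
        set vdom "root"
        set ip 192.168.1.252 255.255.255.0
        set allowaccess ping
        set interface "internal"
        set vlanid 10
    next
end

# 2) Address objects used by the policies
config firewall address
    edit "voip_lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "branch_voip"
        set subnet 192.168.101.0 255.255.255.0
    next
end

# 3) Policies: one for VLAN -> tunnel, one for tunnel -> VLAN
#    ("edit 0" lets the unit pick the next free policy ID)
config firewall policy
    edit 0
        set srcintf "voip_vlan"
        set dstintf "to-branch"
        set srcaddr "voip_lan"
        set dstaddr "branch_voip"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "to-branch"
        set dstintf "voip_vlan"
        set srcaddr "branch_voip"
        set dstaddr "voip_lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# 4) Second phase2 on the same phase1, with the VoIP subnets as QM selectors
#    (not needed if the existing phase2 already uses 0.0.0.0/0 on both ends)
config vpn ipsec phase2-interface
    edit "to-branch-voip"
        set phase1name "to-branch"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.101.0 255.255.255.0
    next
end

# 5) Static route sending the remote VoIP subnet into the tunnel interface
config router static
    edit 0
        set dst 192.168.101.0 255.255.255.0
        set device "to-branch"
    next
end
```

On the remote 60C the same five blocks are mirrored with the subnets swapped: its VLAN interface carries 192.168.101.0/24, its phase2 selectors are src 192.168.101.0/24 and dst 192.168.1.0/24, and its static route points 192.168.1.0/24 at its own tunnel interface. Without that last route the remote unit drops the HQ VoIP packets on reverse-path check, which is the "rogue traffic" behaviour the answer describes.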