Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

VLAN config for data and voip (and VPN site to site configuration)

Hi all I need some suggestions / help about configuring a site to site VPN used for 2 different VLAN (data and voip) Headquarter Fortigate 60D firmware 5.2.1 Internal lan Fortigate internal interface We have also (not connected to Fortigate) another internal, used for VOIP Network is Remote Site Fortigate 60C (currently firmware 4.0 MR2 Patch 8, but I'm planning to upgrade to 5.2.1) I need to configure a site-to-site VPN to connect Headquarter and Remote site and I need to allow the transmission of data and voip traffic I' ve seen something about configuring VLAN  (I suppose I need to do it) but it's not clear to me.. 1) How do I configure the FGT 60D to connect also to voip VLAN ? Is it necessary to configure only one VLAN (for VOIP) or 2 (for data and voip) ? 2) How do I configure the VPN ? Do i simply follow the wizard for "site-to-site fortigate" VPN ? Thank you Corrado

Esteemed Contributor III



let's start with connecting the FGT to your VLAN.


Assume the VLAN is on the same "wire" as your internal LAN which is connected to the FGT "internal" port.

Then create a new interface (Network>Interface, create new) with type "VLAN". Enter the VLAN ID and the associated interface "internal".

VLAN interfaces are always sub-interfaces to a physical port, like for instance VPN virtual interfaces as well. Traffic entering the VLAN interface will be untagged at ingress and tagged on egress.


Now send the VLAN traffic across the VPN tunnel:

You will now have a new interface which you will want to use in policies (!). For traffic to be able to flow between networks there has to be a policy combining the source and destination interfaces.

In your case you want the VLAN traffic to flow into the VPN tunnel (or vice versa) - so you need to create a policy with

src int: my_VLAN

src addr: VLAN_subnet

dst int: my_tunnel

dst addr: remote _subnet


Of course, you might have to take provisions so that your phase2 of the VPN allows for the extra VLAN subnet. There are 2 cases: if you have wildcard Quick Mode selectors in phase2 ('') then you don't have to change anything. This only works if the other end is a FGT as well.

If you have specified the source and destination subnet in the QM selectors (as the RFC demands for), then just create a second phase2 for the same phase1 and specifiy the VLAN subnet here.


If you have read so far - good! You need one other detail: create a static route on the remote FGT which points the VLAN subnet back to the tunnel (interface). Otherwise, the remote FGT will discard the traffic as being 'rogue'.

Additionally replicate the changes you made on the local FGT to the configuration on the remote side (VLAN, policy, address object).




"Kernel panic: Aiee, killing interrupt handler!"
Top Kudoed Authors