Duka
New Contributor II

Multiple IPSec VPN for using zones

Hi Everybody,

Some time ago I did a network segmentation at headquarters based on zones (client, VoIP, server) and numerous policies. Now I have to do the same at a remote site (IPsec VPN). The remote site has the same logic as the main office, although not all VLANs are necessary (only client, VoIP). All routing between the VLANs is done at headquarters.

 

I would like to avoid the following solutions:

  • Using multiple interfaces in the policies, because I lose the "Interface Pair View".
  • Duplicate policies (this makes administration more complex).

My idea:
Multiple IPsec VPNs (with different public IPs at the main site, parameter "set local-gw"), one VPN per VLAN, so that its interface can then be added to the corresponding zone and the existing rules are used automatically.

 

Since I don't have a test environment, I wanted to ask beforehand whether this is even possible (routing...) or whether I've overlooked something here.

 

Graphic for better understanding.

[attachment: image.png]

Thanks in advance for your help

 

Regards
Patrick

1 Solution
Duka
New Contributor II

Hi,

The connection is now working as expected. As both of you wrote, I also had to add the static routes (same priority) so that the connection also works from the main office.

 

Key elements to solve this problem:
- Multiple IPsec VPNs with tunnel interface IPs on both sides
- Policy route on remote site, one per VLAN on the remote site (gateway = IP of the VPN interface on the main site)
- Static routes on remote and main site
- Some policies to allow traffic

 

Many thanks to both of you

 

Regards
Patrick

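The key elements of the accepted solution, put together as one FortiOS CLI sketch for both firewalls. This is an added example, not Patrick's actual configuration: it reuses the tunnel names, VLAN names, subnets and tunnel-gateway addresses that appear in the debug output and policy routes later in the thread, while the public IPs, the site-B tunnel IPs, the zone names, the WAN interface name, the PSK placeholders and the mapping of vlan-300 to client / vlan-301 to VoIP are assumptions.

```fortios
# Added example, not configuration from the thread. Assumed values: HQ public IPs
# 203.0.113.1 / 203.0.113.2, site B public IP 198.51.100.10, site-B tunnel IPs
# 172.16.50.2 / 172.16.40.2, vlan-300 = client, vlan-301 = VoIP, HQ zones zone-client /
# zone-voip, WAN interface "wan1". Lines beginning with "#" are annotations, not CLI.

### ----- Remote site B -----
config vpn ipsec phase1-interface
    edit "DR300_DK300"                      # client tunnel
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set remote-gw 203.0.113.1           # HQ public IP no. 1
        set psksecret <PSK-client>          # placeholder; use a different key per tunnel
    next
    edit "DR301_DK301"                      # VoIP tunnel
        set interface "wan1"
        set ike-version 2
        set proposal aes256-sha256
        set remote-gw 203.0.113.2           # HQ public IP no. 2
        set psksecret <PSK-voip>
    next
end
config vpn ipsec phase2-interface
    edit "DR300_DK300"
        set phase1name "DR300_DK300"
        set src-subnet 0.0.0.0 0.0.0.0      # any/any; routing and zones do the segmentation
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    edit "DR301_DK301"
        set phase1name "DR301_DK301"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config system interface                     # tunnel IPs: the policy-route gateway is the HQ end
    edit "DR300_DK300"
        set ip 172.16.50.2 255.255.255.255
        set remote-ip 172.16.50.1 255.255.255.252
    next
    edit "DR301_DK301"
        set ip 172.16.40.2 255.255.255.255
        set remote-ip 172.16.40.1 255.255.255.252
    next
end
config router static                        # Server_A via BOTH tunnels (same distance, different
    edit 10                                 # priority): passes RPF for replies arriving on
        set dst 10.245.5.0 255.255.255.0    # either tunnel and lets the policy routes be used
        set device "DR300_DK300"
        set priority 1
    next
    edit 11
        set dst 10.245.5.0 255.255.255.0
        set device "DR301_DK301"
        set priority 2
    next
end
config router policy                        # source-based split, one entry per VLAN
    edit 1
        set input-device "vlan-300"
        set src "192.168.50.0/255.255.255.0"
        set dst "10.245.5.0/255.255.255.0"
        set gateway 172.16.50.1
        set output-device "DR300_DK300"
    next
    edit 2
        set input-device "vlan-301"
        set src "192.168.40.0/255.255.255.0"
        set dst "10.245.5.0/255.255.255.0"
        set gateway 172.16.40.1
        set output-device "DR301_DK301"
    next
end

### ----- Main site A -----
# phase1/phase2 as above, plus "set local-gw 203.0.113.1" (DR300_DK300) and
# "set local-gw 203.0.113.2" (DR301_DK301), "set remote-gw 198.51.100.10",
# tunnel IPs 172.16.50.1 and 172.16.40.1.
config router static                        # return routes to site B, again via BOTH tunnels
    edit 20
        set dst 192.168.50.0 255.255.255.0
        set device "DR300_DK300"
        set priority 1
    next
    edit 21
        set dst 192.168.50.0 255.255.255.0
        set device "DR301_DK301"
        set priority 2
    next
    # same pair for 192.168.40.0/24, preferred via DR301_DK301
end
config system zone                          # tunnel joins the VLAN's zone; existing zone
    edit "zone-client"                      # policies now cover the remote site too
        append interface "DR300_DK300"
    next
    edit "zone-voip"
        append interface "DR301_DK301"
    next
end
```

Two checks worth doing after applying this: `get router info routing-table all` on each side should list the destination via both tunnel interfaces (a route with a worse priority stays in the routing table, which is what the reverse path check and the policy-route lookup need), and `diagnose debug flow` on the site that was dropping packets should no longer show "reverse path check fail". A tunnel interface cannot be added to a zone while it is still referenced directly by a firewall policy, so remove any interim per-interface policies first.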

seshuganesh
Staff

Hi Team,

 

As per your requirement, you would like to configure multiple public IPs at the head office end and create multiple tunnels to the remote end.

Thereby you can add different phase 2 selectors in all three tunnels.

Yes, it is possible.

You are basically separating VLAN traffic based on the tunnels.

Please correct me if I am wrong.

akristof
Staff

Hi, as my colleague said, you can use a single VPN with multiple phase 2 selectors, but if you want to have traffic between Client_A and VoIP_B it can become difficult because you would need all the combinations of the traffic.

You can also use a single tunnel with one any/any phase 2, but if you want to segment traffic into separate tunnels, then you can also do it like that.

You can configure multiple tunnels on different IPs (on HQ) if you can; if you have only one public IP, you can configure multiple tunnels on the same IP and just use localid (IKEv1), or you can use a network-overlay ID (IKEv2).

Adrian
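Adrian's two options for running several tunnels between the same pair of public IPs, written out as an added FortiOS CLI example (not configuration from the thread). The tunnel names follow the thread; the public IPs, network IDs, peer ID string, PSK placeholders and interface name are assumptions.

```fortios
# Added example, not from the thread. Assumed: HQ public IP 203.0.113.1 on "wan1",
# site B public IP 198.51.100.10. Lines beginning with "#" are annotations, not CLI.

### Option 1 (IKEv2): same endpoints, tunnels told apart by network-overlay ID
# HQ side; site B uses the same two entries with "set remote-gw 203.0.113.1"
config vpn ipsec phase1-interface
    edit "DR300_DK300"
        set interface "wan1"
        set ike-version 2
        set remote-gw 198.51.100.10
        set network-overlay enable
        set network-id 10                 # must match the peer's network-id
        set psksecret <PSK-client>        # placeholder; distinct key per tunnel
    next
    edit "DR301_DK301"
        set interface "wan1"
        set ike-version 2
        set remote-gw 198.51.100.10       # identical endpoints, different overlay ID
        set network-overlay enable
        set network-id 11
        set psksecret <PSK-voip>
    next
end

### Option 2 (IKEv1): aggressive mode, tunnels selected by peer ID
# HQ side: only accept the peer that presents this ID
config vpn ipsec phase1-interface
    edit "DR300_DK300"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "siteB-client"
        set remote-gw 198.51.100.10
        set psksecret <PSK-client>
    next
end
# Site B side: send that ID as the local identity
config vpn ipsec phase1-interface
    edit "DR300_DK300"
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set localid "siteB-client"        # matches "peerid" on the HQ entry
        set remote-gw 203.0.113.1
        set psksecret <PSK-client>
    next
end
```

Prefer the IKEv2 variant where both ends support it: IKEv1 aggressive mode sends the identity in the clear and exposes a PSK-derived hash that can be attacked offline, while IKEv2 negotiates the overlay ID inside the encrypted exchange. `diagnose vpn ike gateway list` shows each negotiated tunnel with its peer, so you can confirm that both came up on the single public IP.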
Duka
New Contributor II

Hi,

thanks to both for the quick reply and the tip regarding PeerID. I'll test it out over the next few weeks and then get back to you.

 

Regards

Patrick

Duka
New Contributor II

Hi,

I have now done some tests.

 

The VPN connections with different public IPs are working. The pings Client_A <-> Client_B and VOIP_A <-> VOIP_B work.

 

But now I have the problem that Client_B and VOIP_B also have to contact Server_A. I created a static route, but only CLIENT_B -> Server_A or VOIP_B -> Server_A works depending on the priority.

 

Is that even possible with "Static Route" or do I have to use "Policy Routes"? I tried that a bit, but didn't get there. Maybe someone has an idea?

 

Regards

Patrick

 

akristof

Hi,

If you have 2 routes for the same network, via IPsecA and via IPsecB (same distance, different priority), then a policy route is the best option. Possibly you did it right but the policy route was not used because of this:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-policy-routes-for-route-based-in...

Adrian
seshuganesh

Since you want to define a VLAN per tunnel, you need to use policy routes.

If you want to split based only on destination, then you can choose static routes, but as per your requirement you need to split based on source, so you need to go for policy routes.

Duka
New Contributor II

Hi,

Thank you for showing me the right way. By using policy routes I can now ping SERVER_A from CLIENT_B and VOIP_B. Unfortunately, the reverse way doesn't work: SERVER_A cannot ping CLIENT_B and VOIP_B. Does the Reverse Path Check have a problem with policy routes?

 

Debug on Remote Site - B

id=20085 trace_id=1373 func=print_pkt_detail line=5664 msg="vd-root:0 received a packet(proto=1, 10.245.5.105:1->192.168.50.5:2048) from DR300_DK300. type=8, code=0, id=1, seq=15888."
id=20085 trace_id=1373 func=init_ip_session_common line=5834 msg="allocate a new session-005e1fb6"
id=20085 trace_id=1373 func=ip_route_input_slow line=2241 msg="reverse path check fail, drop"
id=20085 trace_id=1373 func=ip_session_handle_no_dst line=5918 msg="trace"

 

config router policy
    edit 1
        set input-device "vlan-301"
        set src "192.168.40.0/255.255.255.0"
        set dst "10.245.5.0/255.255.255.0"
        set gateway 172.16.40.1
        set output-device "DR301_DK301"
    next
    edit 2
        set input-device "vlan-300"
        set src "192.168.50.0/255.255.255.0"
        set dst "10.245.5.0/255.255.255.0"
        set gateway 172.16.50.1
        set output-device "DR300_DK300"
    next
end

Regards

Patrick

akristof

Hi,

I am assuming that you have 2 routes over tunnel1 and tunnel2 with different priorities. You need to have this on both ends. In this case it doesn't matter that it will not be the best route; you just need to have a route for the source network in the routing table on the device that is dropping traffic because of the reverse path check.

Adrian
seshuganesh

Even though you configure policy routes, make sure there is a static route for the respective destinations through both tunnels on both ends of the firewall.

This will resolve the issue
