- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Multiple ISP + BGP + VPN question
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Multiple ISP + BGP + VPN question
I've got a tough question with multiple parts that has me stumped right now. Here are the requirements or info points.
1) 2 (or more ISPs) Each providing a /29, on 2 or more interfaces.
2) We own our own /24 block. That needs to be advertised with BGP and available publicly.
3) I want VPN tunnels to terminate on our IPv4 IPs...that way IPSec Tunnels are ISP independent.
4) I want the remaining IPv4 Addresses useable by other hosts...preferrably on a VLAN interface that holds the public IP Space.
I'm really stuck on each part. I've got a VPN established on one ISP block of IPs.
I've got BGP advertising but currently I have a VLAN created with our /24 and it is being advertised.
I can't seem to find how to use one of my publics, say X.X.X.10 for my IP address on the Fortigate for IPSec to terminate on.
I did find a post today on a fortiguru site titled "Public IP Pass-through (DMZ Transparent Mode)" that seems to address much of what I'm looking for but no details on how to configure it. And, it doesn't address VPN question.
Anyone able to lend some advice?
Not Logged in chrome
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you create a secondary IP address on the /24 vlan interface and use that in your VPN configuration.
this is the general idea: https://kb.fortinet.com/kb/documentLink.do?externalID=FD32009
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm actually dealing with a somewhat similar thing. My own /24 doesn't exist on an interface though (all used for VIPs). I have a loopback interface that one of my VIPs NATs to and I terminate my IPSEC tunnels on this loopback.
I'm just now beginning to implement this (still not full production) but it seems to be working. I'd be happy to discuss more over PM or demo over a brief Zoom if it would be helpful.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your answers. The approach in that linked article was one I tried a couple days ago without success, but, since I wrote my request for help, I got what I needed. Yesterday I had called support and we couldn't figure it out but the forti engineer I got took it as a project and set it up in the lab. He came up with a working solution.
Let me explain where things went wrong. When I did it just per the article, I moved my VPN that terminated on the ISP's assigned IP address, to the secondary on the VLAN interface I created. I was able to bring up a tunnel, and pass traffic into the network. The replies also tried to send back, but it failed as the packets went into the tunnel and I wasn't able to get any packets going back across the tunnel. It said there was no route to the other end, which is bogus, because it had the tunnel built and it should have known where to go. So what we did as the fix was this:
We enabled overlapping subnets. That way I could have the /24 on the VLAN interface, but create a loopback with a /32 mask on x.x.x.2 Then I could terminate the VPN on that IP. Once that was done, the traffic routed fine and everything worked. Now I just have to verify that I can still use my /24 block for NAT of internal hosts for internet access as well. If so, it should work out just fine.
Thanks again for your tips. After 18 years of banging away at Cisco equipment of all types, the COVID situation forced me into a job change and I've found myself having to pick up something totally new. Definitely a little gear grinding as I try to shift into higher gears.
Related Posts
- Multiple FGTs to one SAML server 120 Views
- Recipient Verification 84 Views
- Configuring FortiMail to Filter Incoming Emails... 78 Views
- Multiple Fortigate/VDOM SAML MFA Auth (for... 73 Views
- Deploying HA Firewall to current environment 104 Views
Labels
-
FortiGate
6,593 -
FortiClient
1,315 -
5.2
801 -
5.4
639 -
FortiManager
570 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
High Availability
21 -
FortiConverter
21 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.