Can I VIP into an IPSec tunnel?

Gold Member
  • Total Posts : 124
  • Scores: 8
  • Reward points: 0
  • Joined: 2014/06/11 08:51:54
  • Status: offline
2015/05/20 13:23:53

Can I VIP into an IPSec tunnel?

Hey All.
I have a vendor accessing a series of VIPs on my Fortigate, which are pointed to a series of corresponding private IPs that are accessed over an MPLS.
I need to allow this vendor to get access to a new site at which I do not have an MPLS connection. I can build an IPSec tunnel to this location, but I'm a bit confused as to what my source/destinations would be. Attached is a picture.
So, if I VIP into XX.XX.XX.XX:3, I want to VIP the traffic to, and head down the VPN tunnel.
Is this possible/achievable in some way?

Attached Image(s)

Silver Member
  • Total Posts : 102
  • Scores: 4
  • Reward points: 0
  • Joined: 2013/06/19 07:45:28
  • Location: Tallinn, Estonia
  • Status: offline
Re: Can I VIP into an IPSec tunnel? 2015/05/21 04:59:38
Yes, I have done this. I created an additional IP address on the router's internal IP address and used that in the VIP configuration. I could access that IP address from my office over the IPSEC tunnel, and the VIP translated the address (with port) to another address which was reachable using another IPSEC tunnel in that router. Of course, policies have to be done too. That's the short version.
Be careful: when I created the VIP on the router's default address, I lost the connection to the router and had to take it off quickly by managing it over the external address. You can use a different network too if needed.
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/10/18 19:34:57
  • Status: offline
Re: Can I VIP into an IPSec tunnel? 2020/11/21 07:19:56
Hi guys, I need the setup guide for this. Is it possible?
Expert Member
  • Total Posts : 8531
  • Scores: 207
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
Re: Can I VIP into an IPSec tunnel? 2020/11/23 11:29:19
Just treat the IPSec tunnel as another firewall address or interface. Policy from VIP->IPSec. The only difference is the VIP needs to be allowed over the tunnel. A way to get this done is to create an IP pool of a single allowed IP address through the IPSec tunnel and use it in the VIP->IPSec policy as the source address.

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at:

FWF81CM (1)
FWF80CM (2)
FWF81CM (2)
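Putting the two answers above (the extra address used in a VIP that forwards down a second tunnel, and the single-address IP pool as the policy's source NAT) into FortiOS CLI form, as an added example that is not from any poster in this thread: a port-forward VIP, a one-address pool so the remote tunnel peer only ever sees one allowed source, and the VIP-to-tunnel policy restricted to the vendor's address and one service. All names and values here (wan1, newsite-vpn, vendor-public, the 203.0.113.x/10.x.x.x addresses, the RDP service) are assumptions for illustration, not from the page.

```fortios
# Constructed example. Assumes the IPsec phase1 is already built as an
# interface named "newsite-vpn" and an address object "vendor-public"
# holds the vendor's source IP. The phase2 selectors on BOTH ends must
# include the pool address (10.10.10.5) and the mapped host (10.50.0.20),
# otherwise the NATed traffic is not "allowed over the tunnel".

# 1. VIP: public address/port the vendor connects to -> host at the new site.
config firewall vip
    edit "vip-vendor-newsite"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedip "10.50.0.20"
        set mappedport 3389
    next
end

# 2. Single-address IP pool used as the source NAT towards the tunnel.
#    Default type (overload) lets several vendor sources share one IP,
#    so only 10.10.10.5 ever needs to be permitted by the remote peer.
config firewall ippool
    edit "pool-to-newsite"
        set type overload
        set startip 10.10.10.5
        set endip 10.10.10.5
    next
end

# 3. Policy VIP -> IPsec: vendor only, one service, source NAT from the pool,
#    full logging so the vendor's sessions are auditable.
config firewall policy
    edit 0
        set name "vendor-to-newsite-via-vpn"
        set srcintf "wan1"
        set dstintf "newsite-vpn"
        set srcaddr "vendor-public"
        set dstaddr "vip-vendor-newsite"
        set action accept
        set schedule "always"
        set service "RDP"
        set nat enable
        set ippool enable
        set poolname "pool-to-newsite"
        set logtraffic all
    next
end
```

Apply this from a session over an address that is not used by the VIP, as the second answer warns, and check the result with `diagnose sniffer packet newsite-vpn` to confirm the outbound packets carry the pool address.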