Can I VIP into an IPSec tunnel?

Author
FatalHalt
Gold Member
  • Total Posts : 124
  • Scores: 8
  • Joined: 2014/06/11 08:51:54
2015/05/20 13:23:53

Hey All. 
 
I have a vendor accessing a series of VIPs on my Fortigate, which are pointed to a series of corresponding private IPs that are accessed over an MPLS. 
 
I need to allow this vendor to get access to a new site at which I do not have an MPLS connection. I can build an IPSec tunnel to this location, but I'm a bit confused as to what my source/destinations would be. Attached is a picture.
 
So, if I VIP into XX.XX.XX.XX:3, I want to VIP the traffic to 192.168.3.1 and head down the VPN tunnel. 
 
Is this possible/achievable in some way?

Attached Image(s)

#1
echo
Silver Member
  • Total Posts : 97
  • Scores: 4
  • Joined: 2013/06/19 07:45:28
  • Location: Tallinn, Estonia
Re: Can I VIP into an IPSec tunnel? 2015/05/21 04:59:38
Yes, I have done this. I created an additional IP address on the router's internal IP address and used that in the VIP configuration. I could access that IP address from my office over the IPsec tunnel, and the VIP translated the address (with port) to another address which was reachable using another IPsec tunnel on that router. Of course, policies have to be done too. That's it, shortly said.
 
Be careful: when I created a VIP on the router's default address, I lost the connection to the router and had to take it off quickly by managing it over the external address. You can use a different network too if needed.
#2
walvarez
New Member
  • Total Posts : 4
  • Scores: 0
  • Joined: 2020/10/18 19:34:57
Re: Can I VIP into an IPSec tunnel? 2020/11/21 07:19:56
Hi guys, I need the setup guide for this. Is it possible?
#3
rwpatterson
Expert Member
  • Total Posts : 8521
  • Scores: 207
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
Re: Can I VIP into an IPSec tunnel? 2020/11/23 11:29:19
Just treat the IPSec tunnel as another firewall address or interface. Policy from VIP->IPSec. The only difference is the VIP needs to be allowed over the tunnel. A way to get this done is to create an IP pool of a single allowed IP address through the IPSec tunnel and use it in the VIP->IPSec policy as the source address.
post edited by rwpatterson - 2020/11/23 11:30:50

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com


-5.0.14-b0323
FWF81CM (1)
 
-4.3.19-b0694
FWF80CM (2)
FWF81CM (2)
 
#4
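The arrangement rwpatterson describes in #4 (VIP on the outside, a policy from the WAN interface to the IPsec interface, and a one-address IP pool as the source NAT so the tunnel's selectors accept the traffic), written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet. Every name and address in it is an assumption: wan1 is the Internet-facing interface, vpn-newsite is an interface-mode IPsec phase1 to the new site, 203.0.113.10 stands in for the XX.XX.XX.XX public VIP address from the question, 198.51.100.20 is the vendor's source address, and 10.99.99.1 is the single pool address that the phase2 selector (and the far end) must allow. 192.168.3.1 is the mapped host from the question.

```fortios
# Constructed example (not from the thread). Assumed names and addresses:
#   wan1          = Internet-facing interface
#   vpn-newsite   = interface-mode IPsec phase1 to the new site (already built)
#   203.0.113.10  = public VIP address (placeholder for XX.XX.XX.XX)
#   198.51.100.20 = vendor's source address (placeholder)
#   10.99.99.1    = single address the tunnel allows as the local side
#   192.168.3.1   = real host behind the tunnel (from the question)

# Phase2 selectors: the local side is the single pool address, not a LAN.
# The remote peer must mirror this (remote 10.99.99.1/32, local 192.168.3.0/24).
config vpn ipsec phase2-interface
    edit "vpn-newsite-p2"
        set phase1name "vpn-newsite"
        set src-subnet 10.99.99.1 255.255.255.255
        set dst-subnet 192.168.3.0 255.255.255.0
    next
end

# Route the remote network into the tunnel interface so the policy lookup
# resolves dstintf to vpn-newsite.
config router static
    edit 0
        set dst 192.168.3.0 255.255.255.0
        set device "vpn-newsite"
    next
end

# The VIP: public address/port -> private host/port. Port forwarding on a
# single service keeps the exposure to one port rather than the whole host.
config firewall vip
    edit "vip-newsite-3"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "192.168.3.1"
        set portforward enable
        set protocol tcp
        set extport 443
        set mappedport 443
    next
end

# One-address pool used as the source NAT on the VIP->IPsec policy, so the
# packets entering the tunnel carry 10.99.99.1 and match the phase2 selector.
config firewall ippool
    edit "pool-vpn-src"
        set type one-to-one
        set startip 10.99.99.1
        set endip 10.99.99.1
    next
end

# Pin the policy to the vendor's address; a VIP is otherwise reachable
# from any source on wan1.
config firewall address
    edit "vendor-src"
        set subnet 198.51.100.20 255.255.255.255
    next
end

config firewall policy
    edit 0
        set name "vendor-to-newsite-via-vpn"
        set srcintf "wan1"
        set dstintf "vpn-newsite"
        set srcaddr "vendor-src"
        set dstaddr "vip-newsite-3"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set ippool enable
        set poolname "pool-vpn-src"
        set logtraffic all
    next
end
```

The pool address is the part that makes or breaks this: the far end of the tunnel only sees 10.99.99.1, so its phase2 selector and its own inbound policy have to permit that address, or the SA will never negotiate for this traffic. Restricting srcaddr to the vendor and the service to the one forwarded port, and logging every session on the policy, is what keeps a VIP that is reachable from the Internet from becoming a general relay into the remote site.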