Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
VPNightmare
New Contributor

VDOMs: VPN, VIP Through Management VDOM?

Hello,

We have a 200D FortiGate (well, two in HA mode) with multiple client VDOMs in NAT mode, each with their own VLAN (multiple servers, SANs, typical data center stuff). Rather than allocating two ports for each VDOM (LAN/WAN), we decided to use unnumbered VDOM routes between each VDOM and the management VDOM, root, so as to only use one port (LAN) per VDOM instance. This works great.

What we need next is twofold:

1. We need independent IPsec VPN tunnels in each VDOM to the client FortiGates. In the attached image, for instance, VDOM1 would have a direct VPN tunnel to the remote client FortiGate. This is necessary.
2. We need a way to route public IPs to VDOMn. In the image, a public IP of 200.200.1.7 VIPs to a 10.1.0.x address in VDOM1. This is also necessary.

So, is there a way that 1 and/or 2 can be accomplished without using independent WAN ports for each VDOM?

As always, thank you in advance for any assistance.

    MBR
    New Contributor III

    Hi,

    Did you find a solution for this?

    Currently I'm having the exact same problem.

    MBR

    - MBR -

    NSE1, NSE2, NSE3

    FGT60D/E, FWF60D/E, FGT200D
    emnoc
    Esteemed Contributor III

    What you are doing is a meshed VDOM approach.

    http://socpuppet.blogspot.com/2014/09/a-stacked-vdom-concept-with-fortigate.html

    You have a few choices: you can run a DNAT VIP on the internet-facing VDOM to the respective FortiGate inside VDOM (1, 2, 3)

    or

    assign public IPv4 to the inside VDOM 1, 2, 3 and route these through the internet-facing VDOM

    or

    Are the inside VDOMs "responders" or "initiators"? If it's the latter you could just SNAT the traffic {IPsec/IKE} from the VDOM to the remote location(s). If you're worried about all IPsec coming from the same src-ip, use a peer-id to distinguish each tunnel.

    PCNSE

    NSE

    StrongSwan
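As an added illustration of the first option above (a DNAT VIP in the internet-facing VDOM), here is an example FortiOS configuration; it is not from the thread or from Fortinet, and it assumes the interface names noted in its comments plus the original poster's existing unnumbered static route for 10.1.0.0/24 via the root side of the VDOM link:

```fortios
# Added example, not from the thread: a DNAT VIP in the internet-facing root
# VDOM that hands 200.200.1.7 to a host in VDOM1 over the existing unnumbered
# inter-VDOM link. Assumed names: WAN port "wan1", VDOM link pair "vlink10"
# (root side) / "vlink11" (VDOM1 side), VDOM1 VLAN interface "vlan10", and
# 10.1.0.10 as a constructed stand-in for the thread's 10.1.0.x server.
config vdom
    edit root
        config firewall vip
            edit "vip-200.200.1.7-vdom1"
                set extip 200.200.1.7
                set extintf "wan1"
                set mappedip "10.1.0.10"
            next
        end
        config firewall policy
            edit 0
                set name "in-vdom1-vip"
                set srcintf "wan1"
                set dstintf "vlink10"
                set srcaddr "all"
                set dstaddr "vip-200.200.1.7-vdom1"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set nat disable
                set logtraffic all
            next
        end
    next
    edit VDOM1
        config firewall address
            edit "host-10.1.0.10"
                set subnet 10.1.0.10 255.255.255.255
            next
        end
        config firewall policy
            edit 0
                set name "in-from-root"
                set srcintf "vlink11"
                set dstintf "vlan10"
                set srcaddr "all"
                set dstaddr "host-10.1.0.10"
                set action accept
                set schedule "always"
                set service "HTTPS"
                set logtraffic all
            next
        end
    next
end
```

Because NAT is disabled on the root policy, VDOM1 sees the real client address and must route replies back over vlink11, which the unnumbered inter-VDOM routing already provides. Keep `service` limited to what the inner host actually exposes rather than opening the whole mapped address.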
    MBR
    New Contributor III

    Thanks emnoc.

    I'm trying a configuration with a public IP on the "inner" VDOM link interface and also on a loopback interface inside the VDOM.

    Got the VPN up but I'm still checking the traffic flows, which don't seem to work properly, but this could be caused by a particular SOHO router on the other side. Will try with a FortiGate - FortiGate configuration.

    - MBR -

    NSE1, NSE2, NSE3

    FGT60D/E, FWF60D/E, FGT200D
    dsisevran
    New Contributor

    Hi!

    Have you found how to achieve an IPsec VPN directly to your VDOM?

    Regards
