Support Forum
oliverlag
New Contributor

VIP over multiple interfaces

Hi, 

I'm trying to reach this:

I have 2 IPsec VPNs to a customer. On the customer side I need to do some pre-NAT, so I have some VIPs.

Those VIPs are attached to the VPN interface. That's a problem because I can't have full redundancy, since a VIP can only be attached to one single interface (and I can't use interface any).

I asked support, and they suggested using a software/hardware switch to make a single logical interface out of the two VPNs. Unfortunately this is not possible.

I tried to work around this using loopback interfaces and GRE tunnels, but it does not work (a VIP object can't be linked to loopbacks, GRE tunnels or zones).

Does anyone have a suggestion on how to work around this (if it's possible)?

Thanks

5 REPLIES
N_Shagar
New Contributor

I have the same problem. If I set the interface to any, the local (mapped) address loses its access to the Internet, but I need to send traffic between 2 specific interfaces, and FortiGate lets me set only 1.

@oliverlag, did you succeed?

 

CHgeek

Hi oliverlag,

 

I have the exact same problem. What was your solution to it?

 

Kind regards,

CHgeek

emnoc
Esteemed Contributor III

Do you have a topology map? You could in fact make a DNAT VIP for IPsec and should be able to define the VIP as any.

 

Ken

PCNSE 

NSE 

StrongSwan  

CHgeek
New Contributor

Hi emnoc,

The setup has about 12 site-to-site VPNs and uses carrier-grade NAT addresses as the "public" IP addresses through which customers access services over the S2S VPN. Some customers need to access the same services behind it, and it would be nice to have the same "public" IP address for the same service. Either I create a VIP and attach it to the "any" interface, which would work, but then I get NATed traffic inside the datacenter whenever traffic matches the source; or I create a VIP for each S2S VPN interface, each with a different "public" IP, and NAT it to the actual server (+ more control / - each customer has its own IP to connect to the service).

 

This guy explains my problem pretty clearly: https://blog.webernetz.net/fortigate-virtual-ips-with-interface-any/

 

Cheers CHgeek

Wil_12
New Contributor

Hi,

I have a similar issue. Help me please.

We have an SD-WAN and need to connect a remote PC.

My setup is the following.

 

WAN1: wan1 (static IP)
WAN2: wan2 (dynamic)
Internal: Net

***************VIP***********
VIP: Control
Interface: any
External IP: x.x.x.120
Mapped IP: x.x.x.100
Protocol: TCP
External port: 3389
Map to port: 3389

************IPv4 Policy**********
Incoming: wan1
Outgoing: Net
Source: all
Destination: Control
Schedule: always
Service: all
NAT: disable

*********Internet IPv4 Policy********
Incoming: Net
Outgoing: wan1
Source: all
Destination: all
Schedule: always
Service: all
NAT: enable


Kind regards.
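For readers who want to reproduce Wil_12's setup from the CLI, here is the same VIP and the two policies as FortiOS configuration, followed by the per-interface alternative discussed earlier in the thread (one VIP object per interface, because a single VIP cannot be bound to two interfaces). This is an added example, not configuration posted by Wil_12, emnoc or Fortinet. The object names (RDP-to-Control, Control-wan2, Internet-out), the `portforward enable` flag (implied by the post's explicit external/mapped port) and the second, wan2-bound VIP are my assumptions; `extip 0.0.0.0` is, to my knowledge, how a VIP is told to use the interface's own (here dynamic) address; the `x.x.x.*` placeholders are kept from the post.

```fortios
# Added example: Wil_12's VIP and policies as FortiOS CLI.
# Names (RDP-to-Control, Control-wan2, Internet-out) and the second VIP
# are assumptions; x.x.x.120 / x.x.x.100 are the post's own placeholders.

config firewall vip
    # The VIP as described in the post: bound to "any", so the DNAT is
    # evaluated on every ingress interface, not only on wan1.
    edit "Control"
        set extintf "any"
        set extip x.x.x.120
        set mappedip "x.x.x.100"
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
    # Per-interface alternative (assumed) for the dynamic wan2: a separate
    # VIP object, since one VIP cannot be bound to two interfaces.
    # extip 0.0.0.0 makes the VIP use wan2's current address.
    # A matching policy with srcintf "wan2" is needed for it as well.
    edit "Control-wan2"
        set extintf "wan2"
        set extip 0.0.0.0
        set mappedip "x.x.x.100"
        set portforward enable
        set protocol tcp
        set extport 3389
        set mappedport 3389
    next
end

config firewall policy
    # Inbound RDP: destination is the VIP object, NAT off (the VIP does the DNAT).
    edit 0
        set name "RDP-to-Control"
        set srcintf "wan1"
        set dstintf "Net"
        set srcaddr "all"
        set dstaddr "Control"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Outbound Internet access for the LAN, with source NAT enabled.
    edit 0
        set name "Internet-out"
        set srcintf "Net"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To verify the inbound path, run `diagnose sniffer packet any 'host x.x.x.100 and port 3389' 4` while connecting from outside and confirm the packet appears with the mapped address on the Net interface. N_Shagar's observation above (the mapped host losing Internet access once the VIP is on interface any) is the thing to check next: open an outbound session from x.x.x.100 and inspect the translated source address in `diagnose sys session list` before assuming the Internet policy still behaves as before.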
