v20100
New Contributor III

routing wifi traffic for site to site VPN

Hi

On the FortiGates we have about 90 site-to-site VPN links. The 'source' address is one of our subnets on the LAN interface.

We also have a WiFi WLAN with 321C access points connected via a FortiSwitch connected directly to the FortiGates.

We would like to be able to connect from the Wifi onto each of the 90 VPN sites.

However, it is nearly impossible to communicate with the 90 different VPN partners to add a subnet to the encryption domain, so we cannot really modify the VPN settings for each link.

I thought of reserving one IP address on our LAN to hide the WiFi traffic behind it when trying to access the VPN sites, but the security only allows 1 outgoing interface.

We are using static routes.

Is there a way to achieve this?

Thanks in advance

ede_pfau
Esteemed Contributor III

hi,

"but the security only allows 1 outgoing interface"
- could you please explain what the problem is exactly?

You need one policy from WiFi to each VPN. In this policy, you set up a source NAT via an IP pool. I'm not aware that you cannot reuse the IP pool in the second, ..., 90th policy.

Of course, at this point you should start thinking about simplifications. If you put all tunnel interfaces into a zone, you could get away with just one policy for all. I'm not sure if you could then use an individual zone member interface in an explicit policy anymore.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
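To make the IP-pool suggestion above concrete, here is what it looks like in FortiOS CLI. This is an added example, not configuration from the original thread: the interface names ("wifi", "vpn-partnerA"), the address objects, the WiFi and partner subnets and the pool address 10.1.1.250 are assumptions and have to be replaced with the real ones.

```fortios
# Added example (not from the thread). Assumed names: "wifi" is the SSID/VLAN
# interface the 321C APs' traffic arrives on, "vpn-partnerA" is one of the 90
# IPsec tunnel interfaces, 10.1.1.250 is a free address inside the LAN subnet
# that every partner already has in its phase 2 selector.

config firewall address
    edit "wifi-subnet"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "partnerA-remote-lan"
        set subnet 172.16.10.0 255.255.255.0
    next
end

# One-address "overload" pool: all WiFi sessions are hidden behind
# 10.1.1.250 with port translation, so a single LAN address serves all
# 90 policies. Keep that address out of the LAN DHCP scope and off any
# host; it is now owned by the FortiGate's NAT table.
config firewall ippool
    edit "wifi-snat"
        set type overload
        set startip 10.1.1.250
        set endip 10.1.1.250
    next
end

# Per-tunnel policy. Source NAT via the pool keeps the packets inside the
# existing encryption domain, so the partner's phase 2 needs no change.
# Repeat this block for vpn-partnerB ... vpn-partner90, referencing the
# same "wifi-snat" pool each time.
config firewall policy
    edit 0
        set name "wifi-to-partnerA"
        set srcintf "wifi"
        set dstintf "vpn-partnerA"
        set srcaddr "wifi-subnet"
        set dstaddr "partnerA-remote-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "wifi-snat"
        set logtraffic all
    next
end
```

Two things worth checking before rolling this out to all tunnels. First, `set nat enable` without `set ippool enable` would translate to the egress interface's own address, and an unnumbered tunnel interface has none, so the pool is not optional here. Second, after a test connection from a WiFi client, `diagnose sniffer packet vpn-partnerA 'host 10.1.1.250' 4` should show the translated source entering the tunnel; if packets go out but nothing comes back, the pool address most likely falls outside what the partner accepts in phase 2.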
v20100
New Contributor III

Thanks Ede

Yes, at this stage I can only think of having 90 extra policies, which I wanted to avoid. Also, if you are right about the NAT with the same IP for each policy, we will be stuck with this too, as we do not have that many IPs available.

I am not familiar with zones, but that could be the answer. I will investigate what it is. Do you have any URL I could look at?

Thanks

support12
New Contributor III

Can you explain:

"but the security only allows 1 outgoing interface."

Create a zone and include all 90 VPN interfaces in it, then you only create one policy from WiFi to the zone.

v20100
New Contributor III

I found how to create a zone, but it only shows the physical interfaces as members, so I cannot add the 90 VPN tunnels!

ede_pfau
Esteemed Contributor III

Oops, went down that dead end before...sorry. Zones look promising but they are not thought through to the end...

Different suggestion: bridge your WiFi to the internal subnet with addresses from the same subnet, using a hardware switch with 'internal/lan' and 'your_Wifi' interfaces. Beware that using a softswitch (in case your FGT doesn't support a hardware switch) might have an impact on CPU load.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
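For completeness, the software-switch form of the bridging suggestion in FortiOS CLI. This is an added example, not configuration from the thread; "internal" and "wifi" are assumed interface names and 10.1.1.1/24 is the assumed LAN address.

```fortios
# Added example (not from the thread). Assumes the LAN currently lives on
# interface "internal" with 10.1.1.1/24 and that the SSID is terminated on
# the FortiGate itself (tunnel-mode SSID), so its virtual interface "wifi"
# exists as a member candidate.
#
# FortiOS refuses to add a member that still carries an IP address or is
# referenced by a policy, static route or DHCP server, so those have to be
# removed from "internal" first and recreated on the switch: a change
# window, not a hot edit.

config system switch-interface
    edit "lan-sw"
        set vdom "root"
        set member "internal" "wifi"
    next
end

# The bridge takes over the LAN address. WiFi clients then draw addresses
# from the same 10.1.1.0/24 that the partners already have in phase 2, so
# no NAT and no per-tunnel policy changes are needed.
config system interface
    edit "lan-sw"
        set ip 10.1.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
```

Every existing policy, route and DHCP server that pointed at "internal" must be re-pointed at "lan-sw", including the 90 LAN-to-tunnel policies. On models that have an internal hardware switch, `config system virtual-switch` builds the same bridge in hardware and avoids the CPU cost Ede warns about for the software switch.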
v20100
New Contributor III

Thanks Ede

I think the bridge suggestion might be too risky to implement and will also hit some restrictions really soon in terms of the number of available IPs.

So, it does not look like there is an easy way and we will need to bite the bullet and contact all our 90 partners to make the change to their phase 2 VPN. It will take several months, but at least it will work!

Cheers

ede_pfau
Esteemed Contributor III

I can't really follow you.

Why wouldn't you try to bridge the WiFi with the internal LAN? This would save you from NATting, enable WiFi traffic across all existing tunnels and wouldn't even need one more policy.

You can easily define your internal LAN to hold 512, 1k,... addresses, even without changing anything on the LAN - just change the network mask from /24 to /23, /22...

Compare this effort to "nearly impossible" like you've posted.

If you don't want to go down that road I've got another working idea to solve this.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
v20100
New Contributor III

Hi Ede

If I increase the LAN subnet, I also need to ask all the 90 partners to change the subnet for phase 2, so in practice it is the same as adding a separate LAN.

I am keen to hear about your other idea!

Cheers

ede_pfau
Esteemed Contributor III

The other idea is to virtualize another FGT on your hardware, a VDOM. It would only have one physical port to the AP and one internal virtual port to the root VDOM. This VDOM would only exist for NATting the traffic to an internal LAN address.

What do you think?

Ede

"Kernel panic: Aiee, killing interrupt handler!"