FortiGates and VRF with VPN

Author
papa
New Member
2020/01/15 02:58:07 (permalink)

I am currently in the process of evaluating FortiGate firewalls to be deployed at customer locations. The plan is to use an IPsec tunnel between the FortiGate and a VPN gateway (Cisco or FortiGate) located in the data center. The plan is to share the same VPN gateway (pair, to be precise) for multiple customers. On the Cisco platform I am used to using VRFs, which allow the data traffic from customers to be separated. One of the options I will be considering is the "VRF Aware IPsec" feature available on Cisco routers. Is something similar possible with the FortiGate firewalls?

Should add that I don't want to use VDOMs, as the plan is to keep the tunnel endpoint IP address the same for all the FortiGate firewalls that are deployed.

Thanks
#1


    Toshi Esumi
    Expert Member
    Re: FortiGates and VRF with VPN 2020/01/15 08:43:31 (permalink)
    We use VDOMs for that purpose. If you don't, your customers share the same routing domain at the termination point of the VPN, which defeats the purpose of having a separate MPLS (VRF) network per customer on the Cisco side.
    #2
    neonbit
    Expert Member
    Re: FortiGates and VRF with VPN 2020/01/15 13:42:17 (permalink)
    I believe VRF support is being added in FortiOS 6.4.
    #3
    Toshi Esumi
    Expert Member
    Re: FortiGates and VRF with VPN 2020/01/15 14:42:43 (permalink)
    I heard that rumor. But I didn't know it was on their road-map now. It would be more than a year out, I guess, even if that's true.
    #4
    emnoc
    Expert Member
    Re: FortiGates and VRF with VPN 2020/01/15 14:51:45 (permalink)
    VRF support in a VDOM is already here, IIRC.
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #5
    Toshi Esumi
    Expert Member
    Re: FortiGates and VRF with VPN 2020/01/15 15:02:43 (permalink)
    I don't think the current implementation is fully compatible with other vendors', like Cisco, Juniper, etc. The available VRF numbers are merely 0 - 31.
    #6
    papa
    New Member
    Re: FortiGates and VRF with VPN 2020/01/17 01:23:20 (permalink)
    The purpose is to not use VDOMs for each VPN. We want to have the same public IP for all VPNs and then separate the traffic with a VRF for each customer. I don't know if it's possible to do.
    VRF support in VDOM was added in FortiOS 6.2.3. I'm trying to build a comp for testing it.
    #7
    emnoc
    Expert Member
    Re: FortiGates and VRF with VPN 2020/01/17 07:40:43 (permalink)
    The only downside to this would be the limit of 32 total VRFs. So that would equal 32 max clients, if you can get it working. Also, this was discussed last month about VRF and VRF support:
     
    https://forum.fortinet.com/tm.aspx?m=181441

    I played with it, but not with tunnels. I would not see any reason why it would not work, FWIW. So VDOMs would be cost-prohibitive in that you have hard-set limits for the appliance and then license add-on cost $$$$; VRF could be stretched up to 32 and then you deal with it by adding more FortiGates and more IPs and go at it.
     
    The other issue, which is more pressing (IMHO), is how much IPsec traffic and the performance degradation for up to 32 IPsec tunnels (i.e., are you using a mid-range or entry-level FortiGate, what's the total IPsec traffic in bps that is expected, etc.).
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #8