Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
papa
New Contributor

FortiGates and VRF with VPN

I am currently in the process of evaluating FortiGate firewall to be deployed at customer locations. The plan is to use IPSec tunnel between the FortiGate and a VPN gateway (Cisco or FortiGate) located in the data center. The plan is to share the same VPN gateway (pair to be precise) for multiple customers. On the Cisco platform I am used to using VRFs which allow the data traffic from customers to be separated. One of the options I will be considering is " VRF Aware IPSec" feature available on Cisco routers. Is something similar possible with the FortiGate firewalls? Should add that I don' t want to use VDOMs as the plan is to keep the tunnel end point IP address the same for all the FortiGate firewalls that are deployed. Thanks

8 REPLIES 8
Toshi_Esumi
Esteemed Contributor III

We use vdoms for that purpose. If don't, your customers share the same routing domain at the termination point of VPN, which defeats the purpose of having separate MPLS(VRF) network per customer on Cisco side.

neonbit
Valued Contributor

I believe VRF support is being added in FortiOS 6.4.

Toshi_Esumi
Esteemed Contributor III

I heard that rumor. But I didn't know it's in their road-map now. It would be more than a year out, I guess, even if that's true.

 

 

emnoc
Esteemed Contributor III

VRF support in a vdom  is already here iirc

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Toshi_Esumi
Esteemed Contributor III

I don't think the currently implementation is fully compatible with other vendor's, like Cisco, Juniper, etc. The available number of vrf is merely 0 - 31.

papa
New Contributor

The purpose is to Don't use vdoms for each VPN .We want to have the same public IP for all VPN and after separate the traffic with vrf for each customers . I dont now if it's possible to do .

VRf support in vdom is added in fortiOS 6.2.3. i'm trying to build a comp for testing it .

emnoc
Esteemed Contributor III

The only downside to this would be the 32 limits for total VRFs. So that would equal to 32 max clients if you can get it working.  Also this was discuss last month about VRF and VRF support

 

https://forum.fortinet.com/tm.aspx?m=181441

I played with it , but not with tunnels. I would not see any reason why it would not work, fwiw. So vdom would be cost prohibit in that you have hard set limits for the appliance and then license addon cost $$$$, VRF could be stroke upto 32 and then you deal with it as you by adding more fortigate and more IPs and go at it.

 

The other issues which is more pressing ( imho ) , how much ipsec traffic and a performance degradation for up to 32x ipsec-tunnels.  ( i.e are you using a mid-range or entry level fortigate, what's the total IPSEC traffic in bps that is expected, etc.…..)

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
dudarra
New Contributor

Hi Guys, 

 

we have some old Cisco Nexus 5K and it would be funny to replace them with the FortiCluster

 

But is out there any kind of documentation for the VRF use? My aim would be to have the Firewall as a CustomerEdge device!

 

Cherrio Raffa

thanks in advanced Rafael

thanks in advanced Rafael
Labels
Top Kudoed Authors