btendolle
New Contributor

Site2Site (IPSEC) into VDOM.

Currently I'm trying to make a site2site VPN into a VDOM. I noticed that if I send it over the inter-VDOM link with VIP and NAT activated, then of course the inter-VDOM interface is noticed as the peer.

The root VDOM exposes to the internet using multiple IPv4 /24 subnets with several ports.

There is not much information about how to set up the Site2Site VPN into a VDOM. I hope that you guys can help me out with that.

Toshi_Esumi
Esteemed Contributor III

It's not about the VDOM environment; it's about whether the termination point is reachable from the internet or is behind NAT. It's exactly the same situation as when you have an upstream router which provides NAT, and your FGT without VDOMs sits behind it, interconnected with a private subnet like 192.168.1.0/24.

Enable NAT-T on both ends; then, if both sides have static IPs, it should come up when the local VDOM end tries to establish the tunnel with the other end through the root VDOM.

btendolle

But do I need to do something with the source port? Because I read that you should enable outside NAT with port 500.

Toshi_Esumi
Esteemed Contributor III

Are you blocking something at the root VDOM that prevents this VPN termination VDOM's vdom-link IP from going out? If there are some restrictions/filtering for outgoing traffic at root, I recommend just creating a new policy at root to allow everything from this IP toward the internet. If you want/need to limit anything from this VDOM toward the internet, you can/should do that at the VDOM, not at root.

Think about the situation where you put a FortiGate behind a cable/DSL router at home, which can't disable NAT because that's the only place where the public IP assigned by the ISP lives. IPsec tunnels from the FGT behind it still work without changing any config on the router, because it's not restricting anything special for outgoing traffic. NAT-T would help for that situation. I think your multi-VDOM situation is exactly the same.

If you're VIPing from the root VDOM, you should forward UDP 500/4500. But you didn't mention it.
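As an added example (not from this thread, and not Fortinet's own documentation), a minimal FortiOS CLI layout of what the replies describe: the root VDOM VIPs UDP 500 and 4500 to the VPN VDOM's side of the inter-VDOM link and lets that link IP out with source NAT, and the VPN VDOM's phase1 enables NAT traversal. All names and addresses are placeholders I assumed: public IP 203.0.113.10 on root's wan1, vdom-link interfaces vlink0 (root) and vlink1 (VDOM "vpnvd", 10.255.0.2), and remote peer 198.51.100.20.

```fortios
# Assumed placeholders: root holds wan1 (203.0.113.10) and vlink0; the phase1 at the end is entered in VDOM "vpnvd" (vlink1 = 10.255.0.2).
config firewall vip
    edit "vip-ike-500"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 500
        set mappedip "10.255.0.2"
        set mappedport 500
    next
    edit "vip-natt-4500"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol udp
        set extport 4500
        set mappedip "10.255.0.2"
        set mappedport 4500
    next
end
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "vlink0"
        set srcaddr "all"
        set dstaddr "vip-ike-500" "vip-natt-4500"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "vlink0"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config vpn ipsec phase1-interface
    edit "s2s-branch"
        set interface "vlink1"
        set remote-gw 198.51.100.20
        set nattraversal enable
        set psksecret <PLACEHOLDER-PSK>
    next
end
```

The first policy only admits the two forwarded UDP ports (the port-forward VIPs restrict the match), while the second lets the VDOM initiate; its source NAT may rewrite the IKE source port, which is exactly the case NAT-T (UDP 4500 encapsulation) exists to handle, so no manual source-port setting is needed. Strip the `#` annotation line before pasting into the CLI.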
