Multiple ISP + BGP + VPN question

Author
RVTim
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/11/19 08:29:29
  • Status: offline
2020/11/19 08:43:57 (permalink)
0

Multiple ISP + BGP + VPN question

I've got a tough question with multiple parts that has me stumped right now.  Here are the requirements or info points.
 
1)   2 (or more ISPs)  Each providing a /29, on 2 or more interfaces.
2)   We own our own /24 block.  That needs to be advertised with BGP and available publicly.
3)   I want VPN tunnels to terminate on our IPv4 IPs...that way IPSec Tunnels are ISP independent.
4)   I want the remaining IPv4 Addresses useable by other hosts...preferrably on a VLAN interface that holds the public IP Space.
 
I'm really stuck on each part.  I've got a VPN established on one ISP block of IPs.
I've got BGP advertising but currently I have a VLAN created with our /24 and it is being advertised.
I can't seem to find how to use one of my publics, say X.X.X.10 for my IP address on the Fortigate for IPSec to terminate on.
 
I did find a post today on a fortiguru site titled "Public IP Pass-through (DMZ Transparent Mode)" that seems to address much of what I'm looking for but no details on how to configure it.  And, it doesn't address VPN question. 

Anyone able to lend some advice?

Not Logged in






chrome
#1

3 Replies Related Threads

    boneyard
    Gold Member
    • Total Posts : 364
    • Scores: 16
    • Reward points: 0
    • Joined: 2014/07/30 11:15:18
    • Status: offline
    Re: Multiple ISP + BGP + VPN question 2020/11/19 09:41:47 (permalink)
    0
    you create a secondary IP address on the /24 vlan interface and use that in your VPN configuration.
     
    this is the general idea: https://kb.fortinet.com/kb/documentLink.do?externalID=FD32009
     
    #2
    lobstercreed
    Platinum Member
    • Total Posts : 345
    • Scores: 43
    • Reward points: 0
    • Joined: 2018/11/28 14:57:58
    • Location: Sedalia, MO
    • Status: offline
    Re: Multiple ISP + BGP + VPN question 2020/11/19 10:56:54 (permalink)
    0
    I'm actually dealing with a somewhat similar thing.  My own /24 doesn't exist on an interface though (all used for VIPs).  I have a loopback interface that one of my VIPs NATs to and I terminate my IPSEC tunnels on this loopback. 
     
    I'm just now beginning to implement this (still not full production) but it seems to be working.  I'd be happy to discuss more over PM or demo over a brief Zoom if it would be helpful.
    #3
    RVTim
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/11/19 08:29:29
    • Status: offline
    Re: Multiple ISP + BGP + VPN question 2020/11/19 22:49:31 (permalink)
    0
    Thanks for your answers.  The approach in that linked article was one I tried a couple days ago without success, but, since I wrote my request for help, I got what I needed.  Yesterday I had called support and we couldn't figure it out but the forti engineer I got took it as a project and set it up in the lab.  He came up with a working solution.
     
    Let me explain where things went wrong.  When I did it just per the article, I moved my VPN that terminated on the ISP's assigned IP address, to the secondary on the VLAN interface I created.  I was able to bring up a tunnel, and pass traffic into the network.  The replies also tried to send back, but it failed as the packets went into the tunnel and I wasn't able to get any packets going back across the tunnel.  It said there was no route to the other end, which is bogus, because it had the tunnel built and it should have known where to go.  So what we did as the fix was this:
     
    We enabled overlapping subnets.  That way I could have the /24 on the VLAN interface, but create a loopback with a /32 mask on x.x.x.2   Then I could terminate the VPN on that IP.  Once that was done, the traffic routed fine and everything worked.   Now I just have to verify that I can still use my /24 block for NAT of internal hosts for internet access as well.  If so, it should work out just fine.
     
    Thanks again for your tips.  After 18 years of banging away at Cisco equipment of all types, the COVID situation forced me into a job change and I've found myself having to pick up something totally new. Definitely a little gear grinding as I try to shift into higher gears.
    #4
    Jump to:
    © 2020 APG vNext Commercial Version 5.5