Support Forum
garvati
New Contributor

VPN on multiple WAN IP

Hello,

I have a WAN network with multiple IPs (a subnet).

The WAN IP is x.x.x.228, but .229 - .232 are available.

I have already used a different WAN IP with a VIP to map a service on a specific public address to an internal address without problem.

Now I have set up a site2site IPsec tunnel and I can't use x.x.x.228 as the public IP.

I want my tunnel to use x.x.x.229 instead of x.x.x.228 as the incoming and outgoing IP.

I tried to use an IP pool (1-to-1 to x.x.x.229) and NAT on the outgoing VPN policy (local VPN address -> VPN interface) without success.

Which is the best way to manage this situation?

Do I need to set something on the incoming policy (VPN interface -> local VPN address)?

Thank you

Giuseppe


1 Solution
Graeme_NZ

A couple of options that I can see ...

If you can set a "Secondary IP Address" on your x.x.x.228 WAN interface to be x.x.x.229, then you can select that "Secondary IP" as your "Local Gateway" address.

Alternatively, if you can't set x.x.x.229 as a secondary IP address, then you might be able to "Specify" x.x.x.229 as your local gateway address of your VPN.

 

I've not tried this myself (yet), so I can't be sure at this point in time that the second option will work ... or there may be additional config steps.  Try asking Fortinet support - I've found them to be pretty responsive and helpful over the years that I've been dealing with them.
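The secondary-IP option above written out as FortiOS CLI. This is an added illustration, not configuration from the original post or from Fortinet; it assumes the WAN interface is named wan1, the public block is a /28 (mask 255.255.255.240, matching the 14 addresses .225-.238 mentioned in this thread) and the tunnel is named site2site. x.x.x and the angle-bracket values are placeholders.

```fortios
# Added example, not from the original post. Assumes interface "wan1",
# a /28 public block (255.255.255.240) and a phase1 named "site2site".

# 1. Add x.x.x.229 as a secondary address on the existing WAN interface.
#    IKE/ESP to this address is handled by the FortiGate itself (local-in),
#    so no forwarding policy is needed for it. Keep allowaccess minimal:
#    ping only for reachability tests, no HTTPS/SSH admin on a public IP.
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip x.x.x.229 255.255.255.240
                set allowaccess ping
            next
        end
    next
end

# 2. Pin the tunnel's local gateway to the secondary address so IKE and
#    ESP are sourced from x.x.x.229 instead of the primary .228.
#    "set local-gw" is the CLI form of the GUI "Local Gateway" setting.
config vpn ipsec phase1-interface
    edit "site2site"
        set interface "wan1"
        set ike-version 2
        set local-gw x.x.x.229
        set remote-gw <PEER_PUBLIC_IP>
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PRE_SHARED_KEY>
    next
end
```

After the tunnel comes up, `diagnose vpn ike gateway list` should report x.x.x.229 as the local gateway address; if it still shows .228, the local-gw setting did not take effect.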

 

marchand
New Contributor III

A solution would be to use a VDOM.

garvati

Thank you marchand for your help.

I have never used VDOMs. I need to study and run some tests.

Thank you again


emnoc
Esteemed Contributor III

Is this a site2site VPN terminated on the FortiGate? If yes, just use the address assigned to the WAN interface.

And no, I have to disagree: a VDOM is not required here nor beneficial; it would make your configuration more complex and solve nothing with your public-address allocation.

If you need more public space, you need to have the SP route you more addresses.


Ken Felix

PCNSE NSE StrongSwan

garvati
New Contributor

Thank you emnoc,

yes, it's a site2site VPN terminated on the FortiGate.

>If yes just use the address assigned to the wan interface

but the IP address of the WAN interface is x.x.x.228 and I want to use a different IP, x.x.x.229.

>If you need more public space you need to have the SP route you more addresses

I already have 14 IPs assigned by the SP, x.x.x.225 to x.x.x.238.

My question was about how to create a VPN tunnel that goes out through an IP, in the pool of addresses the SP assigned to me, different from the one set on the WAN interface.

Sorry, but I'm not able to explain well in English. I hope I have been clearer.

Thank you

emnoc
Esteemed Contributor III

"Why?" is my 1st question. The local WAN interface is ideal and serves that purpose.

What you could do if you need to source the VPN from a different address:

set a loopback interface and assign it a /32

set the VPN to terminate on that loopback

you will need src/dst rules to allow IKE/ESP/IKE-NAT etc.


config vpn ipsec phase1-interface
    edit "ubun"
        set interface "loop-strongswan"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256-sha1
        set dhgrp 5
        set remote-gw 192.168.1.115
        set psksecret ENC wtRFBB3TsiWgHrBsv6vxbd5rLALgU0xpcHZVtawR7fCR5xFI5yexJhn+ZKwikAYt7DGmi2q1Li4X8TCfcEs2/By6TYGsrvr5QXd7NwYdOVNoy4Ow9+bZTsOEEijJYwM2bVQByxVxu5dGGnthLRZPIE1YPFWpHWcwie6QFakVVrObY/IiLGs6PrcEo++oJyxEbovI4w==
    next
end

config firewall policy
    edit 8
        set name "vpnstrngswan-in"
        set uuid ea93ca2e-8287-51eb-067b-2e67980578f1
        set srcintf "internal"
        set dstintf "loop-strongswan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
    next
end

config firewall policy
    edit 7
        set name "vpnstrngswan-out"
        set uuid b4f30d8a-8287-51eb-ddd4-e2f75cacfece
        set srcintf "loop-strongswan"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
    next
end

 

But I question why you need a different address to begin with, especially when you have limited addresses to start with?

 

Ken

PCNSE NSE StrongSwan

garvati
New Contributor

The IT guys at the other site asked me for a different IP; I do not know exactly why.

I understand that they sometimes have a person at our site who uses a client VPN that goes out from the same public IP as the site2site VPN I am trying to configure, and this leads to problems.

I'm trying to understand your solution, not so easy for my skills.

However, thanks a lot Ken

Giuseppe
