FortiWAN Planning your VPN

Leave a reply

Define routing policies for an IPSec VPN

FortiWAN’s intelligent routing function (Auto Routing and Tunnel Routing) transferred all packets, including packets of IPSec, outward over multiple WAN links. Although an IPSec configuration specifies the IP addresses of the WAN ports (Phase 1: Local IP and Remote IP) used to establish the IPSec VPN and the IP addresses that Quick Mode selectors evaluate for, it does not imply the correspondent routing for the IPSec packets. You are required to have extra rules of Auto Routing or Tunnel Routing setting manually to fixedly route the IPSec packets to correct WAN port.

The IPSec packets we are talking about consist of the packets of 2 phases IKE negotiations (called “IKE packets” here) and the packets of IPSec VPN communications (called “ESP packets” here). An IKE packet comes from the local FortiWAN unit and its source IP address is just the configured Local IP (a WAN port); an ESP packet comes from a private network behind the local FortiWAN and its source IP address is a private IP address. The followings describe the procedures defining related policies for “IPSec Tunnel mode” and “Tunnel Routing over IPSec Transport mode”.

Define Auto Routing and NAT policies for an IPSec Tunnel-mode VPN

For IPSec Tunnel Mode, you need to make sure connections of both IKE and ESP packets are fixedly routed by Auto Routing to the WAN port that is configured as the Local IP of the IPSec VPN tunnel.

Example topology for the following policies

For this example topology, we need to have configurations of Network Setting, Auto Routing, NAT and IPSec as follows:

Network Setting

Network Settings on the both sides:

WAN settings Go to System > Network Setting > WAN Setting
WAN Setting Local endpoint (Site A) Remote endpoint (Site B)
WAN Link 1 1
WAN Type Routing Mode Routing Mode
WAN Port Port1 Port1
IPv4 Localhost IP 10.10.10.10 20.20.20.20
IPv4 Netmask 255.255.255.0 255.255.255.0
IPv4 Default Gateway 10.10.10.254 20.20.20.254

For the details of WAN link setting, see “Configurations for a WAN link in Routing Mode”, “Configurations for a WAN link in Bridge Mode: One Static IP” and “Configurations for a WAN link in Bridge Mode: Multiple Static IP”.

LAN private subnets Go to System > Network Setting > LAN Private Subnet
LAN Private Subnet Local endpoint (Site A) Remote endpoint (Site B)
IP(s) on Localhost 192.168.10.254 192.168.100.254
Netmask 255.255.255.0 255.255.255.0
LAN Port Port3 Port3

For the details of LAN private subnet setting, see “LAN Private Subnet”.

Pages: 1 2 3 4 5 6 7
This entry was posted in Administration Guides, FortiWAN on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.