Created on 05-15-2009 02:00 PM Edited on 06-02-2022 09:12 AM
Description
The requirement is to forward multicast traffic across a route-based IPsec tunnel.
Because the tunnel is a dialup tunnel, on the dialup client the source quick mode selector cannot be 0.0.0.0/0, and the quick mode selector does not accept a multicast address (for example 224.0.0.0/4 or 224.0.1.59/32). Multicast traffic therefore cannot pass over the tunnel, because the tunnel proxy ID does not cover the multicast address.
A common example of where this is needed is a VoIP network.
How can multicast packets be forwarded over a site-to-site VPN? Assume a site-to-site VPN tunnel has been set up in interface mode. Ping traverses the tunnel without problems; however, functions that depend on multicast, such as VoIP phones, do not work correctly.
Scope
Affected products/releases: All
Solution
Workaround
config vpn ipsec phase2-interface
    edit "Rob_Home_P2"
        set dst-addr-type name
        set src-addr-type name
        set dst-name "Rob-Home"
        set src-name "all"
end
config vpn ipsec phase2-interface
    edit "Rob_Home_P2"
        set dst-addr-type name
        set phase1name "Rob_Home"
        set proposal 3des-sha1 3des-md5
        set src-addr-type name
        set dst-name "Rob-Home"
        set src-name "all"
    next
end
config vpn ipsec phase2-interface
    edit "7LS-HQ-P2"
        set dst-addr-type name
        set src-addr-type name
        set dst-name "all"
        set src-name "Rob-Home"
end
config vpn ipsec phase2-interface
    edit "7LS-HQ-P2"
        set dst-addr-type name
        set keepalive enable
        set phase1name "7LS-HQ"
        set proposal 3des-sha1 3des-md5
        set src-addr-type name
        set dst-name "all"
        set src-name "Rob-Home"
    next
end
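To see why the named selectors above work where ordinary subnet-to-subnet selectors fail, the following added script (not from the article or from Fortinet) models each phase2 entry as a (src-name, dst-name) pair and checks whether a given flow falls inside it. The prefixes behind "Rob-Home" and the hypothetical "HQ-LAN" object are assumed; the page only gives the object names.

```python
import ipaddress

# Constructed address objects: the article names "all" and "Rob-Home" but
# gives no prefixes, so "Rob-Home" and "HQ-LAN" are assumed values.
ADDRESS_OBJECTS = {
    "all": "0.0.0.0/0",
    "Rob-Home": "192.168.2.0/24",  # assumed
    "HQ-LAN": "10.10.0.0/16",      # assumed, typical subnet-only selector
}

MULTICAST = ipaddress.ip_network("224.0.0.0/4")


def _net(name):
    return ipaddress.ip_network(ADDRESS_OBJECTS[name], strict=False)


def is_multicast(ip):
    return ipaddress.ip_address(ip) in MULTICAST


def covering_phase2(phase2_table, local_ip, remote_ip):
    """Names of phase2 entries whose (src-name, dst-name) selector pair covers
    a flow whose local-side address is local_ip and remote-side address is
    remote_ip. src-name is the local side, dst-name the remote side."""
    local, remote = ipaddress.ip_address(local_ip), ipaddress.ip_address(remote_ip)
    return [name for name, (src_name, dst_name) in phase2_table.items()
            if local in _net(src_name) and remote in _net(dst_name)]


def outbound_covered(phase2_table, src_ip, dst_ip):
    """Outbound packet: source is local, destination is remote."""
    return covering_phase2(phase2_table, src_ip, dst_ip)


def inbound_covered(phase2_table, src_ip, dst_ip):
    """Inbound packet: destination is local, source is remote, so the pair
    is evaluated the other way round."""
    return covering_phase2(phase2_table, dst_ip, src_ip)


# Selector pairs as configured in the article, one table per tunnel end.
ROB_HOME_SIDE = {"7LS-HQ-P2": ("Rob-Home", "all")}
HQ_SIDE = {"Rob_Home_P2": ("all", "Rob-Home")}
# A conventional subnet-to-subnet phase2 for comparison (hypothetical name).
SUBNET_ONLY = {"subnet-P2": ("Rob-Home", "HQ-LAN")}
```

A VoIP phone at 192.168.2.10 sending to group 224.0.1.59 is covered on both ends with the named selectors, while the subnet-only pair covers the unicast ping but not the multicast flow.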