FortiGate
Article Id 198563

Description
The requirement is to forward multicast traffic across a route-based IPsec tunnel.

Because the tunnel is a dialup tunnel, the source quick mode selector on the dialup client cannot be 0.0.0.0/0, and the quick mode selector does not accept a multicast address (for example 224.0.0.0/4 or 224.0.1.59/32). Multicast traffic therefore cannot pass over the tunnel, because the tunnel proxy ID does not cover the multicast address.

A common case where this is needed is a VoIP network.

How to get multicast packets to forward over a site-to-site VPN? Assume a site-to-site VPN tunnel has been set up in interface mode. Ping traverses the tunnel without problems, but multicast functions (for example VoIP phones) do not work correctly.


Scope
Affected products/releases: All
Solution

The description of this solution involves a specific example.

Topology

192.168.99.0/24----FGTclient----Internet----FGTserver----192.168.7.0/24


There are two options to correct this issue; either one will work:

1. Instead of using a dialup tunnel, use a DDNS tunnel so that both sites can use 0.0.0.0/0 as the source and destination quick mode selector in phase 2.

2. Configure a firewall address for the multicast range 224.0.0.0/4, create a firewall address group that includes it, and modify phase 2 to use the firewall address or address group name as the quick mode selector.

Workaround


1. Create a firewall address definition for multicast (224.0.0.0/4) on both FortiGates.

2. Create a firewall address group Rob-Home that includes both Rob-Lan (192.168.99.0/24) and the multicast address as members.

3. On the HQ site, modify the phase 2 from the CLI:
config vpn ipsec phase2-interface
edit "Rob_Home_P2"
set dst-addr-type name
set src-addr-type name
set dst-name "Rob-Home"
set src-name "all"
next
end

The phase 2 now looks like this:

7LS-FORTIGATE # sh vpn ipsec phase2-i Rob_Home_P2
config vpn ipsec phase2-interface
edit "Rob_Home_P2"
set dst-addr-type name
set phase1name "Rob_Home"
set proposal 3des-sha1 3des-md5
set src-addr-type name
set dst-name "Rob-Home"
set src-name "all"
next
end
4. On the Rob (remote) site, modify the phase 2 from the CLI:
config vpn ipsec phase2-interface
edit "7LS-HQ-P2"
set dst-addr-type name
set src-addr-type name
set dst-name "all"
set src-name "Rob-Home"
next
end


The phase 2 now looks like this:
FWF60B3908627180 # sh vpn ipsec phase2-i 7LS-HQ-P2
config vpn ipsec phase2-interface
edit "7LS-HQ-P2"
set dst-addr-type name
set keepalive enable
set phase1name "7LS-HQ"
set proposal 3des-sha1 3des-md5
set src-addr-type name
set dst-name "all"
set src-name "Rob-Home"
next
end
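The address objects from workaround steps 1 and 2, written out as FortiOS CLI. This is an added example, not configuration taken from the article: the object name "Multicast-224" is assumed (the article does not name it), "Rob-Lan" is assumed to be the 192.168.99.0/24 LAN from the topology, and the same objects must exist on both FortiGates because both phase 2 selectors reference "Rob-Home".

```fortios
# Step 1: firewall address for the whole IPv4 multicast range 224.0.0.0/4
# (mask 240.0.0.0 is the dotted form of /4)
config firewall address
    edit "Multicast-224"
        set subnet 224.0.0.0 240.0.0.0
    next
    edit "Rob-Lan"
        set subnet 192.168.99.0 255.255.255.0
    next
end

# Step 2: address group that becomes the phase 2 quick mode selector,
# so the proxy ID covers both the remote LAN and the multicast range
config firewall addrgrp
    edit "Rob-Home"
        set member "Rob-Lan" "Multicast-224"
    next
end
```

Confirm the group exists on each FortiGate with `show firewall addrgrp Rob-Home` before editing the phase 2, and after the tunnel comes up check `diagnose vpn tunnel list` to verify the negotiated proxy ID now includes 224.0.0.0/4.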
Related Articles

Gateway-to-gateway IPSec VPN example

How do I configure an IPSec VPN?
