4 Redundant IPSEC Tunnels to 2 remote 3rd party firewall locations

ccastello

I need to create site to site tunnels to a cloud provider from a TZ670 Firmware 7.0.1-5145, they are using Fortinet firewalls on their side. I have two WAN interfaces and LAN and SSLVPN address ranges that need to connect over the tunnel. They have a primary site and a DR site. They have assigned different remote networks for my LAN and SSLVPN networks and each needs to translate to a specific network on their side. I need to do the NAT on the TZ670. The topology diagram they provided me shows that they want me to create 4 redundant tunnels (1 for each of my WANs to each remote location) with both my local networks running over each tunnel. Behind each of their remote gateways are two IP ranges that they tell me i should use as the remote destinations. First i cannot find a way to translate two local networks to separate remote networks on the same Site to Site Policy. Second when i try to create 2 tunnels to the same remote location specifying different local WAN interfaces and setting the NAT i cannot create the second tunnel because of subnet overlaps. I did open a ticket with SW and was told i can't do it this way, i need to specify their gateways as Primary and Secondary, and have one tunnel for my LAN and one for my SSLVPN. I am just wondering if anyone knows of a way to create the 4 tunnels my provide is requesting. Thank you.

This is what their engineer sent me:

For each of your circuits, there should be a tunnel constructed to each of our operating instance in New York (COLO 5) and Virginia (COLO 4). Both LAN and SSL VPN subnets should be translated into a respective 200.X.X.X subnet before being routed together to our PVC subnets (189.x.x.x / 191.x.x.x) for each respective tunnel. By the end, you should have 4 redundant tunnels erected. Please disregard the Peer IKE IDs, because there was not a value designated for either local or remote IKE IDs.

 Regarding VAI’s PVC subnets (189.x.x.x / 191.x.x.x), relative to you, they would be your remote destination IP’s. These subnets should be included in the tunnel configuration

preston

Hi @ccastello , you could use route based VPN(Tunnel Interface) but that depends if the Fortinet is running that , and then 2 NAT policies to NAT the subnets one for each if needed, are they just wanting you to show as coming from a specific internal IP/ network(NAT) instead of your real subnet?

just take in to account that if Natting whole Subnet the real network and the Natted network subnet masks need to match i.e. /24 Real & /24 NAT unless just Natting as to appear as coming from one IP.

https://www.sonicwall.com/support/knowledge-base/how-can-i-configure-a-tunnel-interface-vpn-static-route-based-vpn/170505633799556/

Also make sure you are on the latest firmware (7.0.1-5145-R5175) otherwise you will get an error when adding the redundant policy

preston

Hi @ccastello , once you have created the VPN policy the Interface will appear in the drop down in the routing rule

ccastello

Ok thank you

ccastello

Hi Preston,

Thank you, i will check with them about the tunnel vs Site to Site and give this a try, I do know my masks are different from their masks but will see if they can change.

ccastello

Hi Preston, I have a question. I don't get the Network Tab when creating a Tunnel Interface, How do I define the Remote Destinations? Would I create a Routing Rule for (189.x.x.x / 191.x.x.x) in addition to the NAT policies? I am at the current firmware level, still waiting on the provider to get back me about supporting this configuration. Thank you. Chris