Fortigate 90D - HD2 and FusionHub keep blocking ports with site to site VPN

Hello,

Hoping to get some tips or advice. We currently have cable internet with Comcast with 1 static IP that connects to our head office which has Verizon fibre using our Fortigate 90D firewall which does a full tunnel VPN using preshared key. The head office authenticates also against the Comcast static IP address. This is a standard IPSec VPN.

We decided to remove the Comcast as it’s insanely slow and purchased an HD2 device with 2 AT&T SIM cards both with Static IP and then deployed FusionHub on Azure to do bonding because we need all outbound traffic to come from a dedicated IP address for the VPN. I set all traffic on the HD2 to go through the FusionHub VPN, and when doing online checks for my IP it shows my IP as the FusionHub IP address. I also updated the head end to FusionHub’s IP address instead of Comcast’s.

The VPN will not connect though, and our head office device is saying it’s because the ports aren’t open. I then went into FusionHub and tried Port Forwarding, making 2 rules, one for all TCP ports and 1 for all UDP ports, and set them to forward to the IP address of the Fortigate 90D connected to the HD2. The HD2 is 192.168.200.1, and the Fortigate is 192.168.200.10, so I set it to forward all ports to 192.168.200.10.

This still doesn’t work; the Fortigate VPN will not connect, with the head office saying ports are closed. I have an FTP server running on port 21 connected to the Fortigate 90D which is 192.168.200.12 and port forwards in the Fortigate, as well as another server at 192.168.200.13 on port 90. If I connect via FTP to FusionHub’s public IP address it connects fine as expected, same with port 90 for the other server, which leads me to believe that I’m forwarding ports properly, as I can access servers connected directly to the Fortigate 90D, just not VPN through.

We also have Client VPN on the Fortigate 90D, but if I try to connect from a laptop remotely to FusionHub’s public IP address it’s the same issue, it never connects and says check that the ports are open. Been trying to make this work for a few days unsuccessfully so I feel like I’m doing something wrong.

Do I need to do something extra on the HD2 or FusionHub to make our VPN actually work like this?

This is an interesting problem since SpeedFusion uses UDP 4500 for PepVPN/SpeedFusion and your Fortigate will also be trying to use 4500 UDP (and 500 UDP). Instead of finding the Fortigate located at your HD2 site on the public IP of the FusionHub (on 4500) it will instead find the FusionHub.

On physical Peplink devices we can enable IPSEC service passthrough. That option is not available on the FusionHub. Instead the FusionHub is designed to be an IPSEC handoff point. So you could have an IPSEC tunnel between your FusionHub and the head office Fortigate which would give you an L3 tunnel back to the LAN side of the HD2 which would be connected to the FusionHub via SpeedFusion.

[HD2] → {SpeedFusion} → FusionHub → {IPSEC} → [Head Office Fortigate]

Let’s see if the Peplink team can suggest a way to make IPSEC service passthrough work on the FusionHub… but I’m not aware of a way to do that.

1 Like

Thank you Martin, I was wondering if that might be what it was also. Connecting the FusionHub to the head office Fortigate wouldn’t be allowed with corporate policy, same with changing the ports used on the Fortigate. I’m going to assume that FusionHub’s ports cannot be changed also, but what we may just need to do is use 1 SIM only since it has a Static IP and skip the bonding. I really appreciate your help!

The only other thing worth trying is changing the data port in use for SpeedFusion on the Fusionhub from 4500 to something else. That might solve this…

1 Like
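To make the port collision Martin describes in his two replies concrete, here is a small added model (not Peplink's code and not from this thread) of how inbound packets on the hub's public IP get dispatched: a service the FusionHub itself listens on is assumed to win over a port-forward rule for the same port and protocol. The hub listener set, the 32015 alternative data port and the 203.0.113.10 address are constructed assumptions for the example; if the hub also runs its own IPsec service, UDP 500 would be captured the same way.

```python
from dataclasses import dataclass

# Constructed values for the example (documentation range, not a real hub).
HUB_PUBLIC_IP = "203.0.113.10"
FORTIGATE_LAN_IP = "192.168.200.10"   # Fortigate 90D behind the HD2, as in the post


@dataclass(frozen=True)
class ForwardRule:
    proto: str      # "tcp" or "udp"
    ports: range    # destination ports the rule covers
    target: str     # LAN host the hub forwards to


# The two "forward everything" rules the original poster created on FusionHub.
FULL_FORWARD = [
    ForwardRule("tcp", range(1, 65536), FORTIGATE_LAN_IP),
    ForwardRule("udp", range(1, 65536), FORTIGATE_LAN_IP),
]


def hub_listeners(speedfusion_data_port=4500):
    """Ports the hub answers on itself. Assumption: only the SpeedFusion data
    port (UDP 4500 by default, per Martin's reply) is a local listener."""
    return {("udp", speedfusion_data_port)}


def dispatch(proto, port, rules, listeners):
    """Who receives a packet arriving at the hub's public IP on proto/port.
    Assumed precedence: local listener first, then the first matching forward."""
    if (proto, port) in listeners:
        return "fusionhub"
    for rule in rules:
        if rule.proto == proto and port in rule.ports:
            return rule.target
    return "dropped"


def audit_ipsec_path(rules, speedfusion_data_port=4500):
    """Check where the IKE (UDP 500) and NAT-T (UDP 4500) flows the head-office
    Fortigate sends would land, for a given SpeedFusion data port."""
    listeners = hub_listeners(speedfusion_data_port)
    return {port: dispatch("udp", port, rules, listeners) for port in (500, 4500)}


if __name__ == "__main__":
    print("default data port :", audit_ipsec_path(FULL_FORWARD))
    print("data port moved   :", audit_ipsec_path(FULL_FORWARD, 32015))
    print("FTP on tcp/21     :", dispatch("tcp", 21, FULL_FORWARD, hub_listeners()))
```

With the default data port the NAT-T flow ends at the hub while FTP on tcp/21 still reaches the Fortigate, which matches what the poster observed; moving the SpeedFusion data port frees 4500 for the forward rule.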