How to broadcast cross IP Sec VPN?

Snowy Canada
I need one network device broadcast cross VPN.

Device IP Address: 192.168.88.88
Network: Windows 2008 domain LAN network, 192.168.88.x
router: Fortigate 51E
VPN: IP Sec, connected
VPN destination network: 192.168.110.x

The 192.168.88.88 device needs to send a SIP Broadcast to 224.0.1.75 to servers on the other end of the VPN, so we wish the broadcast could cross the VPN and arrive at a server whose IP address is 192.168.110.110.

I created firewall policy to allow 192.168.88.88 to all the 192.168.110.x address, but it seems not to be enough.

Thanks for any suggestion.
Software Engineer
Distinguished Expert 2018
Commented:
A few remarks:
Broadcast is defined as: all systems on the current network segment, which excludes everything beyond a router (any router).
The address you mention isn't broadcast, but multicast. A system has to ask to receive multicast (subscription model).

You need IGMP enabled for that (and possibly IGMP snooping on switches to actually convert a multicast to broadcast on relevant segments).
Adding routes to areas you want to reach with multicast is like adding 224.0.0.0/240.0.0.0 routes on equipment that uses it.

IPSEC requires that you ALSO create a separate tunnel for this kind of traffic, as it is filtered if the endpoints have non-matching IP ranges.
Multicast traffic always is UDP btw.
Distinguished Expert 2018
Commented:
224.0.1.75 destination is multicast as noci already wrote.
A few points:
- IPsec tunnel does not support multicast traffic by itself
- GRE via IPsec supports multicast traffic
- if multicast sender and receiver are not located in the same subnet, multicast routing needs to be configured.

So, if you are not using L2TPv3 you will need to configure:
Create a GRE tunnel, forward GRE traffic into the IPsec tunnel, and you will also need to build multicast IP routing for the full traffic path.
IGMP snooping mentioned above is just related to switch infrastructure, typically for the last hop, from VLAN SVI to multicast receiver, but IGMP snooping is not converting multicast to broadcast. Actually, the function of IGMP snooping is to prevent multicast from acting like broadcast (if IGMP snooping is not configured on the switch, multicast traffic is treated as broadcast).

There could be some other solutions too, but I am not aware of your network devices and protocols that are supported on those devices.
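The two facts both replies rest on, that 224.0.1.75 is a multicast group a host must join (the IGMP subscription noci describes) and that a multicast datagram only crosses a routed hop such as a GRE tunnel if its TTL allows it, can be checked end to end with a small probe. The script below is an added example written for this thread, not code from either expert or from Fortinet; the group and subnet are the ones in the question, while the port, payload and the `classify`/`ttl_reaches` helper names are constructed for the example. Run the receiver half on the server side (192.168.110.110) and the sender half on 192.168.88.88; if nothing arrives, the group was not joined, the TTL was too low, or no multicast routing exists along the path.

```python
"""Added example (not from the original thread): a minimal multicast probe
showing why 224.0.1.75 needs an IGMP join on the receiver and a TTL above
the routed hop count on the sender before it can cross a tunnel."""
import ipaddress
import socket

GROUP = "224.0.1.75"   # group from the question (SIP multicast group)
PORT = 5060            # constructed: standard SIP port, not stated in the thread
LAN = ipaddress.ip_network("192.168.88.0/24")   # the asker's LAN


def classify(addr: str, local_net: ipaddress.IPv4Network = LAN) -> str:
    """Return 'multicast', 'broadcast' or 'unicast' for an IPv4 destination.
    224.0.0.0/4 is multicast; only the subnet's last address (or
    255.255.255.255) is a broadcast that every host on the segment gets."""
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if ip == local_net.broadcast_address or ip == ipaddress.ip_address("255.255.255.255"):
        return "broadcast"
    return "unicast"


def ttl_reaches(ttl: int, routed_hops: int) -> bool:
    """Each router (LAN gateway, GRE endpoint, ...) decrements the TTL and
    drops the datagram if it would reach zero, so a multicast packet
    crosses `routed_hops` routers only when its TTL exceeds that count.
    The default multicast TTL of 1 never leaves the local segment."""
    return ttl > routed_hops


def membership_request(group: str, local_iface: str = "0.0.0.0") -> bytes:
    """Build the ip_mreq structure for IP_ADD_MEMBERSHIP: the group address
    followed by the local interface address that should join it."""
    return socket.inet_aton(group) + socket.inet_aton(local_iface)


def open_receiver(group: str = GROUP, port: int = PORT,
                  local_iface: str = "0.0.0.0") -> socket.socket:
    """Bind a UDP socket and join the group. Setting IP_ADD_MEMBERSHIP is
    what makes the kernel send the IGMP membership report; without it the
    host is never delivered the group's traffic."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", port))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                    membership_request(group, local_iface))
    sock.settimeout(2.0)
    return sock


def send_probe(payload: bytes, ttl: int, group: str = GROUP, port: int = PORT) -> None:
    """Send one UDP datagram to the group with an explicit multicast TTL."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_LOOP, 1)
    sock.sendto(payload, (group, port))
    sock.close()


if __name__ == "__main__":
    print(classify(GROUP), classify("192.168.88.255"), classify("192.168.110.110"))
    print("TTL 1 across one router:", ttl_reaches(1, 1), "/ TTL 8:", ttl_reaches(8, 1))
    # Local self-test on one host: join, then send with a TTL that would
    # survive a few routed hops (constructed payload).
    rx = open_receiver()
    send_probe(b"SIP multicast probe", ttl=8)
    try:
        data, peer = rx.recvfrom(2048)
        print("received", data, "from", peer)
    except socket.timeout:
        print("nothing received: group not joined, TTL too low, or no multicast routing")
    finally:
        rx.close()
```

The probe deliberately separates the two halves: a receiver that has not joined the group will not see the datagram even on the same segment, and a sender whose TTL is left at the default of 1 will not get past the first router no matter how the FortiGate policy is written, which is why the answers above point at IGMP on the receiving side and GRE plus multicast routing in between.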
Snowy Canada, Network Administrator

Author

Commented:
Thanks for the suggestion. I need to work with the branch office to test the VPN and will update you.
Snowy Canada, Network Administrator

Author

Commented:
Thank you so much for the suggestion
