How to broadcast cross IP Sec VPN?
I need one network device broadcast cross VPN.
Device IP Address: 192.168.88.88
Network: Windows 2008 domain LAN network, 192.168.88.x
router: Fortigate 51E
VPN: IP Sec, connected
VPN destination network: 192.168.110.x
The 192.168.88.88 device need to send a SIP Broadcast 224.0.1.75 to servers on the other end of VPN, so we wish the broadcast can cross the VPN, arrive a server which IP address is 192.168.110.110.
I created firewall policy to allow 192.168.88.88 to all the 192.168.110.x address, but it seems not to be enough.
Thank s for any suggestion.
Device IP Address: 192.168.88.88
Network: Windows 2008 domain LAN network, 192.168.88.x
router: Fortigate 51E
VPN: IP Sec, connected
VPN destination network: 192.168.110.x
The 192.168.88.88 device need to send a SIP Broadcast 224.0.1.75 to servers on the other end of VPN, so we wish the broadcast can cross the VPN, arrive a server which IP address is 192.168.110.110.
I created firewall policy to allow 192.168.88.88 to all the 192.168.110.x address, but it seems not to be enough.
Thank s for any suggestion.
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Few remarks:
Broadcast is defined as: All systems on the current network segment, which excludes everything beyond a router (any router).
The Address you mention isn't broadcast, but Multicast. A system as to ask it to receive Multicast (subscription model).
You need IGMP enabled for that. (and possibly IGMP snooping on switches to actualy convert a multicast to broadcast on relevant segments.)
Adding routes to areas you want to reach with multicast is like adding 224.0.0.0/240.0.0.0 routes on equipment that uses it.
IPSEC requires that you ALSO create a separate tunnel for this kind of traffic as it is filtered if the endpoints have non-matching IPranges.
Multicast traffic always is UDP btw.
Broadcast is defined as: All systems on the current network segment, which excludes everything beyond a router (any router).
The Address you mention isn't broadcast, but Multicast. A system as to ask it to receive Multicast (subscription model).
You need IGMP enabled for that. (and possibly IGMP snooping on switches to actualy convert a multicast to broadcast on relevant segments.)
Adding routes to areas you want to reach with multicast is like adding 224.0.0.0/240.0.0.0 routes on equipment that uses it.
IPSEC requires that you ALSO create a separate tunnel for this kind of traffic as it is filtered if the endpoints have non-matching IPranges.
Multicast traffic always is UDP btw.
224.0.1.75 destination is multicast as noci already wrote.
Few points:
- IPsec tunnel does not support multicast traffic by itself
- GRE via IPsec supports multicast traffic
- if multicast sender and receiver are not located in the the same subnet multicast routing need to be configured.
So, if you are not using L2TPv3 you will need to configure:
Create GRE tunnel, forward GRE traffic into IPsec tunnel and also need you will need to build multicast IP routing for full traffic path
IGMP snooping mentioned above is just related to switch infrastructure, typically for last hop, from VLAN SVI to multicast receiver, but IGMP snooping is not converting multicast to broadcast. Actually, Function of IGMP snooping is to prevent multicast to act like broadcast (if IGMP snooping is not configured on switch multicast traffic is treated as broadcast).
There could be some other solutions too, but I am not aware of your network devices and protocols that are supported on those devices.
Few points:
- IPsec tunnel does not support multicast traffic by itself
- GRE via IPsec supports multicast traffic
- if multicast sender and receiver are not located in the the same subnet multicast routing need to be configured.
So, if you are not using L2TPv3 you will need to configure:
Create GRE tunnel, forward GRE traffic into IPsec tunnel and also need you will need to build multicast IP routing for full traffic path
IGMP snooping mentioned above is just related to switch infrastructure, typically for last hop, from VLAN SVI to multicast receiver, but IGMP snooping is not converting multicast to broadcast. Actually, Function of IGMP snooping is to prevent multicast to act like broadcast (if IGMP snooping is not configured on switch multicast traffic is treated as broadcast).
There could be some other solutions too, but I am not aware of your network devices and protocols that are supported on those devices.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial