rsondal
Staff
January 28, 2025

Technical Tip: How to pass traffic between three FortiGates through an IPsec tunnel without creating tunnels between all FortiGates

Description: This article describes, in detail, how traffic can flow between three FortiGates, configured in the GUI.
Scope: FortiGate.
Solution:
  1. The three FortiGates in this example are Glendale (A), Moon (B), and Iron (C).
  2. The tunnels from Glendale to Moon (A<->B) and from Glendale to Iron (A<->C) are already up and working.

Glendale IPsec tunnels:

[image 1.JPG]

Moon IPsec tunnel:

[image 2.JPG]

Iron IPsec tunnel:

[image 3.JPG]

  3. The desired outcome is to have all traffic between Moon and Iron (B<->C), in both directions, pass through Glendale only.

[image 14.JPG]

  4. To configure this scenario, follow the steps in the images below, which show what the phase 2 selectors, static routes, and policies should look like on all three FortiGates.
  5. The phase 2 selectors on each FortiGate should look like the following.

On the Glendale FortiGate (A), create an Iron-to-Moon phase 2 selector under the Glendale-to-Moon IPsec tunnel, and a Moon-to-Iron phase 2 selector under the Glendale-to-Iron IPsec tunnel.

[image 16.JPG]

[image 15.JPG]

On the Moon FortiGate (B), create a single phase 2 selector towards Iron under the Moon-to-Glendale IPsec tunnel.

[image 17.JPG]

On the Iron FortiGate (C), create a single phase 2 selector towards Moon under the Iron-to-Glendale IPsec tunnel.

[image 18.JPG]

  6. The static routes on each FortiGate should look like the following.

On the Glendale FortiGate (A), there is no need to add any static route, as the routes to Iron (C) and to Moon (B) are already there.

[image 19.JPG]

On the Moon FortiGate (B), it is only necessary to add one route for the Iron (C) destination IP through the Glendale tunnel.

[image 20.JPG]

On the Iron FortiGate (C), it is only necessary to add one route for the Moon (B) destination IP through the Glendale tunnel.

[image 21.JPG]

  7. The policies on each FortiGate should look like the following.

On the Glendale FortiGate (A), it is only necessary to add two policies: one from Iron to Moon (C->B), and another from Moon to Iron (B->C).

[image 22.JPG]

On the Moon FortiGate (B), it is only necessary to add two policies: one towards Iron (C), and a second in reverse.

[image 23.JPG]

On the Iron FortiGate (C), it is only necessary to add two policies: one towards Moon (B), and a second in reverse.

[image 24.JPG]

  8. This setup passes traffic between Moon and Iron (B<->C), in both directions, through Glendale only.

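The hub-side steps above (two phase 2 selectors, no extra static route, and two policies on Glendale), written out as FortiOS CLI. This is an added example and not configuration taken from the article; the tunnel interface names To-Moon and To-Iron, the address objects Moon-LAN and Iron-LAN, and the subnets 10.2.0.0/24 and 10.3.0.0/24 are assumed placeholders to be replaced with the real values.

```fortios
# Added example (not from the article): FortiOS CLI for the hub, Glendale (A).
# Assumed placeholders: To-Moon / To-Iron are Glendale's existing phase 1
# tunnel interfaces; Moon-LAN = 10.2.0.0/24 and Iron-LAN = 10.3.0.0/24 are
# address objects that already exist for the two spoke LANs.

# Phase 2 selectors. Under each existing tunnel, src-subnet is the LAN that
# sits "behind" Glendale from that peer's point of view and dst-subnet is
# the peer's own LAN; the spoke's selector must mirror this pair exactly,
# otherwise phase 2 for that pair never comes up.
config vpn ipsec phase2-interface
    edit "Iron-to-Moon"
        set phase1name "To-Moon"
        set src-subnet 10.3.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
    edit "Moon-to-Iron"
        set phase1name "To-Iron"
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.3.0.0 255.255.255.0
    next
end

# No static route is added here: Glendale already routes Moon-LAN and
# Iron-LAN over the two existing tunnels.

# Tunnel-to-tunnel policies, scoped to the two LAN objects so the hub only
# relays the spoke-to-spoke traffic this design intends.
config firewall policy
    edit 0
        set name "Moon-to-Iron"
        set srcintf "To-Moon"
        set dstintf "To-Iron"
        set srcaddr "Moon-LAN"
        set dstaddr "Iron-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Iron-to-Moon"
        set srcintf "To-Iron"
        set dstintf "To-Moon"
        set srcaddr "Iron-LAN"
        set dstaddr "Moon-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Each spoke follows the same pattern with one selector (its own LAN to the other spoke's LAN), one static route for that LAN via its Glendale tunnel, and a LAN-to-tunnel policy pair; if a spoke-to-spoke pair shows no phase 2 SA, compare its selector with the matching one on Glendale first.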
To establish communication between the three sites through an IPsec tunnel, see Technical Tip: Configuration steps required to reach Site C from Site A or vice versa when both sites terminate IPSEC VPN at site B.