kentbsece
New Member
October 11, 2016
Solved

3 Sites via IPSEC VPN

  • October 11, 2016
  • 1 reply
  • 19775 views

Hello,

I would like to ask for some advice and recommendations regarding our Site-to-Site IPSEC VPN.

Below are the scenarios. Please refer to the attached diagram.

We have an existing Site-to-Site IPSEC which is Site A going to Site C. Since we are expanding our site, we are creating a new site which is site B. The problem is, it has the same IP segment, 192.168.18.xx.

[strike]Also, our main goal is to be able to communicate site A and site B without changing the IP Networks on both sites. Meaning, we will use 192.168.18.xxx on both sites. Is it possible?[/strike] Already achieved this goal.

Next, let's say we were able to achieve our main goal above. [strike]Our next goal is to be able to communicate site B to site C without changing configurations on site A to site C which is our existing site-to-site IPSEC.[/strike] Mission complete. :D

Thank You.

Best answer by kentbsece

Thanks for the response guys!

I was able to achieve our goals. :D

1 reply

oheigl
New Member
October 11, 2016

Looking at your diagram, it's not the same subnet on site A and site B, because of the subnet mask /27. So you don't have any issues at all, otherwise you could use a link network with a different IP range, like this:

Site A: 192.168.18.0 -> NAT to -> 192.168.19.0

Site B: 192.168.18.0 -> NAT to -> 192.168.20.0

If you want to connect from Site A to Site B, for example, you would use the 192.168.20.0 destination address.

Edit: There are several articles on the KB, here is one example with overlapping subnets and site to site VPN:

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33872&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=92348486&stateId=0%200%2092350547

kentbsece (Author)
New Member
October 12, 2016

oheigl wrote:

Looking at your diagram, it's not the same subnet on site A and site B, because of the subnet mask /27. So you don't have any issues at all, otherwise you could use a link network with a different IP range, like this:

Site A: 192.168.18.0 -> NAT to -> 192.168.19.0

Site B: 192.168.18.0 -> NAT to -> 192.168.20.0

If you want to connect from Site A to Site B, for example, you would use the 192.168.20.0 destination address.

Edit: There are several articles on the KB, here is one example with overlapping subnets and site to site VPN:

http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD33872&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=92348486&stateId=0%200%2092350547

Hello, we were able to get PC1 and PC2 on Site A and Site B communicating through IPSEC. Now, our next problem is how to get PC2 in Site B to communicate with the server farm through Site A and Site C.

oheigl
New Member
October 12, 2016

Have you checked the routing and policies? Site C FortiGate needs a route through Site A for the local network in Site B. The easiest way to find out where the packets are not forwarded correctly is to start an endless ping on PC2:

ping <serverfarmip> -t

After that, start the following command on all FortiGates, and see on which FortiGate the ping is not being forwarded (no out interface):

diag sniffer packet any 'host <PC2ip> and host <Serverfarmip>' 4 0 1

You should always see one entry for the incoming packet and one entry for the outgoing forwarded packet. If there is no out entry, check the policy and routing settings on this unit. If it's still not working, post the sniffer logs and maybe the routing tables and so on, so we can figure out what's wrong.
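A small checker for the procedure above, added here as an example and not part of the thread: it parses verbosity-4 `diag sniffer packet` lines captured on each FortiGate and reports every "in" packet that never got a matching "out" entry, which points at the unit whose policy or routing drops the flow. The interface names, the PC2 address (192.168.18.40) and the server farm address (10.10.10.5) are constructed sample values.

```python
import re

# One verbosity-4 sniffer line looks like:
#   <timestamp> <interface> <in|out> <src> -> <dst>: <protocol details>
# Header lines such as "interfaces=[any]" do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<iface>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s*(?P<proto>.*)$"
)

# Constructed captures (not real output): Site A forwards the echo request
# into the Site C tunnel, while Site C receives it but never emits an "out".
SAMPLE_SITE_A = """\
interfaces=[any]
filters=[host 192.168.18.40 and host 10.10.10.5]
1.220145 vpn-siteB in 192.168.18.40 -> 10.10.10.5: icmp: echo request
1.220201 vpn-siteC out 192.168.18.40 -> 10.10.10.5: icmp: echo request
"""
SAMPLE_SITE_C = """\
interfaces=[any]
filters=[host 192.168.18.40 and host 10.10.10.5]
3.117321 vpn-siteA in 192.168.18.40 -> 10.10.10.5: icmp: echo request
4.118002 vpn-siteA in 192.168.18.40 -> 10.10.10.5: icmp: echo request
"""

def parse_sniffer(text):
    """Return a list of packet dicts for every line that matches LINE_RE."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["ts"] = float(pkt["ts"])
            packets.append(pkt)
    return packets

def find_unforwarded(text):
    """Return the 'in' packets that were never followed by an 'out' entry
    for the same (src, dst, protocol) flow, i.e. packets this unit dropped."""
    pending = []  # 'in' entries still waiting for their forwarded twin
    for pkt in parse_sniffer(text):
        key = (pkt["src"], pkt["dst"], pkt["proto"])
        if pkt["dir"] == "in":
            pending.append((key, pkt))
            continue
        # An 'out' consumes the oldest matching 'in' (FIFO per flow).
        for i, (k, _) in enumerate(pending):
            if k == key:
                pending.pop(i)
                break
    return [pkt for _, pkt in pending]

def report(unit_name, text):
    """Human-readable verdict per FortiGate, handy when comparing all sites."""
    stuck = find_unforwarded(text)
    if not stuck:
        return f"{unit_name}: all captured packets were forwarded"
    ifaces = sorted({p["iface"] for p in stuck})
    return f"{unit_name}: {len(stuck)} packet(s) received on {ifaces} had no out entry"
```

Run `diag sniffer packet` with the same filter on every FortiGate in the path and feed each capture to `report()`; the first unit that shows packets without an out entry is where to check the policy and the route back towards Site B.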