Skip to main content
GiGi
GiGi
New Member
September 29, 2022
Solved

IPSec remote => IPSec site to site (Cloud based)

  • September 29, 2022
  • 1 reply
  • 2114 views

Hey everyone,

 

First of all, we've search for our problem on the forum but even if there were posts about it, we couldn't find any solution.

 

We're facing a problem right now regarding the VPN of our company.

 

Our devices :

- 2 x Fortigate 100F (HA) in HQ with 7.0.1 Firmware.
- 1x FortiGate VM64-AZURE on Azure with 6.4.8 Firmware.
- Forticlient VPN for remote users.

 

At the moment we have SSL and IPSec remote connections to HQ for remote users and everything works fine.

When we've added a platform on Azure Cloud as you can see on the topology below, we created an IPSec site to site VPN.

 

VPN problems.png

 

It's working fine for the users on the LAN and we've modified the firewall configuration for the SSL VPN so the remote users can access the Azure Cloud.

The problem is that we don't know how to do the same with the IPSec remote users as when we configure the remote IPSec tunnel, we can't chose the VPN (Azure) interface, only local interfaces can be added.

We've kind of replicated the topology in a lab and tried different approaches but still aren't able to make the IPSec remote => IPsec site to site connection to be successful.

 

I'd like to know if you could help us understand how to do the configuration, if it's even possible :).

 

Thank you very much,

 

GiGi.

Best answer by akristof

Hello,

Do you mean that in firewall policy to allow traffic from Remote access Ipsec to site-to-site?

Mainly, in Ipsec configuration you need to add Azure subnet if you have split-tunnel enabled. Then you need just firewall policy that is allowing traffic from remote Ipsec to site-to-site.

1 reply

akristof
Staff
akristofAnswer
Staff
September 29, 2022

Hello,

Do you mean that in firewall policy to allow traffic from Remote access Ipsec to site-to-site?

Mainly, in Ipsec configuration you need to add Azure subnet if you have split-tunnel enabled. Then you need just firewall policy that is allowing traffic from remote Ipsec to site-to-site.

GiGi
GiGiAuthor
New Member
September 29, 2022

Hello Adrian,

 

Thanks for your reply.

 

Yes, we have split-tunnel enabled. I already had the Azure subnet on the Remote IPSec tunnel and the FW policies to point each directions.

 

So I tough the problem came from the IPsec site-to-site as it was already setup with the HQ but it didn't include the remote IPsec subnet. I wanted to add it  to the existing address group but the address didn't show up.

 

So I deleted the VPN site-to-site and set it up again so I could add manually the remote IPsec subnet. I configured the FW policies accordingly and it's now working properly, I can access the Cloud from remote users.

 

There is one thing that annoy me : Why can't we add address to an existing address group made by the wizard from the IPsec tunnel?

 

*** I'm saying that because in our lab it's easy to delete and remake, but on the live network it's not the same and there are many subnets/FW rules and sometimes there is even a need to add new subnets.

 

*** I edit my answer even if I didn't post it yet. I have made an address group and there I could add any address I wanted, so next time I know that I don't have to delete the IPsec tunnel to add a subnet, but just replace the group made by the wizard by a new one.

 

If you have some good practice about that, I'm all ears though.

 

Thanks again,

 

GiGi.

akristof
Staff
akristof
Staff
September 29, 2022

Hi,

Good to hear that it is working now.

Regarding your question with editing of address-group. Unless the address that you want to add has enabled option of "static route configuration", you will not be able to add it:

akristof_0-1664454020772.png

This is because when you create tunnel with wizard, it enable this option on all members of the group and group itself.

Terms & ConditionsAccessibility statement