torhs
New Member
May 21, 2021
Question

IPSec S2S allowing different subnet through tunnel

  • May 21, 2021
  • 2 replies
  • 6725 views

Hi,


I have configured a site2site ipsec tunnel, but I have one issue I need to figure out.


On the branch network, the modem is connected to a switch which then has the FortiGate and multiple wifi access points connected. The FortiGate has a .200 subnet, and the wifi has a .1. If I connect directly to the FortiGate I am able to connect to the HQ network through the IPsec tunnel, but I need to be able to access the tunnel through the .1 subnet. Is this possible, and can anyone point me in the right direction as to how to solve this?


I have attached a photo of how I want the network set up.

2 replies

Toshi_Esumi
SuperUser
May 21, 2021

It's the same as with a "hub and spoke" network, connecting a spoke to another spoke via the hub. In your case, the branch FGT is the hub. I assume you meant something like 192.168.200.0/24 with .200 and 192.168.1.0/24 with the .1 subnet.

You need to solve three things: 1) phase2 network selectors, 2) routing, and 3) policies.

For 1), the selector needs to include 192.168.1.0/24 from/to the HQ subnet, if not 0/0 <-> 0/0.

For 2), HQ needs to route .1.0/24 into the tunnel.

For 3), both FGTs need to have a proper policy allowing .1.0/24 to connect to the HQ network.
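As a worked example of those three items (added here, not configuration from the original thread), a FortiOS CLI sketch for both FortiGates. It assumes the HQ server LAN is 10.200.1.0/24, phase 1 interfaces named "to-hq" (branch) and "to-branch" (HQ), the branch FortiGate facing the switch on wan1, and the HQ LAN interface named internal; those names are placeholders to adapt.

```text
# Branch FortiGate: phase 2 selector must cover the 192.168.1.0/24 wifi subnet
config vpn ipsec phase2-interface
    edit "to-hq-lan1"
        set phase1name "to-hq"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.200.1.0 255.255.255.0
    next
end
# Address objects referenced by the policies (create on both FortiGates)
config firewall address
    edit "branch-lan1"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "hq-lan"
        set subnet 10.200.1.0 255.255.255.0
    next
end
# Branch policy: wifi clients reach the FortiGate on wan1 (the port on the switch)
config firewall policy
    edit 0
        set name "lan1-to-hq"
        set srcintf "wan1"
        set dstintf "to-hq"
        set srcaddr "branch-lan1"
        set dstaddr "hq-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# HQ FortiGate: static route for the branch wifi subnet into the tunnel interface
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "to-branch"
    next
end
# HQ policy: allow the branch wifi subnet out of the tunnel to the server LAN
config firewall policy
    edit 0
        set name "branch-lan1-to-servers"
        set srcintf "to-branch"
        set dstintf "internal"
        set srcaddr "branch-lan1"
        set dstaddr "hq-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The HQ side also needs the mirrored phase 2 selector (src 10.200.1.0/24, dst 192.168.1.0/24). Because the wifi clients' default gateway is the modem at 192.168.1.1, that gateway must itself forward 10.200.1.0/24 to the FortiGate's 192.168.1.4 address, otherwise the traffic never reaches the FortiGate at all.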


torhs
Author
New Member
May 24, 2021

Hi,


Thanks for taking the time to reply to my post. I believe I have everything set up as you describe, but I still get nowhere. When I connect to the switch, I'm routed out the default gateway 192.168.1.1 when I try to access the server on the HQ network. However, if I connect directly to the FortiGate and get the 192.168.206.0/24, I am able to access the HQ server.


I thought maybe virtual IP/DNAT would allow me to do what I am trying to achieve: where a device on the 192.168.1.0/24 subnet accesses 192.168.1.4 (the FortiGate's IP) and gets routed to the HQ server. Wouldn't that be possible?


Thanks in advance for any help!

torhs
Author
New Member
May 24, 2021

I created another diagram to better show what I am trying to achieve.


The IPsec tunnel is working fine if I connect directly to the branch FortiGate and receive a 192.168.200.x address, but not if I connect to the switch and receive a 192.168.1.x address; that's where my issue is.


I want to be able to access the server on HQ through any device connected directly to the switch or any of the access points, so basically, 192.168.1.2-192.168.1.254 should be able to access the server. 


I am not sure I have set things up correctly for that to work, but as you can see in my diagram, on the branch, a modem is connected to a port on the switch; from there we have several wifi access points, the FortiGate is connected to the switch through the WAN port on the FortiGate, and a gateway is connected to the FortiGate's port 1.


It all works, except one thing: accessing the server from 192.168.1.0/24. Is there a way I can configure this to work? Can it be done by using DNAT/virtual IP, accessing the FortiGate's 192.168.1.x address and being "forwarded" to the server's 10.200.1.123 address through the IPsec tunnel, or any other way?


Thanks in advance for any help!

Toshi_Esumi
SuperUser
May 24, 2021

If the switch is actually doing routing, like the wifi clients' default GW lives on it and then routes to the internet without going through the FGT, you still have a routing issue to be solved on the switch.

Use traceroute from the client device to see if it's hitting the FGT. If it is, then you need to figure out why it doesn't go into the tunnel by "flow debug". There should be no NAT/VIP needed to route through the tunnel.