yrani
New Member
October 22, 2018
Question

IPsec VPN and routing

  • October 22, 2018
  • 2 replies
  • 6774 views

Hi, I am trying to route traffic through an IPsec VPN but I don't understand how to do it, or if it is even possible.

Please see the attached network map, I want unit 1 to be able to access unit 6.


-There is a working VPN between unit 4 and 5.

-Units 2, 3, 4 and 5 are all able to ping unit 6.

-Unit 1 is not able to ping unit 6.

-For testing purposes firewall rules in units 2, 4 and 5 allow all traffic from unit 1 to unit 6.

-Unit 4 IPsec phase 2: local 172.24.16.0/22, remote 172.24.32.0/22

-Unit 5 IPsec phase 2: local 172.24.32.0/22, remote 172.24.16.0/22


Any help is much appreciated.

Thanks


    2 replies

    ede_pfau
    SuperUser
    October 22, 2018

    Unit 4 needs a route to 172.24.32.0 or it will drop the traffic.

    Check with "diag deb enable" and "diag sniffer packet any 'icmp' 4" on unit 4 while running "ping -t" between the hosts.

    yrani
    yraniAuthor
    New Member
    October 22, 2018

    Thank you very much for the reply! Both unit 4 and unit 5 have the relevant routes (units 2, 3 and 4 can reach unit 6).


    With the debugging command I can see ICMP packets coming into unit 4 on the LAN interface and going out on the VPN interface, in both cases from 172.24.0.20 to 172.24.32.10.

    But there is no traffic on unit 5 with the same command.


    In unit 5 I have this firewall rule:

    -in interface=vpn, out interface=lan, source=all, destination=all, service=all, schedule=always, action=allow

    I don't have any deny rules except the implicit deny rule.


    I used the policy lookup button: source interface=vpn, protocol=ping request, source=172.24.0.20 (unit1), destination=172.24.32.10 (unit 6)

    The policy lookup says "Failed to perform lookup policy" which is weird.


    rwpatterson
    New Member
    October 22, 2018

    Is the subnet on unit 1 allowed through every VPN on the way to unit 6? Try NATting the traffic from unit 1 and if that works, there's your answer.


    yrani wrote:
    -Unit 4 IPsec phase 2: local 172.24.16.0/22, remote 172.24.32.0/22
    -Unit 5 IPsec phase 2: local 172.24.32.0/22, remote 172.24.16.0/22


    I don't see any phase 2 that covers the 172.24.0.0/x subnet range...

    yrani
    yraniAuthor
    New Member
    October 22, 2018

    There is only 1 VPN, between unit 4 and 5.

    I am familiar with the concept of NAT but I am not sure how to enable it in FortiOS. Is it as simple as enabling it in the firewall rule?


    Is it not possible to achieve what I want without NAT?

    rwpatterson
    New Member
    October 22, 2018

    It is as simple as enabling it in the policy. All traffic in that policy will have the address of the interface facing the VPN (172.24.16.253), or by using an IP Pool you can specify another address on that subnet. The other way to achieve this without NAT is to create another phase 2 on that phase 1 with endpoints 172.24.0.0/22 <==> 172.24.32.0/22, as below:


    -Unit 4 IPsec phase 2: local 172.24.0.0/22, remote 172.24.32.0/22
    -Unit 5 IPsec phase 2: local 172.24.32.0/22, remote 172.24.0.0/22
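Added example, not part of the thread and not FortiOS code: a small Python model of phase 2 selector matching for the topology above, using the subnets and addresses posted in the thread. It shows why unit 1's traffic never reaches unit 5's policy with the original selectors, and how both fixes from the last reply (NAT on the unit 4 policy, or a mirrored second phase 2) change that; the "unit 4 only" case is an assumed misconfiguration added to show that the selector must exist on both peers.

```python
# Model of IPsec phase 2 (traffic selector) matching. A packet only crosses the
# tunnel if the sender has a selector covering src->dst AND the receiver has
# the mirrored selector; otherwise it is dropped before any far-side policy runs.
from ipaddress import ip_address, ip_network

# Phase 2 selectors exactly as posted: list of (local, remote) per unit.
UNIT4_P2 = [("172.24.16.0/22", "172.24.32.0/22")]
UNIT5_P2 = [("172.24.32.0/22", "172.24.16.0/22")]

# Hosts from the thread; the NAT source is unit 4's VPN-facing interface.
UNIT1, UNIT6 = "172.24.0.20", "172.24.32.10"
UNIT4_VPN_IF = "172.24.16.253"


def selector_covers(selectors, src, dst):
    """True if some (local, remote) selector contains src and dst respectively."""
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(loc) and d in ip_network(rem) for loc, rem in selectors)


def tunnel_passes(sender_p2, receiver_p2, src, dst):
    """Return (sent_into_tunnel, accepted_by_receiver, reason) for src->dst."""
    if not selector_covers(sender_p2, src, dst):
        return False, False, "no phase 2 on the sender covers src->dst: dropped before encryption"
    # On the receiver the packet's dst is its *local* side and src its *remote*
    # side, so the selector must match with the roles swapped.
    if not selector_covers(receiver_p2, dst, src):
        return True, False, "sender encrypted it, but the receiver has no mirrored selector: dropped"
    return True, True, "covered by a phase 2 on both ends"


def scenario_results():
    """Evaluate unit 1 -> unit 6 under the configurations discussed in the thread."""
    extra4 = UNIT4_P2 + [("172.24.0.0/22", "172.24.32.0/22")]
    extra5 = UNIT5_P2 + [("172.24.32.0/22", "172.24.0.0/22")]
    return {
        # Original state: unit 1's subnet appears in no selector at all.
        "original": tunnel_passes(UNIT4_P2, UNIT5_P2, UNIT1, UNIT6),
        # NAT on the unit 4 policy: source becomes 172.24.16.253, already covered.
        "nat_on_unit4_policy": tunnel_passes(UNIT4_P2, UNIT5_P2, UNIT4_VPN_IF, UNIT6),
        # Assumed misconfiguration: second phase 2 added on unit 4 only.
        "extra_phase2_unit4_only": tunnel_passes(extra4, UNIT5_P2, UNIT1, UNIT6),
        # Second phase 2 added on both sides, as in the last reply.
        "extra_phase2_both": tunnel_passes(extra4, extra5, UNIT1, UNIT6),
    }


if __name__ == "__main__":
    for name, (sent, accepted, why) in scenario_results().items():
        print(f"{name:24} sent={sent!s:5} accepted={accepted!s:5} {why}")
```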