sunny007
New Member
March 25, 2019
Solved

IPSEC VPN VLAN

  • 2 replies
  • 13562 views
Hi, I have an issue with setting up an IPSEC VPN between two sites. WAN to WAN it works fine, but LAN to LAN we have an issue. Config file removed
    Best answer by sw2090 (April 1, 2019 reply below)


    Toshi_Esumi
    SuperUser
    March 25, 2019

    I'm not sure what you mean by "wan to wan works". But it looks like you have a number of subnets behind the device with 192.168.51.2/30 (FGT has .1/30). Unless you put all of those in the "pltotr" address group, they won't be able to reach the other side. Currently the phase2 selector has only the /30 in.

    ede_pfau
    SuperUser
    March 25, 2019

    @sunny007:

    PLEASE do not post a complete config file with tons of sensitive data! If you can, edit your post and delete the attachment. If you need to post config info, post snippets and change all sensitive data like public IPs, passwords etc.

    sw2090
    SuperUser
    March 27, 2019

    basically:

    once you have a vpn tunnel (e.g. IPSEC) set up, the rest is defined by policies and routing.

    So if you want users from network A to access network B through your VPN Tunnel you need:

    a route on the FGT which the users in network A use as default gateway, which goes to network B with the Tunnel as interface

    a route on the FGT which is the default gateway for network B, which goes to network A with the Tunnel as interface.

    And then both sides need policies to allow the traffic....

    ede_pfau
    SuperUser
    March 31, 2019

    @sw2090

    Actually, you don't need to point your default route to the tunnel (interface), a simple static route for the remote subnet will suffice. The default route handles the remote FGT's WAN interface as well, which is NOT reachable through the tunnel - you need to access it via the WAN port.

    But I'm sure you meant that.

    Besides routing, one needs to

    - have all remote subnets in the phase2 quick mode selectors

    - have all remote subnets in the address fields of the tunnel-to-LAN/LAN-to-tunnel policies.

    sw2090
    SuperUser
    April 1, 2019
    (Best answer)

    hmm

    I almost never define any subnet but 0.0.0.0/0.0.0.0 in phase2 selectors.

    With that you just need routing and policies to reach subnets over the vpn.

    And I didn't write anything about default routes. I just wrote that the corresponding FortiGate on each side of the tunnel has to do the routing (and policies) for traffic over the tunnel.
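Both sw2090's routing-plus-policies procedure and ede_pfau's checklist above, written out as an added FortiOS CLI example for site A; this is not configuration from the thread or from any poster, and every name and address in it is constructed: site A LAN 192.168.1.0/24 on interface "internal", site B LAN 192.168.2.0/24, site B public IP 203.0.113.2, tunnel name "to-siteB". It follows the accepted answer's approach of 0.0.0.0/0 phase2 selectors, which means the static route and the two firewall policies are the only things deciding what crosses the tunnel, so those have to name the real subnets. Site B gets the mirror image with the addresses swapped.

```fortios
# --- Site A FortiGate (constructed example, not the thread's config) ---

# Phase 1: interface-mode tunnel to site B's public IP.
config vpn ipsec phase1-interface
    edit "to-siteB"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.2
        set psksecret PLACEHOLDER_PRESHARED_KEY
    next
end

# Phase 2: wide-open selectors (the accepted answer's approach).
# Alternative per ede_pfau: list every remote/local subnet pair here instead.
config vpn ipsec phase2-interface
    edit "to-siteB-p2"
        set phase1name "to-siteB"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Routing: only the remote LAN goes into the tunnel. The default route stays
# on wan1 so site B's WAN address (not reachable through the tunnel) still works.
# The blackhole route with a high distance (common practice, not from the thread)
# keeps site-B-bound LAN traffic from leaking out wan1 in cleartext if the tunnel drops.
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "to-siteB"
    next
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end

# Address objects: one per LAN; every additional remote subnet needs its own
# object (or an address group) referenced in both policies below.
config firewall address
    edit "siteA-lan"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "siteB-lan"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Policies: LAN-to-tunnel and tunnel-to-LAN, both restricted to the two LANs.
# With 0.0.0.0/0 selectors these address fields are the real access control.
config firewall policy
    edit 0
        set name "lan-to-siteB"
        set srcintf "internal"
        set dstintf "to-siteB"
        set srcaddr "siteA-lan"
        set dstaddr "siteB-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "siteB-to-lan"
        set srcintf "to-siteB"
        set dstintf "internal"
        set srcaddr "siteB-lan"
        set dstaddr "siteA-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

On site B the same blocks are applied with "siteA-lan"/"siteB-lan", the static route destination and the remote gateway swapped. If a third subnet sits behind either firewall, as in the original poster's setup, it needs a route on the far side, an address object on both sides, and an entry in both policies; with specific rather than 0.0.0.0/0 selectors it also needs its own phase2 selector pair, which is exactly the mismatch Toshi_Esumi pointed at. Restricting "service" to the protocols actually required between the sites is the usual tightening once connectivity is confirmed.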