johntampac
New Member
December 13, 2017
Question

Route/grant access from a Site to Site VPN to another Site to Site VPN

  • December 13, 2017
  • 1 reply
  • 9223 views

Hello All,

 

This is my first time to be here hope that I could also contribute something in this forum. Right now I will need your help.

 

My scenario is this:

 

Our company has 2 offices, Main and a Remote Branch. Both are geographically far from each other. Both sites are currently connected with an IPsec Site to Site VPN, and both sites are using FortiGate firewalls. Because of this, the remote branch can access services/servers in the Main branch. Recently we acquired Azure services, and we placed some of our servers in Azure. The main branch has a Route based VPN Tunnel to Azure, so the main branch can access the servers in Azure. My problem is with the remote branch: it cannot access the Azure servers. Although this problem can be solved by creating a VPN tunnel between Azure and the remote branch, the management is reluctant to do this because of the additional cost. Because of this, I need the remote branch to access Azure via the Main branch's existing VPN tunnel to Azure. I have tried but I failed; I was not even sure if I was doing it in the correct direction. I've been struggling with this for a while now, that is why I'm here seeking your help on how this can be done in FortiGate.

 

Additional Info:

Main Branch is using: FortiGate 200E

Remote Branch is using: FortiGate 50E

 

Hope you can help me. Please also see attached image for the diagram

 

Regards

John
    1 reply

    Toshi_Esumi
    SuperUser
    December 13, 2017

    I don't know about the Azure side, but I assume it's just adding one or more subnets to the tunnel with the Main to pass the traffic for the remote branch. As you can find in many discussions in this forum similar to your case (hub-and-spoke), you just need to take care of three things over the existing tunnel between main and remote:

  • IPsec traffic (network) selectors for the additional Azure subnets (unless you use 0/0<->0/0)
  • routing for the Azure subnets
  • policies to accommodate the Azure subnets (if not all<->all)

    Then the rest would be some sniffing (diag debug sniffer packet), which you can find everywhere online.

    rwpatterson
    New Member
    December 13, 2017

    Welcome to the forums.

     

    In the main office, how is the tunnel configured (to Azure)? If it is interface based (policy action is ALLOW), then you simply need to allow the IP address subnet for the remote site through. If it is policy based (policy action is IPsec), then there is no way to do it if the subnet is not directly connected to the main FGT. I would recommend you change it (not very hard, but downtime is required) to interface based. It will save you headaches in the future. The policy based (IPsec) style is older and far less robust.
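
The following is an added worked example, not configuration posted by anyone in this thread, that puts the three items from the reply above (selectors, routing, policies) together with the interface-based requirement from this reply for the hub (Main, FortiGate 200E) and the spoke (remote branch, FortiGate 50E). All names and subnets are assumptions for illustration: `to-azure` is the existing route-based tunnel interface to Azure, `to-branch` / `to-main` are the two ends of the existing Main<->Branch tunnel, `port1` is the branch LAN interface, and the subnets (Main 10.1.0.0/24, Branch 10.2.0.0/24, Azure VNet 10.100.0.0/16) are invented. The policies are scoped to the two subnets rather than all<->all so the spoke can only reach the Azure prefix through the hub and nothing else behind either tunnel.

```fortios
# ---- Hub: Main branch FortiGate 200E (assumed interface and subnet names) ----
config firewall address
    edit "branch-lan"
        set subnet 10.2.0.0 255.255.255.0
    next
    edit "azure-vnet"
        set subnet 10.100.0.0 255.255.0.0
    next
end
# 1) Selectors: the Main<->Branch tunnel must also carry Azure<->Branch traffic.
#    The tunnel to Azure built from the Fortinet KB normally uses 0.0.0.0/0
#    selectors; if yours is narrower, add the mirrored selector on it as well.
config vpn ipsec phase2-interface
    edit "to-branch-azure"
        set phase1name "to-branch"
        set src-subnet 10.100.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end
# 2) Routing: the hub already routes branch-lan via to-branch and azure-vnet
#    via to-azure, so no new static route is needed on the hub.
# 3) Policy: tunnel-to-tunnel policies in both directions, scoped to the two
#    subnets (narrow "service" further once you know which ports are needed).
config firewall policy
    edit 0
        set name "branch-to-azure"
        set srcintf "to-branch"
        set dstintf "to-azure"
        set srcaddr "branch-lan"
        set dstaddr "azure-vnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "azure-to-branch"
        set srcintf "to-azure"
        set dstintf "to-branch"
        set srcaddr "azure-vnet"
        set dstaddr "branch-lan"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---- Spoke: Remote branch FortiGate 50E (assumed names) ----
config firewall address
    edit "azure-vnet"
        set subnet 10.100.0.0 255.255.0.0
    next
end
# 1) Selector: mirror of the hub entry with src/dst swapped.
config vpn ipsec phase2-interface
    edit "to-main-azure"
        set phase1name "to-main"
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.100.0.0 255.255.0.0
    next
end
# 2) Route: send the Azure prefix into the tunnel to Main.
config router static
    edit 0
        set dst 10.100.0.0 255.255.0.0
        set device "to-main"
    next
end
# 3) Policy: branch LAN <-> tunnel, limited to the Azure prefix.
config firewall policy
    edit 0
        set name "lan-to-azure"
        set srcintf "port1"
        set dstintf "to-main"
        set srcaddr "all"
        set dstaddr "azure-vnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "azure-to-lan"
        set srcintf "to-main"
        set dstintf "port1"
        set srcaddr "azure-vnet"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The Azure side still has to learn the branch prefix: add 10.2.0.0/24 (your real branch subnet) to the address space of the Local Network Gateway that represents the Main office, otherwise Azure has no route back into the tunnel for replies. To verify, check that the route is present on the spoke with `get router info routing-table all`, that the new phase 2 selectors come up with `diagnose vpn tunnel list`, and trace a test flow on the hub with `diagnose sniffer packet any 'host 10.100.0.10' 4` (substitute a real Azure server address) to see whether packets arrive on `to-branch` and leave on `to-azure`; if they arrive but never leave, the policy or the Azure-tunnel selector is the usual culprit.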

    johntampac
    New Member
    December 13, 2017

    Hello rwpatterson,

     

    The VPN to Azure is using a route based VPN; this is probably what you meant by interface based VPN. I'm using this KB (link here) to configure the Azure VPN. You can confirm if my route based VPN is what you meant. And yes, this setup cannot be implemented in a policy based VPN. Just a question though: I'm using the FortiGate built-in VPN template to configure the VPN tunnel between the Main office and the remote branch. Does this template use a policy based VPN?

     

    Regards

    John