Route within the same firewall for 2 site-to-site VPN

Forum|Forum|7 years ago
June 5, 2019
1 reply
2413 views

Hi all,

First time post but long time follower!

I have a scenario where the firewall I currently managed has 2 site-to-site VPN connected from different location from draytek router on each end.

Draytek ---VPN--- Fortigate ---VPN--- Draytek

Question is, I want these 2 networks to be able to reach each other.

I tried adding the policy but it didn't work.

Do I have to add static route in the Draytek router?

Thanks in advance.

ede_pfau

SuperUser

hi,

and welcome to the forums, as a contributor :)

Yours is a routing problem, not so much a problem with VPN or policies.

In your mind, move to every router in that chain and ask yourself:

- do I have a route to the destination?

- does my VPN transport this network (phase2 selectors)?

- do I have a policy for this traffic? do I have one for incoming and one for outgoing direction?

Helpful to know:

1- the FGT will discard any traffic which comes from an "unknown" source. To make a source network "known", you need to create a static route to it.

2- if you use '0.0.0.0/0' as the phase2 selector in the FGT VPN, it will be used as a wildcard. I know this will work for multiple arbitrary networks between 2 FGTs. No experience with FGT-to-Draytek.

3- do not use NAT anywhere for this scenario. IMHO NAT often is a quick fix to cover up poor routing.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded