Routing over s2s VPN problem

Forum|Forum|4 years ago
September 17, 2021
2 replies
5429 views

Hi,

I have 3 sites connected by VPN and got problem with communication from LAN2 to LAN3 by 2 VPN tunnels.

Take a look at attached network diagram.

The VPNs are working fine so hosts from LAN1 could connect to LAN2 and to 172.20.88.83 and vice-versa. But I couldn't get a connection from 10.120.146.0 to 172.20.88.83 via 10.120.144.5 router (orange line with arrows on the diagram). I tried a few static routes or policy routes but traffic stucks on 10.120.146.254 and doesn't go outside first tunnel. Could someone help?

Fortigate routing.jpg

Toshi_Esumi

SuperUser

So there are 3 hops from the source before the destination. How far can you get when you traceroute/tracert from a device in LAN1? If you can't see the 2nd hop after hitting the local FGT, that means VPN is not passing the ping. Then check 1) network selectors, 2) routes(going and coming back directions), and 3) policies on both sides.

That should be the beginning of your network troubleshooting process.

ywzz07

New Member

Hi,

Is the correct route written to the tunnel for 172.20.88.0/24 on the fw in front of LAN2 and are the necessary rules defined for this connection? Or is there a VIP object related to the 172.20.88.0/24 network written on this firewall?

Did you check these?

Best Regards

tomasztorunAuthor

New Member

Thank you for replies. I got more time yesterday and realised that I have to add all the subnets to Phase 2 of the VPN. So when I add them everything started to working fine. So the problem is resolved. :)

sw2090

SuperUser

either that or set the p2 selectors to 0.0.0.0/0.0.0.0 and handle it with policies for each subnet (Or adrress group)

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded