Routing Question Across Site-to-Site VPN

Forum|Forum|5 years ago
October 14, 2020
1 reply
3855 views

Working on a client build.

Site X has a Fortigate cluster, and uses 10.150.54.0/24 split into /25 for corp wired and wireless.

Site Y has a Fortigate cluster as well, and has a 10.10.120.0/24 network and other networks. The Fortigate interface is 10.10.120.10. The 10.10.120.1 is an old MPLS circuit that will soon be retired (within the next few months).

Traffic from Site X to Site Y works for other networks besides 10.10.120.0. When I try and reach a server 10.10.120.5 - it fails. In checking into it, the server and some other older gear has a gateway of 10.10.120.1 (the MPLS), and the MPLS has no route for 10.150.54.0 so the traffic drops.

I have temporarily worked around it by putting a persistent route on the server redirecting 10.150.54.0/24 through 10.10.100.10 and that resolved it.

I hate using these sorts of 'kludges' when I'm pretty sure there's another easier way I could have done this through the Fortigates.

Both sites are on 6.0.11 if that makes any difference.

Thoughts?

sw2090

SuperUser

Do you have static routes to the opposite subnet(s) on you FGT Clusters?

Usually you need static routing on both S2S VPN Endpoint plus some policy to allow traffic.

lobstercreed

New Member

Hey Brent,

I'm afraid what you call a "kludge" is basic routing. You can't fix the problem with the FGTs if the traffic never reaches a FGT, which it sounds like is the case since the default gateway on the server sends the traffic to the MPLS router instead of the FGT.

Either change the default gateway on the server so it sends all traffic to the FGT or add a route on your MPLS to send that traffic to the FGT. Or, if neither of those solutions are practical for one reason or the other, then I think you've done the best thing you can do already.

- Daniel

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded