firewalled
Visitor III
June 3, 2022
Solved

Site to Site Custom tunnel with VLAN

  • June 3, 2022
  • 2 replies
  • 4913 views

Good day!

I am having trouble with my configuration. I can successfully establish a connection between both firewalls, but I cannot access the VLANs on the branch firewall.

Here is my config:

HQ
Local Subnet: 192.168.100.0/24
Remote Subnet: 192.168.50.0/24

BRANCH
Local Subnet: 192.168.50.0/24
Remote Subnet: 192.168.100.0/24

Static Route HQ:
Destination: 192.168.50.0/24
Gateway: 122.8.182.207

Static Route BRANCH:
Destination: 192.168.100.0/24
Gateway: 222.81.180.201

My firewall policies:

HQ FIREWALL

VPN1:
incoming interface: hq-to-branch
outgoing interface: lan
source: all
destination: all
service: all
NAT: disabled

VPN2:
incoming interface: lan
outgoing interface: hq-to-branch
source: all
destination: all
service: all
NAT: disabled

BRANCH FIREWALL

VPN1:
incoming interface: hq-to-branch
outgoing interface: lan
source: all
destination: all
service: all
NAT: disabled

VPN2:
incoming interface: lan
outgoing interface: hq-to-branch
source: all
destination: all
service: all
NAT: disabled

My problem is that I cannot access the following VLAN subnets on the branch firewall:
10.10.20.0/24
10.10.30.0/24

Thank you in advance!


Best answer by sw2090

Either that, or leave the P2 selector at 0.0.0.0/0.0.0.0 and have routing plus policy handle the rest.

Also, on S2S you don't need to enter a gateway. The IPsec tunnel as the destination interface for the static route is enough.

Works fine here this way with various VLANs on both sides :)

2 replies

seshuganesh
Staff
Staff
June 3, 2022

Hi Team,


I could see you have added "192.168.100.0" and "192.168.50.0" as local and remote phase 2 selectors, you need to add the networks which you want to access in the local and remote phase 2 selectors.

Then you need to configure static routes for the same.

Here in your scenario, you did not define the "10.10.20.0" and "10.10.30.0" networks in the phase 2 selectors of the firewall.

You can use this article for your reference:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/281288/site-to-site-ipsec-vpn-with-two-fortigate-devices
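
As an added example (not code from the original post or from either reply), here is how the two approaches discussed in this thread look in the FortiOS CLI on the HQ side. It assumes the phase1-interface is named hq-to-branch, as in the policies above; the address-object, address-group and phase 2 entry names are assumptions. The branch side mirrors this with the local and remote subnets swapped.

```fortios
# Option A (seshuganesh's reply): name every subnet you want reachable in the
# phase 2 selectors. Address groups keep a single phase 2 entry even when the
# branch adds more VLANs later. Object names below are assumed, not from the post.
config firewall address
    edit "hq-lan"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "branch-lan"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "branch-vlan20"
        set subnet 10.10.20.0 255.255.255.0
    next
    edit "branch-vlan30"
        set subnet 10.10.30.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "branch-networks"
        set member "branch-lan" "branch-vlan20" "branch-vlan30"
    next
end
config vpn ipsec phase2-interface
    edit "hq-to-branch-p2"
        set phase1name "hq-to-branch"
        set src-addr-type name
        set src-name "hq-lan"
        set dst-addr-type name
        set dst-name "branch-networks"
    next
end

# Option B (sw2090's answer): leave the selectors at 0.0.0.0/0 and let routing
# plus firewall policy decide what crosses the tunnel. Use A or B, not both.
config vpn ipsec phase2-interface
    edit "hq-to-branch-p2"
        set phase1name "hq-to-branch"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Either way: static routes point at the tunnel interface with no gateway IP.
# Only subnets routed into the tunnel are reachable, so the VLANs need routes too.
config router static
    edit 10
        set dst 192.168.50.0 255.255.255.0
        set device "hq-to-branch"
    next
    edit 11
        set dst 10.10.20.0 255.255.255.0
        set device "hq-to-branch"
    next
    edit 12
        set dst 10.10.30.0 255.255.255.0
        set device "hq-to-branch"
    next
end
```

After applying either option, `diagnose vpn tunnel list` shows the selectors that were actually negotiated (with option A, 10.10.20.0/24 and 10.10.30.0/24 must appear there; with option B, a single 0.0.0.0/0 pair), and `get router info routing-table all` confirms the VLAN subnets are routed to hq-to-branch rather than to a public gateway address. One caveat on the branch side: the policies shown in the question only pair hq-to-branch with lan. If 10.10.20.0/24 and 10.10.30.0/24 live on separate VLAN interfaces, the branch needs policies whose outgoing (and, for the return direction, incoming) interface is each VLAN interface, otherwise option B in particular will route the traffic into the tunnel and then drop it at the policy lookup. Keeping "source: all / destination: all" on those policies is convenient for testing, but tightening them to the address objects above is the least-privilege form once the tunnel works.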

andreaable
New Member
June 3, 2022

Thanks for sharing great information.
Define the "10.10.20.0" and "10.10.30.0" networks in the phase 2 selectors of the firewall.

You can use this article for your reference:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/281288/site-to-site-ipsec-vpn-with-two-fortigate-devices
