Site to Site VPN: Can I put 2 LANs network behind one firewall

Question

Hi Expert,I was able to created Site to Site VPN between Fortigate 100D with Checkpoint firewall appliance last week and it works fine. The Setup is just straight forward, like this: SiteA-LAN1--->Fortigate 100D<=====> CheckPoint3200<------SiteB-LAN1 Site A office has more than 1 local network, it linked to another port on Fortigate 100D, and the fortigate 100D only has one WAN connection. Now it requested SiteA office LAN2 also need ride on this VPN to talk to Site B LAN1, i modify the VPN settings by add SiteA-LAN2 at fortigate site, I also reflect the changes on checkpoint site, however it not working, I can not ping SiteA-LAN2 from SiteB office, however the old VPN network is not impacted. (That means I can still pint SiteA-LAN1 from Site B office)So I would like to ask if such setup is supported by fortigate and is there any else configuration I might miss? Many thanks in advanced Shermaine

Toshi_Esumi · Answer

First, you need to verify if FGT is dropping it, if not Checkpoing must be dropping it.

To do that, you need to sniff traffic into the tunnel interface after enabling "auto-asic-offload" at the pair of policies you must have (even if your FGT model doesn't have ASIC chip it might be required to see traffic).

You can find many articles how to sniff on the internet.

Then if not going into the tunnel, you need to check why the FGT is dropping it by running "flow debug". This flow debug also be foundable on the internet in addition to this forum.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded