DrKranio
New Member
January 24, 2025
Question

[Solved] Configuration advice for routing through two FortiGates connected via IPsec

  • January 24, 2025
  • 1 reply
  • 1672 views

Good morning everyone, I can't quite 'unravel' a configuration and I'm asking whether any of you can give me some advice.

A host on network 10.0.0.0/24 pings a host on network 192.168.0.0/24.

[Image: Screenshot 2025-01-24 alle 16.23.36.png (network topology)]

All IPsec tunnels between the three firewalls are configured and working.

I can only configure the first two firewalls (from left to right).
I have tried adding static routes, adding the 192.168.0.0 network to the VPN tunnels and also to the policies, but I still cannot reach host 192.168.0.20 from 10.0.0.20.

Thanks a lot.

1 reply

ebilcari
Staff
January 24, 2025

If you can't manage the 3rd firewall it may not be possible to route the traffic end to end. If an existing subnet on the 1st or 2nd firewall is able to reach 192.168.0.20, and if the requirement is to allow traffic initiated from 10.0.0.20, you can source NAT this traffic with one of those subnets. It is not an ideal solution, but it's a workaround if you can't make changes on the 3rd firewall.

Emirjon
DrKranio (Author)
New Member
January 24, 2025

I misunderstood because it is complicated for me to do so. From firewall 2 to firewall 3 there is already an IPsec tunnel, and I can ask the manager to make changes if needed. The networks on firewall 2, for example 10.0.2.0/24, already ping the network 192.168.0.0/24; I would need them to also ping it from firewall 1 through firewall 2.

dingjerry_FTNT
Staff
January 24, 2025

Hi @DrKranio ,

1) You need to ensure that the Ping traffic from the 10.0.0.0/24 network hits the FGT2.

2) You need to ensure that the Ping traffic enters into the IPSec VPN tunnel on the FGT2.

3) I assume that you are using a Route-based (AKA Interface-based) IPSec VPN. So we can confirm the above with this command on FGT2 while pinging 192.168.0.20:

diag sniffer packet any 'icmp and host 192.168.0.20' 4

We are supposed to see the Ping packets coming out of the Left VPN tunnel and entering the Right VPN tunnel.

If you can't see the Ping packets coming out, go back to FGT1 and run the same command to check the Ping flow.

If you see the Ping packets entering the Right VPN tunnel, it is up to the FGT3 admin to allow the Ping traffic.
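As an added illustration (not from the thread, and not an official Fortinet configuration), here is what steps 1 and 2 look like as FortiOS CLI on FGT2 for a route-based tunnel-to-tunnel transit, assuming the two tunnel interfaces are named "to-FGT1" (left) and "to-FGT3" (right) and the address objects are created here. FGT1 needs the mirror-image route, Phase 2 selector and policy, and FGT3 must accept 10.0.0.0/24 in its own selector and policy; the "#" lines are annotations, not CLI input.

```fortios
# Assumed names (not from the thread): tunnel interfaces "to-FGT1" (left) and "to-FGT3" (right).
config firewall address
    edit "net-10.0.0.0"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "net-192.168.0.0"
        set subnet 192.168.0.0 255.255.255.0
    next
end
# Step 1/2: this route makes 192.168.0.0/24 leave FGT2 through the right tunnel interface.
config router static
    edit 0
        set dst 192.168.0.0 255.255.255.0
        set device "to-FGT3"
    next
end
# Phase 2 selectors must cover the end-to-end pair on BOTH tunnels, otherwise no SA exists
# for 10.0.0.0/24 <-> 192.168.0.0/24 (FGT1 and FGT3 must mirror their side of each selector).
config vpn ipsec phase2-interface
    edit "to-FGT1-p2-transit"
        set phase1name "to-FGT1"
        set src-subnet 192.168.0.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
    edit "to-FGT3-p2-transit"
        set phase1name "to-FGT3"
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 192.168.0.0 255.255.255.0
    next
end
# A tunnel-to-tunnel policy; without it FGT2 silently drops the packet between the two VPN interfaces.
config firewall policy
    edit 0
        set name "FGT1-net-to-FGT3-net"
        set srcintf "to-FGT1"
        set dstintf "to-FGT3"
        set srcaddr "net-10.0.0.0"
        set dstaddr "net-192.168.0.0"
        set action accept
        set schedule "always"
        set service "PING"
    next
end
# Verification: the sniffer from the reply above, plus debug flow to see which route and policy
# the ICMP packet actually matches (or the drop reason if it matches none).
diagnose sniffer packet any 'icmp and host 192.168.0.20' 4
diagnose debug flow filter addr 192.168.0.20
diagnose debug flow trace start 10
diagnose debug enable
```

Run "diagnose debug disable" when finished, since the flow trace is verbose on a busy firewall.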