Storyteller
New Member
June 25, 2020
Question

Theoretical problem about IPSEC (Can IPSEC have transitive property?)

  • June 25, 2020
  • 2 replies
  • 5709 views

This is the problem.

Site A (10.0.0.0/24) ------ VPN IP SEC -----> Site B (192.168.0.0/24) ----- VPN IP SEC -----> Site C (192.168.10.0/24)

Can Site A reach Site C via Site B without direct StS connection?

I was able to do it with the clients: my VPN clients can reach the IPsec VPN set up on my FortiGate (from home to our customer company networks).

CtS -> StS OK!

StS -> StS ???

Regards,

Graziano.

    2 replies

    ede_pfau
    SuperUser
    June 25, 2020

    Yes, why not?

    If traffic traverses the first VPN tunnel, it's traffic on site A like any other. Further destinations are found via routing. As long as you supply routes to distant networks (that is, networks behind the next hop firewall) this will work.

    Of course, as firewalls are "security aware" routers, you need appropriate policies in addition.

    emnoc
    New Member
    June 25, 2020

    Also, to add: you need a phase 2 SA for that destination if you're not doing quad 0s (0.0.0.0/0:0).

    Ken Felix

    ede_pfau
    SuperUser
    June 28, 2020

    Absolutely, I recommend using the wildcard (quad 0) in this case. Much less effort then.

    Andreas_H
    New Member
    June 29, 2020

    As long as you set a route on Site A that Site C (192.168.10.0/24) is behind the remote interface of Site B, it should work. Be sure to also set a route for Site A on Site C.

    This is under the assumption that the following routes are already set up:

      • Site A to Site B and vice-versa
      • Site B to Site C and vice-versa
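    As an added illustration of what the replies above describe (the phase 2 selectors, the route for the distant network and the tunnel-to-tunnel policy on the hub), here is a FortiOS CLI sketch for the three sites; it is not taken from any of the posts, and the tunnel interface names `to_siteA`, `to_siteB`, `to_siteC` are assumed. Site C mirrors Site A with the subnets swapped.

```fortios
# --- Site A (spoke): reach 192.168.10.0/24 through the existing tunnel to Site B ---
# Phase 2 selector covering the distant network. With quad-0 selectors
# (src/dst 0.0.0.0 0.0.0.0, the FortiOS default) this entry is not needed.
config vpn ipsec phase2-interface
    edit "A_to_C_via_B"                      # constructed name
        set phase1name "to_siteB"            # assumed phase 1 / tunnel name
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
# Route for Site C's network pointing into the tunnel towards Site B.
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "to_siteB"
    next
end

# --- Site B (hub): selectors on BOTH tunnels, plus a policy that lets traffic
# arriving from one tunnel leave through the other. Routes for 10.0.0.0/24
# (via to_siteA) and 192.168.10.0/24 (via to_siteC) are assumed to exist.
config vpn ipsec phase2-interface
    edit "B_hub_A_side"                      # local = Site C net, remote = Site A net
        set phase1name "to_siteA"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
    edit "B_hub_C_side"                      # local = Site A net, remote = Site C net
        set phase1name "to_siteC"
        set src-subnet 10.0.0.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
# Tunnel-to-tunnel transit policy; add the reverse (to_siteC -> to_siteA) too.
# In production, replace "all" with address objects for the two subnets.
config firewall policy
    edit 0
        set name "siteA_to_siteC_transit"
        set srcintf "to_siteA"
        set dstintf "to_siteC"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

    Without the hub-side selectors the packets are routed into the second tunnel but dropped for lack of a matching phase 2 SA, which is the case emnoc's reply points out.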
    lunhas2k4
    Explorer II
    June 29, 2020

    Just to add to the list of great answers.

    It is 100% doable, as already mentioned, taking the precautions mentioned before.

    There are recent versions of FortiOS that allow you to do ADVPN (not sure if that is the right acronym), basically allowing VPNs to be formed automatically between sites, without having the need to backhaul the traffic on Site B.

    Give that a try as well.