Cybersecurity Forum


slispd
New Contributor

VPN IPSEC Routing

Hello,

I need help with routing between 3 FortiGates.

I have 3 FortiGates: A, B and C.

On FortiGate A I have the internal network 10.0.10.0/24
On FortiGate B I have the internal network 10.0.20.0/24
On FortiGate C I have the internal network 10.0.30.0/24

FortiGate B has an IPsec VPN with A and with C.
From network 10.0.20 I can reach networks 10.0.10 and 10.0.30, but I need network 10.0.10 to reach network 10.0.30, passing through FortiGate B.
Making a VPN between A and C is not an option.

How to do this?

Thanks.

------------------------------
Rodrigo
------------------------------
1 Solution
DeepKuma2
Contributor

Hi, I hope VPNs are already configured between the devices, A to B and B to C. And as per your post, a VPN between A and C is not possible. No issue:

FortiGate A changes:
Add the FortiGate C subnet to the existing VPN (A to B) Phase 2 configuration as a destination network, add a route, and add the subnet to the firewall policy as well.

FortiGate B changes:
Add the FortiGate C subnet to the existing VPN (A to B) Phase 2 configuration as a source network, and add the subnet to the firewall policy as well.
Add the FortiGate A subnet to the existing VPN (B to C) Phase 2 configuration as a source network, and add the subnet to the firewall policy as well.

Add a first new firewall policy to route traffic VPN to VPN (source network: site A subnet, destination network: site C subnet).
Add a second new firewall policy to route traffic VPN to VPN (source network: site C subnet, destination network: site A subnet).

FortiGate C changes:
Add the FortiGate A subnet to the existing VPN (B to C) Phase 2 configuration as a destination network, add a route, and add the subnet to the firewall policy as well.

I hope it will work without any issue. 


------------------------------
Deepak Kumar
First Option General Trading LLC
Dubai
------------------------------
2 REPLIES
justinpowell_FTNT

Rodrigo,
This would be as simple as making sure the VPNs are route-based instead of policy-based and then installing the proper routes in each device. Then you'll want to make sure that there is a policy to allow the traffic to flow.

Your routes should have a next-hop of the appropriate VPN tunnel. 

Your policy should reference the same VPN tunnels.

------------------------------
Justin
------------------------------
-------------------------------------------
Original Message:
Sent: 02-17-2019 09:00
From: Rodrigo José Petre�a
Subject: VPN IPSEC Routing
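Both replies above describe the same change set: a static route for the far subnet pointing at the tunnel interface, a firewall policy that references that tunnel (and, on the hub, one tunnel-to-tunnel policy per direction), and, where the phase 2 selectors are not the default 0.0.0.0/0, a mirrored selector on each end of each tunnel. The FortiOS CLI below is an added example, not configuration posted by either replier. It assumes route-based (phase1-interface) tunnels already exist; the LAN interface name, tunnel names and address-object names are assumptions, and the subnets are the ones from the question.

```fortios
# Added example: transit between site A (10.0.10.0/24) and site C (10.0.30.0/24)
# through hub B over route-based (phase1-interface) tunnels that already exist.
# Assumed names, not from the thread: LAN port "internal"; tunnel "to-B" on A
# and C; tunnels "to-A" and "to-C" on B; address objects "net-A" (10.0.10.0/24)
# and "net-C" (10.0.30.0/24) created on every device under config firewall address.

# ===== FortiGate A =====
# Extra phase 2 selector for A<->C on the A-B tunnel. Needed only when the
# tunnel's selectors were narrowed; the default 0.0.0.0/0 selector already
# covers it. The peer (B) must carry the mirror-image selector, see below.
config vpn ipsec phase2-interface
    edit "to-B-netC"
        set phase1name "to-B"
        set src-subnet 10.0.10.0 255.255.255.0
        set dst-subnet 10.0.30.0 255.255.255.0
    next
end
# Route: site C is reached through the tunnel interface, not the default route.
config router static
    edit 0
        set dst 10.0.30.0 255.255.255.0
        set device "to-B"
    next
end
# Policies in both directions, scoped to the two subnets rather than "all".
config firewall policy
    edit 0
        set name "A-lan-to-siteC"
        set srcintf "internal"
        set dstintf "to-B"
        set srcaddr "net-A"
        set dstaddr "net-C"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "siteC-to-A-lan"
        set srcintf "to-B"
        set dstintf "internal"
        set srcaddr "net-C"
        set dstaddr "net-A"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== FortiGate B (hub) =====
# Mirror selectors: B's view of each tunnel is the reverse of the spoke's.
config vpn ipsec phase2-interface
    edit "to-A-netC"
        set phase1name "to-A"
        set src-subnet 10.0.30.0 255.255.255.0
        set dst-subnet 10.0.10.0 255.255.255.0
    next
    edit "to-C-netA"
        set phase1name "to-C"
        set src-subnet 10.0.10.0 255.255.255.0
        set dst-subnet 10.0.30.0 255.255.255.0
    next
end
# Routes 10.0.10.0/24 -> to-A and 10.0.30.0/24 -> to-C already exist on B.
# The tunnel-to-tunnel policies are what permit the transit; without them the
# hub drops A<->C traffic even though it holds routes for both subnets.
config firewall policy
    edit 0
        set name "siteA-to-siteC"
        set srcintf "to-A"
        set dstintf "to-C"
        set srcaddr "net-A"
        set dstaddr "net-C"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "siteC-to-siteA"
        set srcintf "to-C"
        set dstintf "to-A"
        set srcaddr "net-C"
        set dstaddr "net-A"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== FortiGate C =====
# Mirror of the FortiGate A block: selector "to-B-netA" with src 10.0.30.0/24
# and dst 10.0.10.0/24, static route 10.0.10.0/24 via device "to-B", and the
# two policies with net-A and net-C swapped.
```

FortiOS evaluates policies top-down, so place the transit policies above any broader tunnel policy that would otherwise match first. Check the result with `get router info routing-table all` on each device (the far subnet must show the tunnel as its interface), `diagnose vpn tunnel list` (the new selectors appear as separate child SAs once traffic brings them up), and `diagnose debug flow` on B with a filter for a site C address while pinging from site A, which shows which policy the hub matched or why it dropped the packet. Because B becomes the choke point between the two sites, keep the hub policies limited to the exact subnets and, where possible, narrower services than ALL.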