Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
lgupta
Staff
Staff

Created on ‎09-05-2022 09:11 PM Edited on ‎09-05-2022 09:11 PM By Community Manager

Article Id 222933

Technical Tip: Configuration steps required to reach Site C from Site A or vice versa when both sites terminate IPSEC VPN at site B

Description

 

This article describes how to establish connectivity from Hosts of Site_A to Hosts of Site_C using IPsec Tunnel,

 

OR

 

Configuration steps required to reach Site C from Site A or vice versa when both sites terminate IPsec VPN at site B.

 

Site_A = 192.168.10.0/24

Site_B = 192.168.20.0/24

Site_C = 192.168.30.0/24

 

Scope

 

FortiGate.

 

Solution

 

Topology:

lgupta_0-1662435473984.png

 

Prerequisites:

 

- Site A – Site B IPsec Tunnel should be established and working fine.

- Site B – Site C IPsec Tunnel should be established and working fine.

 

Solution.

 

Site A configuration: reach Site C.

Here, there is one IPsec tunnel configured for connectivity to Site B (A_to_B).

 

1) Add Phase 2 Selectors for Site C in that A_to_B tunnel. Local = Site A and Remote = Site C.

 

lgupta_1-1662435518698.png

 

2) Create a Static Route for Site C destination to enter the A_to_B Tunnel Interface.

 

lgupta_2-1662435518700.png

 

3) Create a Firewall Policies for Site A and Site C for Inbound and outbound traffic.

 

lgupta_3-1662435518701.png

 

Site B configuration:  connect Site A and Site C.

Here, there are two IPsec tunnels configured. One for connectivity to Site A (B_to_A) and other for Site C (B_to_C).

 

Note.

No need to configure new Static Routes as there are already present as a part of B_to_A and B_to_C IPsec tunnels.

 

1) Add Phase 2 Selectors for Site A and Site C in B_to_A IPsec tunnel. Local = Site C and Remote = Site A.

 

lgupta_4-1662435518702.png

 

2) Add Phase 2 Selectors for Site A and Site C in B_to_C IPsec tunnel. Local = Site A and Remote = Site C.

lgupta_5-1662435518702.png

 

3) Create a new Firewall Policy which allows traffic from Site A to Site C and reverse, using the Incoming and Outgoing port as Tunnel Interfaces of both IPsec tunnel configured on Site B as shown in the image below.

 

The multiple interfaces have been used in one policy.

 

lgupta_6-1662435518704.png

 

 

Site C configuration: reach Site A.

Here, there is one IPsec tunnel configured for connectivity to Site B (C_to_B).

 

1) Add Phase 2 Selectors for Site A in that C_to_B tunnel. Local = Site C and Remote = Site A.

 

lgupta_7-1662435518704.png

 

2) Create a static route for Site A destination to enter the C_to_B tunnel interface.

 

lgupta_8-1662435518705.png

 

3) Create a firewall policies for Site C and Site A for Inbound and Outbound Traffic.

 

lgupta_9-1662435518707.png

 

Result:  Ping from 192.168.10.2 (Site_A) to 192.168.30.2 (Site_C) and it will work.

Labels:
1318
0 Kudos
Suggest New Article
Article Feedback
Contributors
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.