lgupta (Staff)
Article Id 222933
Description

This article describes how to establish connectivity from hosts at Site_A to hosts at Site_C over IPsec, that is, the configuration steps required to reach Site C from Site A (or vice versa) when both sites terminate their IPsec VPN tunnels at Site B.

Site_A = 192.168.10.0/24
Site_B = 192.168.20.0/24
Site_C = 192.168.30.0/24

Scope

FortiGate.

Solution

Topology:

[Image: topology diagram, Site A and Site C each connected to Site B by an IPsec tunnel]

Prerequisites:

  • The Site A – Site B IPsec tunnel must be established and passing traffic.
  • The Site B – Site C IPsec tunnel must be established and passing traffic.

Solution

Site A configuration: reach Site C.

Here, one IPsec tunnel (A_to_B) is configured for connectivity to Site B.

  1. Add Phase 2 selectors for Site C to the A_to_B tunnel: Local = Site A and Remote = Site C.

[Image: Phase 2 selectors on the A_to_B tunnel]

  2. Create a static route for the Site C destination pointing to the A_to_B tunnel interface.

[Image: static route to Site C via the A_to_B tunnel interface]

  3. Create firewall policies between Site A and Site C for inbound and outbound traffic.

[Image: firewall policies between Site A and Site C]

 

Site B configuration: connect Site A and Site C.

Here, two IPsec tunnels are configured: one for connectivity to Site A (B_to_A) and the other for Site C (B_to_C).

Note:

No new static routes are needed; the routes to Site A and Site C are already present as part of the B_to_A and B_to_C IPsec tunnels.

  1. Add Phase 2 selectors for Site A and Site C to the B_to_A IPsec tunnel: Local = Site C and Remote = Site A.

[Image: Phase 2 selectors on the B_to_A tunnel]

  2. Add Phase 2 selectors for Site A and Site C to the B_to_C IPsec tunnel: Local = Site A and Remote = Site C.

[Image: Phase 2 selectors on the B_to_C tunnel]

  3. Create a new firewall policy that allows traffic from Site A to Site C and vice versa, using the tunnel interfaces of both IPsec tunnels configured on Site B as the incoming and outgoing interfaces, as shown in the image below.

Multiple interfaces are used in a single policy.

[Image: firewall policy on Site B with both tunnel interfaces as source and destination]

 

 

Site C configuration: reach Site A.

Here, one IPsec tunnel (C_to_B) is configured for connectivity to Site B.

  1. Add Phase 2 selectors for Site A to the C_to_B tunnel: Local = Site C and Remote = Site A.

[Image: Phase 2 selectors on the C_to_B tunnel]

  2. Create a static route for the Site A destination pointing to the C_to_B tunnel interface.

[Image: static route to Site A via the C_to_B tunnel interface]

  3. Create firewall policies between Site C and Site A for inbound and outbound traffic.

[Image: firewall policies between Site C and Site A]

 

Result: a ping from 192.168.10.2 (Site_A) to 192.168.30.2 (Site_C) now succeeds.

Useful commands for troubleshooting:

  1. Capture traffic with the debug flow:

diagnose debug flow filter addr x.x.x.x  <- Replace with the host IP, e.g. 192.168.10.2.
diagnose debug flow filter proto 1  <- Protocol 1 is ICMP (ping).
diagnose debug flow show function-name enable  <- Shows the function name in each flow line.
diagnose debug flow trace start 100  <- Traces 100 packets.
diagnose debug enable  <- Starts the debug output.

  2. Use the packet sniffer to check whether the packet leaves the FortiGate at all:

diagnose sniffer packet any "host 172.16.1.2 and host 8.8.8.8 and icmp" 4 3 l  <- The capture is filtered to two hosts and one protocol; replace the hosts with the ones under test, e.g. 192.168.10.2 and 192.168.30.2. The trailing values 4 3 l (lower-case L) mean: verbosity 4 prints packet headers with the interface name, 3 limits the capture to 3 packets, and l prints timestamps in local firewall time.

Related article:
Troubleshooting Tip: Initial troubleshooting steps for traffic blocked by FortiGate