rsondal (Staff)
Article Id: 372893
Description: This article describes in detail how to configure, in the GUI, traffic flow between three FortiGates.
Scope: FortiGate.
Solution:
  1. The three FortiGates in this example are Glendale (A), Moon (B), and Iron (C).
  2. The tunnels from Glendale to Moon (A<->B) and from Glendale to Iron (A<->C) are already working.

Glendale IPsec tunnels:

1.JPG

Moon IPsec tunnel:

2.JPG

Iron IPsec tunnel:

3.JPG

  3. The desired outcome is to have all of the traffic from Moon to Iron and Iron to Moon (B<->C) pass through Glendale only.

14.JPG

  4. To configure this scenario, follow the images below, which show what the phase 2 selectors, static routes, and policies should look like on each FortiGate.
  5. The phase 2 selectors on each FortiGate should look like the following.

On the Glendale FortiGate (A), create an Iron to Moon phase 2 selector under the Glendale to Moon IPsec tunnel, and a Moon to Iron phase 2 selector under the Glendale to Iron IPsec tunnel.

16.JPG

15.JPG

On the Moon FortiGate (B), create a To Iron phase 2 selector under the Moon to Glendale IPsec tunnel.

17.JPG

On the Iron FortiGate (C), create a To Moon phase 2 selector under the Iron to Glendale IPsec tunnel.

18.JPG

  6. The static route on each FortiGate should look like the following.

On the Glendale FortiGate (A), there is no need to add any static route, as the routes to Iron (C) and to Moon (B) are already there.

19.JPG

On the Moon FortiGate (B), it is only necessary to add one route for the Iron (C) destination IP through the Glendale tunnel.

20.JPG

On the Iron FortiGate (C), it is only necessary to add one route for the Moon (B) destination IP through the Glendale tunnel.

21.JPG

  7. The policies on each FortiGate should look like the following.

On the Glendale FortiGate (A), it is only necessary to add two policies: one from Iron to Moon (C->B), and another one from Moon to Iron (B->C).

22.JPG

On the Moon FortiGate (B), it is only necessary to add two policies: one towards Iron (C), and a second in reverse.

23.JPG

On the Iron FortiGate (C), it is only necessary to add two policies: one towards Moon (B), and a second in reverse.

24.JPG

  8. This setup will pass traffic from Moon to Iron and Iron to Moon (B<->C) through Glendale only.
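
The CLI equivalent of the hub (Glendale) side of the steps above, as an added example that is not part of the article: the two extra phase 2 selectors, the address objects, and the two tunnel-to-tunnel policies, with no static route because the hub already routes to both spokes. The subnets 10.2.0.0/24 (Moon LAN) and 10.3.0.0/24 (Iron LAN), the tunnel names to_Moon and to_Iron, and the object names are constructed placeholders; use the values visible in the screenshots above.

```fortios
# Added example: hub (Glendale, A) config. Placeholder subnets and names, not from the article:
#   Moon LAN 10.2.0.0/24, Iron LAN 10.3.0.0/24; existing phase1-interface tunnels "to_Moon", "to_Iron".
config firewall address
    edit "Moon_LAN"
        set subnet 10.2.0.0 255.255.255.0
    next
    edit "Iron_LAN"
        set subnet 10.3.0.0 255.255.255.0
    next
end
# Extra phase 2 selectors: each spoke's tunnel must also carry the other spoke's LAN.
config vpn ipsec phase2-interface
    edit "Iron_to_Moon"
        set phase1name "to_Moon"
        set src-subnet 10.3.0.0 255.255.255.0
        set dst-subnet 10.2.0.0 255.255.255.0
    next
    edit "Moon_to_Iron"
        set phase1name "to_Iron"
        set src-subnet 10.2.0.0 255.255.255.0
        set dst-subnet 10.3.0.0 255.255.255.0
    next
end
# Tunnel-to-tunnel policies, one per direction. No static route: the hub already routes to both spokes.
config firewall policy
    edit 0
        set name "Iron_to_Moon"
        set srcintf "to_Iron"
        set dstintf "to_Moon"
        set srcaddr "Iron_LAN"
        set dstaddr "Moon_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Moon_to_Iron"
        set srcintf "to_Moon"
        set dstintf "to_Iron"
        set srcaddr "Moon_LAN"
        set dstaddr "Iron_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Each spoke is the mirror image: one selector under its Glendale tunnel, one static route for the remote LAN via that tunnel, and a policy pair between its LAN interface and the tunnel. Keep the srcaddr/dstaddr pairs narrow rather than using all, so only the two remote LANs are relayed through the hub.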

 

To establish communication between the three sites through an IPsec tunnel, see Technical Tip: Configuration steps required to reach Site C from Site A or vice versa when both site....