- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- 3 Sites via IPSEC VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 Sites via IPSEC VPN
Hello,
I would like to ask some advise and recommendations as well with our Site-to-Site IPSEC VPN.
Below are the scenarios. Please refer on the attached diagram.
We have an existing Site-to-Site IPSEC which is Site A going to Site C. Since we are expanding our site, we are creating a new site which is site B. The problem is, it has the same IP segment, 192.168.18.xx.
[strike]Also, our main goal is to be able to communicate site A and site B without changing the IP Networks on both sites. Meaning, we will use 192.168.18.xxx on both sites. Is it possible?[/strike] Already achieved this goal.
Next, let's say we were able to achieve our main goal above. [strike]Our next goal is to be able to communicate site B to site C without changing configurations on site A to site C which is our existing site-to-site IPSEC.[/strike] Mission complete. :D
Thank You.
Solved! Go to Solution.
Labels:
- Labels:
-
4.0MR3
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11 REPLIES 11
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking at your diagram, it's not the same subnet on site A and site B, because of the subnet mask /27. So you don't have any issues at all, otherwise you could use a link network with a different IP range, like this:
Site A: 192.168.18.0 -> NAT to -> 192.168.19.0
Site B: 192.168.18.0 -> NAT to -> 192.168.20.0
If you want to connect from site Site A to Site B for example, you would use the 192.168.20.0 destination address
Edit: There are several articles on the KB, here is one example with overlapping subnets and site to site VPN:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oheigl wrote:Hello, We were able to communicate the PC1 and PC2 on Site A and Site B through IPSEC. Now, our next problem is how to be able to communicate the PC2 in Site B to the server farm through Site A and Site C.Looking at your diagram, it's not the same subnet on site A and site B, because of the subnet mask /27. So you don't have any issues at all, otherwise you could use a link network with a different IP range, like this:
Site A: 192.168.18.0 -> NAT to -> 192.168.19.0
Site B: 192.168.18.0 -> NAT to -> 192.168.20.0
If you want to connect from site Site A to Site B for example, you would use the 192.168.20.0 destination address
Edit: There are several articles on the KB, here is one example with overlapping subnets and site to site VPN:
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you checked the routing and policies? Site C FortiGate needs a route through Site A for the local network in Site B. The easiest way to find out where the packets are not forwarded correctly is to start an endless ping on PC2:
ping <serverfarmip> -t
After that, start the following command on all FortiGates, and see on which FortiGate the ping is not being forwarded (no out interface):
diag sniffer packet any 'host <PC2ip> and host <Serverfarmip>' 4 0 1
You should always see one entry for the incoming packet, and one entry for the outgoing forwarded packet. If there is no out entry, check the policy and routing settings on this unit. If it's still not working, post the sniffer logs and maybe routing tables and so on, so we can figure out what's wrong
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oheigl wrote:Haven't set up the routing and policy yet on Site B to Site C since we are looking on how can we route it on the second firewall on site A (the one who has IP 10.10.10.2). Since Site A and Site C has an existing route and able to communicate from PC1 of site A to Server Farm on Site C. For now below are working.Have you checked the routing and policies? Site C FortiGate needs a route through Site A for the local network in Site B. The easiest way to find out where the packets are not forwarded correctly is to start an endless ping on PC2:
ping <serverfarmip> -t
After that, start the following command on all FortiGates, and see on which FortiGate the ping is not being forwarded (no out interface):
diag sniffer packet any 'host <PC2ip> and host <Serverfarmip>' 4 0 1
You should always see one entry for the incoming packet, and one entry for the outgoing forwarded packet. If there is no out entry, check the policy and routing settings on this unit. If it's still not working, post the sniffer logs and maybe routing tables and so on, so we can figure out what's wrong
Site A (second firewall with IP 10.10.10.1) to Site C (with IP 10.10.10.2) via IPSEC
Site B to Site A (first firewall with IP 10.10.10.5 and 10.10.10.1) via IPSEC Remaining is Site B to Site C passing through the first Firewall of Site A via IPSEC then passing to the second Firewall of Site A, then passing through the Site C firewall via IPSEC.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Okay, so you need the following routes:
Firewall 2: 192.168.18.32/27 via 10.10.10.1
Firewall 4: 192.168.18.32/27 via IPsec
and the corresponding policies
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oheigl wrote:Firewall 2: 192.168.18.32/27 via 10.10.10.1Okay, so you need the following routes:
Firewall 2: 192.168.18.32/27 via 10.10.10.1
Firewall 4: 192.168.18.32/27 via IPsec
and the corresponding policies
-> We already have that in Firewall 2.
Question: How can PC2 pass through Firewall 2 and Firewall 3?
Existing Route: (PC2 to PC 1) Firewall 3: 192.168.18.0/27 via 10.10.10.5 (IPSEC)
Firewall 1: 192.168.18.32/27 via 10.10.10.6 (IPSEC)
Existing Route: (PC1 to Server Farm) Firewall 2: 192.168.18.0/27 via 10.10.10.1 (Point to Point - not IPSEC) Firewall 1: 192.168.18.0/27 (Policy Route) via 10.10.10.2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
On Firewall 3, do you have a route for the server farm network? It would be easier if you could post every routing configuration from all your FortiGates, like this:
show router static
Otherwise we will message back and forward 10x 
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
oheigl wrote:I haven't started any config yet for our last goal which is to communicate PC2 going to Server Farm.On Firewall 3, do you have a route for the server farm network? It would be easier if you could post every routing configuration from all your FortiGates, like this:
show router static
Otherwise we will message back and forward 10x
I'm not sure what or who will I route from Firewall 3. As you requested, please see our static routing on the attached file.
Above is from Firewall 2 and the bottom is from Firewall 1.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
None of the above is relevant unless the routes are configured in interface mode. If you're using policy based VPNs (type IPSec), stop here.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Related Posts
- Way to see Destination IP behind... 89 Views
- VXLAN, Virtual Switch and MTU 74 Views
- IPSec tunnel error : no SA... 138 Views
- Does anyone know a tool/site to... 96 Views
- SD-WAN IPSec Main Backup tunnels with... 124 Views
Labels
-
FortiGate
6,527 -
FortiClient
1,302 -
5.2
801 -
5.4
639 -
FortiManager
563 -
6.0
416 -
FortiAnalyzer
414 -
5.6
362 -
FortiSwitch
333 -
FortiAP
333 -
FortiClient EMS
263 -
6.2
251 -
FortiMail
242 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
150 -
6.4
128 -
FortiNAC
106 -
FortiGuard
102 -
FortiSIEM
88 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
69 -
Customer Service
69 -
4.0MR3
64 -
SSL-VPN
59 -
Wireless Controller
58 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
24 -
FortiConnect
23 -
FortiWAN
22 -
Firewall policy
22 -
FortiConverter
21 -
High Availability
20 -
VLAN
19 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
SAML
12 -
BGP
12 -
Routing
12 -
FortiAuthenticator
12 -
FortiCASB
12 -
Interface
11 -
Logging
11 -
FortiGate v5.0
10 -
LDAP
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
Virtual IP
9 -
NAT
9 -
4.0MR2
9 -
RADIUS
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
SSL SSH inspection
6 -
Security profile
6 -
Authentication
6 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
Traffic shaping policy
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
IPS signature
3 -
packet capture
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
Intrusion prevention
3 -
Automation
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
FortiDeceptor
2 -
FortiInsight
2 -
NAC policy
2 -
VoIP profile
2 -
Antivirus profile
2 -
Web profile
2 -
Traffic shaping profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Fortinet Engage Partner Program
2 -
trunk
2 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
FortiPAM
1 -
Application signature
1 -
Multicast routing
1 -
Authentication rule and scheme
1 -
Zone
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.