Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Vigorus
New Contributor

Adding a new FortiGate firewall to an existing IPsec VPN connection.

Hi guys

Need your help, we have an existing IPsec VPN tunnels (cisco) between our main office and our branches (hub and spokes) Several days ago we acquired a new FortiGate 301E. Initially, we would like to just forward a web traffic through it. With the main office, I achieve this without problems both devices are in the same subnet. But I could not do the same with branches despite the fact that I forwarded all web traffic to a FortiGate local IP address.

18 REPLIES 18
ede_pfau
Esteemed Contributor III

It would greatly help if you could put up a diagram showing sites and subnets.

 

Generally, the FGT needs to know the route to a remote subnet or it will silently drop traffic from there. This is easy to overlook as traffic comes in OK (the remote router has a matching route), but traffic will die on it's way through the FGT. Make sure you have valid routes for all remote spoke subnets on the FGT.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Vigorus

Hi, ede_pfau. Thanks for so prompt response. Yeap sure. I added a general topology.

ede_pfau
Esteemed Contributor III

The FGT needs to have a port in the 20.20.2.0/24 subnet (which isn't shown in your diagram). And a route to '20.20.2.0/24' via this port and gw 20.20.2.2.

As a rule: the gw needs to be within a local subnet. One subnet per port (or VLAN).


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Vigorus
New Contributor

Thanks for the reply. Forgot to mention that we use PBR to forward all web traffic from one local subnet to another. In this scenario, I used PBR to forward all web traffic from 20.20.2.2 to 20.20.1.200 through VPN tunnel.

ede_pfau
Esteemed Contributor III

OK, still, the FGT needs to "know" where that traffic is coming in through, so it needs a static route back. Otherwise, if there is no route to traffic with a specific source address the FGT will silently drop the traffic.

 

The 'route of last resort' a.k.a. default route usually points to the WAN interface. If traffic from 20.20.2.2 is not coming in through that interface (like in your case, it's coming in on the tunnel interface) then the default route does not apply - hence traffic is dropped.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Vigorus

You're right. I've already added a static route on FortiGate(all traffic destined to 20.20.2.0 it forwards to 20.20.1.2), and I can ping from one side (20.20.2.2) to another(20.20.1.200) and vice versa. The issue is that I can't make it work, I don't see any traffic on FGT from 20.20.2.2 despite the fact that I've already forward all traffic to it and add a filter to accept any packet from any source.

ede_pfau
Esteemed Contributor III

If you can ping then only from .2.2 to .1.2 (what is .1.200?) because that is not restricted "web only".

About the FGT, which address does it have in the .2.0 network?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Vigorus

1.200 is an FGT Local address. My bad, forgot to mention in the diagram that I am planning to forward all web traffic from 2.2 to FGT which is on a different subnet, how can I achieve that, right now I am forwarding all web traffic from 1.2 to 1.200, I would like to do the same with 2.2 . Do I need to create a Virtual interface on FGT for it to be able to receive traffic from 2.2 ?

Vigorus

ede_pfau wrote:

About the FGT, which address does it have in the .2.0 network?

Right now we don't have any.

 

1.200 is an FGT Local address. My bad, forgot to mention in the diagram that I am planning to forward all web traffic from 2.2 to FGT which is on a different subnet, how can I achieve that, right now I am forwarding all web traffic from 1.2 to 1.200, I would like to do the same with 2.2 . Do I need to create a Virtual interface on FGT for it to be able to receive traffic from 2.2 ?