Support Forum
Vigorus
New Contributor

Adding a new FortiGate firewall to an existing IPsec VPN connection.

Hi guys

Need your help. We have existing IPsec VPN tunnels (Cisco) between our main office and our branches (hub and spokes). Several days ago we acquired a new FortiGate 301E. Initially, we would just like to forward web traffic through it. With the main office I achieved this without problems; both devices are in the same subnet. But I could not do the same with the branches, despite the fact that I forwarded all web traffic to a FortiGate local IP address.

18 Replies
ede_pfau
Esteemed Contributor III

Not a virtual interface but just an interface. If you terminate on the same interface to which you redirect traffic from .1.x just use a secondary IP address from the .2.x subnet. Otherwise, how would the left-most Cisco know where to send the redirected traffic?

I really wonder how you are able to see pings going through. The VPN would be the only way for this. You should see it stopping if you deny PING on one of the VPN policies...


Ede

"Kernel panic: Aiee, killing interrupt handler!"
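Ede's suggestion (a secondary address on the interface the redirected traffic lands on, plus a route back to the spokes) written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet. The interface name port1, the primary address 10.10.1.1/24, the secondary address 10.10.2.254/24, the branch aggregate 20.20.0.0/16 and the Cisco next hop 10.10.1.2 are assumptions loosely modelled on the addresses mentioned in the thread; substitute the real ones. One check worth knowing: a FortiGate secondary IP carries its own allowaccess list, which is empty by default, so ICMP to the secondary address is dropped by the FortiGate itself until ping is allowed on that entry, and that looks exactly like a routing problem from the Cisco side.

```fortios
# Added example (not from the thread). Assumed values: LAN interface port1 with
# primary address 10.10.1.1/24, secondary address 10.10.2.254/24 as the redirect
# target, branch (spoke) networks 20.20.0.0/16 reachable via the Cisco hub 10.10.1.2.
config system interface
    edit "port1"
        set ip 10.10.1.1 255.255.255.0
        set allowaccess ping https ssh
        # Secondary addresses have their own allowaccess list (default: none).
        # Without "ping" here the FortiGate silently drops echo requests sent to
        # 10.10.2.254, even though routing and policies may be perfectly fine.
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 10.10.2.254 255.255.255.0
                set allowaccess ping
            next
        end
    next
end

# Return route for the spoke networks. The FortiGate only knows 10.10.1.0/24 and
# 10.10.2.0/24 as connected networks; without this route replies to 20.20.x.x have
# no next hop, and the reverse-path check drops spoke-sourced packets arriving on
# port1 in the first place.
config router static
    edit 0
        set dst 20.20.0.0 255.255.0.0
        set gateway 10.10.1.2
        set device "port1"
    next
end

# Verification from the FortiGate side: routing table, all interface addresses
# (secondary included), then a ping sourced from the secondary address so the
# reply has to come back to it.
get router info routing-table all
diagnose ip address list
execute ping-options source 10.10.2.254
execute ping 20.20.1.1
```

If the sourced ping works but the spoke still cannot reach 10.10.2.254, the remaining suspects are the Cisco hub (a route for 10.10.2.0/24 pointing at the FortiGate's primary address, and the crypto map or ACL on the tunnel including 10.10.2.0/24) rather than the FortiGate.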
Vigorus

ede_pfau wrote:

Not a virtual interface but just an interface. If you terminate on the same interface to which you redirect traffic from .1.x just use a secondary IP address from the .2.x subnet. Otherwise, how would the left-most Cisco know where to send the redirected traffic?

I really wonder how you are able to see pings going through. The VPN would be the only way for this. You should see it stopping if you deny PING on one of the VPN policies...

The main office and the Cisco are on the same subnet. After I added a static route to the FGT which says to route all traffic destined to 20.20.0.0 through the gateway 10.10.1.2, I was able to ping the FGT from the 2.2 router. Now, following your advice to add a secondary address on my local interface, I did that and also added new static routes on both routers so they learn about this new address on the FGT. Unfortunately, no reaction, no ping.

Vigorus

Vigorus wrote:

The main office and the Cisco are on the same subnet. After I added a static route to the FGT which says to route all traffic destined to 20.20.0.0 through the gateway 10.10.1.2, I was able to ping the FGT from the 2.2 router. Now, following your advice to add a secondary address on my local interface, I did that and also added new static routes on both routers so they learn about this new address on the FGT. Unfortunately, no reaction, no ping.

Ede, any idea?

ede_pfau
Esteemed Contributor III

Unfortunately, no, not from far away. You could sniff the traffic (diag sniffer packet ...) and/or trace it (diag debug flow ...) to see what happens. This would be a bit of overkill for a forum post...


Ede

"Kernel panic: Aiee, killing interrupt handler!"
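The two diagnostics Ede names, written out as an added example in FortiOS 6.x CLI syntax (this is not from the thread or from Fortinet documentation). The FortiGate secondary address 10.10.2.254 and the spoke host 20.20.1.1 doing the pinging are assumptions; use the real addresses. The value of running both is that the sniffer answers whether the packets reach the FortiGate at all, and the flow trace says why the FortiGate dropped the ones that did.

```fortios
# Added example, not from the thread. Assumed: FortiGate secondary IP 10.10.2.254,
# spoke host 20.20.1.1 sending the pings.

# 1. Sniff on all interfaces. Verbose level 4 prints the interface name for every
#    packet, which answers the first question: do the echo requests from the spoke
#    arrive at all, on which port, and does a reply ever leave?
diagnose sniffer packet any 'host 20.20.1.1 and icmp' 4 20

# Read each line as: <interface> in|out <src> -> <dst>: icmp: echo request|reply.
# Requests seen "in" with no matching reply "out" mean the FortiGate received and
# dropped them (local-in allowaccess, policy, route or reverse-path check).
# Nothing seen at all means the packets never got this far, so the problem is on
# the Cisco side (routing or the tunnel's interesting-traffic definition).

# 2. Trace the FortiGate's own decision for those packets.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter addr 20.20.1.1
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug console timestamp enable
diagnose debug flow trace start 100
diagnose debug enable

# ...send the pings from the spoke now, then stop tracing and clean up:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug reset

# Lines to look for in the trace output, and what each one points at:
#   "reverse path check fail, drop"   -> no route back to 20.20.1.1 via that interface
#   "Denied by forward policy check"  -> no firewall policy matches the flow
#   "iprope_in_check() check failed"  -> local-in: allowaccess missing on the
#                                        (secondary) address being pinged
```

Always finish with diagnose debug disable and diagnose debug reset; a flow trace left running on a busy 301E floods the console and costs CPU.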
Vigorus

ede_pfau, thank you for your time. Guys, can anyone help me?

ede_pfau
Esteemed Contributor III

Maybe someone (professional) is near you. Where are you located? I'm in Southern Germany but there are really apt partners nearly all over the globe.

(who sold you the FGT?)


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Vigorus

Ede_Pfau, thanks for the advice, I appreciate it. I will try to communicate with our apt partner. Sorry for such a late response.

ede_pfau
Esteemed Contributor III

You're welcome. Debugging this is best done live and with some experience.

I'm still confident it'll work in the end.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Vigorus

I hope so, thanks.
