GJ
New Contributor

IPsec VPN with Cisco Layer 3 Switch Subnets

Hello Team,

How do I access a remote subnet that is configured on a Layer 3 Cisco switch, not on a FortiGate interface?


Using FW 100D 

Suppose my HQ FortiGate internal interface (port1) IP is 192.168.10.254, which is connected to a Cisco Layer 3 switch (Gi0/1 - access VLAN 10, and the VLAN SVI is 192.168.10.1), and I have many VLANs configured on this Cisco L3 switch (IP routing enabled).

Cisco L3 switch VLANs:

  • VLAN 11 (Server) - 192.168.11.0/24 (SVI 192.168.11.1)
  • VLAN 12 (User) - 192.168.12.0/24 (SVI 192.168.12.1)
  • VLAN 13 (Voice) - 192.168.13.0/24 (SVI 192.168.13.1)

Could you please explain how we can access the Server/User/Voice VLAN subnets from the branch office subnet?

The branch office FortiGate has its internal (port1) IP 192.168.100.254, which connects to a Cisco Layer 2 switch. All the systems connected to this Cisco Layer 2 switch get their IP scope from the FortiGate firewall (port1) - subnet 192.168.100.0/24.

Could you please explain how, in this scenario, I can access my HQ subnets from the branch office subnet and vice versa? I appreciate your suggestions.

Oliver_FTNT
Staff

Hello GJ,

Assuming you set up the site-to-site IPsec between the FortiGates with the wizard, and the HQ FGT has all the routes to the local networks in place (192.168.11.0/24, 192.168.12.0/24, 192.168.13.0/24), it should be fairly straightforward.

On the branch FGT you need to configure the routes to the networks on the HQ site going to the IPsec interface:

Via GUI navigate to Network -> Static Routes -> Create New

    Destination: 192.168.11.0/24
    Device: <IPsec_Interface_to_HQ>

Repeat that for 192.168.12.0/24 and 192.168.13.0/24.

Now create policies to allow the traffic between the networks and interfaces.

For example: From IPsec interface -> port1, and vice versa.

On the HQ FGT you need a static route to the 192.168.100.0/24 network, also pointing to the IPsec interface.

Make sure you have policies to allow traffic from the branch (IPsec interface) to the local networks (port1), and also from the branch office to the local networks.

Toshi_Esumi
Esteemed Contributor II

If you haven't created any site-to-site VPN between two FGs before, the best option would be to use the IPsec wizard [Site to Site] to create all the config for one pair of source and destination subnets (192.168.10.0/24 <-> 192.168.100.0/24) first. You can find some cookbooks for this part if you Google it. Then learn via CLI what the wizard generated under:

  • config vpn ipsec phase1-interface
  • config vpn ipsec phase2-interface
  • config firewall address
  • config firewall policy
  • config router static

Then modify those that include 192.168.10.0/24 to something like 192.168.10.0/22 to include all subnets on the switch.

I would assume the static routes to get to the switch for those subnets are already there in the HQ FG, but if not you need to add them.
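Putting the two replies together, here is an added FortiOS CLI example for this scenario. It is not configuration from either reply and not what the FortiGate wizard itself generates; it assumes the wizard named the tunnel interfaces `to_HQ` (branch side) and `to_Branch` (HQ side), and the address object and policy names are made up for the example. The static routes and policies from the first reply only carry traffic if the phase2 selectors also cover the extra VLANs, which is what the second reply's selector change is for. One check on the suggested /22: 192.168.10.0/22 is the block 192.168.8.0 to 192.168.11.255, so it would leave VLAN 12 and VLAN 13 outside the selector. The smallest single block containing 192.168.10.0/24 through 192.168.13.0/24 is 192.168.8.0/21 (192.168.8.0 to 192.168.15.255), which the example uses; it also covers the unused 8, 9, 14 and 15 ranges.

```fortios
# ===== Branch FortiGate (port1 192.168.100.254/24); tunnel interface assumed "to_HQ" =====
config firewall address
    edit "Branch_LAN"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "HQ_Subnets"
        # 192.168.8.0/21 = 192.168.8.0-192.168.15.255, covers VLANs 10-13
        set subnet 192.168.8.0 255.255.248.0
    next
end
config vpn ipsec phase2-interface
    edit "to_HQ"
        set phase1name "to_HQ"
        set src-subnet 192.168.100.0 255.255.255.0
        set dst-subnet 192.168.8.0 255.255.248.0
    next
end
config router static
    # one summary route into the tunnel; separate /24 routes work the same way
    edit 0
        set dst 192.168.8.0 255.255.248.0
        set device "to_HQ"
    next
end
config firewall policy
    edit 0
        set name "Branch_to_HQ"
        set srcintf "port1"
        set dstintf "to_HQ"
        set srcaddr "Branch_LAN"
        set dstaddr "HQ_Subnets"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "HQ_to_Branch"
        set srcintf "to_HQ"
        set dstintf "port1"
        set srcaddr "HQ_Subnets"
        set dstaddr "Branch_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ===== HQ FortiGate (port1 192.168.10.254/24, switch SVI 192.168.10.1); tunnel "to_Branch" =====
# Address objects "Branch_LAN" and "HQ_Subnets" are defined exactly as above.
config vpn ipsec phase2-interface
    edit "to_Branch"
        set phase1name "to_Branch"
        set src-subnet 192.168.8.0 255.255.248.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
end
config router static
    # VLAN subnets live on the Cisco L3 switch: next hop is its VLAN 10 SVI
    edit 0
        set dst 192.168.11.0 255.255.255.0
        set gateway 192.168.10.1
        set device "port1"
    next
    edit 0
        set dst 192.168.12.0 255.255.255.0
        set gateway 192.168.10.1
        set device "port1"
    next
    edit 0
        set dst 192.168.13.0 255.255.255.0
        set gateway 192.168.10.1
        set device "port1"
    next
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "to_Branch"
    next
end
config firewall policy
    edit 0
        set name "Branch_to_HQ"
        set srcintf "to_Branch"
        set dstintf "port1"
        set srcaddr "Branch_LAN"
        set dstaddr "HQ_Subnets"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "HQ_to_Branch"
        set srcintf "port1"
        set dstintf "to_Branch"
        set srcaddr "HQ_Subnets"
        set dstaddr "Branch_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Two things the FortiGate config alone does not cover: the Cisco L3 switch needs a return path for the branch, either its existing default route towards 192.168.10.254 or an explicit `ip route 192.168.100.0 255.255.255.0 192.168.10.254`, otherwise replies from the server VLAN never reach the tunnel. And `service "ALL"` mirrors the replies' "allow the traffic"; once the tunnel works, narrow the branch-to-HQ policy to the services the server VLAN actually needs, since this policy is what separates the two sites.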