Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
vedranOP
New Contributor

Please Help: connect 2 site to site VPN tunnels

Hi,

 

I have the following scenario:

Site A: 10.149.3.0/27

Site B: 192.168.0.0/24

Site C:  172.31.10.140/20

Site A and Site C must communicate.

FG is located in site B.

On FG in Site B, site to site VPN A<->B and B<->C is configured.

Site to site VPN A-B uses NAT with following configuration:

External IP Range: 172.31.254.9 - 172.31.254.14

Internal IP Range: 192.168.0.1 - 192.168.0.254

 

Can you please assist with how to make A<->C communication work. Thank you!

1 Solution
sw2090
Honored Contributor

Basically this means:

 

there is no S2S VPN (or VPN at all) from A to C, so the only way for A to C is through B.

This means:

1. the Gw on Site A has to know a route for C that has the FGT at B as Gateway.

2. the FGT on Site B has to know a route for C over the S2S and also back to A (might already be there with the S2S, since required for communication B<->C too).

3. the FGT on Site B has to have a policy that allows traffic from A to C to flow coming from S2S A<-> B and going to S2S B<->C

4. the Gw on Site C has to know a route back to A with FGT at B as Gateway

 

I currently don't know if our NAT affects anything in here as I don't use NAT on S2S Tunnels here.

I thus have a similar case here:

 

I got a Webservice that only allows access from our WAN IPs at HQ. So all Sites have to access this via us.

So this has to go from Site <= S2S => HQ <= SDWAN => Website. Since in routing and policies that's all down to interfaces that is basically the same...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
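The hub-side part of the four steps above (steps 2 and 3; steps 1 and 4 live on the Site A and Site C gateways, not on the FortiGate), written out as FortiOS CLI. This is an added example, not configuration from the poster or from Fortinet. It assumes the two IPsec tunnel interfaces on the Site B FortiGate are named "vpn-A" (A<->B) and "vpn-C" (B<->C); Site C's 172.31.10.140/20 is treated as the 172.31.0.0/20 network. The same interface-to-interface pattern covers the Site <= S2S => HQ <= SDWAN => Website case in the reply, with the SD-WAN zone in place of "vpn-C".

```text
# Added example: hub FortiGate at Site B. Tunnel interface names "vpn-A" and
# "vpn-C" are assumptions; replace with the real phase1-interface names.

# Phase 2 selectors. The A<->B tunnel must carry Site C's subnet, otherwise the
# A<->C packets are dropped before routing is consulted. If the existing phase2
# is pinned to 192.168.0.0/24, add a second one rather than widening it.
config vpn ipsec phase2-interface
    edit "vpn-A-siteC"
        set phase1name "vpn-A"
        set src-subnet 172.31.0.0 255.255.240.0
        set dst-subnet 10.149.3.0 255.255.255.224
    next
    edit "vpn-C-siteA"
        set phase1name "vpn-C"
        set src-subnet 10.149.3.0 255.255.255.224
        set dst-subnet 172.31.0.0 255.255.240.0
    next
end

# Step 2: routes on the hub. Site A sits behind vpn-A, Site C behind vpn-C.
# A static route over an IPsec interface only needs the device set.
config router static
    edit 0
        set dst 10.149.3.0 255.255.255.224
        set device "vpn-A"
        set comment "Site A via A<->B tunnel"
    next
    edit 0
        set dst 172.31.0.0 255.255.240.0
        set device "vpn-C"
        set comment "Site C via B<->C tunnel"
    next
end

# Address objects used by the policies below.
config firewall address
    edit "net-siteA"
        set subnet 10.149.3.0 255.255.255.224
    next
    edit "net-siteC"
        set subnet 172.31.0.0 255.255.240.0
    next
end

# Step 3: tunnel-to-tunnel policies, one per direction, restricted to the two
# site subnets. NAT is left off so both far ends see the real source address;
# logging is on so spoke-to-spoke flows show up in the traffic log.
config firewall policy
    edit 0
        set name "siteA-to-siteC"
        set srcintf "vpn-A"
        set dstintf "vpn-C"
        set srcaddr "net-siteA"
        set dstaddr "net-siteC"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
    edit 0
        set name "siteC-to-siteA"
        set srcintf "vpn-C"
        set dstintf "vpn-A"
        set srcaddr "net-siteC"
        set dstaddr "net-siteA"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

Two things to check against the poster's setup before applying this. First, the NAT on the A<->B tunnel only maps 192.168.0.1-254 to 172.31.254.9-14, so packets from Site C (172.31.x.x) would leave toward A untranslated; if Site A only accepts the 172.31.254.9-14 range, the "siteC-to-siteA" policy needs its own IP pool and Site A needs a matching route back. Second, "service ALL" is the quickest way to prove the path works; once it does, narrowing it to the services Site A and Site C actually exchange keeps the hub from becoming an open transit between the two spokes. Use `diagnose sniffer packet vpn-C 'host 10.149.3.x'` style captures on both tunnel interfaces to confirm traffic enters on one tunnel and exits on the other.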
