Fortinet Forum
BWiebe
Contributor

Routing Question Across Site-to-Site VPN

Working on a client build.

Site X has a Fortigate cluster, and uses 10.150.54.0/24 split into /25 for corp wired and wireless.

Site Y has a Fortigate cluster as well, and has a 10.10.120.0/24 network and other networks.  The Fortigate interface is 10.10.120.10.  The 10.10.120.1 is an old MPLS circuit that will soon be retired (within the next few months).

Traffic from Site X to Site Y works for other networks besides 10.10.120.0.  When I try and reach a server 10.10.120.5 - it fails.  In checking into it, the server and some other older gear has a gateway of 10.10.120.1 (the MPLS), and the MPLS has no route for 10.150.54.0 so the traffic drops.

I have temporarily worked around it by putting a persistent route on the server redirecting 10.150.54.0/24 through 10.10.100.10 and that resolved it.

I hate using these sorts of 'kludges' when I'm pretty sure there's another easier way I could have done this through the Fortigates.

Both sites are on 6.0.11 if that makes any difference.

Thoughts?

sw2090
Honored Contributor

Do you have static routes to the opposite subnet(s) on your FGT Clusters?

Usually you need static routing on both S2S VPN Endpoints plus some policy to allow traffic.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

lobstercreed
Valued Contributor

Hey Brent,

I'm afraid what you call a "kludge" is basic routing.  You can't fix the problem with the FGTs if the traffic never reaches a FGT, which it sounds like is the case since the default gateway on the server sends the traffic to the MPLS router instead of the FGT.

Either change the default gateway on the server so it sends all traffic to the FGT or add a route on your MPLS to send that traffic to the FGT.  Or, if neither of those solutions are practical for one reason or the other, then I think you've done the best thing you can do already.

- Daniel
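As an added illustration (example code, not something posted in this thread), the following Python model performs the longest-prefix-match lookup that each hop does and traces a request from Site X to the server and the server's reply back. It is built from the addresses given in the question and takes Daniel's point literally: in the baseline the request arrives, but the reply leaves the server toward the MPLS router, which has no route to 10.150.54.0/24, so it never reaches a FortiGate. The three fixes discussed (a host route on the server, changing the server's default gateway to the FGT, or a route on the MPLS router) each produce a reply path that reaches the Site Y FortiGate. Assumptions: the Site Y FortiGate LAN interface is 10.10.120.10 as stated in the question, the Site X client is 10.150.54.20, the node names and the MPLS router's other routes are constructed for the model, and FortiGate policies permit the traffic.

```python
import ipaddress
from copy import deepcopy

# Pseudo next hop meaning "destination is on a directly attached network": delivered.
CONNECTED = "connected"


def lookup(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if nothing matches."""
    dst = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, next_hop
    return best_hop


def trace(tables, start, dst, max_hops=8):
    """Forward one packet hop by hop from node `start` toward `dst`.
    Returns (path, outcome); outcome is 'delivered' or a 'dropped at ...' message."""
    node, path = start, [start]
    for _ in range(max_hops):
        hop = lookup(tables[node], dst)
        if hop is None:
            return path, f"dropped at {node} (no route to {dst})"
        if hop == CONNECTED:
            return path, "delivered"
        node = hop
        path.append(node)
    return path, "dropped (hop limit reached)"


def round_trip(tables, client, client_ip, server, server_ip):
    """Request from client to server, then the server's reply back to the client."""
    return trace(tables, client, server_ip), trace(tables, server, client_ip)


# Constructed topology from the thread. Next hops are node names, not IPs, to keep it readable:
#   fgt_x = Site X cluster, fgt_y = Site Y cluster (10.10.120.10), mpls = 10.10.120.1.
BASELINE = {
    "site_x_pc": [("10.150.54.0/25", CONNECTED), ("0.0.0.0/0", "fgt_x")],
    # Site X: both /25s local, static route to Site Y over the IPsec tunnel.
    "fgt_x": [("10.150.54.0/25", CONNECTED), ("10.150.54.128/25", CONNECTED),
              ("10.10.120.0/24", "fgt_y")],
    # Site Y: LAN local, static route to Site X over the IPsec tunnel.
    "fgt_y": [("10.10.120.0/24", CONNECTED), ("10.150.54.0/24", "fgt_x")],
    # Legacy MPLS router (assumption): knows the LAN and other MPLS sites, nothing about 10.150.54.0/24.
    "mpls": [("10.10.120.0/24", CONNECTED), ("10.10.0.0/16", "mpls_cloud")],
    "mpls_cloud": [("10.10.0.0/16", CONNECTED)],
    # The server: default gateway is the MPLS router, exactly as described in the question.
    "server": [("10.10.120.0/24", CONNECTED), ("0.0.0.0/0", "mpls")],
}


def with_server_route(tables):
    """Fix 1 (the thread's workaround): persistent route for Site X on the server via the FGT."""
    t = deepcopy(tables)
    t["server"].insert(0, ("10.150.54.0/24", "fgt_y"))
    return t


def with_fgt_default_gateway(tables):
    """Fix 2: make the Site Y FortiGate the server's default gateway."""
    t = deepcopy(tables)
    t["server"] = [("10.10.120.0/24", CONNECTED), ("0.0.0.0/0", "fgt_y")]
    return t


def with_mpls_route(tables):
    """Fix 3: teach the MPLS router to hand Site X traffic to the FortiGate."""
    t = deepcopy(tables)
    t["mpls"].append(("10.150.54.0/24", "fgt_y"))
    return t


if __name__ == "__main__":
    scenarios = {
        "baseline (server gateway = MPLS)": BASELINE,
        "host route on server": with_server_route(BASELINE),
        "FGT as default gateway": with_fgt_default_gateway(BASELINE),
        "route on MPLS router": with_mpls_route(BASELINE),
    }
    for name, tables in scenarios.items():
        fwd, rev = round_trip(tables, "site_x_pc", "10.150.54.20", "server", "10.10.120.5")
        print(f"{name}\n  request: {' -> '.join(fwd[0])}: {fwd[1]}\n  reply:   {' -> '.join(rev[0])}: {rev[1]}")
```

The trace makes the drop point explicit: the request path is `site_x_pc -> fgt_x -> fgt_y` and is delivered in every scenario, while the baseline reply stops at `mpls`. Note that with the MPLS route fix the reply path is `server -> mpls -> fgt_y -> fgt_x`, so the two directions take different first hops on the Site Y LAN; the other two fixes send the reply straight to `fgt_y`.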

BWiebe

Yeah - we have routes on both IPSec VPNs for these networks.

I was racking my brains to see if I could work around this at the firewalls - but I don't think I can.

The MPLS needs to be the default gateway for this server for various reasons; within the next 6 months or so it will be going away and the firewall will take over as the gateway.

Thanks for the help, gents.

Stupid setup... :)