Support Forum
slispd
New Contributor

Routing with 3 FortiGates IPsec VPN!

Hello,

 

I have 3 fortigates A, B and C.

FortiGate B connects to FortiGates A and C with IPsec VPN. In FortiGate A I have the internal network 10.0.10.0/24. In FortiGate B I have the internal network 10.0.20.0/24. In FortiGate C I have the internal network 10.0.30.0/24.

The network 10.0.20 accesses the networks 10.0.10 and 10.0.30, but I need to make the network 10.0.10 access the network 10.0.30, passing through the fortigate B. Making vpn between Fortigates A and C is not an option.

How do I do this?

 

TKS for all.

 

2 Solutions
ede_pfau
Esteemed Contributor III

Strange answers. This is not about an additional VPN but simple routing and policies.

 

To go from A to C, via B:

1. on FGT A:

- add a static route for the network C, gateway interface is the tunnel to B, no gateway address

- the tunnel between A and B should have 2 phase2's:

one from network A to network B

one from network A to network C (so this one needs to be added)

- in the policy from A to B, add network C's address range as destination address

 

2. on FGT C:

- add a static route for the network A, gateway interface is the tunnel to B, no gateway address

- the tunnel between C and B should have 2 phase2's:

one from network C to network B

one from network C to network A (so this one needs to be added)

- in the policy from C to B, add network A's address range as destination address

 

3. on FGT B:

- create 2 new policies:

   - from tunnel A to tunnel C

   - from tunnel C to tunnel A

with the correct source and destination addresses.

 

 

So, in short words, make sure the tunnel carries 2 destination networks (via 2 phase2's) and the policy allows the remote network. FGT B will do the routing, the transit traffic is allowed by 2 additional policies.

 

Let us know if this works for you.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

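A worked FortiOS CLI rendering of Ede's three steps, added here as an example and not taken from the original post: FGT A gets the static route, the second phase2 selector, and net C appended to its existing A->B policy (FGT C is the mirror image with A and C swapped); FGT B gets the two transit policies plus, going one step beyond the post, a matching second phase2 on each of its own tunnels, since selectors have to agree on both ends of a tunnel. Assumed: interface-mode tunnels (as Bob notes) named "to_B" on A and "to_A"/"to_C" on B, address objects "net_A"/"net_C" for 10.0.10.0/24 and 10.0.30.0/24, and an existing A->B policy with id 1.

```fortios
# FGT A. Assumed names: tunnel "to_B", address objects "net_A"/"net_C",
# existing A->B policy id 1. FGT C is the mirror image (swap A and C).
config router static
    edit 0
        set dst 10.0.30.0 255.255.255.0
        set device "to_B"
    next
end
config vpn ipsec phase2-interface
    edit "A-to-C"
        set phase1name "to_B"
        set src-subnet 10.0.10.0 255.255.255.0
        set dst-subnet 10.0.30.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        append dstaddr "net_C"
    next
end
# FGT B. Assumed tunnel names "to_A" and "to_C". Each tunnel on B needs the
# second phase2 that mirrors the peer's new selector, then two transit policies.
config vpn ipsec phase2-interface
    edit "to_A-net_C"
        set phase1name "to_A"
        set src-subnet 10.0.30.0 255.255.255.0
        set dst-subnet 10.0.10.0 255.255.255.0
    next
    edit "to_C-net_A"
        set phase1name "to_C"
        set src-subnet 10.0.10.0 255.255.255.0
        set dst-subnet 10.0.30.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "transit-A-to-C"
        set srcintf "to_A"
        set dstintf "to_C"
        set srcaddr "net_A"
        set dstaddr "net_C"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # repeat with srcintf/dstintf and srcaddr/dstaddr swapped for "transit-C-to-A"
end
```

On B, `get router info routing-table all` should list both remote networks via their tunnel interfaces, and `diagnose vpn tunnel list` shows whether the new selectors have negotiated SAs.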
rwpatterson
Valued Contributor III

Also, you must create the VPNs in interface mode. Policy mode will not allow the routing you wish.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

8 Replies
Dai
New Contributor II

There is no problem if both A and C have reachability. Note the setting of the policy (Allow UDP 500).
Margim_Jmaes

The policy is Allow UDP 500. I think there is no problem.

ede_pfau
Esteemed Contributor III

jeez, who still knows policy based VPN, let alone use it...:-)


Ede

"Kernel panic: Aiee, killing interrupt handler!"
rwpatterson
Valued Contributor III

LOL! Covering all bases. ;)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

capricorn80

Hi!

I am in the same situation and did the steps as mentioned, but I cannot ping from A to C.

What type of phase2 settings should I set up between A and C? I did the same for A and C.

Will they both match each other, or should it be the same as A and B, and B and C?

 

Thanks
