Fortinet Forum
xypher
New Contributor

Site to Site Custom tunnel with VLAN

Good day!

I am having trouble with my configuration. I can successfully establish the connection between both firewalls, but I cannot access the VLANs on the branch firewall.

Here is my config:

HQ
Local Subnet: 192.168.100.0/24
Remote Subnet: 192.168.50.0/24

BRANCH
Local Subnet: 192.168.50.0/24
Remote Subnet: 192.168.100.0/24

Static Route HQ:
Destination: 192.168.50.0/24
Gateway: 122.8.182.207

Static Route BRANCH:
Destination: 192.168.100.0/24
Gateway: 222.81.180.201

My firewall policies:

HQ FIREWALL

VPN1:
incoming interface: hq-to-branch
outgoing interface: lan
source: all
destination: all
service: all
NAT: disabled

VPN2:
incoming interface: lan
outgoing interface: hq-to-branch
source: all
destination: all
service: all
NAT: disabled

BRANCH FIREWALL

VPN1:
incoming interface: hq-to-branch
outgoing interface: lan
source: all
destination: all
service: all
NAT: disabled

VPN2:
incoming interface: lan
outgoing interface: hq-to-branch
source: all
destination: all
service: all
NAT: disabled

My problem is I cannot access the following VLAN subnets in the branch firewall:
10.10.20.0/24
10.10.30.0/24

Thank you in advance!

1 Solution
sw2090
Honored Contributor

either that or leave the p2 selector at 0.0.0.0/0.0.0.0 and have routing plus policy handle the rest.

Also on s2s you don't need to enter a gateway. The IPSec Tunnel as destination interface for the static route is enough.

Works fine here this way with various vlans on both sides :)


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
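A branch-side FortiOS CLI configuration that follows the accepted answer above: 0.0.0.0/0 phase 2 selectors, a static route that uses the tunnel interface as the device with no gateway, and a firewall policy that lists the VLAN interfaces explicitly. This is an added example, not configuration from the thread; the VLAN interface names vlan20 and vlan30 and the address object names are assumptions, and the policy uses named addresses instead of the thread's "all" so that the wide-open selector is constrained by policy rather than by the tunnel.

```fortios
# BRANCH FortiGate. "hq-to-branch" and the subnets come from the post; the
# VLAN interface names (vlan20, vlan30) and address object names are assumed.
config vpn ipsec phase2-interface
    edit "hq-to-branch"
        set phase1name "hq-to-branch"
        # 0.0.0.0/0 on both sides: any subnet may use the tunnel, so the
        # static routes and firewall policies decide what actually crosses it
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config firewall address
    edit "hq-lan"
        set subnet 192.168.100.0 255.255.255.0
    next
    edit "branch-lan"
        set subnet 192.168.50.0 255.255.255.0
    next
    edit "vlan20-net"
        set subnet 10.10.20.0 255.255.255.0
    next
    edit "vlan30-net"
        set subnet 10.10.30.0 255.255.255.0
    next
end
# Route to HQ out of the tunnel interface itself: no gateway address needed
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "hq-to-branch"
    next
end
# VLAN interfaces are matched separately from "lan" during policy lookup, so
# each one must be listed; named addresses replace "all" so the wide-open
# selector cannot carry anything the policy does not name
config firewall policy
    edit 0
        set name "hq-to-branch-vlans"
        set srcintf "hq-to-branch"
        set dstintf "lan" "vlan20" "vlan30"
        set srcaddr "hq-lan"
        set dstaddr "branch-lan" "vlan20-net" "vlan30-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The HQ side needs the mirror image: static routes for 192.168.50.0/24, 10.10.20.0/24 and 10.10.30.0/24 with `set device` pointing at its own tunnel interface, plus a lan-to-tunnel policy. Branch-initiated traffic towards HQ additionally needs the reverse policy (srcintf lan/vlan20/vlan30, dstintf hq-to-branch) on the branch unit.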


seshuganesh
Staff

Hi Team,

I can see you have added "192.168.100.0" and "192.168.50.0" as the local and remote phase 2 selectors; you need to add the networks which you want to access in the local and remote phase 2 selectors.

Then you need to configure static routes for the same.

Here in your scenario, you did not define the "10.10.20.0" and "10.10.30.0" networks in the phase 2 selectors of the firewall.

You can use this article for your reference:

https://docs.fortinet.com/document/fortigate/6.0.0/cookbook/281288/site-to-site-ipsec-vpn-with-two-f...
