Hello
A question, please.
Our company B has an IPsec VPN with one company of our customer, C.
From our company A, which has an IPsec VPN with B, can I reach company C without creating another IPsec VPN (A->B->C)?
If yes, how can it be done (with routes, etc.)?
Thanks a lot (excuse my English)
Regards
So-called "hub and spoke"; you can search for it in this forum or on the internet. You would find many. In your case B is the hub. You need to take care of three things: 1) phase2 selectors on both VPNs to pass the src<->dst network combinations, 2) routing at all nodes for the src and dst subnets (just think of those FGTs as simple routers), and 3) policies at all nodes to allow the src/dst traffic. That's all and nothing more.
Yes, what you want can be achieved.
Assume Company A has subnet 172.20.0.0/16, Company B has 172.21.0.0/16 and Company C has 172.22.0.0/16.
Config would be:
Create tunnels between companies:
Company A                       Company B                       Company C
172.20.0.0/16 <---tunnel_AB---> 172.21.0.0/16 <---tunnel_BC---> 172.22.0.0/16
   (LanA)                          (LanB)                          (LanC)

Add static routes to each firewall:

A static routes            B static routes            C static routes
destination    gateway     destination    gateway     destination    gateway
172.21.0.0/16  tunnel_AB   172.20.0.0/16  tunnel_AB   172.20.0.0/16  tunnel_BC
172.22.0.0/16  tunnel_AB   172.22.0.0/16  tunnel_BC   172.21.0.0/16  tunnel_BC

Firewall rules:

A rules                    B rules                    C rules
LanA to tunnel_AB          LanB to tunnel_AB          LanC to tunnel_BC
tunnel_AB to LanA          LanB to tunnel_BC          tunnel_BC to LanC
                           tunnel_AB to tunnel_BC
                           tunnel_BC to tunnel_AB
                           tunnel_AB to LanB
                           tunnel_BC to LanB
NOTE: on the Company B firewall, create a zone and add tunnels AB and BC to it to reduce the number of rules required.
So the firewall B rules become:
LanB to Zone
zone to zone
zone to LanB
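To make the two answers above concrete (the three items: phase2 selectors, routes, policies, and the zone shortcut on the hub), here is what the hub B configuration could look like in FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet; it assumes route-based (interface-mode) tunnels named tunnel_AB and tunnel_BC already exist as phase1-interface objects, that B's LAN interface is called "LanB", and the zone name "vpn_zone", the address object names and the policy names are my own choices. Subnets are the ones from the post.

```fortios
# --- Hub B (172.21.0.0/16) ---
# 1) Phase2 selectors: each tunnel must carry the transit subnet as well,
#    otherwise A<->C packets are dropped by the SA selector even though
#    routing and policies look fine. Spoke A needs the mirror image
#    (src 172.20.0.0/16, dst 172.22.0.0/16 on its tunnel_AB), and spoke C
#    needs src 172.22.0.0/16, dst 172.20.0.0/16 on its tunnel_BC.
config vpn ipsec phase2-interface
    edit "tunnel_AB_B_to_A"
        set phase1name "tunnel_AB"
        set src-subnet 172.21.0.0 255.255.0.0
        set dst-subnet 172.20.0.0 255.255.0.0
    next
    edit "tunnel_AB_C_to_A"
        set phase1name "tunnel_AB"
        set src-subnet 172.22.0.0 255.255.0.0
        set dst-subnet 172.20.0.0 255.255.0.0
    next
    edit "tunnel_BC_B_to_C"
        set phase1name "tunnel_BC"
        set src-subnet 172.21.0.0 255.255.0.0
        set dst-subnet 172.22.0.0 255.255.0.0
    next
    edit "tunnel_BC_A_to_C"
        set phase1name "tunnel_BC"
        set src-subnet 172.20.0.0 255.255.0.0
        set dst-subnet 172.22.0.0 255.255.0.0
    next
end

# 2) Routing: B is just a router between the two tunnel interfaces.
config router static
    edit 0
        set dst 172.20.0.0 255.255.0.0
        set device "tunnel_AB"
    next
    edit 0
        set dst 172.22.0.0 255.255.0.0
        set device "tunnel_BC"
    next
end

# 3) Policies: put both tunnels in one zone (as suggested in the thread).
#    intrazone stays at its default (deny) so transit traffic is only
#    allowed by an explicit, address-restricted policy.
config system zone
    edit "vpn_zone"
        set interface "tunnel_AB" "tunnel_BC"
    next
end

config firewall address
    edit "net_A"
        set subnet 172.20.0.0 255.255.0.0
    next
    edit "net_B"
        set subnet 172.21.0.0 255.255.0.0
    next
    edit "net_C"
        set subnet 172.22.0.0 255.255.0.0
    next
end

config firewall policy
    # zone to zone: only A<->C transit, nothing else crosses the hub
    edit 0
        set name "vpn_transit_A_C"
        set srcintf "vpn_zone"
        set dstintf "vpn_zone"
        set srcaddr "net_A" "net_C"
        set dstaddr "net_A" "net_C"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # LanB to zone
    edit 0
        set name "LanB_to_vpn"
        set srcintf "LanB"
        set dstintf "vpn_zone"
        set srcaddr "net_B"
        set dstaddr "net_A" "net_C"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # zone to LanB
    edit 0
        set name "vpn_to_LanB"
        set srcintf "vpn_zone"
        set dstintf "LanB"
        set srcaddr "net_A" "net_C"
        set dstaddr "net_B"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

None of the policies enable NAT: the spokes route to each other's real subnets, so source NAT on the hub would break the return path. Restricting the zone-to-zone policy to net_A and net_C (rather than "all") keeps the hub from silently becoming a transit point for any other network a spoke later adds to its selectors, and logging that policy gives you visibility into which customer traffic is actually crossing B.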
Agreed that best way would be to have a tunnel direct and not go through B.
However, he specifically states he wants to do without creating an additional tunnel.
If company C is not part of his company and he only has a tunnel to B and wants to also access it from A, then there is no other way of doing it other than hopping via B.
Ok guys
Thanks for your reply.
You are great.
The best way would be to have a tunnel direct and not go through B.
Thanks again
Regards
Yes, you could do that, but why? The traffic will travel over the internet two times to get to C. Very poor design imho and a waste of internet bandwidth. I would make a site from A to C and B to C and call it quits.
Also, if you do what you're proposing, A to B and to C, if B goes down, A is hosed until B is restored.
Just my 2ct observation
Ken Felix
PCNSE
NSE
StrongSwan
Copyright 2024 Fortinet, Inc. All Rights Reserved.