Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
D-hg
New Contributor III

Created on ‎04-02-2023 03:11 AM

Access remote network between 2 IPsec tunnel

 
 

2023-04-02 11_50_08-Schema.jpg ‎- Fotos.jpg

 

Hello,

 

I drew something to be more understandable.

 

Basically, I would like from the Mikrotik LAN, access to the servers connected at the "Fortigate Server", passing through the "Fortigate Main" IPsec tunnel.

I don´t know if it's possible, that's why I am asking if you know about it?

 

I tried in the "Main Fortigate" to accept traffic between the IPsec tunnel Mikrotik and the IPsec tunnel Fortigate Servers in both directions.

In the "Fortigate Server", I added the Mikrotik subnet in both rules " IPsec Main Fortigate"  -> "Lan Servers" and "Lan Servers" -> "IPsec Main Fortigate"

I put the route in the "Fortigate Server" toward the Subnet Mikrotik through the tunnel.

I put the firewall rule in the Mikrotik toward the "Fortigate Server" subnet.

 

Your help will be appreciated. (In case this solution is not possible, I will create a tunnel IPsec From the Mikrotik router and the Fortigate Server and that's all.)

 

Can't wait your expertise about this topic !

 

See you soon guys.

Labels:
1150
0 Kudos
6 REPLIES 6
funkylicious
SuperUser
SuperUser

Created on ‎04-02-2023 09:35 AM

I would personally avoid the hustle and just create an IPsec between the two.

geek
geek
1132
0 Kudos
gfleming
Staff
Staff

Created on ‎04-02-2023 08:45 PM

This is possible. There's no reason for it not to work assuming things are configured properly.

You just need to figure out what the issue is that's blocking it. Without more info we can't really help you though.

 

Do you have routes configured properly on all devices?

Do your IPSec tunnels allow the encryption/decryption of traffic from all subnets involved in the traffic flows?

Do you have firewall policies allowing all traffic everywhere in the chain?

 

What do your traceroutes look like?


What do your IPSec debug logs look like?

 

Etc. etc. etc.

 

Cheers,
Graham
1122
0 Kudos
D-hg
New Contributor III

Created on ‎04-04-2023 05:12 AM

Hello Funky, you mean that passing through more than 1 tunnel is not good for security or some reasons?

 

Hello Graham, I will answered you as soon as I come back home !

 

Many thanks

1099
0 Kudos
fredery
Staff
Staff
In response to D-hg

Created on ‎04-04-2023 07:02 AM

Hello,

 

Here is the rational:

 

  • If the LAN/Microtik does not need to communicate thru the first IPSec tunnel with other networks reachable thru the Main FortiGate (other than Server/FortiGate Server)

and

 

  • If the Main FortiGate does no apply security services that that FortiGate Server does not; like doing UTM.

or

 

  • Or you need the visibility of the LAN/Server traffic in the Main Fortigate for auditing or reporting as the FortiGate server is not under the same administrative control

 

Then the hassle of 2x IPsec configurations and the added complexity to operate and troubleshoot does not make sense. It is not a security issue per se.

 

Still as a general principle, complexity is not a friend of security...

1085
0 Kudos
vbandha
Staff
Staff

Created on ‎04-04-2023 06:30 AM

It is possible. Here are a few things you can check are configured properly:

I am assuming that your tunnel from mikrotik to Main fortigate and from Main Fortigate to Fortigate server is working fine and that your issue is for passing traffic between Mikrotik to Fortigate server and vice versa.

IP Sec Phase 2 selector:

On edge fortigates: Make sure the Fortigate server is added as remote subnet on Mikrotik and local subnet is selected as the Mikrtotik lan that you want to have access.
Same thing on the Fortigate server side. Make sure you have Fortigate server subnet as local and Mikrtik lan is remote subnet

On Main Fortigate: Make sure you add phase 2 selectors with Mikrotik as local and Fortigate server as remote and also with Fortigate server as remote and Mikrotik as local subnet.


Firewall polcies:
You have to add 2 Firewall policies on all these fortigates: Ip sec tunnel ---> local subnet. Local subnet -----> IP Sec tunnel.
Make sure you allow the relevant subnets to pass in the firewall policy.

Static Route:
You will also need static routes for the relevant subnets out the IP sec tunnel.

Here is an IP Sec troubleshooting document you can refer to for troubleshooting:
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Troubleshooting-IPsec-Site-to-Site-T...

If you run into any issues, let me know.

Cheers,
Varun

1091
0 Kudos
D-hg
New Contributor III

Created on ‎04-04-2023 01:10 PM Edited on ‎04-04-2023 01:15 PM

Many thanks for your help everyone.

 

The Mikrotik is configured in full remote browsing until the Main Fortigate, then even if I create a second tunnel toward the Fortigate Server, I cannot access to the servers if I don´t disable the Remote Browsing tunnel. I can understand why, but I think that's why I need to passing through both IPsec tunnel, or maybe you have another solution?

EDIT: F**k, as soon as I changed the order of the tunnel in my Mikrotik, everything worked well.. I can understand the importance of the order of tunnels now !

 

Many thanks !

1077
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.