- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Accessing other networks through VPN
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Accessing other networks through VPN
Hello!
I'm trying to figure out how VPN things works in a company (I just joined and exam existing configs)
So we've got 100D as a core router & firewall & vpn server and several 30Ds as spokes.
Using a console on 100D I can access all local networks such as 192.168.10.0/24 and other network for which 100D has static routes, e.g. 192.168.80.0/24. 100D has one phase1-interface VPN and many phase2-interface configured for each spoke.
So spokes dial 100D and establish a VPN and from the console of each spoke I can ping 192.168.10.0/24 only but not 192.168.80.0/24 even if I have a static route on a spoke e.g. 192.168.80.0/24 -> VPN_to_100D
Could you please help to understands what's wrong with this configuration?
Many thanks in advance.
3 REPLIES 3
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Two things have to match to allow access to a remote network:
VPN / phase2 / Quick mode selectors / remote subnet
and
dest/source address in the policy on both the remote and the central FGT (on spoke: internal -> tunnel, hub: tunnel -> internal)
The QM selectors determine what kind of traffic is allowed to negotiate the tunnel setup.
On the spoke FGT, use one phase2 for each subnet behind the hub FGT.
For a second subnet, on the spoke you just need to add
- a route
- a subnet address to the outgoing policy
Of course, the hosts in the second subnet behind the hub FGT should know where to find the remote hosts, usually by following their default route to the hub's FGT.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for helping me.
So, if I create a rule/policy (and put them on top) on both FGT (inbound and outbound) with something like:
1. From: internal To: VPN_to_HUB Source: LocalLAN (192.168.55.0/24) Dest: RemoteLAN (192.168.0.0/16) ALWAYS ALL ACCEPT
2. From: VPN_to_HUB To: internal Source: RemoteLAN (192.168.0.0/16) Dest: LocalLAN (192.168.55.0/24) ALWAYS ALL ACCEPT
and so on... will this allow to access all networks within 192.168.0.0/16 from the spoke or I have to specify explicitly each subnet? Hopefully I shouldn't ;) Of course there are some routes on spokes like:
192.168.70.0/24 0.0.0.0 VPN_to_HUB and so on
and of course FGT installs some static routes when stablish VPNs... so on the HUB I can see a static route:
192.168.55.0/24 0.0.0.0 VPN_HUB
On the hub vpn setup looks like this:
FGT# show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "VPN_HUB"
set type dynamic
set interface "External"
set ike-version 2
set local-gw Hub_Public_IP
set proposal aes192-sha1 aes128-sha1
set psksecret ENC secret
next
FGT# show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "VPN_Remote1_p2"
set dst-addr-type name
set keepalive enable
set phase1name "VPN_HUB"
set proposal 3des-sha1 aes128-md5
set src-addr-type name
set dst-name "RemoteLAN (55.0/24)"
set src-name "LocalLAN (.0.0/16)"
next
On the spoke vpn setup is like this:
FGTSPOKE # show vpn ipsec phase1-interface
config vpn ipsec phase1-interface
edit "VPN_to_HUB"
set interface "wan"
set ike-version 2
set proposal aes192-sha1 aes128-sha1
set remote-gw Public_IP_of_HUB
set psksecret ENC secret
next
end
FGTSPOKE # show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "VPN_to_HUB_p2"
set auto-negotiate enable
set dst-addr-type name
set keepalive enable
set phase1name "VPN_to_HUB"
set proposal 3des-sha1 aes128-md5
set src-addr-type name
set dst-name "RemoteLAN"
set src-name "LocalLAN"
next
end
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@DenJS:
Correct. This is called a "supernet" where all subnets can be summarized to one network with a wider netmask. Smart move if you have the opportunity to create all spoke networks from scratch.
On the hub, you have "dynamic" routes, not static, as they are only inserted on tunnel-up. Which doesn't change a thing :)
As for the other suggestions later, I don't think changing from IKEv2 to IKEv1 will help much. Negotiations are longer, IKEv2 is relatively new and will best run between gateways of the same vendor...there are pros and cons. I'd stick with it unless this scheme could not be realized with IKEv2.
Personally, I avoid having a wildcard '0.0.0.0/0' address in the phase2 setup. Wildcards work between FGT and FGT sometimes but why not be specific? 'explicit is better than implicit'
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Related Posts
- Novice Needing Help Setting Up FortiGate... 95 Views
- max number of sessions 86 Views
- Accessing SSL VPN addresses from a... 206 Views
- Wifi access with Single Sign-ON 160 Views
- FortiGate IP address Policy Restriction 89 Views
Labels
-
FortiGate
6,587 -
FortiClient
1,312 -
5.2
801 -
5.4
639 -
FortiManager
570 -
6.0
416 -
FortiAnalyzer
415 -
5.6
362 -
FortiSwitch
338 -
FortiAP
337 -
FortiClient EMS
268 -
6.2
251 -
FortiMail
246 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
151 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
84 -
IPsec
73 -
FortiToken
71 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
62 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
43 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
FortiConverter
21 -
High Availability
20 -
FortiPortal
18 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiAuthenticator
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
Interface
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
SNMP
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.