Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Vigorus
New Contributor

Created on ‎10-25-2018 07:00 AM

Adding a new FortiGate firewall to an existing IPsec VPN connection.

Hi guys

Need your help, we have an existing IPsec VPN tunnels (cisco) between our main office and our branches (hub and spokes) Several days ago we acquired a new FortiGate 301E. Initially, we would like to just forward a web traffic through it. With the main office, I achieve this without problems both devices are in the same subnet. But I could not do the same with branches despite the fact that I forwarded all web traffic to a FortiGate local IP address.

15748
0 Kudos
18 REPLIES 18
ede_pfau
SuperUser
SuperUser
In response to Vigorus

Created on ‎10-28-2018 04:10 AM

Not a virtual interface but just an interface. If you terminate on the same interface to which you redirect traffic from .1.x just use a secondary IP address from the .2.x subnet. Otherwise, how would the left-most Cisco know where to send the redirected traffic?

I really wonder how you are able to see pings going through. The VPN would be the only way for this. You should see it stopping if you deny PING on one of the VPN policies...

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
3337
0 Kudos
Vigorus
New Contributor
In response to ede_pfau

Created on ‎10-28-2018 08:22 AM

ede_pfau wrote:

Not a virtual interface but just an interface. If you terminate on the same interface to which you redirect traffic from .1.x just use a secondary IP address from the .2.x subnet. Otherwise, how would the left-most Cisco know where to send the redirected traffic?

I really wonder how you are able to see pings going through. The VPN would be the only way for this. You should see it stopping if you deny PING on one of the VPN policies...

Main Office and Cisco are on the same subnet after I add a static route to FGT which say route all traffic destined to 20.20.0.0 through the gateway 10.10.1.2 I was able to ping FGT from 2.2 router. Now after your advice to add a secondary address on my local interface I did that and also added new static routes on both routers for them to learn about this new address on FGT, unfortunately, no reaction, no PING.

3337
0 Kudos
Vigorus
New Contributor
In response to ede_pfau

Created on ‎11-01-2018 06:50 AM

Vigorus wrote:

ede_pfau wrote:

Main Office and Cisco are on the same subnet after I add a static route to FGT which say route all traffic destined to 20.20.0.0 through the gateway 10.10.1.2 I was able to ping FGT from 2.2 router. Now after your advice to add a secondary address on my local interface I did that and also added new static routes on both routers for them to learn about this new address on FGT, unfortunately, no reaction, no PING.

Main Office and Cisco are on the same subnet after I add a static route to FGT which say route all traffic destined to 20.20.0.0 through the gateway 10.10.1.2 I was able to ping FGT from 2.2 router. Now after your advice to add a secondary address on my local interface I did that and also added new static routes on both routers for them to learn about this new address on FGT, unfortunately, no reaction, no PING.

Ede, any idea?

3337
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to Vigorus

Created on ‎11-05-2018 05:21 AM

Unfortunately, no, not from far away. You could sniff the traffic (diag sniffer packet ...) and/or trace it (diag debug flow ...) to see what happens. This would be a bit of an overkill for a forum post...

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
3337
0 Kudos
Vigorus
New Contributor
In response to ede_pfau

Created on ‎12-04-2018 06:11 AM

ede_pfau, thank you for your time. Guys, can anyone help me?

3337
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to Vigorus

Created on ‎12-04-2018 08:52 AM

Maybe someone (professional) is near you. Where are you located? I'm in Southern Germany but there are really apt partners nearly all over the globe.

(who sold you the FGT?)

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
3337
0 Kudos
Vigorus
New Contributor
In response to ede_pfau

Created on ‎01-16-2019 03:24 AM

Ede_Pfau, thx for the advice, appreciate that I will try to communicate with our apt partner. Sorry for so late respond.

3336
0 Kudos
ede_pfau
SuperUser
SuperUser
In response to Vigorus

Created on ‎01-20-2019 05:23 AM

You're welcome. Debugging this is best done live and with some experience.

I'm still confident it'll work in the end.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
3336
0 Kudos
Vigorus
New Contributor
In response to ede_pfau

Created on ‎01-23-2019 04:47 AM

I hope so, thanks.

3336
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.