I have a site in Azure connected to my on-prem FortiGate via site-to-site VPN. That is working. I have a second physical site connected to the main on-prem FortiGate via site-to-site VPN. That is working also. I cannot get traffic to pass from the Azure VM to the second site. I am trying to do this without setting up another site-to-site VPN from the secondary site to Azure, but if that's the answer I can try and figure something out there. I just figure passing traffic through the main site would be fine.
Topology 1:
Azure-VM --- S2S --- On-Prem
Topology 2:
Phy-FGT --- S2S --- On-Prem
Topology 3:
Azure-VM --- S2S --- On-Prem --- S2S --- Phy-FGT
Is this your topology? If yes, you can just update the routing table and point the destination to the correct outgoing interface.
Run the below command on all the FGT to find the best route.
get router info routing-table details <destination-ip>
If not, please update the topology.
Yes that is the topology.
I have added a route for the second site to point the subnet for the Azure VM to the main on-prem. That did not work.
Additional details:
Azure Subnet - 10.0.0.0/24
Main on-prem subnet: 192.168.168.0/24
Secondary on-prem: 192.168.169.0/24
Static route on Secondary Fortigate: 10.0.0.0/24 -> S2S interface for main on-prem
Hello @columbiavalley
Could you please share your desired network topology and configuration goals?
Additionally, I'd like to understand your requirements better - what is the reason for not wanting to implement an IPsec site-to-site tunnel between the Azure VM and the second site?
Thanks,
Amandeep
Added that information to another comment.
I tried setting up another S2S from the second site to Azure exactly like the first, but it isn't working. Something is wrong with phase 1.
I've never done it this way personally (though it seems like it should work). But if you want another custom solution where you can selectively choose which clients route through the S2S and which use local internet, you can check out the split-vpn script. It definitely works properly with that script in my experience https://tutuapp.uno/ .
To go from A to C, via B:
1. on FGT A:
- add a static route for the network C, gateway interface is the tunnel to B, no gateway address
- the tunnel between A and B should have 2 phase2's:
one from network A to network B
one from network A to network C (so this one needs to be added)
- in the policy from A to B, add network C's address range as destination address
2. on FGT C:
- add a static route for the network A, gateway interface is the tunnel to B, no gateway address
- the tunnel between C and B should have 2 phase2's:
one from network C to network B
one from network C to network A (so this one needs to be added)
- in the policy from C to B, add network A's address range as destination address
3. on FGT B:
- create 2 new policies:
- from tunnel A to tunnel C
- from tunnel C to tunnel A
with the correct source and destination addresses.
So, in short: make sure the tunnel carries 2 destination networks (via 2 phase2's) and the policy allows the remote network. FGT B will do the routing; the transit traffic is allowed by 2 additional policies.
Let us know if this works for you.
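A quick way to check that all three boxes carry the pieces listed above, as an added example (not the poster's configuration or Fortinet's code): it models routes, phase2 selectors and policies as plain Python data using the poster's subnets and reports what is still missing for A to reach C via B. The tunnel and interface names, the dict layout and the poster's partial state as modelled here are assumptions; the hub's phase2 selectors are not checked because the post above lists only policies for B.

```python
from ipaddress import ip_network
# Constructed model of the thread's layout: A = Azure side, B = main on-prem hub,
# C = secondary site. Subnets are the poster's; tunnel names, the "lan" name
# and the dict layout are this example's assumptions.
NET_A, NET_B, NET_C = (ip_network(n) for n in
                       ("10.0.0.0/24", "192.168.168.0/24", "192.168.169.0/24"))

def covers(selectors, src, dst):
    """Phase2 selectors are (local, remote) pairs; one must contain both src and dst."""
    return any(src.subnet_of(s) and dst.subnet_of(d) for s, d in selectors)

def allowed(policies, src_if, dst_if, src, dst):
    """Policies are (srcintf, dstintf, srcaddr, dstaddr) tuples; all four must match."""
    return any(src_if == si and dst_if == di and src.subnet_of(s) and dst.subnet_of(d)
               for si, di, s, d in policies)

def spoke_problems(name, fgt, local, remote, tun):
    """Spoke checks from the thread: route via the hub tunnel, phase2 selector, policy."""
    out = []
    if fgt["routes"].get(remote) != tun:
        out.append(f"{name}: no static route {remote} via {tun}")
    if not covers(fgt["phase2"].get(tun, []), local, remote):
        out.append(f"{name}: {tun} lacks phase2 selector {local} -> {remote}")
    if not allowed(fgt["policies"], "lan", tun, local, remote):
        out.append(f"{name}: no policy lan -> {tun} for {local} -> {remote}")
    return out

def hub_problems(name, fgt, tun_a, tun_c):
    """Hub check from the thread: one transit policy per direction between the tunnels."""
    out = []
    for si, di, s, d in ((tun_a, tun_c, NET_A, NET_C), (tun_c, tun_a, NET_C, NET_A)):
        if not allowed(fgt["policies"], si, di, s, d):
            out.append(f"{name}: no transit policy {si} -> {di} for {s} -> {d}")
    return out

def transit_problems(a, b, c):
    """Everything still missing for A<->C via B; an empty list means the design is complete."""
    return (spoke_problems("A", a, NET_A, NET_C, "to_B")
            + hub_problems("B", b, "from_A", "from_C")
            + spoke_problems("C", c, NET_C, NET_A, "to_B"))

# Constructed snapshot of the poster's state: only the static route on C has been added.
FGT_A = {"routes": {NET_B: "to_B"}, "phase2": {"to_B": [(NET_A, NET_B)]},
         "policies": [("lan", "to_B", NET_A, NET_B)]}
FGT_B = {"phase2": {"from_A": [(NET_B, NET_A)], "from_C": [(NET_B, NET_C)]},
         "policies": [("from_A", "lan", NET_A, NET_B), ("from_C", "lan", NET_C, NET_B)]}
FGT_C = {"routes": {NET_B: "to_B", NET_A: "to_B"}, "phase2": {"to_B": [(NET_C, NET_B)]},
         "policies": [("lan", "to_B", NET_C, NET_B)]}

if __name__ == "__main__":
    print("\n".join(transit_problems(FGT_A, FGT_B, FGT_C)) or "transit path complete")
```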
What you are saying makes sense, other than that C is not a FortiGate but a Virtual Network Gateway in Azure.
That being said, I have set A and B correctly. I have the static route and NSG (policies) set in Azure as well, but it is still not passing traffic.
Also, you must create the VPNs in interface mode. Policy mode will not allow the routing you wish.