Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pfc
New Contributor

Created on ‎09-14-2019 12:52 AM

How to reach two different LAN Network / IP-ranges through VPN Tunnel

Hi all,

 

we have two locations with the following IP settings

Location 1: 192.168.1.0

Location 2: 192.168.2.0 and on a lot of clients secondary IPs of the 192.168.3.0 network

 

The Fortigate on Location 2 has on the LAN facing Interface 192.168.2.x and a secondary ip 192.168.3.x

 

The VPN is up and running and communication between both locations is possible. Clients from 192.168.1.x can reach clients 192.168.2.x and vice versa.

 

192.168.1.x can not reach 192.168.3.x

 

On Location 1 i have a static route with the subnet 192.168.3.x into the VPN Interface (VPN to Location 2).

 

But no communnication to the "second" LAN is possible.

 

The log shows that the ping hits the correct VPN Tunnel, but there is no reply:

 

21.730555 VPN-to-Location 2 out 180.22.x.x -> 192.168.3.15: icmp: echo request 22.740695 VPN-to-Location 2 out 180.22.x.x -> 192.168.3.15: icmp: echo request

any advice?

thanks a lot in advance

4083
0 Kudos
5 REPLIES 5
orani
Contributor II

Created on ‎09-14-2019 02:15 AM

From location 1 firewall can you reach lacation's 2 firewall with ip 192.168.3.x (gateway secondary ip)?

Orestis Nikolaidis

Network Engineer/IT Administrator

Orestis Nikolaidis Network Engineer/IT Administrator
3064
0 Kudos
pfc
New Contributor
In response to orani

Created on ‎09-14-2019 04:10 AM

Hi orani,

 

with administrativ access enabled for ping on that secondary IP on location 2 firewall, there is no ping reply.

 

7.592865 VPN-to-Location 2 out 180.22.x.x -> 192.168.3.250: icmp: echo request 8.608995 VPN-to-Location 2 out 180.22.x.x -> 192.168.3.250: icmp: echo request

(also no reply when I add the interface to use for "execute ping" on location 1 firewall, like using the location 1 LAN interface)

3064
0 Kudos
orani
Contributor II
In response to pfc

Created on ‎09-14-2019 06:36 AM

So it seems that there is no route to that subnet... you can run traceroute (tracert on windows pc) to see the path that your traffic goes through. You might need to configure a static route on location 1 or maybe at both locations

Orestis Nikolaidis

Network Engineer/IT Administrator

Orestis Nikolaidis Network Engineer/IT Administrator
3064
0 Kudos
brittany
New Contributor

Created on ‎09-16-2019 09:00 AM

You would need the subnets to be separate. you would either need to migrate to a different subnet or split the subnet.

3064
0 Kudos
rwpatterson
Valued Contributor III
In response to brittany

Created on ‎09-16-2019 10:31 AM

In your phase two settings, add that 192.168.3.x subnet to both sides along with the appropriate policies. You already added the routes.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
3064
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.