Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
torhs
New Contributor

IPSec S2S allowing different subnet through tunnel

Hi,

I have configured a site-to-site IPsec tunnel, but I have one issue I need to figure out.

On the branch network, the modem is connected to a switch, which then has the FortiGate and multiple wifi access points connected. The FortiGate has a .200 subnet, and the wifi has a .1 subnet. If I connect directly to the FortiGate I am able to connect to the HQ network through the IPsec tunnel, but I need to be able to access the tunnel through the .1 subnet. Is this possible, and can anyone point me in the right direction as to how to solve this?

I have attached a photo of how I want the network set up.

Toshi_Esumi
Esteemed Contributor III

It's the same as a "hub and spoke" network, connecting a spoke to another spoke via the hub. In your case, the branch FGT is the hub. I assume you meant something like 192.168.200.0/24 with .200 and 192.168.1.0/24 with .1 subnet.

You need to solve three things: 1) phase2 network selectors, 2) routing, and 3) policies.

For 1), the selector needs to include 192.168.1.0/24 from/to the HQ subnet, if not 0/0<->0/0.

For 2), HQ needs to route .1.0/24 into the tunnel.

For 3), both FGTs need to have proper policies allowing .1.0/24 to connect to the HQ network.
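As an added example (not from the thread), here are the three items above written out as FortiOS CLI for both FortiGates. Interface, tunnel and address-object names are assumptions, and the branch's existing static route for the HQ subnet into the tunnel is taken as already present, since the tunnel already works from the .200 LAN.

```fortios
# Branch FortiGate. Assumed names: tunnel "to-HQ", WAN port "wan1", address
# objects "WLAN-clients" = 192.168.1.0/24 and "HQ-LAN" = 10.200.1.0/24.
# 1) Phase 2 selector that also covers the WLAN subnet (one entry per pair)
config vpn ipsec phase2-interface
    edit "to-HQ-wlan"
        set phase1name "to-HQ"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.200.1.0 255.255.255.0
    next
end
# 3) WLAN traffic enters on wan1 (the FortiGate must be the clients' gateway,
#    see sw2090's reply) and exits via the tunnel; keep addresses scoped.
config firewall policy
    edit 0
        set name "WLAN-to-HQ"
        set srcintf "wan1"
        set dstintf "to-HQ"
        set srcaddr "WLAN-clients"
        set dstaddr "HQ-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# HQ FortiGate. Assumed names: tunnel "from-branch", LAN port "internal",
# address objects "Branch-WLAN" = 192.168.1.0/24 and "HQ-LAN" as above.
config vpn ipsec phase2-interface
    edit "from-branch-wlan"
        set phase1name "from-branch"
        set src-subnet 10.200.1.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
# 2) Route the branch WLAN subnet into the tunnel
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "from-branch"
    next
end
config firewall policy
    edit 0
        set name "branch-WLAN-to-HQ"
        set srcintf "from-branch"
        set dstintf "internal"
        set srcaddr "Branch-WLAN"
        set dstaddr "HQ-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Narrow `set service "ALL"` on both policies to the services the HQ server actually offers once the path is confirmed working.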

torhs

Hi,

Thanks for taking the time to reply to my post. I believe I have everything set up as you describe, but I still get nowhere. When I connect to the switch I'm routed out the default gateway 192.168.1.1 when I try to access the server on the HQ network. However, if I connect directly to the FortiGate and get a 192.168.206.0/24 address I am able to access the HQ server.

I thought maybe virtual IP/DNAT would allow me to do what I am trying to achieve: where a device on the 192.168.1.0/24 subnet accesses 192.168.1.4 (the FortiGate's IP) and gets routed to the HQ server. Wouldn't that be possible?

Thanks in advance for any help!

torhs
New Contributor

I created another diagram to better show what I am trying to achieve.

The IPsec tunnel is working fine if I connect directly to the branch FortiGate and receive a 192.168.200.x address, but not if I connect to the switch and receive a 192.168.1.x address; that's where my issue is.

I want to be able to access the server on HQ through any device connected directly to the switch or any of the access points, so basically 192.168.1.2-192.168.1.254 should be able to access the server.

I am not sure I have set things up correctly for that to work, but as you can see in my diagram, on the branch a modem is connected to a port on the switch, from there we have several wifi access points, the FortiGate is connected to the switch through the WAN port on the FortiGate, and a gateway is connected to the FortiGate's port 1.

It all works except one thing: accessing the server from 192.168.1.0/24. Is there a way I can configure this to work? Can it be done by using DNAT/virtual IP, accessing the FortiGate's 192.168.1.x address and being "forwarded" to the server's 10.200.1.123 address through the IPsec tunnel, or in any other way?

Thanks in advance for any help!

Toshi_Esumi
Esteemed Contributor III

If the switch is actually doing routing, like the wifi clients' default GW lives on it and it routes to the internet without going through the FGT, you still have a routing issue to be solved on the switch.

Use traceroute from the client device to see if it's hitting the FGT. If it is, then you need to figure out why it doesn't go into the tunnel by "flow debug". There should be no NAT/VIP needed to route through the tunnel.

sw2090
Honored Contributor

According to your diagram I'd assume that your FGT as well as your wifi client get an IPv4 address in 192.168.1.x from the modem. So I assume they also get the modem as default GW via DHCP.

That would then mean that all traffic coming/going to/from your wifi client will not pass through the branch FGT.

So there is no route that matches the HQ subnet except the default route. And that is exactly what you described.

So I'd simply try the following (because it is the easiest way in my opinion): give the FGT a DHCP reservation or static IP in 192.168.1.x (so it will always have the same IP there). Then reconfigure the DHCP on your wifi to distribute the FGT IP as default GW. Then on the wifi client your default route will send all traffic to the FGT, which can route it on from there.

--

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
torhs
New Contributor

Solved this issue using DNAT/VIP. I could not interfere or change anything on the current network and ended up mapping the FortiGate's WAN IP (192.168.1.0/24) to the server through the IPsec tunnel; this way, any device on the wifi can visit the FortiGate's IP (e.g. 192.168.1.20) and get routed through the tunnel.
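The DNAT/VIP arrangement described in this reply, written as FortiOS CLI on the branch FortiGate. This is an added example, not the poster's configuration; the tunnel, interface and address-object names are assumptions, and the WAN IP 192.168.1.20 is the value from the post.

```fortios
# Branch FortiGate. Assumed names: tunnel "to-HQ", WAN port "wan1" holding
# 192.168.1.20, address object "WLAN-clients" = 192.168.1.0/24.
# Clients that connect to 192.168.1.20 are DNAT'ed to the HQ server.
config firewall vip
    edit "HQ-server-via-wan1"
        set extintf "wan1"
        set extip 192.168.1.20
        set mappedip "10.200.1.123"
    next
end
# Only WLAN hosts may use the VIP, and only toward the tunnel. Replace "ALL"
# with the server's actual services. HQ still needs the phase 2 selector,
# route and policy for 192.168.1.0/24 from Toshi_Esumi's reply, otherwise the
# server's replies to the untranslated 192.168.1.x source cannot return.
config firewall policy
    edit 0
        set name "WLAN-to-HQ-server"
        set srcintf "wan1"
        set dstintf "to-HQ"
        set srcaddr "WLAN-clients"
        set dstaddr "HQ-server-via-wan1"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Because the VIP sits on the WAN-facing interface, the scoped `srcaddr` is what keeps hosts outside 192.168.1.0/24 from reaching the HQ server through it.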

Thanks for the help though!
