Hi,
I have configured a site2site ipsec tunnel, but I have one issue I need to figure out.
On the branch network, the modem is connected to a switch which then has the FortiGate and multiple wifi access points connected. The FortiGate has a .200 subnet, and the wifi has a .1, if I connect directly to the FortiGate I am able to connect to the HQ network through the IPsec tunnel, but I need to be able to to access the tunnel through the .1 subnet. Is this possible, and can anyone point me in the right direction as to solve this?
I have attached a photo of how I want the network set up.
It's the same with "hub and spoke" network, connecting a spoke to another spoke via hub. In your case, the blanch FGT is the hub. I assume you meant like 192.168.200.0/24 with .200 and 192.168.1.0/24 with .1 subnet.
You need to solve three things, 1) phase2 network selectors, 2) routing, and 3) policies.
For 1) the selector needs to include 192.168.1.0/24 from/to HQ subnet, if not 0/0<->0/0
For 2) HQ needs to route .1.0/24 into the tunnel.
For 3) both FGTs needs to have proper policy allowing .1.0/24 to connect to HQ network.
Hi,
Thanks for taking the time to reply to my post. I believe I have everything set up as you describe, but I still get nowhere. When I connect to the switch I'm routed out the default gateway 192.168.1.1 when I try to access the server on the HQ network. However, if I connect directly to the FortiGate and get the 192.168.206.0/24 I am able to access the HQ server.
I thought maybe virtual IP/dnat would allow me to do what I am trying to achieve: Where a device with 192.168.1.0/24 subnet accesses 192.168.1.4 (fortigates IP) and gets routed to the HQ server, wouldn't that be possible?
Thanks in advance for any help!
I created another diagram to better show what I am trying to achieve.
The ipsec tunnel is working fine if I connect directly to the branch fortigate, and receive a 192.168.200.x-address, but not if I connect to the switch and receive a 192.168.1.x-address, that's where my issue is.
I want to be able to access the server on HQ through any device connected directly to the switch or any of the access points, so basically, 192.168.1.2-192.168.1.254 should be able to access the server.
I am not sure I have set things up correctly for that to work, but as you can see in my diagram, on the branch, a modem is connected to a port on the switch, from there we have several wifi access points, and the fortigate is connected to the switch through the WAN port on the fortigate, and a gateway is connected to the fortigates port 1.
It all works, except one thing, accessing the server from 192.168.1.0/24. Is there a way I can configure this to work? Can it be done by using dnat/virtual ip and access the fortigates 192.168.1.x address and be "forwarded" to the servers 10.200.1.123 address through the IPsec tunnel, or any other ways?
Thanks in advance for any help!
If the switch is actually doing routing, like wifi client's default GW lives on it then route internet without going though the FGT, you still have a routing issue to be solved on the switch.
Use traceroute from the client device to see if it's hitting the FGT. If it is, then you need to figure out why it doesn't go into the tunnel by "flow debug". There should be no NAT/VIP needed to route through the tunnel.
Accoarding to your Diagram I'd assume that your FGT aswell as you wifi client get an ipv4 in 192.168.1.x from the modem. So I assume they also get the modem as default gw via dhcp.
That would then mean that all traffic coming/going to/from your wifi client will not pass through branch FGT.
So there is no route that matches HQ Subnet except from the default route. And that is exactly what you described.
So I'd simply try following (because it is th easiest way in my opinion): give the FGT a dhcp reservation or static ip in 192.168.1.x (so it allways will have the same ip there). Then reconfigure the dhcp on your wifi to dristibute the FGT IP as default gw. Then on wifi client your default route will send all traffic to the FGT which can route it on then.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Solved this issue using dnat/vip, I could not interfere or change anything on the current network and ended up mapping the fortigate's WAN IP (192.168.1.0/24) to the server through the ipsec tunnel, this way, any device on the wifi can visit the fortigates IP (e.g. 192.168.1.20) and get routed through the tunnel.
Thanks for the help though!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.