Hello everyone,
I am trying to configure inter-communication between some IPsec VPN tunnels.
I configured the tunnels and i managed to do the communication from my internal network to VPN users and respectively (VPN users to Internal network). I did that for all of my tunnels and it's working.
The demand is,(customer wants), that i need also to configure a communication from one vpn tunnel to other vpn tunnel. I tried to create a firewall policy from "Tunnel1" as src to "Tunnel2" as dst but it doesn't work.
Any suggestions? Does it need more configuration?
Fortigate version is 7.2.3
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello,
Please correct me if i am wrong.
Network-A-------FGT1---IPSEC-----FGT2-----IPSEC----FGT3---networkB
So when computers in Network A pinging to computers in network B, traffic should hit FGT1. In FGT1 we need to understand whether traffic is forwarding to FGT2 or not:
You can execute these commands in the FGT1:
diag debug reset
diag debug disable
diag debug flow filter addr a.b.c.d (where a.b.c.d is the destination IP which you are pinging)
diag debug flow filter proto 1
diag debug flow show function-name enable
diag debug flow trace start 1000
diag debug enable
Once you get the debug logs you can disable debug using this command "diag debug disable"
Now if the traffic is hitting FGT2, we need to take debug flow in FGT2 to understand what is the flow:
diag debug reset
diag debug disable
diag debug flow filter addr a.b.c.d (where a.b.c.d is the destination IP which you are pinging)
diag debug flow filter proto 1
diag debug flow show function-name enable
diag debug flow trace start 1000
diag debug enable
Once you get the debug logs you can disable debug using this command "diag debug disable"
Please keep us posted.
I have only 1 Fortigate machine and i configured 2 IPSEC VPN Tunnels. One tunnel for dynamic lease users and 1 tunnel for static lease users. The two tunnels are client-to-site configured.
Can i configure communication from 1 tunnel to the other tunnel?
Yes its possible, we just need to have firewall policy from "one vpn interface to other vpn interface" in both ways.
If still its not working share me the debug log output:
diag debug reset
diag debug disable
diag debug flow filter addr a.b.c.d (where a.b.c.d is the destination IP which you are pinging)
diag debug flow filter proto 1
diag debug flow show function-name enable
diag debug flow trace start 1000
diag debug enable
Once you get the debug logs you can disable debug using this command "diag debug disable"
I did the two firewall policies but nothing happened and i tried the debug commands you said and i didn't get any logs.
Are the phase-2 selectors configured properly on both sides? That is the remote customer has put in the other remote customer's VPN networks in their phase-2 selectors? Do they match everywhere?
could you please let me know your current configuration
Hello IT_Ahan2,
I have only 1 Fortigate machine and i configured 2 IPSEC VPN Tunnels. One tunnel for dynamic lease users and 1 tunnel for static lease users. The two tunnels are client-to-site configured.
Can i configure communication from 1 tunnel to the other tunnel?
Try to do without Split tunnel
Yes, have routes back and forth traffic and Firewall Policies.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
443 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.