Paschalis_Hadjithoma
New Contributor

IPSec VPN to IPSec VPN communication

Hello everyone,

 

I am trying to configure inter-communication between some IPsec VPN tunnels.

I configured the tunnels and I managed to get communication working from my internal network to the VPN users and vice versa (VPN users to internal network). I did that for all of my tunnels and it's working.

 

The requirement (what the customer wants) is that I also need to configure communication from one VPN tunnel to the other VPN tunnel. I tried to create a firewall policy with "Tunnel1" as src and "Tunnel2" as dst, but it doesn't work.

Any suggestions? Does it need more configuration?

 

FortiGate version is 7.2.3

seshuganesh
Staff

Hello,

 

Please correct me if I am wrong.

Network-A-------FGT1---IPSEC-----FGT2-----IPSEC----FGT3---networkB

So when computers in Network A ping computers in Network B, the traffic should hit FGT1. On FGT1 we need to understand whether the traffic is being forwarded to FGT2 or not:

You can execute these commands on FGT1:

diag debug reset
diag debug disable
diag debug flow filter addr a.b.c.d (where a.b.c.d is the destination IP which you are pinging)
diag debug flow filter proto 1
diag debug flow show function-name enable
diag debug flow trace start 1000
diag debug enable

 

Once you get the debug logs, you can disable debugging using this command: "diag debug disable"

 

Now, if the traffic is hitting FGT2, we need to take a debug flow on FGT2 to understand what the flow is:

diag debug reset
diag debug disable
diag debug flow filter addr a.b.c.d (where a.b.c.d is the destination IP which you are pinging)
diag debug flow filter proto 1
diag debug flow show function-name enable
diag debug flow trace start 1000
diag debug enable

 

Once you get the debug logs, you can disable debugging using this command: "diag debug disable"

 

Please keep us posted.

 

Paschalis_Hadjithoma

I have only 1 FortiGate machine and I configured 2 IPsec VPN tunnels: one tunnel for dynamic-lease users and 1 tunnel for static-lease users. The two tunnels are configured client-to-site.

Can I configure communication from 1 tunnel to the other tunnel?

seshuganesh

Yes, it's possible; we just need to have a firewall policy from "one VPN interface to the other VPN interface" in both directions.

If it is still not working, share the debug log output with me:

diag debug reset
diag debug disable
diag debug flow filter addr a.b.c.d (where a.b.c.d is the destination IP which you are pinging)
diag debug flow filter proto 1
diag debug flow show function-name enable
diag debug flow trace start 1000
diag debug enable

 

Once you get the debug logs, you can disable debugging using this command: "diag debug disable"

 

Paschalis_Hadjithoma

I created the two firewall policies, but nothing happened, and I tried the debug commands you mentioned and I didn't get any logs.

gfleming

Are the phase-2 selectors configured properly on both sides? That is, has the remote customer put the other remote customer's VPN networks in their phase-2 selectors? Do they match everywhere?

Cheers,
Graham
IT_Ahan2
New Contributor III

Could you please let me know your current configuration?

Paschalis_Hadjithoma

Hello IT_Ahan2,


I have only 1 FortiGate machine and I configured 2 IPsec VPN tunnels: one tunnel for dynamic-lease users and 1 tunnel for static-lease users. The two tunnels are configured client-to-site.

Can I configure communication from 1 tunnel to the other tunnel?

IT_Ahan2

Try it without split tunneling.

pbangari

Yes, have routes for the traffic in both directions, plus the firewall policies.
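The "policy in both directions plus routes" setup that seshuganesh and pbangari describe, written out as FortiOS CLI. This is an added example, not configuration posted in the thread; the interface names "Tunnel1"/"Tunnel2", the address-object names and the two client pools (10.10.1.0/24 and 10.10.2.0/24) are constructed and must be replaced with the real ones.

```fortios
# Constructed names: tunnel interfaces "Tunnel1" and "Tunnel2"; client pools
# 10.10.1.0/24 (dynamic-lease users) and 10.10.2.0/24 (static-lease users).
config firewall address
    edit "Tunnel1_pool"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "Tunnel2_pool"
        set subnet 10.10.2.0 255.255.255.0
    next
end

# Routes so the FortiGate knows which tunnel interface reaches each pool
# (redundant if the phase1-interface already has add-route enabled).
config router static
    edit 0
        set dst 10.10.1.0 255.255.255.0
        set device "Tunnel1"
    next
    edit 0
        set dst 10.10.2.0 255.255.255.0
        set device "Tunnel2"
    next
end

# One policy per direction; scoped to the two pools rather than "all".
config firewall policy
    edit 0
        set name "Tunnel1_to_Tunnel2"
        set srcintf "Tunnel1"
        set dstintf "Tunnel2"
        set srcaddr "Tunnel1_pool"
        set dstaddr "Tunnel2_pool"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "Tunnel2_to_Tunnel1"
        set srcintf "Tunnel2"
        set dstintf "Tunnel1"
        set srcaddr "Tunnel2_pool"
        set dstaddr "Tunnel1_pool"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

If the clients use split tunneling, the other tunnel's pool must also be in that tunnel's ipv4-split-include list (or split tunneling disabled, as suggested above); otherwise the client never sends that traffic into the tunnel, and the FortiGate debug flow shows nothing, which is consistent with the empty debug output reported in this thread.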
