Hello everyone,
I am trying to configure inter-communication between some IPsec VPN tunnels.
I configured the tunnels and I managed to get communication working from my internal network to the VPN users and vice versa (VPN users to internal network). I did that for all of my tunnels and it's working.
The demand (what the customer wants) is that I also need to configure communication from one VPN tunnel to another VPN tunnel. I tried to create a firewall policy with "Tunnel1" as src and "Tunnel2" as dst, but it doesn't work.
Any suggestions? Does it need more configuration?
FortiGate version is 7.2.3
Your VPN clients have to have a route to the other VPN. Since routes are IP/subnet based, this might require using mode-config. The only other way would be to have all traffic hit the FGT, but even then routing is still required, since the routing table is the first thing that is looked at when a packet hits the FGT.
The best solution in my opinion would be to use mode-config to define a subnet for each VPN and additionally use split tunneling to set the routes on the clients.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
In our case we have:
- IPsec Phase-1 for the gateway-to-gateway tunnel
- IPsec Phase-2 for the traffic allowed to go through the tunnel
- Routes directing the traffic to the tunnel
- Firewall policy to allow the traffic
All these points should be checked.
Have you configured phase-2 of the VPN to allow the traffic?
Solution to this:
1. For dynamic lease users, configure the VPN tunnel and add to the split tunnel the subnet you are targeting (in this case, the target subnet is the one that VPN static lease users get their IP addresses from).
2. For all static lease users, configure FortiClient with all the options necessary to establish the connection and also add the subnet for dynamic users to the split tunnel settings.
3. Add 2 firewall policies for both directions of traffic (e.g. Dynamic_Users_VPN to Static_Users_VPN).
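As an added illustration (not posted in the thread), this FortiOS CLI fragment applies the three steps above to the two existing dial-up tunnels "Tunnel1" and "Tunnel2" from the question: each tunnel gets a mode-config pool and a split-tunnel route to the other tunnel's pool, and one policy per direction allows the traffic between the tunnel interfaces. The pool subnets and the address-object and policy names are assumed; if one tunnel uses static client addresses instead, replace that pool object with the static subnet and drop the mode-config lines for that tunnel.

```fortios
# Address objects for the two client pools (pool subnets are assumed)
config firewall address
    edit "Tunnel1_Pool"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "Tunnel2_Pool"
        set subnet 10.10.2.0 255.255.255.0
    next
end
# On each existing dial-up phase-1: mode-config pool plus a split-tunnel route to the OTHER pool
config vpn ipsec phase1-interface
    edit "Tunnel1"
        set mode-cfg enable
        set ipv4-start-ip 10.10.1.1
        set ipv4-end-ip 10.10.1.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "Tunnel2_Pool"
    next
    edit "Tunnel2"
        set mode-cfg enable
        set ipv4-start-ip 10.10.2.1
        set ipv4-end-ip 10.10.2.254
        set ipv4-netmask 255.255.255.0
        set ipv4-split-include "Tunnel1_Pool"
    next
end
# Traffic between two tunnel interfaces needs its own policy in each direction
config firewall policy
    edit 0
        set name "Tunnel1_to_Tunnel2"
        set srcintf "Tunnel1"
        set dstintf "Tunnel2"
        set srcaddr "Tunnel1_Pool"
        set dstaddr "Tunnel2_Pool"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "Tunnel2_to_Tunnel1"
        set srcintf "Tunnel2"
        set dstintf "Tunnel1"
        set srcaddr "Tunnel2_Pool"
        set dstaddr "Tunnel1_Pool"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

After clients reconnect, `get router info routing-table all` should show the per-client routes injected by the dial-up tunnels, and `diag debug flow` on a packet from one pool to the other should report the new policy as the match rather than a drop.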
What do traceroutes from VPN1 to VPN2 show?
When running the traces, run the packet sniffer on the CLI of the FortiGate that's handling the connections:

```
diag sniffer packet any 'host <IP of machine doing the traceroute>' 4 999 l
```
That should show you what the issue is. If not, use the diag debug commands, which give you very good details that can be invaluable. The script below specifies the source address, destination port, etc. of the traffic as it comes into the FW and shows what decisions the FW made on that traffic, i.e. dropped, routed to WAN, etc.

```
diag debug reset
diag debug flow filter clear
# saddr is your VPN client running the traceroutes
diag debug flow filter saddr 192.168.6.53
# leave this line off, or change the port, so that the packets match your traces
diag debug flow filter port 80
diag debug flow show console enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug console timestamp enable
diag debug enable
diag debug flow trace start 1000
```
Copyright 2025 Fortinet, Inc. All Rights Reserved.