eb40
New Contributor

Is it possible to use IPsec over IPsec?

Hello,

 

Currently I am working on the configuration below and cannot make it work. The point is that the local PC and the EC2 PC must communicate with each other. There is an APN router which is not managed by me, so I am using the red ipsec2 network to make the required site-to-site connection.

This scheme was used for a long time, but with an additional PC in the local network which was making the required IPsec. Now I want to get rid of it and move everything to the FortiGate. This is a FortiGate F40, OS 7.0.0.

[Image: IPsec configuration]

 

Could anybody take a look and advise if this is even possible?

If it is, maybe there is some special name (like "site to site") for the configuration I could google?

 

Thanks in advance.

 

scan888

Maybe you are right.

I don't know, over the forum thread and without access to the infrastructure.
Maybe Fortinet TAC Support can help you.

 

Sorry, for that. :(

- Have you found a solution? Then give your helper a "Like" and mark the solution.
gfleming

Can you ping the Teltonika (192.168.11.2) from the Fortinet's 192.168.1.159 IP?


It might be worth trying to set up the tunnel from port1 on the Fortinet to the Teltonika.

Cheers,
Graham
gfleming
Staff

Does the Teltonika (?) firewall/router not have a route directly to the FortiGate? Can you explain why you cannot make a direct connection between those two devices for their own IPsec tunnel?


Or, why can EC2 not just route to the Local PC over the existing connections?

Cheers,
Graham
eb40
New Contributor

The Teltonika has one, and without ipsec2 I can ping the Local PC from EC2, but the problem is that I cannot access/ping EC2 from the Local PC.

This problem is because the APN is a mobile provider router which gives a private VPN to the Teltonika, but it does not have a route to EC2. I cannot access the APN to add the route, so I am creating ipsec2.

gfleming

If you can ping EC2 from the Local PC, then there absolutely is a route on the APN to EC2. Your problem sounds like a firewall policy is not allowing that traffic.

 

Does the Teltonika firewall allow the traffic from the Local PC?

 

 

Cheers,
Graham
eb40
New Contributor

I can ping from EC2 because EC2 packets are masqueraded in the Teltonika and go into ipsec1 with the Teltonika's own address as the source, which ipsec1 recognizes. If I ping from Local, then I get an error from ipsec1, "No matching IPsec selector, drop": this is because EC2 is not a subnet in ipsec1.
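
The asymmetry described in the post above (EC2 -> Local passes, Local -> EC2 is dropped with "No matching IPsec selector") comes down to phase 2 selector matching after source NAT. The following is an added illustration, not FortiOS code and not from the original thread: it models ipsec1's selectors and the Teltonika's masquerade step so the two directions can be traced. Only the two host addresses 192.168.1.159 and 192.168.11.2 come from the thread; the /24 subnets, the hypothetical EC2 subnet 10.0.0.0/24 and the host addresses used in the trace are assumptions.

```python
"""Why EC2 -> Local PC crosses ipsec1 but Local PC -> EC2 is dropped.

Added example for the thread; not FortiOS code. Apart from 192.168.1.159 and
192.168.11.2, every address below is an assumption made for the illustration.
"""
from ipaddress import ip_address, ip_network

# Assumed topology.
LOCAL_LAN = ip_network("192.168.1.0/24")       # behind the FortiGate (192.168.1.159)
TELTONIKA_LAN = ip_network("192.168.11.0/24")  # behind the Teltonika (192.168.11.2)
EC2_SUBNET = ip_network("10.0.0.0/24")         # hypothetical EC2 side, not covered by ipsec1
TELTONIKA_IP = ip_address("192.168.11.2")      # address EC2 traffic is masqueraded to

# Phase 2 selectors of ipsec1 as seen from the FortiGate: (local subnet, remote subnet).
IPSEC1_SELECTORS = [(LOCAL_LAN, TELTONIKA_LAN)]

DROP = "drop: no matching IPsec selector"
ENCRYPT = "encrypt"


def selector_lookup(selectors, src, dst):
    """Return the selector covering src -> dst, or None if the tunnel would drop it."""
    for local, remote in selectors:
        if src in local and dst in remote:
            return (local, remote)
    return None


def peer_view(selectors):
    """The same selectors from the other end of the tunnel (local/remote swapped)."""
    return [(remote, local) for local, remote in selectors]


def masquerade(src, nat_ip, hidden_subnet):
    """Source NAT as the Teltonika does it: hosts in hidden_subnet leave as nat_ip."""
    return nat_ip if src in hidden_subnet else src


def ec2_to_local(ec2_host="10.0.0.5", local_host="192.168.1.50"):
    """Trace a packet from an EC2 host towards the Local PC through the Teltonika."""
    src, dst = ip_address(ec2_host), ip_address(local_host)
    src = masquerade(src, TELTONIKA_IP, EC2_SUBNET)          # becomes 192.168.11.2 -> local
    hit = selector_lookup(peer_view(IPSEC1_SELECTORS), src, dst)  # Teltonika end of ipsec1
    return ENCRYPT if hit else DROP


def local_to_ec2(selectors, local_host="192.168.1.50", ec2_host="10.0.0.5"):
    """Trace a packet from the Local PC towards an EC2 host at the FortiGate end."""
    src, dst = ip_address(local_host), ip_address(ec2_host)
    hit = selector_lookup(selectors, src, dst)                # no NAT here: real dst is checked
    return ENCRYPT if hit else DROP


if __name__ == "__main__":
    print("EC2 -> Local:", ec2_to_local())
    print("Local -> EC2:", local_to_ec2(IPSEC1_SELECTORS))
    # What an extra phase 2 selector for the EC2 subnet (which the poster cannot add) would do:
    print("Local -> EC2 with EC2 selector:",
          local_to_ec2(IPSEC1_SELECTORS + [(LOCAL_LAN, EC2_SUBNET)]))
```

The trace shows the point the poster makes: after masquerading, the EC2 packet looks like 192.168.11.2 -> 192.168.1.x and fits ipsec1's selectors, and the reply to 192.168.11.2 fits them too, so EC2-initiated pings work. A packet the Local PC sends to a real EC2 address has a destination outside every selector, so it is dropped before it ever reaches the Teltonika, which is why a DNAT on the Teltonika alone cannot help unless the Local PC targets 192.168.11.2 itself.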

gfleming

OK, in that case, how does internet-bound traffic flow from EC2? Does it go out the Teltonika, get masqueraded and then get routed to the internet via the APN? If so, can you create an IPsec tunnel over the internet through the APN router (and not over the existing IPsec tunnel)?

 

Or alternatively can you create a DNAT rule on the Teltonika router that provides access to EC2?

Cheers,
Graham
eb40
New Contributor

The internet is not accessible for the Teltonika. So the only option to make ipsec2 is over the private net.

A DNAT I could create, but I think there is no reason to, because the ping packets are dropped already on the Fortinet side, because I am pinging EC2, which is outside the ipsec1 subnets, and I cannot add subnets to ipsec1.

 

Regards,

Andrius

gfleming

Sorry, I am not following: how are ping packets dropped on the Fortinet for EC2? I thought you said you could ping EC2 from the Local PC, which goes through the Fortinet?

Cheers,
Graham
eb40
New Contributor

No, I can ping from EC2 to Local, and I cannot (but need to) ping from Local to EC2.

In reality there will be a few devices in place of EC2; it must be a subnet, so port forwarding of the EC2 devices is not a solution for me.

 

Regards,

Andrius.
