Support Forum
eb40
New Contributor

Is it possible to use IPsec over IPsec?

Hello,

Currently I am working on the configuration below and cannot make it work. The point is that the local PC and the EC2 PC must communicate with each other. There is an APN router which is not managed by me, so I am using the red ipsec2 network to make the required site-to-site connection.

This scheme was used for a long time, but with an additional PC in the local network which was making the required IPsec. Now I want to get rid of it and move everything to the FortiGate. This is a FortiGate F40, OS 7.0.0.

[Image: IPsec configuration]

Could anybody take a look and advise if this is even possible?

If it is, maybe there is some special (like "site to site") name for the configuration I could google?

Thanks in advance.


atahir
Staff

I have tested the nested IPsec solution today and I can pass the traffic.
Design
PC1 - FGT1 - FGT2 - FGT3 - FGT4 - PC2
First IPsec Tunnel between FGT2 and FGT3
Second Tunnel between FGT1 and FGT4

Once configured, PC1 can ping PC2 without any issue.

FGT1 # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_FGT4 ver=1 serial=2 172.16.100.10:0->172.16.101.10:0 tun_id=172.16.101.10 tun_id6=::172.16.101.10 dst_mtu=1500 dpd-link=on weight=1
bound_if=5 lgwy=static/1 tun=intf mode=auto/1 encap=none/544 options[0220]=frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=161 olast=161 ad=/0
stat: rxp=48 txp=49 rxb=4800 txb=4900
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_FGT4 proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.10.0-192.168.10.255:0
  dst: 0:192.168.40.0-192.168.40.255:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1446 expire=40838/0B replaywin=2048
       seqno=32 esn=0 replaywin_lastseq=00000031 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42897/43200
  dec: spi=92e4a4d9 esp=des key=8 7b8d77ce79c64f9e
       ah=md5 key=16 991058ac9e5fab61f3b88b61761183d1
  enc: spi=cb360c16 esp=des key=8 5fe9ca44b0d7bf6f
       ah=md5 key=16 385c796ef416622b7fd61aafab1f36b9
  dec:pkts/bytes=96/9600, enc:pkts/bytes=98/12348
  npu_flag=00 npu_rgwy=172.16.101.10 npu_lgwy=172.16.100.10 npu_selid=1 dec_npuid=0 enc_npuid=0
run_tally=0

FGT-2 # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=to_FGT3 ver=1 serial=1 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2 tun_id6=::172.16.200.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=4 lgwy=static/1 tun=intf mode=auto/1 encap=none/544 options[0220]=frag-rfc  run_state=0 role=primary accept_traffic=1 overlay_id=0

proxyid_num=1 child_num=0 refcnt=4 ilast=128 olast=128 ad=/0
stat: rxp=4 txp=4 rxb=608 txb=608
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=1
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=to_FGT3 proto=0 sa=1 ref=3 serial=1
  src: 0:172.16.100.0-172.16.100.255:0 0:192.168.10.0-192.168.10.255:0
  dst: 0:172.16.101.0-172.16.101.255:0 0:192.168.40.0-192.168.40.255:0
  SA:  ref=3 options=30202 type=00 soft=0 mtu=1446 expire=42772/0B replaywin=2048
       seqno=5 esn=0 replaywin_lastseq=00000005 qat=0 rekey=0 hash_search_len=1
  life: type=01 bytes=0/0 timeout=42903/43200
  dec: spi=5d4b34e6 esp=des key=8 a4d3b9029f127585
       ah=md5 key=16 eaed56d4a022251c3e204c4d2dcd6f4d
  enc: spi=b5c50064 esp=des key=8 658337c42cf9db34
       ah=md5 key=16 e394d7b9aa09833291c2e94b1ea5186f
  dec:pkts/bytes=8/1216, enc:pkts/bytes=8/1440
  npu_flag=00 npu_rgwy=172.16.200.2 npu_lgwy=172.16.200.1 npu_selid=0 dec_npuid=0 enc_npuid=0
run_tally=0

FGT-2 #

Connectivity

HOST#ping vrf host-a 192.168.40.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.40.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/15 ms
HOST#

AT
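The condition that makes atahir's nested design work can be read straight off the two `diag vpn tunnel list` outputs: the outer tunnel (FGT2-FGT3) must have phase2 selectors that include the inner tunnel's gateway pair (172.16.100.10 and 172.16.101.10), because to FGT2 and FGT3 the inner ESP is just IP traffic between those two hosts. The check below is an added example, not code from the thread or from Fortinet; its input is a constructed excerpt of the output above, trimmed to the fields it parses, and it also flags the DES/MD5 algorithms those SAs negotiated, which is worth noticing before relying on either tunnel.

```python
import ipaddress
import re

# Constructed excerpts of "diag vpn tunnel list" (trimmed to the fields used here).
FGT1_OUT = """\
name=to_FGT4 ver=1 serial=2 172.16.100.10:0->172.16.101.10:0 tun_id=172.16.101.10
proxyid=to_FGT4 proto=0 sa=1 ref=2 serial=1
  src: 0:192.168.10.0-192.168.10.255:0
  dst: 0:192.168.40.0-192.168.40.255:0
  dec: spi=92e4a4d9 esp=des key=8 7b8d77ce79c64f9e
       ah=md5 key=16 991058ac9e5fab61f3b88b61761183d1
"""
FGT2_OUT = """\
name=to_FGT3 ver=1 serial=1 172.16.200.1:0->172.16.200.2:0 tun_id=172.16.200.2
proxyid=to_FGT3 proto=0 sa=1 ref=3 serial=1
  src: 0:172.16.100.0-172.16.100.255:0 0:192.168.10.0-192.168.10.255:0
  dst: 0:172.16.101.0-172.16.101.255:0 0:192.168.40.0-192.168.40.255:0
  dec: spi=5d4b34e6 esp=des key=8 a4d3b9029f127585
       ah=md5 key=16 eaed56d4a022251c3e204c4d2dcd6f4d
"""

WEAK = {"des", "3des", "md5", "sha1", "null"}          # deprecated ESP/AH algorithms
GW_RE = re.compile(r"name=(\S+) .*? ([\d.]+):\d+->([\d.]+):\d+")  # local:port->remote:port
RANGE_RE = re.compile(r"\d+:([\d.]+)-([\d.]+):\d+")   # proto:lo-hi:port selector

def parse_tunnel(text):
    """Return name, local/remote gateway, phase2 selector ranges and algorithms."""
    t = {"src": [], "dst": [], "algs": set()}
    for raw in text.splitlines():
        line = raw.strip()
        m = GW_RE.match(line)
        if m:
            t["name"] = m.group(1)
            t["lgw"], t["rgw"] = map(ipaddress.ip_address, m.group(2, 3))
        elif line.startswith(("src:", "dst:")):
            t[line[:3]] += [(ipaddress.ip_address(lo), ipaddress.ip_address(hi))
                            for lo, hi in RANGE_RE.findall(line)]
        t["algs"].update(re.findall(r"\b(?:esp|ah)=(\w+)", line))
    return t

def covered(ip, ranges):
    return any(lo <= ip <= hi for lo, hi in ranges)

def outer_carries_inner(outer, inner):
    """True only if the outer selectors match the inner tunnel's gateway pair,
    i.e. the inner ESP packets are traffic the outer tunnel agrees to carry."""
    return covered(inner["lgw"], outer["src"]) and covered(inner["rgw"], outer["dst"])

def weak_algorithms(t):
    """Deprecated algorithms found in the tunnel's SA lines (sorted for stable output)."""
    return sorted(a for a in t["algs"] if a in WEAK)
```

Running it on the real output of a failing setup would show which of the two selector sets is missing the inner gateway address.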
elbig
New Contributor

@atahir, on your setup there's an extra FortiGate?

I'm currently facing the same problem as @eb40, as I'm trying to make an "inner tunnel" between a Teltonika device and the "central" FortiGate. I'm able to create the "outer tunnel" between central and the APN provider, and I need to make the inner tunnel between the Teltonika device and the central device. I cannot make the inner tunnel come up. When I've tried to put another device (call it device2) behind the central, I could come up with the inner tunnel between device2 and Teltonika, using the outer tunnel (Central<=>APN), but this needs a second device, like in your setup.

elbig
New Contributor

@eb40, did you finally manage to come up with a solution? Believe it or not, I'm trying to make the same setup as you, with FortiGates and Teltonika devices :)
