Is it possible to use IPsec over IPsec?
Hello,
Currently I am working on the configuration below and cannot make it work. The point is that Local PC and EC2 PC must communicate with each other. There is an APN router which is not managed by me, so I am using the red ipsec2 network to make the required site-to-site connection.
This scheme was used for a long time, but with an additional PC in the local network which was making the required IPsec. Now I want to get rid of it and move everything to the FortiGate. This is a FortiGate F40, OS 7.0.0.
IPsec configuration
Could anybody take a look and advise if this is even possible?
If it is, maybe there is some special (like "site to site") name for the configuration I could google?
Thanks in advance.
Labels: FortiGate
Maybe you are right.
I don't know over the forum thread and without access to the infrastructure.
Maybe Fortinet TAC Support can help you.
Sorry for that. :(
Can you ping Teltonika 192.168.11.2 from Fortinet 192.168.1.159 IP?
It might be worth trying to set up the tunnel from port1 on Fortinet to Teltonika.
Graham
Does the Teltonika (?) firewall/router not have a route directly to the Fortigate? Can you explain why you cannot make a direct connection between those two devices for its own IPsec tunnel?
Or, why EC2 cannot just route to Local PC over existing connections?
Graham
Teltonika has, and without ipsec2 I can ping Local PC from EC2, but the problem is that I cannot access/ping EC2 from Local PC.
This problem is because the APN is a mobile provider router which gives a private VPN to the Teltonika, but does not have a route to EC2. I cannot access the APN to add the route, so I am creating ipsec2.
If you can ping EC2 from Local PC then there absolutely is a route on APN to EC2. Your problem sounds like a firewall policy is not allowing that traffic.
Does Teltonika firewall allow the traffic from local PC?
Graham
I can ping from EC2, because EC2 packets are masqueraded in the Teltonika and go into ipsec1 with the Teltonika's address as the original source, which ipsec1 recognizes. If I ping from Local, then I get an error from ipsec1: "No matching IPsec selector, drop". This is because EC2 is not a subnet in ipsec1.
OK, in that case, how does internet-based traffic flow from EC2? Does it go out the Teltonika, get masqueraded and then get routed to the internet via the APN? If so, can you create an IPsec tunnel over the internet through the APN router (and not over the existing IPsec tunnel)?
Or alternatively, can you create a DNAT rule on the Teltonika router that provides access to EC2?
Graham
Internet is not accessible for the Teltonika. So the only option to make ipsec2 is over the private net.
DNAT I could create, but I think there is no reason, because ping packets are dropped already on the Fortinet side: I am pinging EC2, which is outside the ipsec1 subnets, and I cannot add subnets to ipsec1.
Regards,
Andrius
Sorry, I am not following: how are ping packets dropped on the Fortinet for EC2? I thought you said you could ping EC2 from Local PC, which goes through the Fortinet?
Graham
No, I can ping from EC2 to Local, and I cannot (but need to) ping from Local to EC2.
In reality there will be a few devices in place of EC2; it must be a subnet, so port forwarding of the EC2 devices is not a solution for me.
Regards,
Andrius.
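The thread never shows the FortiGate side of the configuration, so here is an added example (not the original poster's config and not from Fortinet) of what a route-based "IPsec over IPsec" setup on FortiOS 7.0 looks like, with the inner tunnel ipsec2 bound to the outer tunnel interface ipsec1. It takes the two addresses from the thread (FortiGate 192.168.1.159, Teltonika 192.168.11.2) and assumes the outer tunnel is named "ipsec1", that its selectors already permit 192.168.1.159 <-> 192.168.11.2 (which is exactly the traffic the inner IKE and ESP will use, so no new subnet has to be added to ipsec1), and that the local LAN interface is "internal". The subnets 10.10.10.0/24 and 10.20.20.0/24 and the PSK are placeholders for the real Local PC and EC2 networks. Whether the 40F accepts a tunnel interface as the phase1 `interface` is the first thing to verify on the unit; the thread does not confirm it.

```fortios
# Added example, not from the thread. Inner tunnel "ipsec2" carried inside the
# existing outer tunnel "ipsec1" (assumed name). Addresses from the thread;
# subnets and PSK are placeholders.

config vpn ipsec phase1-interface
    edit "ipsec2"
        set interface "ipsec1"        # IKE/ESP of the inner tunnel leave via the outer tunnel interface
        set ike-version 2
        set local-gw 192.168.1.159    # source address that ipsec1's selectors already carry
        set remote-gw 192.168.11.2    # Teltonika, reachable only through ipsec1
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret "REPLACE_WITH_PSK"
    next
end

config vpn ipsec phase2-interface
    edit "ipsec2-p2"
        set phase1name "ipsec2"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.10.10.0 255.255.255.0   # placeholder: Local PC network behind the FortiGate
        set dst-subnet 10.20.20.0 255.255.255.0   # placeholder: EC2 network behind the Teltonika
        set auto-negotiate enable
    next
end

# The EC2 network is routed into the inner tunnel, never straight into ipsec1.
# Sending it into ipsec1 is what produced "No matching IPsec selector, drop",
# because ipsec1's selectors do not include that subnet.
config router static
    edit 0
        set dst 10.20.20.0 255.255.255.0
        set device "ipsec2"
    next
end

# Policies in both directions; tighten srcaddr/dstaddr to the two subnets in production.
config firewall policy
    edit 0
        set name "lan-to-ec2"
        set srcintf "internal"
        set dstintf "ipsec2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "ec2-to-lan"
        set srcintf "ipsec2"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The Teltonika side needs a mirror-image tunnel whose selectors are the same two subnets, and it must not masquerade traffic entering ipsec2, otherwise the inner selectors will not match either. To check the result on the FortiGate, `diagnose vpn ike gateway list name ipsec2` shows whether the inner IKE SA came up over the outer tunnel, and `diagnose vpn tunnel list name ipsec2` shows the negotiated selectors and whether the encrypt/decrypt counters move when Local PC pings EC2.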
