Linking two sites with dedicated P2P question

fguser33 · ‎03-08-2010

Currently I have a IPSEC VPN connection setup between site1 and site2. Everything works fine 98% of the time however it does eat up some bandwidth on our main line and we do have a dedicated Point to Point line we pay for (P2P). The current setup can be seen in the first graphic.

My goal is to connect site1 and site2 together using the 2Mb dedicated line we pay for from our ISP. I initially tired to setup this connection however something was wrong with my config and I couldn' t get it to work on that day and I shelved it until I could get the time to revisit which is now. I basically need to connect both LAN together since all the servers are at site2. The graphic below illustrates what the connection will look like in the end with the P2P line in use.

Basically my initial config for the site to site P2P connection was the following. Site1 - FG-110C: Port1 = LAN (192.168.7.1) Port2 = P2P Connection (192.168.9.2).......(maybe I should have made this interface IP 192.168.7.2 instead to match LAN?) Port3 = INTERNET Site2 = FG-300A: Port1 = LAN (192.168.0.1) Port2 = P2P Connection (192.168.9.1).......(maybe I should have made this interface IP 192.168.0.2 instead to match LAN?) Port3= INTERNET Then I created a policy on each Fortigate that said Port1 to Port2 Allow ANY and Port2 to Port1 Allow ANY. I also needed to setup a static route but cannot remember what I put. I feel the problem is in the static route setting. Does anyone have any advice on the config? I setup multiple variations of the config but I never could get the connection to work between the two sites. Just a side note; the P2P line does work indeed. If I take both ends of the P2P connection and plug them into one of the LAN switches on both ends, traffic flows. So the P2P connection does work, I jsut cannot get it configured correctly using the two fortigates.

emnoc · ‎03-09-2010

Everything you did is correct and sounds firm. Do a " show router static " to see what you have configured, and then do a " get router info routing-table all" to see if the p2p subnet and static routes are in the table. Sounds to me like a layer1 issues with the P2P. How is the p2p terminated and on what ?

PCNSE

NSE

StrongSwan

fguser33 · ‎03-09-2010

Emnoc The P2P connection goes as folllows: ONT is mounted on the wall, and an ethernet cable goes from the ONT to PORT2 on the Fortigate. The same setup for both site1 and site2. I will issue the commands and let you konw what I find out.

abelio · ‎03-10-2010

Then I created a policy on each Fortigate that said Port1 to Port2 Allow ANY and Port2 to Port1 Allow ANY. I also needed to setup a static route but cannot remember what I put. I feel the problem is in the static route setting. Does anyone have any advice on the config?

If everything is working and in place, just add static routes like: on 110C

 config router
   edit <id>
     set device port2
     set distance <something appropiate>
     set dst 192.168.0.0  255.255.255.0
     set gateway 192.168.9.2
   next  
 end

on the 300A

 config router
   edit <id>
     set device port2
     set distance <something appropiate>
     set dst 192.168.7.0  255.255.255.0
     set gateway 192.168.9.1
   next  
 end

regards

/ Abel

fguser33 · ‎03-10-2010

Abelio Thank you your post ensured me that I was on the right track. I finaly got the connection to work and I used your static route suggestion and changing which interface my static route was applied to. I was selecting what I thought was the logical choice but I was wrong. I got it working so thanks for the help guys.

abelio · ‎03-10-2010

glad it worked it out, (there was a typo/error in my post, the right command is ' config router static' ) regards,

regards

/ Abel

Linking two sites with dedicated P2P question

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website