FTAdmin
New Contributor III

Passing traffic from a remote office to the main office and then to a 3rd party

An IPsec tunnel is already working from the main office to the Web App (3rd party). What we need is traffic destined for the third party to pass through the main office from the remote office, which is already using an IPsec tunnel for traffic to the main office. The company has only paid for 1 VPN tunnel, so I can't go directly from the remote office. I would appreciate any help. If more information/images are required, please let me know.

Both the remote and main office firewalls are using Firmware v7.2.5 build1517 (Feature)

ebilcari
Staff

If you can't change the VPN configuration on the 3rd party side and it is configured to reach only one subnet, then a solution could be to NAT the requests coming from the remote office using one of the IPs of the main office.

- Emirjon
hbac
Staff

Hi @FTAdmin

You will need to add the 3rd party and remote office networks to the phase 2 selectors of the IPsec tunnels and create firewall policies to allow traffic between the 3rd party and remote office tunnels.

Regards,

FTAdmin
New Contributor III

Edit the phase 2 selectors of the main office IPsec tunnel to the 3rd party to include the remote office network the workstations are using?

SAJUDIYA
Staff

@FTAdmin You need to follow the steps below:

1. You need to add the 3rd party address to the phase 2 selectors of the main firewall if that traffic is behind the main firewall.

2. You can configure SNAT/DNAT for this traffic to move it from the main office to the third party web app if the traffic is being NATed after hitting the main firewall.

TAC
dingjerry_FTNT

Hi @FTAdmin ,

1) The Web App (3rd party) IP has to be part of the remote side of the selector in the phase 2 settings of the IPsec VPN between the Remote Office FGT and the Main Office FGT. If it is 0.0.0.0/0.0.0.0, you may skip this step.

2) On the Main Office FGT, the Remote Office subnet needs to be part of the local side of the selector in the phase 2 settings of the IPsec VPN to the Web App. Make sure that the selector settings match on the Main Office and Web App sides.

3) I assume that both IPsec VPNs are interface-based. You need to create two firewall policies on the Main Office FGT to allow traffic between those two IPsec VPN tunnels (using the IPsec VPN tunnel interfaces as source/destination interfaces).

4) If the Web App side does not have the Remote Office subnet as part of the remote side of the phase 2 selector settings and they do not want to modify the selector settings, you may consider enabling NAT in the firewall policy from step 3.

Regards,

Jerry
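The four steps above, as an added FortiOS CLI example for the Main Office FGT only (this is not configuration from the thread or from Fortinet). Tunnel names, address objects and subnets are constructed placeholders; the remote FGT needs the mirrored selector from step 1 and the 3rd party needs the mirrored selector from step 2, or the phase 2 SA for that pair will never come up.

```fortios
# Main Office FGT. Constructed addressing, not from the thread: remote office
# LAN 10.10.0.0/24 behind tunnel "to-remote", Web App host 192.0.2.10/32 behind "to-webapp".
config firewall address
    edit "remote-office-lan"
        set subnet 10.10.0.0 255.255.255.0
    next
    edit "webapp-host"
        set subnet 192.0.2.10 255.255.255.255
    next
end
# Step 1: extra selector on the remote-office tunnel (mirror it on the remote FGT)
config vpn ipsec phase2-interface
    edit "to-remote-p2-webapp"
        set phase1name "to-remote"
        set src-subnet 192.0.2.10 255.255.255.255
        set dst-subnet 10.10.0.0 255.255.255.0
    next
# Step 2: extra selector on the Web App tunnel (3rd party must hold the matching pair)
    edit "to-webapp-p2-remote"
        set phase1name "to-webapp"
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 192.0.2.10 255.255.255.255
    next
end
# Interface-based tunnels also need a route per far subnet so the right tunnel is chosen
config router static
    edit 0
        set dst 10.10.0.0 255.255.255.0
        set device "to-remote"
    next
    edit 0
        set dst 192.0.2.10 255.255.255.255
        set device "to-webapp"
    next
end
# Step 3: tunnel-to-tunnel policy; add the mirror policy only if the Web App initiates
config firewall policy
    edit 0
        set name "remote-to-webapp"
        set srcintf "to-remote"
        set dstintf "to-webapp"
        set srcaddr "remote-office-lan"
        set dstaddr "webapp-host"
        set action accept
        set schedule "always"
        set service "HTTPS"
# Step 4 (only if the 3rd party refuses 10.10.0.0/24): set nat enable with an ippool holding
# a main-office address, and use that address as src-subnet in the step 2 selector instead
        set nat disable
    next
end
```

Check the result with `diagnose vpn tunnel list`, which shows whether the new selector pair has negotiated an SA on each tunnel.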