Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Marklar
New Contributor

Route from different subnet

Hello all...I have what must be a very simple problem for most that I can' t seem to figure out. http://puu.sh/afnui/df6c65200f.jpg ..thats all it is. The 4.x subnet can talk to and see the 3.x subnet just fine, but the 1.x subnet across the WAN via site-site can' t talk to 4.x and 4.x can' t talk to 3.x. The 4.x subnet " sees" the 3.x subnet via 192.168.3.79. Not sure why avaya set it up that way, but that' s how it is. What do i need to add to these firewalls to pass 4.x traffic (coming from 3.79) seamlessly across the wan? Here are my static routes: http://puu.sh/afovP/ba731e78a0.png What the !(*& am I missing?!? Thanks!
12 REPLIES 12
ede_pfau
Esteemed Contributor III

hi, you write about .3.79 being the VPN endpoint but in your routing table .3.99 is listed. Typo? I' m curious what exactly .3.79 is - a router, or a NAT device? If the latter then you will probably never be able to ping across it (by nature of NAT). As for routes, make sure that each Fortigate knows about each remote subnet by way of a static route - I mean, each one, even if behind a different, neigboring subnet.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Marklar
New Contributor

3.79 appears to be an avaya switch port that then connects to our core switch. 3.79 is also listed in the static route as the gateway for 192.168.4.0 traffic. Thing is, from 3.x we can connect to 4.x no problem and from 4.x we can ping and connect to 3.x no problem also, so that works great. The only problem is 1.x can' t connect to 4.x and 4.x can' t connect to 1.x.
ede_pfau
Esteemed Contributor III

3.79 is also listed in the static route as the gateway for 192.168.4.0 traffic.
No, not according to the routing table you posted.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Marklar
New Contributor

Really? try this: http://puu.sh/afrdx/3ae5324e47.png
ede_pfau
Esteemed Contributor III

OK, got it, sorry. At which FGT' s routing table are we looking at? Seems to be the site with LAN .4.x.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Marklar
New Contributor

That is correct.
ede_pfau
Esteemed Contributor III

Well then, the .1 LAN is not to be found using WAN1, but the VPN tunnel between the .3 LAN and the .1 LAN. The route should point to .3.79. Next, the Quick Mode selectors for the tunnel should accomodate the .4 LAN as well as the .3 LAN as source subnets. Usually, you would just create one phase2 for each source subnet. And at last, when traffic from the .4 LAN arrives at .1 LAN they should know where it is coming from, and that it is legitimate. So, you need a route back to the .4 LAN pointing to the tunnel. The FGT on the .3 LAN then will use it' s routing table to redirect it to .3.79 which will route it (it' s a routing switch) to the .4 LAN.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Marklar
New Contributor

Thanks so much for the help..I' m almost following you, though this confuses me..here is the Phase2 for the existing site-site from 3.x > 1.x : http://puu.sh/afz5D/b20f9e0cca.png ..shouldn' t that accept " all" source subnets including 4.x with that config? Or are you saying I have to specify source and destination where each red arrow is and create multiple phase 2' s?
ede_pfau
Esteemed Contributor III

Yes, " should" . My personal experience is that if I specify the correct subnets (source and destination) it always works. With a Fortigate, you just need a second phase2 (a copy of the first) to be able to specify the second source subnet. Added benefit: you' ll see 2 tunnels in the VPN monitor, one for each set of proxy IDs (= subnets). Have you checked the routing of FGT .1 and .3? You need the route to the .4 LAN on FGT .1 .

Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Labels
Top Kudoed Authors