- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Route/grant access from a Site to Site VPN to ano...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Route/grant access from a Site to Site VPN to another Site to Site VPN
Hello All,
This is my first time to be here hope that I could also contribute something in this forum. Right now I will need your help.
My scenario is this:
Our company have 2 offices Main and a Remote Branch. Both are geographically far from each other. Both sites are currently connected with an IPsec Site to Site VPN, both sites are using FortiGate firewalls. Because of this, the remote branch can access services/servers in the Main branch. Recently we acquire Azure services, we placed some of our servers in Azure. The main branch have a Route based VPN Tunnel to Azure, so the main branch can access the servers in Azure. My problem is with the remote branch it cannot access the azure servers. Although this problem can be solved by creating a VPN tunnel between Azure and the remote branch, the management is reluctant to do this because of the addition cost. Because of this, I need the remote branch to access Azure via Main branch existing VPN tunnel to Azure. I have tried but I failed, I was not even sure if i was a doing it in a correct direction. I've been struggling with this for a while now, that is why I'm here seeking for your help on how this can be don in FortiGate.
Additional Info:
Main Branch is using: FortiGate 200E
Remote Branch is using: FortiGate 50E
Hope you can help me. Please also see attached image for the diagram
Regards
John
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know about Azure side but assume it's just adding another or more subnets to the tunnel with the Main to pass the traffic for the remote branch. As you can find many discussions in this forum similar to your case, hub-and-spoke, you just need to take care of three things over the existing tunnel between main and remote.
[ul]Then the rest would be some sniffing (diag debug sniffer packet), which you can find everywhere online.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Welcome to the forums.
In the main office, how is the tunnel configured (to Azure)? If it is interface based (policy action is ALLOW), then you simply need to allow the IP address subnet for the remote site through. If it is policy based (policy action is IPSec), then there is no way to do it if the subnet is not directly connected to the main FGT. I would recommend you change it (not very hard, but down time is required) to Interface based. It will save you headaches in the future. The policy based (IPSec) style is older and far less robust.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello rwpatterson,
The vpn to azure is using route based vpn this is probably what you meant by interface based vpn. I'm using this KB (link here) to configure azure vpn. You can confirm if my route based vpn is what you meant. And yes, this setup cannot be implemented in Policy based VPN. Just a question though, I'm using fortigate built-in vpn template in configuring vpn tunnel between Main office and remote branch. Does this template use a policy based VPN?
Regards
John
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It depends on the code version you are running. I'm not sure when the default switched but I believe it was well before the E series were released. That being said, I believe you should be. Look at the policy between the sites. If the action is 'ACCEPT' then you are good.
Basically on the main FGT you have to:
* Add a static route to the remote subnet with a lower distance than the default back to the remote site(s)
(This should have already been done since you are communicating with it already)
* Create an IP pool with a single unused IP address that would be allowed over the Azure VPN
* Create a policy from the remote site (subnet) to Azure and add the IP pool to the policy
On the remote FGT you have to:
* Create a policy to Azure pointing down the VPN
* Create a static route to the Azure subnet with a lower distance than the default pointing down the VPN
All from the top of my head, I believe that should do it. The reason for the IP pool is that the remote subnet may not be allowed over the tunnel, so you are simply masquerading it as an allowed IP address. If the remote subnet is allowed, the IP pool steps may be left out.
Hope that helps
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello rwpatterson,
I actually resolved the issue, I simulated this with another location (not Azure) and it was working perfect. I recreated the VPN tunnel. I did not use the Site to Site VPN template for FortiGate devices, I used custom instead and configure a route based vpn from Remote branch to Main. From the Main office to the other location I have to enable natting in the policy (to mask the original IP) and it went fine. The culprit was the Site to Site VPN template for Fortigate devices, I'm convinced that his template was using policy based vpn which does not allow this kind of setup.
Regards
John
Related Posts
- Native VLAN keeps changing from 254... 76 Views
- FORTMAIL EXTERNAL USERS AUTHENTICATION THROUGH FORTIMAIL 107 Views
- ZTNA for Android 79 Views
- IP sec tunnel connection from fortiweb 139 Views
- Options to pass a VLAN through... 176 Views
Labels
-
FortiGate
6,679 -
FortiClient
1,330 -
5.2
801 -
5.4
639 -
FortiManager
578 -
FortiAnalyzer
422 -
6.0
416 -
5.6
362 -
FortiSwitch
342 -
FortiAP
339 -
FortiClient EMS
272 -
FortiMail
259 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
159 -
6.4
128 -
FortiNAC
110 -
FortiGuard
106 -
FortiSIEM
92 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
79 -
FortiToken
73 -
Customer Service
70 -
SSL-VPN
67 -
4.0MR3
64 -
Wireless Controller
58 -
FortiProxy
46 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
40 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
33 -
FortiSandbox
31 -
FortiSwitch v6.4
30 -
SD-WAN
30 -
Firewall policy
29 -
High Availability
24 -
FortiConnect
24 -
VLAN
22 -
FortiWAN
22 -
FortiConverter
21 -
FortiAuthenticator
20 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Interface
14 -
Certificate
14 -
BGP
13 -
DNS
13 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Logging
13 -
LDAP
12 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
10 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
Authentication
8 -
SSL SSH inspection
8 -
Traffic shaping
8 -
SSO
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Application control
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
4.0MR1
1 -
Users
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.