Hey, I just start working with Fortigate 60D routers, everything was fine but now our company need to setup some routes to make all locations visible to each other.
For example:
Office1 with IP 10.0.1.1 connected to MAIN location 10.0.0.1 with side-to-side vpn
Office2 with IP 10.0.2.1 connected to MAIN location 10.0.0.1 with side-to-side vpn
I need to forward traffic from Office1 to Office2. That's mean Office1 should see all network at MAIN location + Office2. And Office2 need to see MAIN location + Office1.
I tried:
1. Setup policies at MAIN location to allow traffic from Office1 to Office2.
2. Setup static route at Office1
3. Setup Policy Routes at MAIN location and Office1 location.
4. Setup Phase2 on VPN at Office1 with MAIN + Office2 network.
And Office1 still can't see Office2. Can anyone who did it before, help me with that, please. What I need to setup to make Office1 visible to Office2?
Thank you for any help!
Solved! Go to Solution.
Even from the first item you're missing the points I listed.
Main-Office1 VPN
At least two Phase2 selector sets need to exist
1) local subnet - Office1 subnet
2) Office2 subnet - Office1 subnet
otherwise, office1-office2 traffice never go through this VPN.
There are many similar discussions about "hub and spoke" set up problems in the forum. All go down to one of, or some of, below points:
1. phase2 selectors need to include the source-destination combinations
2. proper routes need to be in place for both directions at each hop
3. polices need to allow both direction at every hop
Then to troubleshoot, use sniffing on vpn interfaces to see if traffic goes in the tunnel and comes out on the other end step by step from the source toward the destination. You need to disable ASIC offloading at least at the policies ("set auto-asic-offload disable") to see packets in/out tunnels in sniffing.
toshiesumi wrote:There are many similar discussions about "hub and spoke" set up problems in the forum. All go down to one of, or some of, below points:
1. phase2 selectors need to include the source-destination combinations
2. proper routes need to be in place for both directions at each hop
3. polices need to allow both direction at every hop
Then to troubleshoot, use sniffing on vpn interfaces to see if traffic goes in the tunnel and comes out on the other end step by step from the source toward the destination. You need to disable ASIC offloading at least at the policies ("set auto-asic-offload disable") to see packets in/out tunnels in sniffing.
Thank you for reply! I'll try to search some answers, but can you please just doublecheck my steps to make sure that I did it all right, or may be I forgot something:
MAIN:
- VPN to Office1:
- Phase 1: Local IP(MAIN subnet) - Remote IP(Office1 subnet)
- VPN to Office2:
- Phase 1: Local IP(MAIN subnet) - Remote IP(Office2 subnet)
- Network > Static Route:
- Subnet(Office1 subnet), Interface (VPN to Office1)
- Subnet(Office2 subnet), Interface (VPN to Office2)
- Policy > IPv4 Policy
#for office1
- IN interface(VPN to Office1), OUT interface(internal), Source(Office1_subnet),Dest(Local_subnet), NAT(off)
- IN interface(internal), OUT interface(VPN to Office1), Source(Local_subnet),Dest(Office1_Subnet), NAT(off)
#for office2
- IN interface(VPN to Office2), OUT interface(internal), Source(Office2_subnet),Dest(local_subnet), NAT(off)
- IN interface(internal), OUT interface(VPN to Office2), Source(local_subnet),Dest(Office2_Subnet), NAT(off)
#to allow traffic between Office1 and Office2(may be here I did something wrong)
- IN interface(VPN to Office1), OUT interface(VPN to Office2), Source(Office1_subnet),Dest(Office2_subnet), NAT(off)
- IN interface(VPN to Office2), OUT interface(VPN to Office1), Source(Office2_subnet),Dest(Office1_subnet), NAT(off)
Office1:
- VPN to MAIN location:
- Phase 1: Local IP(Office1) - Remote IP(MAIN)
- Phase 2: Local IP(Office1) - Remote IP(Office2)
- Network > Static Route:
- Subnet(MAIN IP Subnet), Interface (VPN to MAIN)
- Subnet(Office2 IP Subnet) , Interface (VPN to MAIN)
- Policy > IPv4 Policy
- IN interface(VPN to MAIN), OUT interface(internal), Source(MAIN_subnet),Dest(Local_subnet), NAT(off)
- IN interface(internal), OUT interface(VPN to MAIN), Source(Local_subnet),Dest(MAIN_Subnet), NAT(off)
and
- IN interface(VPN to MAIN), OUT interface(internal), Source(MAIN_subnet),Dest(Office2_subnet), NAT(off)
- IN interface(internal), OUT interface(VPN to MAIN), Source(Office2_subnet),Dest(MAIN_Subnet), NAT(off)
Office2:
(same as Office1, but other way)
Is it all what I need to setup or something else?
Thank You for any help!
Even from the first item you're missing the points I listed.
Main-Office1 VPN
At least two Phase2 selector sets need to exist
1) local subnet - Office1 subnet
2) Office2 subnet - Office1 subnet
otherwise, office1-office2 traffice never go through this VPN.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.