Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tomasztorun
New Contributor

Created on ‎09-17-2021 01:35 AM

Routing over s2s VPN problem

Hi,

I have 3 sites connected by VPN and got problem with communication from LAN2 to LAN3 by 2 VPN tunnels.

Take a look at attached network diagram.

The VPNs are working fine so hosts from LAN1 could connect to LAN2 and to 172.20.88.83 and vice-versa. But I couldn't get a connection from 10.120.146.0 to 172.20.88.83 via 10.120.144.5 router (orange line with arrows on the diagram). I tried a few static routes or policy routes but traffic stucks on 10.120.146.254 and doesn't go outside first tunnel. Could someone help?

 

Preview file
128 KB
3089
0 Kudos
4 REPLIES 4
Toshi_Esumi
SuperUser
SuperUser

Created on ‎09-17-2021 03:59 PM

So there are 3 hops from the source before the destination. How far can you get when you traceroute/tracert from a device in LAN1? If you can't see the 2nd hop after hitting the local FGT, that means VPN is not passing the ping. Then check 1) network selectors, 2) routes(going and coming back directions), and 3) policies on both sides.

That should be the beginning of your network troubleshooting process.

 

2023
0 Kudos
ywzz07
New Contributor

Created on ‎09-19-2021 01:12 PM

Hi,

 

Is the correct route written to the tunnel for 172.20.88.0/24 on the fw in front of LAN2 and are the necessary rules defined for this connection? Or is there a VIP object related to the 172.20.88.0/24 network written on this firewall?

Did you check these?

 

Best Regards

2023
0 Kudos
tomasztorun
New Contributor
In response to ywzz07

Created on ‎09-19-2021 01:23 PM

Thank you for replies. I got more time yesterday and realised that I have to add all the subnets to Phase 2 of the VPN. So when I add them everything started to working fine. So the problem is resolved. :)

2023
0 Kudos
sw2090
Honored Contributor
In response to tomasztorun

Created on ‎09-21-2021 07:07 AM

either that or set the p2 selectors to 0.0.0.0/0.0.0.0 and handle it with policies for each subnet (Or adrress group)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
2023
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.