Routing with 3 FortiGates IPsec VPN!
Hello,
I have 3 FortiGates: A, B and C.
FortiGate B connects to FortiGates A and C with IPsec VPN. In FortiGate A I have the internal network 10.0.10.0/24. In FortiGate B I have the internal network 10.0.20.0/24. In FortiGate C I have the internal network 10.0.30.0/24.
The network 10.0.20 accesses the networks 10.0.10 and 10.0.30, but I need to make the network 10.0.10 access the network 10.0.30, passing through FortiGate B. Making a VPN between FortiGates A and C is not an option.
How do I do this?
Thanks to all.
Strange answers. This is not about an additional VPN but simple routing and policies.
To go from A to C, via B:
1. on FGT A:
   - add a static route for network C; the gateway interface is the tunnel to B, with no gateway address
   - the tunnel between A and B should have 2 phase2's:
     - one from network A to network B
     - one from network A to network C (so this one needs to be added)
   - in the policy from A to B, add network C's address range as a destination address
2. on FGT C:
   - add a static route for network A; the gateway interface is the tunnel to B, with no gateway address
   - the tunnel between C and B should have 2 phase2's:
     - one from network C to network B
     - one from network C to network A (so this one needs to be added)
   - in the policy from C to B, add network A's address range as a destination address
3. on FGT B:
   - create 2 new policies:
     - from tunnel A to tunnel C
     - from tunnel C to tunnel A
     with the correct source and destination addresses.
So, in short: make sure the tunnel carries 2 destination networks (via 2 phase2's) and the policy allows the remote network. FGT B will do the routing; the transit traffic is allowed by 2 additional policies.
Let us know if this works for you.
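The three steps above, written out as FortiOS CLI for the spoke A and the hub B (C is configured like A with the subnets swapped). This is an added example, not the poster's configuration: the tunnel interface names (toB on the spokes, toA and toC on B), the LAN port name internal and the address-object names are assumptions; the subnets are the ones from the question. The tunnels are interface-mode (phase2-interface), and each new phase2 selector is mirrored on the hub side of the same tunnel, because a selector only comes up when both ends agree on it.

```fortios
# ---------- FortiGate A (LAN 10.0.10.0/24, tunnel "toB" to hub B) ----------
# address objects for the local LAN and the two remote LANs (names assumed)
config firewall address
    edit "net_A"
        set subnet 10.0.10.0 255.255.255.0
    next
    edit "net_B"
        set subnet 10.0.20.0 255.255.255.0
    next
    edit "net_C"
        set subnet 10.0.30.0 255.255.255.0
    next
end
# second phase2 selector on the existing A-B tunnel: A's LAN <-> C's LAN
config vpn ipsec phase2-interface
    edit "toB_netC"
        set phase1name "toB"
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 10.0.10.0 255.255.255.0
        set dst-subnet 10.0.30.0 255.255.255.0
    next
end
# static route for C's LAN: device is the tunnel interface, no gateway address
config router static
    edit 0
        set dst 10.0.30.0 255.255.255.0
        set device "toB"
    next
end
# policy from A's LAN into the tunnel, with net_C added as a destination
config firewall policy
    edit 0
        set name "A_to_B_and_C"
        set srcintf "internal"
        set dstintf "toB"
        set srcaddr "net_A"
        set dstaddr "net_B" "net_C"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---------- FortiGate B (hub, tunnels "toA" and "toC") ----------
# B already routes 10.0.10.0/24 via toA and 10.0.30.0/24 via toC for its own LAN;
# what it needs is the mirror of each spoke's new selector plus transit policies.
config vpn ipsec phase2-interface
    edit "toA_netC"
        set phase1name "toA"
        set src-subnet 10.0.30.0 255.255.255.0
        set dst-subnet 10.0.10.0 255.255.255.0
    next
    edit "toC_netA"
        set phase1name "toC"
        set src-subnet 10.0.10.0 255.255.255.0
        set dst-subnet 10.0.30.0 255.255.255.0
    next
end
# the two transit policies, tunnel to tunnel, so B forwards A<->C traffic
config firewall policy
    edit 0
        set name "transit_A_to_C"
        set srcintf "toA"
        set dstintf "toC"
        set srcaddr "net_A"
        set dstaddr "net_C"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "transit_C_to_A"
        set srcintf "toC"
        set dstintf "toA"
        set srcaddr "net_C"
        set dstaddr "net_A"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The two transit policies on B are the only point where A<->C traffic is inspected, so that is where to narrow `service` to what the sites actually exchange instead of ALL. After applying, `get vpn ipsec tunnel details` on a spoke should list the new selector as up, and `get router info routing-table all` should show the remote LAN pointing at the tunnel interface; a ping that fails with the selector up usually means one of the policies is missing the remote address object.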
Also, you must create the VPNs in interface mode. Policy mode will not allow the routing you wish.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Jeez, who still knows policy-based VPN, let alone uses it... :-)
LOL! Covering all bases. ;)
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Hi!
I am in the same situation and did the steps as mentioned, but I cannot ping from A to C.
What type of phase2 settings should I set up between A and C? I did the same for A and C.
Will they both match each other, or
should it be the same as A and B, and B and C?
Thanks
