Support Forum
Fabio74
New Contributor

Site To Site

Good evening everyone. I have a question: is it possible to realize this scenario?

We have 2 sites (A and B) in IPsec VPN. The first site, A, has class 192.168.0.0; the second, B, has class 192.168.1.0. In the first site we have another class, 192.168.2.0, configured on port2 of the firewall. Is it possible to reach class 192.168.2.0 from Site B?

gfleming
Staff

You talk about using class A and B address space (which isn't really in use these days) and your diagram shows you are using Classless Interdomain Routing (CIDR) Notation on your subnets.


Can you confirm your subnets are all /24? That is, all hosts are using 255.255.255.0 masks, including the FortiGate interfaces?

Cheers,
Graham
Fabio74

Hi gfleming, yes, I confirm that they are all /24. A and B work regularly from 192.168.1.0 to 192.168.40.0. But from the class 192.168.10.0 to 192.168.40.0, nothing, it doesn't work. Thanks

gfleming

Do you have a Firewall Policy that allows traffic from port2 to the IPSec tunnel?

Cheers,
Graham
Fabio74

Absolutely yes

IndianKid
New Contributor

Hi Fabio,

Yes, you can reach Site A from Site B and Site B from Site A.

While configuring the VPN, make sure on Site A you added both networks, 192.168.0.0/24 and 192.168.2.0/24, in the VPN source address, and add the same subnets in the Site B VPN destination network. So from Site B you can reach both Site A networks.

IndianKid
Fabio74

Hello and thanks. I added the static routes on A towards B. On B, for the moment, there is actually only one static route, the main one; do I also add the second one, again from site A?

aionescu

I am not sure I understand your configuration, but on both firewalls you need to have routes towards each network. So, on B you would need routes towards both subnets that are behind firewall A.
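Putting IndianKid's point (the second subnet must be in the tunnel's selectors on both ends) and aionescu's point (routes on both firewalls) together, the following is an added FortiOS CLI example and not configuration from this thread. The tunnel interface names "toB" and "toA", the address objects "net-A-port2" (192.168.2.0/24) and "net-B-lan" (192.168.1.0/24), and port1 as each site's LAN interface are assumed.

```fortios
# Site A: 192.168.0.0/24 on port1, 192.168.2.0/24 on port2, tunnel interface "toB".
# Names toB/toA/net-A-port2/net-B-lan are assumed; both address objects are assumed on both units.
# Second phase 2 selector: the existing one covers only 192.168.0.0/24 <-> 192.168.1.0/24.
config vpn ipsec phase2-interface
    edit "toB-p2-port2"
        set phase1name "toB"
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
# Policy so site B traffic arriving on the tunnel may reach port2.
config firewall policy
    edit 0
        set name "B-to-port2"
        set srcintf "toB"
        set dstintf "port2"
        set srcaddr "net-B-lan"
        set dstaddr "net-A-port2"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Site B: 192.168.1.0/24 on port1, tunnel interface "toA". Mirror selector (src/dst swapped).
config vpn ipsec phase2-interface
    edit "toA-p2-port2"
        set phase1name "toA"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
# The route the thread found missing: without it B sends 192.168.2.0/24 to its default gateway.
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "toA"
    next
end
# Outbound policy from the B LAN into the tunnel for the new destination.
config firewall policy
    edit 0
        set name "lan-to-A-port2"
        set srcintf "port1"
        set dstintf "toA"
        set srcaddr "net-B-lan"
        set dstaddr "net-A-port2"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Site A already has a route to 192.168.1.0/24 via "toB" (A to B works), so only B's side needs the new route; a policy with specific address objects rather than "all" keeps the tunnel from becoming a path into every local subnet.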

Fabio74

Ok, perfect.

Many thanks to everyone, I will try adding the other route on B.

aionescu

@Fabio74 Great. Let us know the outcome :).

mgoswami
Staff

Please execute the below commands and see if you are seeing any packets.

diag sniffer packet any 'host 192.168.10.0 and host 192.168.40.x and icmp' 4 0 a

Initiate a ping from the 10.0 subnet towards 40.x after this.
Replace x with the remote subnet PC's IP.
Also do a tracert from your local PC to the remote gateway to see where the packet is dropping.
