Currently have two fortigate set up with site-to-site VPN. Each fortigate has its own Remote VPN profiles. We are able to RDP into each other's computer when on the office network, however I can't establish RDP sessions or access shared server resources from Site B to Site A, vice-versa.
Is it possible to set up a Remote VPN such that it can access both sites within one Remote VPN setup? As of right now, I have individual Remote VPN profiles set for reach site.
Not sure if this is possible or not. Or perhaps certain firewall policies need to be set such that one site can access different other site while Remote VPN?
Hello,
First: number one is to define what VPN type is this. site-to-site says normally IPSec, but in later fortiOS versions s2s is also possible with SSLVPN. Setup is very different.
Second: Each FortiGate needs to have a set of static routes that will direct traffic for the other site through the tunnel interface. Be it forward traffic or return traffic.
Third: firewall policies on both FGTs are needed. For the originating traffic site, traffic from internal toward tunnel, for the destination site: traffic from the tunnel to the internal subnet.
If you consider those points, you will not need to consider symmetric setups etc. It is needed in some way, but it is better to consider the traffic that is supposed to flow in both directions.
Best regards,
Markus
Hi Markus,
Thank you for replying. Both sites are set as IPSec configuration. I'm a bit confused for the second and third item you listed. Sorry, I'm a bit new to the Fortigate and network configuration. Pretty much a novice.
Hi Jasuncion,
no problem. Both FortiGates will receive traffic, and they will need information in terms of a static route as to which destination traffic has to be led through the tunnel. Otherwise, the most fitting route will be the default route.
Traffic for 192.168.48.0/24 on the other end of a tunnel requires a static route to dst 192.168.48.0/24 with the interface of the tunnel. Otherwise, the traffic destined for 192.168.48.0 would leave the wan interface.
The IPsec tunnel wizard does a good job for this. It creates the routes and policies.
In case of IPSec you will also need to add the address networks of the other site you intent to reach as selectors.
This might help for some guide on how to set it up:
Best regards,
Markus
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.