Hi forum.
I have not too much experience with Fortigate VPN but I have searched the forum and did not found the answer to my question since my setup is very unlikely.
I needed to connect two offices via two identical Fortigate 30E and due to internal policies of the company, while HQ_1 uses the Fortigate as Router and firewall and has its WAN directly connected to the Public IP address, the HQ_2 uses a proprietary router and their Fortigate 30E WAN is connected to one LAN port of the router in the internal subnet.
Have forwarded inside the proprietary router 4500 and 500 pointed.
I have drawn the configuration in order to explain better my case.
In order to instantiate a VPN between the two offices, I have followed the good guide and different thread I have found in this forum. And the VPN is up.
However following problems occur:
inside the CLI of Fortigate HQ_2 (the one behind the NAT) I can ping and see:
Fortigate of HQ_1
all devices in subnet of Office 1.
inside the CMD line of any device inside subnet of HQ_2 (the one behind the NAT) I cannot ping nor see devices in subnet of Office 1.
And
inside the CLI of Fortigate HQ_1 I cannot ping FortigateRouter2, the local IP address of proprietary router nor any devices in subnet of Office 2.
but:
inside the CMD of any device inside subnet of HQ_1 (the one behind the NAT) I ping successfully FortigateRouter2, but cannot all devices in subnet of Office 2.
So the question is:
Does such a configuration present some major error?
Can anone help to explain this?
Best regards and thank You all
Steve
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
It's about the 3rd party router, more than about FG30E, at HQ.2. Your set-up is "VPN FW on a stick". If the LAN1 and LAN2 on the router are just switch port with 1 interface IP like .254 it would probably work with the default GW pointing to.253 at all devices including the PC1 in the diagram. Otherwise, the router needs to have a static route for 192.168.3.0/24 toward .253.
But what I really recommend it put the 30E at HQ.2 in-line between the router and all devices by assigning a /30 subnet between the router and the 30E. It would make all troubleshoot much easier.
Thank You really, Toshi Esumi, for your quick reply.
When you say: "Otherwise, the router needs to have a static route for 192.168.3.0/24 toward .253" you mean obviously the 3rd part router right? I think yes but need confirmation.
So all the local subnet traffic (also non VPN) should first pass via Fortigate, right?
Sadly putting it in-line is not permitted by IT manager of the company.
Thank You again.
Regards
Yes. The bottom line is the packets destined to 192.168.3.0/24 at HQ.2 need to hit the 30E to get into the tunnel. So either by default gateway at each device or static route at the router if that's the default GW.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1705 | |
1093 | |
752 | |
446 | |
230 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.