Can I change an IPsec VPN setup that was originally setup from FortiGate to Cisco, to FortiGate to FortiGate? I guess when multiple subnets are on the remote or local network, this setup matters. My case is the following. I'm updating a lot of Sophos firewalls, I need to setup the VPN from FortiGate to Cisco for swapping out units. Then when I swap out the last unit at our main location, which all the other locations connect to, can I simply update the VPN with some type of command line command. If I had to setup a new VPN starting from scratch, then a lot of rules and other things would also need to be updated. Updating the VPN type would make this upgrade process a lot easier. Is this possible?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Better yet, can I just setup 2 FortiGate firewalls with a IPsec VPN with selecting the device type of Other? Then I can just use the same IPsecVPN when swapping and not change anything. Is there an advantage to selecting device type of FortiGate?
Hi @fortiNoob007,
I believe it is possible. You just need to make sure all settings match on both FortiGates.
Regards,
You can do it, but you need to make sure all settings are identical with the remote peer.
I would say the easiest way will be Fortinet IPSEC wizard on the new device, you can just enter the subnets and it will do the rest ( policy and routes)
you many need to input the pre shared key, because when you use the wizard it generates a random pre shared key.
I have the IPsec VPNs working. However, there is an issue. I have 2 subnets at the firewall that is a Sophos firewall. If I add both remote networks to the setup, the tunnel seems to randomly work with 1 of the 2 subnets. Both the Sophos firewall and the Fortigate show the tunnel working fine, but only traffic from 1 subnet will work. If I force the tunnel down, then up, they both work for about a minute, then 1 randomly stops and the other keeps working. I have it setup for testing now with only 1 subnet on each end, it has been working without disruption for around 2 days now. But the problem seems to be when I add the 2nd remote subnet. I have multiple Sophos firewalls with multiple subnets routing between them without any issues. I check my static routes and the firewall rules, all traffic is setup to correctly route and allow the flow. I have confirmed if I add say subnet A only, it works fine, then I remove subnet A and add subnet B as the remote network and it works fine again. But when both are added, it seems to get really goofy. I found this article, but I haven't tried these steps yet. Any thoughts?
Hi @fortiNoob007,
How many phase2 selector do you have? You can use 'addr_subnet' instead of 'Named address'.
Regards,
Trust me, I've tried it all. I'm now going to try this thought process in the link below. Seems like that would be the most combatable across all firewall operating systems. Just need to make sure the routing is correct and the rules are set, which isn't an issue at all. I'll update after I have time after hours to try this setup.
https://www.reddit.com/r/fortinet/comments/g146ns/ipsec_s2s_vpn_with_multiple_subnets_on_each_site/
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.