Support Forum
Storyteller
New Contributor

Theoretical problem about IPSEC (Can IPSEC have transitive property?)

This is the problem.

 

Site A (10.0.0.0/24) ------ VPN IP SEC -----> Site B (192.168.0.0/24) ----- VPN IP SEC -----> Site C (192.168.10.0/24)

 

Can Site A reach Site C via Site B without direct StS connection?

 

I was able to do it with the clients: my VPN clients can reach the IPsec VPN set up on my FortiGate (from home to our customer company networks).

 

CtS -> StS OK!

StS -> StS ???

 

Regards,

Graziano.

ede_pfau
Esteemed Contributor III

Yes, why not?

 

If traffic traverses the first VPN tunnel, it's traffic on site A like any other. Further destinations are found via routing. As long as you supply routes to distant networks (that is, networks behind the next hop firewall) this will work.

Of course, as firewalls are "security aware" routers, you need appropriate policies in addition.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
emnoc
Esteemed Contributor III

Also, to add: you need a phase2 SA for that destination if you're not doing quad 0s ( 0.0.0.0/0:0 ).

 

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

ede_pfau
Esteemed Contributor III

Absolutely, I recommend using the wildcard (quad 0) in this case. Much less effort then.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Johan_Witters

Make sure to correctly define your remote networks so each Fortigate knows how to reach the other sites.

Also, do not forget to correctly define your access policies; especially on site B you need a policy allowing traffic between A and C.

 

If everything is correctly configured it should work...

 

Good luck.

Johan Witters

Network & Security Engineer

FCNSP V4/V5

 

BKM NV

Storyteller

On which tunnel do I need the quad 0s?

From A to B or from B to C??

 

My CtS -> StS rules work if I use NAT with a static IP of the B network.

 

Regards,

Graziano. 

Andreas_H
New Contributor

As long as you set a route on Site A that Site C (192.168.10.0/24) is behind the remote interface of Site B, it should work. Be sure to also set a Route for Site A on Site C.

 

This is under the assumption, that the following routes are already set up:

  • Site A to Site B and vice-versa
  • Site B to Site C and vice-versa
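The replies above boil down to three checks at every hop: a route for the far LAN pointing at the tunnel, a policy between the two interfaces (on B, between the two tunnels), and phase2 selectors that cover the flow in both directions. The following is a constructed model of those checks, added here; it is not code from any of the posters or from FortiOS, and the interface names ("lan", "toA", "toB", "toC") and host addresses are assumed:

```python
import ipaddress as ip

# Constructed model of the thread's three-site topology (A -> hub B -> C); it is not
# FortiGate code, it only replays the route, policy and SA checks each hop performs.
NET_A, NET_B, NET_C, ANY = "10.0.0.0/24", "192.168.0.0/24", "192.168.10.0/24", "0.0.0.0/0"

def _in(addr, prefix):
    return ip.ip_address(addr) in ip.ip_network(prefix)
def route_lookup(routes, dst):
    """Longest-prefix match over (prefix, egress_if); None means no route, so the hop drops."""
    hits = [(ip.ip_network(p).prefixlen, egress) for p, egress in routes if _in(dst, p)]
    return max(hits)[1] if hits else None
def policy_allows(policies, src_if, dst_if, src, dst):
    return any(p[0] == src_if and p[1] == dst_if and _in(src, p[2]) and _in(dst, p[3]) for p in policies)

def check_flow(sites, path, src, dst):
    """Walk src->dst through path=[(site, ingress_if), ...]; return the failure reasons."""
    reasons = []
    for site, ingress in path:
        cfg = sites[site]
        egress = route_lookup(cfg["routes"], dst)
        if egress is None:
            reasons.append(f"{site}: no route to {dst}")
            continue
        if not policy_allows(cfg["policies"], ingress, egress, src, dst):
            reasons.append(f"{site}: no policy {ingress}->{egress} for {src}->{dst}")
        # Selectors are (local, remote) from this site's view: inbound SA must cover (dst, src),
        # outbound SA (src, dst). LAN interfaces carry no SA, so they are skipped.
        for tunnel, local, remote in ((ingress, dst, src), (egress, src, dst)):
            sel = cfg["phase2"].get(tunnel)
            if sel is not None and not any(_in(local, a) and _in(remote, b) for a, b in sel):
                reasons.append(f"{site}: phase2 selectors on {tunnel} do not cover {src}->{dst}")
    return reasons

# Hub-and-spoke setup as the replies describe: far-LAN routes via the tunnel, quad-0
# selectors, and a policy on B between its two tunnels in both directions.
SITES = {
    "A": {"routes": [(NET_A, "lan"), (NET_B, "toB"), (NET_C, "toB")],
          "phase2": {"toB": [(ANY, ANY)]},
          "policies": [("lan", "toB", NET_A, ANY), ("toB", "lan", ANY, NET_A)]},
    "B": {"routes": [(NET_B, "lan"), (NET_A, "toA"), (NET_C, "toC")],
          "phase2": {"toA": [(ANY, ANY)], "toC": [(ANY, ANY)]},
          "policies": [("toA", "toC", NET_A, NET_C), ("toC", "toA", NET_C, NET_A)]},
    "C": {"routes": [(NET_C, "lan"), (NET_B, "toB"), (NET_A, "toB")],
          "phase2": {"toB": [(ANY, ANY)]},
          "policies": [("toB", "lan", ANY, NET_C), ("lan", "toB", NET_C, ANY)]},
}

def transit_problems(sites):
    """Reasons A<->C transit fails; an empty list means both directions pass every hop."""
    fwd = check_flow(sites, [("A", "lan"), ("B", "toA"), ("C", "toB")], "10.0.0.10", "192.168.10.10")
    rev = check_flow(sites, [("C", "lan"), ("B", "toC"), ("A", "toB")], "192.168.10.10", "10.0.0.10")
    return fwd + rev
```

Narrowing A's selectors to just (NET_A, NET_B), or dropping the A-to-C policy on B, makes `transit_problems` name the failing hop, which is the fault to look for when only CtS works.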
lunhas2k4
New Contributor II

Just to add to the list of great answers.

It is 100% doable as already mentioned, taking the precautions mentioned before.

There are recent versions of FortiOS that allow you to do ADVPN (not sure if that is the right acronym), basically allowing VPNs to be formed automatically between sites, without having the need to backhaul the traffic on site B.

Give that a try as well.

Carlitos loves firewalls

NSE4 (5.4,6.0)

NSE5 (Fortimanager 6.0, Fortianalyzer 6.0)

NSE7 (Enterprise Firewall 6.0)
