Routing problem between 2 FG Tunnel VPN IPsec
Hello,
I need help solving a routing problem.
The HQ and Branch FortiGate firewalls are connected via a site-to-site IPsec VPN; everything is working fine, we can ping and have access from servers and resources LAN to LAN from both sides.
I created a static route from the Branch LAN 10.0.151.0/24 to HQ's router 10.0.78.253 on the Arkoon firewall.
We host a SaaS solution with a service provider, and this one authorizes the different LANs to connect to the solution (France agencies + UK agency).
On our Arkoon firewall, we have authorized the different LANs that must have access to the LAN of the SaaS solution, 192.168.100.0/24.
This works very well for all the agencies in France, except for the UK LAN with 10.0.151.0/24 addressing.
When I do a tracert from a computer on the Branch LAN, 10.0.151.109, I can ping 10.0.78.253 and 10.0.78.254.
But when I try to ping or tracert 192.168.100.20, it cannot find a route and it fails at the first hop after 10.0.151.254.
Thank you in advance.
You can find in my screenshots: FortiGate FW UK static routes, IPv4 policies and network topology.
Regards,
Hi David.
It looks like you will need an additional Phase 2 configured on the Branch FortiGate, to allow 10.0.151.0/24 (local) to have a tunnel to 192.168.100.0/24 (remote), with the opposite configured on the HQ FortiGate.
Regards,
Phil
Phil Lofthouse wrote: Hi David.
It looks like you will need an additional Phase 2 configured on the Branch FortiGate, to allow 10.0.151.0/24 (local) to have a tunnel to 192.168.100.0/24 (remote), with the opposite configured on the HQ FortiGate.
Regards,
Phil
I added the additional Phase 2 as shown and changed the IPv4 policy from HQ to Branch.
It works perfectly, thank you all for your help.
Phil, for my education: what did you see in the information provided that led to that answer? I am looking and I see nothing about a Phase 2 mismatch. But I am a novice.
What Phil says, David: beyond routing to the 192.168 network via the VPN tunnel interface, you have to add Phase 2 selectors for the networks in question as well.
In Phase 2, I have set Local Address Branch-to-HQ_local 10.0.151.0/24 and Branch-to-HQ_remote 10.0.78.0/24.
Thank you in advance,
Regards.
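As an added example (not from any poster in this thread, and not David's actual configuration), the change Phil describes and the policy change David mentions, written out as FortiOS CLI. It assumes a route-based (interface-mode) tunnel, a Phase 1 named "Branch-to-HQ" on the Branch FortiGate and "HQ-to-Branch" on HQ, a Branch LAN interface "port1", an HQ interface "port2" facing the Arkoon, and address objects "SaaS-LAN" and "Branch-LAN" created here; the existing objects "Branch-to-HQ_local" and "Branch-to-HQ_remote" are the ones David named. The point of the second selector is that the static route only steers the packet to the tunnel interface; if no Phase 2 selector covers the 10.0.151.0/24 to 192.168.100.0/24 pair, there is no SA for it and the Branch FortiGate drops it, which is why the trace dies one hop after 10.0.151.254.

```fortios
# ---- Branch FortiGate (assumed Phase 1 name "Branch-to-HQ", LAN on "port1") ----
config firewall address
    edit "SaaS-LAN"
        set subnet 192.168.100.0 255.255.255.0
    next
end

# Second Phase 2: Branch LAN <-> SaaS LAN, in addition to the existing
# 10.0.151.0/24 <-> 10.0.78.0/24 selector.
config vpn ipsec phase2-interface
    edit "Branch-to-HQ-SaaS"
        set phase1name "Branch-to-HQ"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 10.0.151.0 255.255.255.0
        set dst-subnet 192.168.100.0 255.255.255.0
    next
end

# Send the SaaS subnet into the tunnel interface ("edit 0" takes the next free id).
config router static
    edit 0
        set dst 192.168.100.0 255.255.255.0
        set device "Branch-to-HQ"
    next
end

# Policy from the LAN into the tunnel for the SaaS subnet.
config firewall policy
    edit 0
        set name "LAN-to-SaaS"
        set srcintf "port1"
        set dstintf "Branch-to-HQ"
        set srcaddr "Branch-to-HQ_local"
        set dstaddr "SaaS-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---- HQ FortiGate (assumed Phase 1 name "HQ-to-Branch", Arkoon side on "port2") ----
config firewall address
    edit "Branch-LAN"
        set subnet 10.0.151.0 255.255.255.0
    next
    edit "SaaS-LAN"
        set subnet 192.168.100.0 255.255.255.0
    next
end

# Mirror image of the Branch selector: local is the SaaS LAN, remote is the Branch LAN.
config vpn ipsec phase2-interface
    edit "HQ-to-Branch-SaaS"
        set phase1name "HQ-to-Branch"
        set proposal aes256-sha256
        set src-subnet 192.168.100.0 255.255.255.0
        set dst-subnet 10.0.151.0 255.255.255.0
    next
end

# Policy from the tunnel toward the Arkoon, where 192.168.100.0/24 is reached.
config firewall policy
    edit 0
        set name "Branch-to-SaaS"
        set srcintf "HQ-to-Branch"
        set dstintf "port2"
        set srcaddr "Branch-LAN"
        set dstaddr "SaaS-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The two selectors must be exact mirrors (same subnets and masks swapped), or Phase 2 negotiation fails with a selector mismatch. To check after applying, `diagnose vpn tunnel list name Branch-to-HQ` lists each proxyid with its source and destination pair and whether its SA is up, and `get router info routing-table details 192.168.100.20` confirms the route points at the tunnel interface. The HQ side already needs its route to 192.168.100.0/24 via the Arkoon and the Arkoon's return route for 10.0.151.0/24 to 10.0.78.253, which David describes as in place. Replace `set service "ALL"` with the ports the SaaS actually uses once it works.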