Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
headbull
New Contributor

Routing traffic between multiple vpn sites

Hello,

Sorry if this question has been responded to earlier, but I struggle to find exactly what to search for. I'm quite new to FortiGate products, and I need some help with this issue.

We have one main location, where our different sites are connected (see attached drawing). We want to allow traffic coming from one location (site) to enter the main location, and then be allowed to also connect to the other VPN sites that are connected. I would also like some help with the correct name/term used to describe this traffic, meaning that clients on one site can access servers/clients on the other sites that are connected to the main VPN connection.

If someone could give me a short explanation of how this is set up in the FortiGate GUI/web interface, it would be much appreciated.

4 REPLIES
rwpatterson
Valued Contributor III

Welcome to the forums.

It's basically just routing. In order for this to happen on a Fortigate, the VPN tunnels should be configured in interface mode. Once this happens, policies can be built between interfaces (AKA tunnels or sites) just like any interface native to the firewall. That is a very general explanation, but it's accurate.

Bob

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

headbull

Thanks for your reply!

I was hoping somebody could give a closer description of the theory behind it and the setup. Right now I have two VPN tunnels set up (site-to-site) on my primary FortiGate/HQ. But clients on one site can't reach the people on the other site. But both can reach the clients connected to the HQ site without problem.

tanr
Valued Contributor II

There are some examples of hub and spoke configurations that allow communication between the spokes in the online manuals. The examples include both the routing and the security policies needed.

For 5.4.x hub and spoke examples:

http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ipsecvpn-54/Hub_and_Spoke_Config/hub-...

Note that if your various spokes or the hub have overlapping subnets you'll have to work around that. A cookbook article on this is at http://cookbook.fortinet.com/vpn-overlapping-subnets/.

For safety/security, you should use local-in policy to blackhole all RFC1918 private networks unless they go through your VPN, so that if your VPN is down you don't accidentally route vpn traffic elsewhere. Discussion at:

https://forum.fortinet.com/tm.aspx?m=100686 and https://forum.fortinet.com/tm.aspx?m=87069#87069.

Hope this helps.

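As an added illustration of what the two replies above describe (not configuration from this thread, and FortiGate CLI rather than the GUI), here are the HQ-side pieces that let site B reach site C through the hub. It assumes the two interface-mode tunnels already exist under config vpn ipsec phase1-interface as to_siteB and to_siteC, and that the site subnets are 192.168.20.0/24 and 192.168.30.0/24; all of these names and addresses are constructed for the example.

```fortios
# Hub (HQ) side only. Tunnel names and subnets are assumed; replace with your own.
# Interface-mode tunnels are the ones created under "config vpn ipsec phase1-interface".
config firewall address
    edit "net_siteB"
        set subnet 192.168.20.0 255.255.255.0
    next
    edit "net_siteC"
        set subnet 192.168.30.0 255.255.255.0
    next
end
config router static
    edit 1
        set dst 192.168.20.0 255.255.255.0
        set device "to_siteB"
    next
    edit 2
        set dst 192.168.30.0 255.255.255.0
        set device "to_siteC"
    next
    # Catch-all for the private range the sites live in: only used when a
    # tunnel route is gone, so traffic for a down site is dropped, not
    # forwarded out the default route. Repeat for 10.0.0.0/8 and 172.16.0.0/12.
    edit 3
        set dst 192.168.0.0 255.255.0.0
        set blackhole enable
        set distance 254
    next
end
config firewall policy
    # Spoke-to-spoke: the tunnels are just two interfaces on the hub.
    edit 10
        set srcintf "to_siteB"
        set dstintf "to_siteC"
        set srcaddr "net_siteB"
        set dstaddr "net_siteC"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        set srcintf "to_siteC"
        set dstintf "to_siteB"
        set srcaddr "net_siteC"
        set dstaddr "net_siteB"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Each spoke also needs a static route for the other spoke's subnet via its own tunnel to HQ, phase 2 selectors that cover that subnet (or 0.0.0.0/0 selectors), and a LAN-to-tunnel policy, otherwise the return traffic never enters the tunnel. Narrow `service "ALL"` to what the sites actually exchange once it works.
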
jaikishan100

I need help on the same matter. We have 3 locations (A, B and C) in different parts of the country...

Let's say A is HQ and B and C are the branches.

Now, how can I configure the FortiGate so that A, B, and C can communicate with each other?

Please explain the procedure to me in detail... thanks
