Adding a new FortiGate firewall to an existing IPsec VPN connection.

Author
Vigorus
New Member
  • Total Posts : 8
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/10/25 05:42:42
  • Status: offline
2018/10/25 07:00:06 (permalink)
0

Adding a new FortiGate firewall to an existing IPsec VPN connection.

Hi guys
Need your help. We have existing IPsec VPN tunnels (Cisco) between our main office and our branches (hub and spoke). Several days ago we acquired a new FortiGate 301E.
Initially, we would just like to forward web traffic through it. With the main office I achieved this without problems; both devices are in the same subnet. But I could not do the same with the branches, despite the fact that I forwarded all web traffic to a FortiGate local IP address.
#1


    ede_pfau
    Re: Adding a new FortiGate firewall to an existing IPsec VPN connection. 2018/10/25 13:47:07 (permalink)
    It would greatly help if you could put up a diagram showing sites and subnets.
     
    Generally, the FGT needs to know the route to a remote subnet or it will silently drop traffic from there. This is easy to overlook, as traffic comes in OK (the remote router has a matching route), but traffic will die on its way through the FGT. Make sure you have valid routes for all remote spoke subnets on the FGT.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    Vigorus
    Re: Adding a new FortiGate firewall to an existing IPsec VPN connection. 2018/10/26 12:50:21 (permalink)
    Hi, ede_pfau. Thanks for such a prompt response. Yep, sure. I added a general topology.
    post edited by Vigorus - 2018/10/26 12:52:14

    Attached Image(s)

    #3
    ede_pfau
    Re: Adding a new FortiGate firewall to an existing IPsec VPN connection. 2018/10/27 06:22:56 (permalink)
    The FGT needs to have a port in the 20.20.2.0/24 subnet (which isn't shown in your diagram). And a route to '20.20.2.0/24' via this port and gw 20.20.2.2.
    As a rule: the gw needs to be within a local subnet. One subnet per port (or VLAN).

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #4
    Vigorus
    Re: Adding a new FortiGate firewall to an existing IPsec VPN connection. 2018/10/27 09:26:38 (permalink)
    Thanks for the reply. I forgot to mention that we use PBR to forward all web traffic from one local subnet to another. In this scenario, I used PBR to forward all web traffic from 20.20.2.2 to 20.20.1.200 through the VPN tunnel.
    #5
    ede_pfau
    Re: Adding a new FortiGate firewall to an existing IPsec VPN connection. 2018/10/27 10:33:48 (permalink)
    OK, but still, the FGT needs to "know" which interface that traffic is coming in through, so it needs a static route back. Otherwise, if there is no route matching the source address of the traffic, the FGT will silently drop it.
     
    The 'route of last resort' a.k.a. default route usually points to the WAN interface. If traffic from 20.20.2.2 is not coming in through that interface (like in your case, it's coming in on the tunnel interface) then the default route does not apply - hence traffic is dropped.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #6
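    To illustrate the route-back / reverse-path point made in #2, #5 and #6, here is an added example (not from the thread or from Fortinet) that models the check in a few lines of Python. It assumes a simplified strict reverse-path check: a packet is only accepted if the best route back to its source leaves through the interface the packet arrived on. Interface names (wan1, port1, vpn-branch) and the WAN gateway are constructed; the host addresses are the ones from the thread.

```python
# Added example, not from the thread: a small model of the FortiGate
# reverse-path check. A packet is dropped when the routing table has no
# route back to its source via the interface it arrived on; a default
# route pointing at wan1 does not help traffic arriving on a VPN tunnel.
# Interface and gateway names are constructed for illustration.
import ipaddress


class RouteTable:
    def __init__(self):
        self.routes = []  # (network, gateway or None if connected, interface)

    def add(self, prefix, gateway, iface):
        self.routes.append((ipaddress.ip_network(prefix), gateway, iface))

    def lookup(self, addr):
        """Longest-prefix match; returns (network, gateway, iface) or None."""
        ip = ipaddress.ip_address(addr)
        hits = [r for r in self.routes if ip in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None


def forward(table, src, dst, in_iface):
    """Verdict for a packet src->dst received on in_iface (strict RPF, simplified)."""
    back = table.lookup(src)
    if back is None or back[2] != in_iface:
        return "DROP: no route to source via " + in_iface
    out = table.lookup(dst)
    if out is None:
        return "DROP: no route to destination"
    return f"FORWARD via {out[2]}" + (f" gw {out[1]}" if out[1] else " (connected)")


def branch_web_traffic(with_return_route):
    """Branch host 20.20.2.2 reaching the FGT LAN address 20.20.1.200 over the tunnel."""
    fgt = RouteTable()
    fgt.add("0.0.0.0/0", "203.0.113.1", "wan1")   # constructed default route to WAN
    fgt.add("20.20.1.0/24", None, "port1")        # directly connected LAN
    if with_return_route:
        fgt.add("20.20.2.0/24", None, "vpn-branch")  # static route back to the spoke
    return forward(fgt, "20.20.2.2", "20.20.1.200", "vpn-branch")


if __name__ == "__main__":
    print("without return route:", branch_web_traffic(False))
    print("with return route:   ", branch_web_traffic(True))
```

    Without the spoke route, the only match for 20.20.2.2 is the default route via wan1, so a packet arriving on the tunnel is dropped; adding the 20.20.2.0/24 route via the tunnel interface is what lets it through.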
    Vigorus
    Re: Adding a new FortiGate firewall to an existing IPsec VPN connection. 2018/10/27 10:51:03 (permalink)
    You're right. I've already added a static route on the FortiGate (all traffic destined to 20.20.2.0 is forwarded to 20.20.1.2), and I can ping from one side (20.20.2.2) to the other (20.20.1.200) and vice versa. The issue is that I can't make it work: I don't see any traffic on the FGT from 20.20.2.2, despite the fact that I've already forwarded all traffic to it and added a filter to accept any packet from any source.
    #7
    ede_pfau
    Re: Adding a new FortiGate firewall to an existing IPsec VPN connection. 2018/10/27 11:32:24 (permalink)
    If you can ping, then only from .2.2 to .1.2 (what is .1.200?), because that is not restricted to "web only".
    About the FGT, which address does it have in the .2.0 network?

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #8
    Vigorus
    Re: Adding a new FortiGate firewall to an existing IPsec VPN connection. 2018/10/27 22:50:18 (permalink)
    ede_pfau
    About the FGT, which address does it have in the .2.0 network?

    Right now we don't have any.
     
    1.200 is the FGT's local address. My bad, I forgot to mention in the diagram that I am planning to forward all web traffic from 2.2 to the FGT, which is on a different subnet. How can I achieve that? Right now I am forwarding all web traffic from 1.2 to 1.200; I would like to do the same with 2.2. Do I need to create a virtual interface on the FGT for it to be able to receive traffic from 2.2?
    #9
    ede_pfau
    Re: Adding a new FortiGate firewall to an existing IPsec VPN connection. 2018/10/28 04:10:14 (permalink)
    Not a virtual interface, just an interface. If you terminate on the same interface to which you redirect traffic from .1.x, just use a secondary IP address from the .2.x subnet. Otherwise, how would the left-most Cisco know where to send the redirected traffic?
    I really wonder how you are able to see pings going through. The VPN would be the only way for this. You should see it stopping if you deny PING on one of the VPN policies...

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #10
    Vigorus
    Re: Adding a new FortiGate firewall to an existing IPsec VPN connection. 2018/10/28 08:22:12 (permalink)
    ede_pfau
    Not a virtual interface, just an interface. If you terminate on the same interface to which you redirect traffic from .1.x, just use a secondary IP address from the .2.x subnet. Otherwise, how would the left-most Cisco know where to send the redirected traffic?
    I really wonder how you are able to see pings going through. The VPN would be the only way for this. You should see it stopping if you deny PING on one of the VPN policies...


    Main office and Cisco are on the same subnet. After I added a static route on the FGT which says to route all traffic destined to 20.20.0.0 through the gateway 10.10.1.2, I was able to ping the FGT from the 2.2 router. Now, after your advice to add a secondary address on my local interface, I did that and also added new static routes on both routers for them to learn about this new address on the FGT; unfortunately, no reaction, no PING.
    #11
    Vigorus
    Re: Adding a new FortiGate firewall to an existing IPsec VPN connection. 2018/11/01 06:50:10 (permalink)
    Vigorus
    Main office and Cisco are on the same subnet. After I added a static route on the FGT which says to route all traffic destined to 20.20.0.0 through the gateway 10.10.1.2, I was able to ping the FGT from the 2.2 router. Now, after your advice to add a secondary address on my local interface, I did that and also added new static routes on both routers for them to learn about this new address on the FGT; unfortunately, no reaction, no PING.

    Ede, any idea?
    #12
    ede_pfau
    Re: Adding a new FortiGate firewall to an existing IPsec VPN connection. 2018/11/05 05:21:28 (permalink)
    Unfortunately, no, not from far away. You could sniff the traffic (diag sniffer packet ...) and/or trace it (diag debug flow ...) to see what happens. This would be a bit of overkill for a forum post...

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #13