
Author
slispd
New Member
2019/02/17 11:07:12 (permalink)
0

Routing with 3 fortigates IPSEC VPN!

Hello,
 
I have 3 fortigates A, B and C.
The fortigate B connects to the A and C fortigate with IPSEC vpn.
In fortigate A I have internal network 10.0.10.0/24
In fortigate B I have internal network 10.0.20.0/24
In C fortigate I have internal network 10.0.30.0/24
The network 10.0.20 accesses the networks 10.0.10 and 10.0.30, but I need to make the network 10.0.10 access the network 10.0.30, passing through the fortigate B.
Making vpn between Fortigates A and C is not an option.
How do I do this?
 
TKS for all.
 
#1
Dai
New Member
Re: Routing with 3 fortigates IPSEC VPN! 2019/02/25 20:57:17 (permalink)
0
There is no problem if both A and C have reachability.
Note the setting of policy (Allow UDP 500)
#2
Margim Jmaes
New Member
Re: Routing with 3 fortigates IPSEC VPN! 2019/02/25 21:20:30 (permalink)
0
The policy is Allow UDP 500. I think there is no problem.
post edited by Margim Jmaes - 2019/02/25 21:54:47
#3
ede_pfau
Expert Member
Re: Routing with 3 fortigates IPSEC VPN! 2019/02/26 04:52:00 (permalink)
5 (1)
Strange answers. This is not about an additional VPN but simple routing and policies.
 
To go from A to C, via B:
1. on FGT A:
- add a static route for the network C, gateway interface is the tunnel to B, no gateway address
- the tunnel between A and B should have 2 phase2's:
   - one from network A to network B
   - one from network A to network C (so this one needs to be added)
- in the policy from A to B, add network C's address range as destination address
 
2. on FGT C:
- add a static route for the network A, gateway interface is the tunnel to B, no gateway address
- the tunnel between C and B should have 2 phase2's:
   - one from network C to network B
   - one from network C to network A (so this one needs to be added)
- in the policy from C to B, add network A's address range as destination address
 
3. on FGT B:
- create 2 new policies:
   - from tunnel A to tunnel C
   - from tunnel C to tunnel A
with the correct source and destination addresses.
 
 
So, in short words, make sure the tunnel carries 2 destination networks (via 2 phase2's) and the policy allows the remote network. FGT B will do the routing, the transit traffic is allowed by 2 additional policies.
 
Let us know if this works for you.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
#4
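An added example, not part of any post in this thread: a small Python check of the phase2 selector layout for the A, B, C networks from the question. It assumes every tunnel uses specific subnet selectors (not 0.0.0.0/0) and that each selector needs a mirrored entry on the peer; the data model and function names are hypothetical.

```python
from ipaddress import ip_network as net

A, B, C = net("10.0.10.0/24"), net("10.0.20.0/24"), net("10.0.30.0/24")

# Constructed model: phase2[(device, peer)] is the set of (local, remote)
# selectors configured on `device` for its tunnel to `peer`.
def after_spoke_steps():
    """Steps 1 and 2 applied on FGT A and FGT C, hub B selectors unchanged."""
    return {
        ("A", "B"): {(A, B), (A, C)},  # A->C selector added on FGT A
        ("B", "A"): {(B, A)},          # hub side of the tunnel to A
        ("C", "B"): {(C, B), (C, A)},  # C->A selector added on FGT C
        ("B", "C"): {(B, C)},          # hub side of the tunnel to C
    }

def with_hub_selectors():
    """Same model, with the mirrored transit selectors also present on FGT B."""
    p2 = after_spoke_steps()
    p2[("B", "A")].add((C, A))  # on tunnel to A: local is network C, remote is A
    p2[("B", "C")].add((A, C))  # on tunnel to C: local is network A, remote is C
    return p2

def unmatched_selectors(phase2):
    """List (device, peer, local, remote) for selectors with no mirror on the peer."""
    missing = []
    for (dev, peer), sels in sorted(phase2.items()):
        mirror = phase2.get((peer, dev), set())
        for local, remote in sorted(sels):
            if (remote, local) not in mirror:
                missing.append((dev, peer, str(local), str(remote)))
    return missing

def transit_path_ok(phase2, src, dst, path=("A", "B", "C")):
    """True if both ends of every tunnel on the path have a selector covering src -> dst."""
    for dev, peer in zip(path, path[1:]):
        out_ok = any(src.subnet_of(l) and dst.subnet_of(r)
                     for l, r in phase2.get((dev, peer), ()))
        in_ok = any(dst.subnet_of(l) and src.subnet_of(r)
                    for l, r in phase2.get((peer, dev), ()))
        if not (out_ok and in_ok):
            return False
    return True
```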
rwpatterson
Expert Member
Re: Routing with 3 fortigates IPSEC VPN! 2019/02/26 06:03:31 (permalink)
5 (1)
Also, you must create the VPNs in interface mode. Policy mode will not allow the routing you wish.

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.19-b0694
FWF60B
FWF80CM (4)
FWF81CM (2)
 
#5
ede_pfau
Expert Member
Re: Routing with 3 fortigates IPSEC VPN! 2019/02/26 07:46:52 (permalink)
5 (1)
jeez, who still knows policy based VPN, let alone use it...:-)

Ede

#6
rwpatterson
Expert Member
Re: Routing with 3 fortigates IPSEC VPN! 2019/02/26 07:57:10 (permalink)
5 (1)
LOL! Covering all bases. ;-)

#7
capricorn80
Silver Member
Re: Routing with 3 fortigates IPSEC VPN! 2019/07/15 05:01:56 (permalink)
0
Hi!
I am in the same situation and did the steps as mentioned, but I cannot ping from A to C.
What type of phase2 settings should I set up between A and C? I did the same for A and C.
Will they both match with each other, or should it be the same as A and B and B and C?
 
Thanks
#8