Route within the same firewall for 2 site-to-site VPN

2019/06/04 20:49:21 (permalink)


Hi all,
First time post but long time follower!
I have a scenario where the firewall I currently manage has 2 site-to-site VPNs connected from different locations, with a DrayTek router on each end.
Draytek ---VPN--- Fortigate ---VPN--- Draytek
Question is, I want these 2 networks to be able to reach each other.
I tried adding the policy but it didn't work.
Do I have to add static route in the Draytek router?
Thanks in advance.


    Re: Route within the same firewall for 2 site-to-site VPN 2019/06/05 01:43:09 (permalink)
    And welcome to the forums, as a contributor :-)
    Yours is a routing problem, not so much a problem with VPN or policies.
    In your mind, move to every router in that chain and ask yourself:
    - Do I have a route to the destination?
    - Does my VPN transport this network (phase2 selectors)?
    - Do I have a policy for this traffic? Do I have one for the incoming and one for the outgoing direction?
    Helpful to know:
    1- the FGT will discard any traffic which comes from an "unknown" source. To make a source network "known", you need to create a static route to it.
    2- if you use '' as the phase2 selector in the FGT VPN, it will be used as a wildcard. I know this will work for multiple arbitrary networks between 2 FGTs. No experience with FGT-to-Draytek.
    3- do not use NAT anywhere for this scenario. IMHO NAT often is a quick fix to cover up poor routing.


    " Kernel panic: Aiee, killing interrupt handler!"
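The three checks from the reply above (route, phase2 selector, policy per direction), written out as FortiOS CLI for the hub FortiGate. This is an added example, not configuration from either poster; the tunnel names, subnets and the assumption that both tunnels are route-based (interface mode) are constructed.

```fortios
# Constructed example (not from the thread): FortiGate hub with two
# route-based tunnels. VPN_SiteA -> 192.168.10.0/24, VPN_SiteB -> 192.168.20.0/24.
# Routes: without one, the FGT also drops packets *sourced* from an "unknown" LAN.
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "VPN_SiteA"
    next
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "VPN_SiteB"
    next
end
# Phase2: each tunnel must also carry the *other* spoke's LAN
# (the DrayTek at each end needs the mirror-image selector and its own route).
config vpn ipsec phase2-interface
    edit "SiteA_carry_SiteB"
        set phase1name "VPN_SiteA"
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
    edit "SiteB_carry_SiteA"
        set phase1name "VPN_SiteB"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end
# Policies: one per direction between the two tunnel interfaces, NAT off.
config firewall policy
    edit 0
        set srcintf "VPN_SiteA"
        set dstintf "VPN_SiteB"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set srcintf "VPN_SiteB"
        set dstintf "VPN_SiteA"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

In production, replace the "all" address objects with objects for the two spoke LANs so the policies only match the traffic the phase2 selectors actually carry.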