manatnatt
New Contributor

Route within the same firewall for 2 site-to-site VPN

Hi all,

First time post but long time follower!

I have a scenario where the firewall I currently manage has 2 site-to-site VPNs connected from different locations, with a Draytek router on each end.

Draytek ---VPN--- Fortigate ---VPN--- Draytek

Question is, I want these 2 networks to be able to reach each other.

I tried adding the policy but it didn't work.

Do I have to add a static route in the Draytek router?

Thanks in advance.

ede_pfau
Esteemed Contributor III

Hi,

and welcome to the forums, as a contributor :)

Yours is a routing problem, not so much a problem with VPN or policies.

In your mind, move to every router in that chain and ask yourself:

- do I have a route to the destination?
- does my VPN transport this network (phase2 selectors)?
- do I have a policy for this traffic? Do I have one for the incoming and one for the outgoing direction?

Helpful to know:

1- the FGT will discard any traffic which comes from an "unknown" source. To make a source network "known", you need to create a static route to it.

2- if you use '0.0.0.0/0' as the phase2 selector in the FGT VPN, it will be used as a wildcard. I know this will work for multiple arbitrary networks between 2 FGTs. No experience with FGT-to-Draytek.

3- do not use NAT anywhere for this scenario. IMHO NAT often is a quick fix to cover up poor routing.


Ede

"Kernel panic: Aiee, killing interrupt handler!"