Hot!Implementing VPN by 2 sites with remote gateway

Author
simone.decina
New Member
  • Total Posts : 1
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/01/25 01:29:18
  • Status: offline
2020/01/25 03:17:28 (permalink)
0

Implementing VPN by 2 sites with remote gateway

Hi everyone,
first of all, thank for all your support.
We have two sites (we'll call them S1 and S2) linked each other by IPSEC vpn by two Fortigate (FG). The IPSEC has been working for a while.
Now we've got a committee gateway (CGW) to one site (S1) to reach committee's services (http services, ad services, etc... we'll call them CSRV).
We cannot edit committee gateway routing and policy in any way.
 
We need to make some hosts, installed on the other site (S2), reach this gateway. The committee provide a /24 range of IP's for those hosts (SUBNET A or SBA). So we've tried in many ways to handle this problem with no success.
 
Configuration A
We've added SBA to the Phase 2 selectors for local and remote addresses on both FGs.
For S2 FG (FG2) we set a:
  • route policy for all traffic directed to CGW and CSRV to be directed on the virtual IPSEC interface.
For S1 FG (FG1) we set a:
  • route policy for all traffic directed to CGW and CSRV to be directed on the inside port where the CGW vlan is configured.
  • route policy for all traffic directed to SBA to be directed back on IPSEC on S2
For testing, we set up an all-all IPV4 policy between IPSEC interface and the FG port involved.
 
Configuration B
We logically split SBA into TWA /25 subnets (SBA1 and SBA2) and assign SBA1 (containing the CGW IP) to 
 
For S2 FG (FG2) we set a:
  • route policy for all traffic directed to SBA1 to be directed on the virtual IPSEC interface.
For S1 FG (FG1) we set a:
  • route policy for all traffic directed to CGW and CSRV to be directed on the inside port where the CGW vlan is configured.
  • route policy for all traffic directed to SBA2 to be directed back on IPSEC on S2
For testing, we set up an all-all IPV4 policy between IPSEC interface and the FG port involved.
 
Probably, no one of the configuration above can work until CGW is configured to be a gateway of /24 subnet and without a static route to address all packet for S2 to FG of S1.
 
So we're guessing to try a VXLAN and work at L2: but we can't find infos or tip about compatibility by VPN IPSEC E VXLAN considering that they will shar a part of the way.
 
Thanks a lot. Any kind of support will be appreciated.
You can find attached a short schema of the two configuration mentioned above.

Attached Image(s)

#1
Toshi Esumi
Expert Member
  • Total Posts : 2241
  • Scores: 215
  • Reward points: 0
  • Joined: 2014/11/06 09:56:42
  • Status: offline
Re: Implementing VPN by 2 sites with remote gateway 2020/01/25 14:02:07 (permalink)
0
If the CGW can handle accesses only from the local /24 subnet, wouldn't a (S)NAT at FG2 for Committee access traffic solve the issue? It wouldn't work if the server side needs to initiate traffic toward clients spontaneously though.
#2
Jump to:
© 2020 APG vNext Commercial Version 5.5