Theoretical problem about IPSEC (Can IPSEC have transitive property?)

Author
Storyteller
Bronze Member
  • Total Posts : 25
  • Scores: 2
  • Reward points: 0
  • Joined: 2014/11/24 05:15:42
  • Status: offline
2020/06/25 08:58:15 (permalink)
0


This is the problem.
 
Site A (10.0.0.0/24) ------ IPsec VPN -----> Site B (192.168.0.0/24) ----- IPsec VPN -----> Site C (192.168.10.0/24)
 
Can Site A reach Site C via Site B without direct StS connection?
 
I was able to do it with the clients: my VPN clients can reach the IPsec VPN set up on my FortiGate (from home to our customer company networks).
 
CtS -> StS OK!
StS -> StS ???
 
Regards,
Graziano.
#1


    ede_pfau
    Expert Member
    • Total Posts : 6350
    • Scores: 537
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Theoretical problem about IPSEC (Can IPSEC have transitive property?) 2020/06/25 09:23:01 (permalink)
    0
    Yes, why not?
     
    If traffic traverses the first VPN tunnel, it's traffic on site A like any other. Further destinations are found via routing. As long as you supply routes to distant networks (that is, networks behind the next hop firewall) this will work.
    Of course, as firewalls are "security aware" routers, you need appropriate policies in addition.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    emnoc
    Expert Member
    • Total Posts : 5748
    • Scores: 373
    • Reward points: 0
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    • Status: offline
    Re: Theoretical problem about IPSEC (Can IPSEC have transitive property?) 2020/06/25 12:34:51 (permalink)
    0
    Also, to add: you need a phase 2 SA for that destination if you're not doing quad 0s (0.0.0.0/0:0).
     
     
    Ken Felix

    PCNSE 
    NSE 
    StrongSwan  
    #3
    ede_pfau
    Expert Member
    • Total Posts : 6350
    • Scores: 537
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Theoretical problem about IPSEC (Can IPSEC have transitive property?) 2020/06/28 04:36:51 (permalink)
    0
    Absolutely, I recommend using the wildcard (quad 0) in this case. Much less effort then.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #4
    Johan Witters
    Bronze Member
    • Total Posts : 45
    • Scores: 0
    • Reward points: 0
    • Joined: 2015/06/03 04:06:12
    • Location: Belgium
    • Status: offline
    Re: Theoretical problem about IPSEC (Can IPSEC have transitive property?) 2020/06/29 03:20:42 (permalink)
    0
    Make sure to correctly define your remote networks so each Fortigate knows how to reach the other sites.
    Also, do not forget to correctly define your access policies; especially on site B you need to make a policy allowing traffic between A and C.
     
    If everything is correctly configured it should work...
     
    Good luck.
    #5
    Andreas_H
    New Member
    • Total Posts : 1
    • Scores: 0
    • Reward points: 0
    • Joined: 2019/12/16 09:44:53
    • Status: offline
    Re: Theoretical problem about IPSEC (Can IPSEC have transitive property?) 2020/06/29 09:15:25 (permalink)
    0
    As long as you set a route on Site A that Site C (192.168.10.0/24) is behind the remote interface of Site B, it should work. Be sure to also set a route for Site A on Site C.
     
    This is under the assumption that the following routes are already set up:
    • Site A to Site B and vice-versa
    • Site B to Site C and vice-versa
    #6
    lunhas2k4
    New Member
    • Total Posts : 19
    • Scores: 0
    • Reward points: 0
    • Joined: 2013/11/12 10:44:39
    • Status: offline
    Re: Theoretical problem about IPSEC (Can IPSEC have transitive property?) 2020/06/29 11:41:12 (permalink)
    0
    Just to add to the list of great answers.
    It is 100% doable, as already mentioned, taking the precautions mentioned before.
    There are recent versions of FortiOS that allow you to do ADVPN (not sure if that is the right acronym), basically allowing VPNs to be formed automatically between sites, without having the need to backhaul the traffic on site B.
    Give that a try as well.
    #7
    Storyteller
    Bronze Member
    • Total Posts : 25
    • Scores: 2
    • Reward points: 0
    • Joined: 2014/11/24 05:15:42
    • Status: offline
    Re: Theoretical problem about IPSEC (Can IPSEC have transitive property?) 2020/07/01 23:53:10 (permalink)
    0
    On which tunnel do I need the quad 0s?
    From A to B or from B to C??
     
    My CtS -> StS rules work if I use NAT with a static IP of the B network.
     
    Regards,
    Graziano. 
    #8
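The three requirements the replies above list for the hub (routes to the distant networks, phase 2 selectors that cover them, and a tunnel-to-tunnel firewall policy) as a worked site B configuration; this is an added example, not configuration from the original posts. It assumes route-based (interface mode) IPsec on FortiOS, the hypothetical tunnel interface names toA and toC and address object names NET_A and NET_C, and that sites A and C carry matching quad-0 selectors plus a route for the far network through their own tunnel.

```fortios
config vpn ipsec phase2-interface
    edit "toA-p2"
        set phase1name "toA"
        # quad-0 selectors (as recommended in the thread): any traffic
        # routed into the tunnel is accepted by the SA, so A<->C is not
        # dropped for lack of a matching proxy-ID
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
    edit "toC-p2"
        set phase1name "toC"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config router static
    # routing, not the SA, decides which tunnel a packet enters
    edit 10
        set dst 10.0.0.0 255.255.255.0
        set device "toA"
    next
    edit 11
        set dst 192.168.10.0 255.255.255.0
        set device "toC"
    next
end
config firewall address
    edit "NET_A"
        set subnet 10.0.0.0 255.255.255.0
    next
    edit "NET_C"
        set subnet 192.168.10.0 255.255.255.0
    next
end
config firewall policy
    # tunnel-to-tunnel policy: without it site B drops A->C even though
    # the routes and SAs exist (firewalls are "security aware" routers)
    edit 100
        set srcintf "toA"
        set dstintf "toC"
        set srcaddr "NET_A"
        set dstaddr "NET_C"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # add a mirrored policy (srcintf "toC", dstintf "toA") for C->A
end
```

Narrowing "ALL" to the services A actually needs on C keeps the hub from becoming an open pivot between customer networks.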