Link two PCs over two Fortigates

Author
MsComX
New Member
  • Total Posts : 4
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/07/02 03:45:26
  • Status: offline
2020/07/04 13:38:04 (permalink)
0

Link two PCs over two Fortigates

Hi guys,
I want to link two PCs over two Fortigates through a VPN tunnel (cf. attachement)
Ws1 has to communicate with Ws3.
Ws1 is behind Fortigate1(60D) and Ws3 is connected to Fortigate2(60D) from another site by SSL VPN.
With the IPsec wizard, I have linked Ws1 and Ws2.
And with the SSL-VP Portal, I have linked Ws3 to Ws2.
Now I want an idea to link Ws1 to Ws3.

Attached Image(s)

#1

5 Replies

    Toshi Esumi
    Expert Member
    • Total Posts : 2177
    • Scores: 213
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Link two PCs over two Fortigates 2020/07/04 16:43:05 (permalink)
    0
    I answered an almost exactly the same question about a month ago, which I can't find; it's just...
    SSL VPN client <--(SSL VPN)-->FGT<--(IPSecVPN)-->FGT<->host
    You need to take care of three things:
    1. routing from/to source to/from destination
    2. policies on the FGTs
    3. phase2 selectors for IPSec
     
    Depending on your SSL VPN setup the routing would vary. Let me ask you below:
    a. Is SSL VPN split-tunnel or non-split?
    b. Are the SSL VPN policies that allow the destinations NATed or no NAT?
     
    #2
    MsComX
    New Member
    • Total Posts : 4
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/07/02 03:45:26
    • Status: offline
    Re: Link two PCs over two Fortigates 2020/07/04 16:54:59 (permalink)
    0
    Thank you, Toshi, for reacting.
    a) The SSL VPN is split-tunnel
    b) SSL VPN is gonna use a NAT translation
    #3
    Toshi Esumi
    Expert Member
    • Total Posts : 2177
    • Scores: 213
    • Reward points: 0
    • Joined: 2014/11/06 09:56:42
    • Status: offline
    Re: Link two PCs over two Fortigates 2020/07/04 20:23:56 (permalink)
    0
    Then, for the client routing, you have to set the destination subnet as part of the routing address at the portal. You should check the routing table on the client machine once it's done.
    If you use NAT for the SSL VPN policy, the source IP of the packets that go across the IPsec VPN is the tunnel interface IP. Make sure you configured the tunnel IP on both ends. Two /32 IPs work on both ends, but it's generally recommended to pick ones in a /30 range, like 10.0.0.1/32 and 10.0.0.2/32. Then the FGT on the other side knows where to route the returning packets.
     
    Probably you took care of the sets of policies on both ends. Since you're NATing, it's one-way access, so you need only one policy on each FGT.
     
    Then, lastly, make sure the phase2 selectors include access from the source tunnel IP, like 10.0.0.1/32, to the destination subnet.
     
     
    #4
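The three items Toshi lists (client routing pushed by the portal, NAT on the single SSL VPN policy so traffic crosses IPsec sourced from the tunnel IP, and phase 2 selectors that cover that tunnel IP) written out as FortiOS CLI. This is an added example, not configuration posted in the thread. It assumes Ws1's LAN is 192.168.1.0/24 and FortiGate2's LAN is 192.168.2.0/24, IPsec tunnel interfaces named to-site2 (FortiGate1) and to-site1 (FortiGate2) with the 10.0.0.1/32 and 10.0.0.2/32 tunnel IPs from the reply above, a user group sslvpn-users, and the built-in SSLVPN_TUNNEL_ADDR1 pool object; the `#` lines are annotations to strip before pasting into the CLI.

```fortios
# ===== FortiGate2 (Ws3 connects here as the SSL VPN client) =====
# Assumed address objects (constructed for this example).
config firewall address
    edit "WS1_SUBNET"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "SITE2_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end
# 1. Client routing: the split-tunnel portal pushes the Ws1 subnet to Ws3.
config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "SITE2_LAN" "WS1_SUBNET"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
# Tunnel interface IP on this end and the peer's, so return traffic to
# 10.0.0.2 has a route on FortiGate1.
config system interface
    edit "to-site1"
        set ip 10.0.0.2 255.255.255.255
        set remote-ip 10.0.0.1 255.255.255.255
    next
end
# 3. Phase 2 selector: from this end's tunnel IP to the Ws1 subnet.
config vpn ipsec phase2-interface
    edit "to-site1-p2"
        set phase1name "to-site1"
        set src-subnet 10.0.0.2 255.255.255.255
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
# Route the Ws1 subnet into the IPsec tunnel.
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "to-site1"
    next
end
# 2. The one policy on this side: SSL VPN -> IPsec, NAT enabled, so every
#    packet leaves with source 10.0.0.2 (the to-site1 interface IP).
config firewall policy
    edit 0
        set name "sslvpn-to-ws1"
        set srcintf "ssl.root"
        set dstintf "to-site1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "WS1_SUBNET"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
# ===== FortiGate1 (Ws1's site) =====
config system interface
    edit "to-site2"
        set ip 10.0.0.1 255.255.255.255
        set remote-ip 10.0.0.2 255.255.255.255
    next
end
config firewall address
    edit "FGT2_TUNNEL_IP"
        set subnet 10.0.0.2 255.255.255.255
    next
    edit "WS1_SUBNET"
        set subnet 192.168.1.0 255.255.255.0
    next
end
# 3. Mirror of the phase 2 selector; selectors must match on both peers.
config vpn ipsec phase2-interface
    edit "to-site2-p2"
        set phase1name "to-site2"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.0.0.2 255.255.255.255
    next
end
# 2. The one inbound policy, accepting only the NATed tunnel IP as source.
config firewall policy
    edit 0
        set name "site2-tunnel-to-ws1"
        set srcintf "to-site2"
        set dstintf "internal"
        set srcaddr "FGT2_TUNNEL_IP"
        set dstaddr "WS1_SUBNET"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To verify each of the three items after applying this: on Ws3, the client routing table (`route print` on Windows) should show 192.168.1.0/24 via the SSL VPN adapter once the portal pushes it; on FortiGate2, `get router info routing-table all` should list the 192.168.1.0/24 static route on to-site1 and `diagnose vpn tunnel list` should show the 10.0.0.2/32 to 192.168.1.0/24 selector; `diagnose sniffer packet to-site1 'host 10.0.0.2'` confirms that traffic entering the tunnel is sourced from the tunnel IP rather than the SSL VPN pool address. Because the inbound policy on FortiGate1 matches only FGT2_TUNNEL_IP, nothing beyond the NATed tunnel address can initiate connections into the Ws1 subnet.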
    live89
    Silver Member
    • Total Posts : 84
    • Scores: 6
    • Reward points: 0
    • Joined: 2016/05/11 07:20:42
    • Status: offline
    sw2090
    Expert Member
    • Total Posts : 712
    • Scores: 50
    • Reward points: 0
    • Joined: 2017/06/14 01:27:25
    • Location: Regensburg
    • Status: offline
    Re: Link two PCs over two Fortigates 2020/07/07 01:41:47 (permalink)
    0
    I think the easiest way would be to change the private subnet of ws3 in order not to have overlapping subnets, as ws3 is not directly connected to the second FGT.
    Then the split tunnel to ws1 would only need to push a route to the ws3 subnet to ws1, and the FGTs also need routes and policies.
    Overlapping subnets always create a lot of fuss, as you would have to translate them somehow to be able to route traffic.
     
    There are some KB and cookbook articles on VPN with overlapping subnets:
    https://cookbook.fortinet.com/vpn-overlapping-subnets/index.html
    https://kb.fortinet.com/k....do?externalID=FD47283
    post edited by sw2090 - 2020/07/07 01:55:18
    #6
    © 2020 APG vNext Commercial Version 5.5