MsComX
New Contributor

Link two PCs over two Fortigates

Hi guys,

I want to link two PCs over two Fortigates through a VPN tunnel (cf. attachment).

Ws1 has to communicate with Ws3.

Ws1 is behind Fortigate1(60D) and Ws3 is connected to Fortigate2(60D) from another site by SSL VPN.

With the IPsec wizard, I have linked Ws1 and Ws2.

And with the SSL-VPN Portal, I have linked Ws3 to Ws2.

Now I want an idea of how to link Ws1 to Ws3.

Toshi_Esumi
Esteemed Contributor III

I answered an almost exactly identical question about a month ago, which I can't find. It's just...

SSL VPN client <--(SSL VPN)-->FGT<--(IPSecVPN)-->FGT<->host

You need to take care of three things:

1. routing from/to source to/from destination

2. policies on the FGTs

3. phase2 selectors for IPSec


Depending on your SSL VPN setup the routing would vary. Let me ask you below:

a. Is SSL VPN split-tunnel or non-split?

b. Are the SSL VPN policies that allow the destinations NATed or not NATed?


MsComX

Thank you, Toshi, for reacting.

a) The SSL VPN is split-tunnel

b) SSL VPN is gonna use a NAT translation

Toshi_Esumi
Esteemed Contributor III

Then, for the client routing, you have to set the destination subnet as part of the routing address at the portal. You should check the routing table on the client machine once it's done.

If you use NAT for the SSL VPN policy, the source IP of the packets that go across the IPsec VPN will be the tunnel interface IP. Make sure you configured the tunnel IP on both ends. Two /32 IPs work on both ends, but it's generally recommended to pick ones in a /30 range, like 10.0.0.1/32 and 10.0.0.2/32. Then the FGT on the other side knows where to route the returning packets.


Probably you already took care of the sets of policies on both ends. Since you're NATing, it's one-way access, so you need only one policy on each FGT.


Then lastly, make sure the phase2 selectors include access from the source tunnel IP, like 10.0.0.1/32, to the destination subnet.
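The three items from the reply above (portal routing address, NATed policy with a tunnel interface IP, phase 2 selector covering that IP) written out as FortiOS CLI, as an added illustration that is not from any poster in this thread. All names and addresses (Ws1-subnet, to-FGT1, split-portal, 192.168.1.0/24, 10.0.0.1 and 10.0.0.2) are assumed; SSLVPN_TUNNEL_ADDR1 is the built-in SSL VPN pool object.

```fortios
# Constructed example, not taken from the thread. Assumed names and addresses:
#   Ws1 subnet behind FGT1: 192.168.1.0/24 (firewall address object "Ws1-subnet")
#   SSL VPN client pool on FGT2: SSLVPN_TUNNEL_ADDR1 (built-in address object)
#   IPsec tunnel interface "to-FGT1": FGT2 side 10.0.0.2/32, FGT1 side 10.0.0.1/32
# ---- FGT2 (SSL VPN side) ----
# 1. Split-tunnel portal: push the remote Ws1 subnet to the client as a routing address.
config vpn ssl web portal
    edit "split-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "Ws1-subnet"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
# 2. Tunnel interface IPs: after NAT, FGT1 sees 10.0.0.2 as the source and routes replies back to it.
# (remote-ip with a netmask is the 6.x syntax; 5.x takes the IP only)
config system interface
    edit "to-FGT1"
        set ip 10.0.0.2 255.255.255.255
        set remote-ip 10.0.0.1 255.255.255.252
    next
end
# 3. Phase 2 selector must cover tunnel IP -> Ws1 subnet, not only LAN -> LAN.
config vpn ipsec phase2-interface
    edit "to-FGT1-p2"
        set phase1name "to-FGT1"
        set src-subnet 10.0.0.2 255.255.255.255
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
# 4. Route to Ws1 via the tunnel, plus the single one-way policy with NAT enabled.
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "to-FGT1"
    next
end
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "to-FGT1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Ws1-subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
# ---- FGT1 (Ws1 side): mirror the selector (src 192.168.1.0/24, dst 10.0.0.2/32),
# add a static route to 10.0.0.2/32 via the tunnel, and one policy from the tunnel to internal.
```

With NAT on FGT2, Ws1 only ever sees 10.0.0.2, so FGT1 needs no route to the SSL VPN client pool; check the client's routing table after login to confirm the Ws1 subnet was pushed.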


live89

Thanks
sw2090
Honored Contributor

I think the easiest way would be to change the private subnet of ws3 in order not to have overlapping subnets, as ws3 is not directly connected to the second FGT.

Then the split tunnel to ws1 would only need to push a route to the ws3 subnet to ws1, and the FGTs also need routes and policies.

Overlapping subnets always create a load of fuss, as you would have to translate them somehow to be able to route traffic.

 

There are some KB and cookbook articles on VPN with overlapping subnets:

https://cookbook.fortinet.com/vpn-overlapping-subnets/index.html

https://kb.fortinet.com/k....do?externalID=FD47283

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
