FortiGate
navellano
Staff
Article Id 274375
Description

This article describes how to allow traffic between two branch offices (Branch_1 and Branch_2) that each have an IPsec VPN tunnel to the head office (HO), without building a direct tunnel between them: the branch-to-branch traffic is carried over the existing hub-and-spoke tunnels through HO.

Scope

FortiGate v6.0 and later.
Solution

Diagram: 

image1.JPG

 

  • The following is the IP address information of all FortiGates:
0.JPG

 

Note:

In a real deployment the WAN IP addresses would be public; for this lab setup, private addresses are used.

 

Prerequisite:

The tunnels between HO and Branch_1 and between HO and Branch_2 should already be configured and up, so that:

  • HO local address 10.10.10.0/24 can establish a connection to Branch_1 local 20.20.20.0/24 and vice versa.
  • HO local address 10.10.10.0/24 can establish a connection to Branch_2 local 30.30.30.0/24 and vice versa.
  • However, connections between Branch_1 local address 20.20.20.0/24 and Branch_2 local address 30.30.30.0/24 are not possible.

 

Pre-test:

  • According to the ping test results below, a connection between Branch1 and Branch2 cannot be established:

 

image2.JPG

 

Routing table:

 

For HO:

image3.JPG

 

For Branch_1:

image4.JPG

 

For Branch_2:

 

image5.JPG

 

Head Office Configuration:

 

  1. Go to VPN -> IPsec Tunnels and edit each of the two tunnels in turn.

HO-Branch_1 Tunnel:

  • Edit the tunnel and add an additional Phase 2 selector.

In the screenshot below the new selector is named Branch2_Branch1:

 

The local address is the Branch_2 LAN address:

  • Local Address: 30.30.30.0/24.

The remote address is the Branch_1 LAN address:

  • Remote Address: 20.20.20.0/24.

 

image6.JPG

 

HO-Branch_2 Tunnel:

  • Edit the tunnel and add an additional Phase 2 selector.

In the screenshot below the new selector is also named Branch2_Branch1:

 

The local address is the Branch_1 LAN address:

  • Local Address: 20.20.20.0/24.

The remote address is the Branch_2 LAN address:

  •  Remote Address: 30.30.30.0/24.

 

image7.JPG

 

  2. Create two firewall policies on HO between the two tunnel interfaces: Branch1 to Branch2 and Branch2 to Branch1.
  • Branch1 to Branch2 policy:

 

image8.JPG

 

config firewall policy
    edit 5
        set name "Branch1_Branch2_Policy"
        set uuid c15a296c-5699-51ee-d95d-208a9c58d8e3
        set srcintf "HO-Branch1"
        set dstintf "HO-Branch_2"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

  • Branch2 to Branch1 policy:

 

9.JPG

 

config firewall policy
    edit 6
        set name "Branch2_Branch1_policy"
        set uuid f9a920e8-5699-51ee-2a7a-e2d9337d8b23
        set srcintf "HO-Branch_2"
        set dstintf "HO-Branch1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Note: both HO policies use srcaddr/dstaddr "all", which is the minimum needed for the lab. In production, restrict them to the branch LAN objects (20.20.20.0/24 and 30.30.30.0/24) so that HO only forwards the intended spoke-to-spoke traffic between the two tunnel interfaces.

 

 

Branch_1 Configuration:

 

  • Create an address object for the Branch_2 LAN (30.30.30.0/24) under Policy & Objects -> Addresses.
  • Edit the Branch_1-HO IPsec tunnel and add a Phase 2 selector with local address 20.20.20.0/24 and remote address 30.30.30.0/24.

 

10.JPG

 

  • Edit the existing firewall policies: add the Branch2 address as an additional destination in the outbound policy and as an additional source in the inbound policy.

 

Outbound policy (the source stays the Branch_1 LAN object; only the destination list gains Branch2_address):

 

11.JPG

 

config firewall policy
    edit 1
        set name "vpn_Branch_1-HO_local_0"
        set uuid 1e1c3fd2-5695-51ee-f2b5-683fa4c37c06
        set srcintf "port2"
        set dstintf "Branch_1-HO"
        set action accept
        set srcaddr "Branch_1-HO_local"
        set dstaddr "Branch_1-HO_remote" "Branch2_address"
        set schedule "always"
        set service "ALL"
    next
end

 

Inbound policy:

 

12.JPG

 

config firewall policy
    edit 2
        set name "vpn_Branch_1-HO_remote_0"
        set uuid 1e6c6476-5695-51ee-4604-caa0a91184ce
        set srcintf "Branch_1-HO"
        set dstintf "port2"
        set action accept
        set srcaddr "Branch_1-HO_remote" "Branch2_address"
        set dstaddr "Branch_1-HO_local"
        set schedule "always"
        set service "ALL"
    next
end

 

  • Create a static route with the Branch2 address (30.30.30.0/24) as the destination, pointing to the tunnel interface Branch_1-HO:

 

13.JPG

 

Branch_2 Configuration:

 

  • Create an address object for the Branch_1 LAN (20.20.20.0/24) under Policy & Objects -> Addresses.

 

14.JPG

 

  • Edit the Branch_2-HO IPsec tunnel and add a Phase 2 selector with local address 30.30.30.0/24 and remote address 20.20.20.0/24:

 

15.JPG

 

  • Edit the existing firewall policies: add the Branch1 address as an additional destination in the outbound policy and as an additional source in the inbound policy.

Outbound policy:

 

16.JPG

 

config firewall policy
    edit 1
        set name "vpn_Branch_2-HO_local_0"
        set uuid 8cce06e0-5695-51ee-3f67-a61d55a88f28
        set srcintf "port2"
        set dstintf "Branch_2-HO"
        set action accept
        set srcaddr "Branch_2-HO_local"
        set dstaddr "Branch_2-HO_remote" "Branch1_address"
        set schedule "always"
        set service "ALL"
    next
end

 

Inbound policy:

 

17.JPG

 

config firewall policy
    edit 2
        set name "vpn_Branch_2-HO_remote_0"
        set uuid 8cd587c6-5695-51ee-96a5-949bdb59aa17
        set srcintf "Branch_2-HO"
        set dstintf "port2"
        set action accept
        set srcaddr "Branch_2-HO_remote" "Branch1_address"
        set dstaddr "Branch_2-HO_local"
        set schedule "always"
        set service "ALL"
    next
end

 

  • Create a static route with the Branch1 address (20.20.20.0/24) as the destination, pointing to the tunnel interface Branch_2-HO:

 18.JPG
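The steps above follow one pattern: on the hub, the tunnel to each branch gets a selector whose local side is the other branch's LAN; on each branch, a selector, policy entries and a static route for the other branch's LAN. The Python script below is an added example, not from the article or Fortinet, that emits the equivalent FortiOS CLI for a hub and any number of spokes (the article shows two). The address-object names (Branch_1_LAN, Branch_2_address), the policy names and the "port2" LAN port are assumptions; unlike the article's HO policies, the generated policies are scoped to the LAN objects rather than "all", and overlapping spoke LANs are rejected before anything is emitted.

```python
"""Spoke-to-spoke reachability through a FortiGate hub: config generator.

Added example for this article, not Fortinet code. The address-object and
policy names and the "port2" LAN port are assumptions modelled on the lab;
the generator also handles more than two spokes, which the article does not.
"""
import ipaddress
from dataclasses import dataclass
from itertools import permutations


@dataclass(frozen=True)
class Spoke:
    name: str          # device label, e.g. "Branch_1"
    lan: str           # LAN prefix as FortiOS writes it: "20.20.20.0 255.255.255.0"
    hub_tunnel: str    # IPsec interface name on the hub, e.g. "HO-Branch1"
    spoke_tunnel: str  # IPsec interface name on the spoke, e.g. "Branch_1-HO"
    lan_if: str = "port2"  # assumed LAN port on the spoke

    def network(self):
        addr, mask = self.lan.split()
        return ipaddress.ip_network(f"{addr}/{mask}")


def check_no_overlap(spokes):
    """Overlapping spoke LANs would make the cross selectors ambiguous."""
    for a, b in permutations(spokes, 2):
        if a.network().overlaps(b.network()):
            raise ValueError(f"{a.name} and {b.name} LANs overlap: {a.lan} / {b.lan}")


def hub_selectors(spokes):
    """Extra phase2 selectors on the hub. On the tunnel to spoke a, the *local*
    side is every other spoke's LAN and the *remote* side is a's own LAN.
    Returns (phase2 name, phase1 name, local subnet, remote subnet)."""
    return [(f"{b.name}_{a.name}", a.hub_tunnel, b.lan, a.lan)
            for a, b in permutations(spokes, 2)]


def spoke_selectors(spoke, spokes):
    """Extra phase2 selectors on one spoke: its own LAN to every other LAN."""
    return [(f"{spoke.name}_{b.name}", spoke.spoke_tunnel, spoke.lan, b.lan)
            for b in spokes if b is not spoke]


def _phase2_block(selectors):
    lines = ["config vpn ipsec phase2-interface"]
    for name, p1, src, dst in selectors:
        lines += [f'    edit "{name}"', f'        set phase1name "{p1}"',
                  f"        set src-subnet {src}", f"        set dst-subnet {dst}", "    next"]
    return "\n".join(lines + ["end"])


def _address_block(entries):
    lines = ["config firewall address"]
    for name, subnet in entries:
        lines += [f'    edit "{name}"', f"        set subnet {subnet}", "    next"]
    return "\n".join(lines + ["end"])


def _policy_block(policies):
    # Scoped to the LAN objects rather than "all": an all/all policy between two
    # tunnel interfaces forwards whatever either spoke later adds to its selectors.
    lines = ["config firewall policy"]
    for name, sif, dif, saddr, daddr in policies:
        lines += ["    edit 0", f'        set name "{name}"', f'        set srcintf "{sif}"',
                  f'        set dstintf "{dif}"', "        set action accept",
                  f'        set srcaddr "{saddr}"', f'        set dstaddr "{daddr}"',
                  '        set schedule "always"', '        set service "ALL"',
                  "        set logtraffic all", "    next"]
    return "\n".join(lines + ["end"])


def render_hub(spokes):
    """Hub: LAN objects, cross selectors, and one policy per ordered spoke pair."""
    check_no_overlap(spokes)
    addrs = [(f"{s.name}_LAN", s.lan) for s in spokes]
    pols = [(f"{a.name}_to_{b.name}", a.hub_tunnel, b.hub_tunnel, f"{a.name}_LAN", f"{b.name}_LAN")
            for a, b in permutations(spokes, 2)]
    return "\n".join([_address_block(addrs), _phase2_block(hub_selectors(spokes)), _policy_block(pols)])


def render_spoke(spoke, spokes):
    """Spoke: peer LAN objects, selectors, in/out policies and a static route per peer."""
    check_no_overlap(spokes)
    others = [b for b in spokes if b is not spoke]
    addrs = [(f"{spoke.name}_LAN", spoke.lan)] + [(f"{b.name}_address", b.lan) for b in others]
    pols, routes = [], ["config router static"]
    for b in others:
        pols.append((f"{spoke.name}_to_{b.name}", spoke.lan_if, spoke.spoke_tunnel,
                     f"{spoke.name}_LAN", f"{b.name}_address"))
        pols.append((f"{b.name}_to_{spoke.name}", spoke.spoke_tunnel, spoke.lan_if,
                     f"{b.name}_address", f"{spoke.name}_LAN"))
        routes += ["    edit 0", f"        set dst {b.lan}",
                   f'        set device "{spoke.spoke_tunnel}"', "    next"]
    return "\n".join([_address_block(addrs), _phase2_block(spoke_selectors(spoke, spokes)),
                      _policy_block(pols), "\n".join(routes + ["end"])])


# The article's lab, with the tunnel names it uses on each side.
LAB = [Spoke("Branch_1", "20.20.20.0 255.255.255.0", "HO-Branch1", "Branch_1-HO"),
       Spoke("Branch_2", "30.30.30.0 255.255.255.0", "HO-Branch_2", "Branch_2-HO")]

if __name__ == "__main__":
    print("# HO\n" + render_hub(LAB))
    for s in LAB:
        print(f"\n# {s.name}\n" + render_spoke(s, LAB))
```

Run the script and paste each device's section into that FortiGate's CLI. Afterwards, get router info routing-table all on each branch should list the peer LAN via its tunnel interface, and diagnose vpn tunnel list name <tunnel> should show the added selector pair on both ends of each tunnel.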

 

 

After the changes, test the connectivity between Branch1 and Branch2.

 

  • Network 30.30.30.0/24 is now in the routing table of FGT Branch_1:

 

19.JPG

 

  • Branch_1 can now reach Branch_2:

 

20.JPG

 

  • On FortiGate Branch_2, network 20.20.20.0/24 (Branch1) is now visible in the routing table:

 

21.JPG

 

  • Branch_2 can now reach Branch_1:

 

22.JPG

 

Related article:

Technical Tip: How to configure VPN Site to Site between FortiGates (Using VPN Setup Wizard)