Fortigate to Fortigate VPN with ISA on one side. =\

Posted on 2008-11-19
Last Modified: 2012-06-27
Situation:

Need to design a persistent VPN between two Fortigate units (easy part)  

Main site has an ISA 2004 firewall installed on SBS 2003 connected to a Fortigate 60.
The SBS box is the gateway for the site and utilizes ISA for rules to govern clients, which is not possible on the Fortigate with its AD integration, thus it can't be removed. (192.168.100.0/255.255.255.0 for the Fortigate/SBS side of the network and 192.168.50.0/255.255.255.0 for internal)

The secondary site is just a network of PCs, no server, with a Fortigate 50. (192.168.8.0/255.255.255.0)

We have set up an IPSEC VPN between the two Fortigates which seems to be connecting fine; from the remote site, we can ping the DMZ (reason for this) interface of the Fortigate on the remote site.

We spoke to our Fortigate distro tech support and they advised that pushing a VPN through ISA can be tricky, so to "sidestep" it by pushing the VPN out of the DMZ on the Fortigate 60, which would be connected to the internal LAN. Done this and connected the DMZ to the internal LAN with IP address 192.168.50.67.

Pings and tracerts to 192.168.50.67 from the remote site are successful; anything else on the 192.168.50.0 network fails, I think because the gateway for these devices is ISA?

So I went to work on setting up a route in ISA to push traffic aimed at the remote site (192.168.8.0/255.255.255.0) to use 192.168.50.67 (DMZ) as the gateway.

ISA Route Table:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.100.2    192.168.100.1     20
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
      192.168.8.0    255.255.255.0    192.168.50.67     192.168.50.1      1   <- ADDED ROUTE
     192.168.50.0    255.255.255.0     192.168.50.1     192.168.50.1     10
     192.168.50.1  255.255.255.255        127.0.0.1        127.0.0.1     10
    192.168.50.28  255.255.255.255        127.0.0.1        127.0.0.1     50
   192.168.50.255  255.255.255.255     192.168.50.1     192.168.50.1     10
    192.168.100.0    255.255.255.0    192.168.100.1    192.168.100.1     20
    192.168.100.1  255.255.255.255        127.0.0.1        127.0.0.1     20
  192.168.100.255  255.255.255.255    192.168.100.1    192.168.100.1     20
        224.0.0.0        240.0.0.0     192.168.50.1     192.168.50.1     10
        224.0.0.0        240.0.0.0    192.168.100.1    192.168.100.1     20
  255.255.255.255  255.255.255.255     192.168.50.1     192.168.50.1      1
  255.255.255.255  255.255.255.255    192.168.100.1    192.168.100.1      1
Default Gateway:     192.168.100.2
===========================================================================
Persistent Routes:
  None

This, I would have imagined, would have fixed the issue, but alas no.

Tracert to 192.168.8.anything gives Dest Host Unreachable instantly.

I would have expected a tracert to say "192.168.50.67 reports: Destination host unreachable" if the routing in the Fortigate was stuffed up.

I don't know ISA too well, so any assistance would be great.
Question by:Superdata
LVL 7

Expert Comment

by:Dusan_Bajic
ID: 23019489
Everything seems fine. Try adding this same route in one of your internal clients and try tracing to remote site (so it wouldn't go through ISA) and see what happens.
LVL 1

Author Comment

by:Superdata
ID: 23047839
Sorry for the delay on this one; I am waiting for another Fortigate 60 to turn up, as the other one had to be put into production so I can't test with it. Should have an answer on Monday with how that bit went.

IF that does work, then what will be required to fix my problem on ISA?

Or does someone have another solution on how to better bypass ISA?
LVL 1

Author Comment

by:Superdata
ID: 23053637
OK, tested.

If I added a route to my PC it worked fine; however, this is not really a solution. I need to get the server to recognise the route for all clients and itself, obviously.

Anyone have any idea why the route on the server isn't working? (I have a feeling ISA needs to be adjusted in some way?)
LVL 7

Accepted Solution

by:Dusan_Bajic (earned 1500 total points)
ID: 23054408
OK, the problem is somewhere within ISA. Try this: Configuration, Networks, Internal, Properties, Addresses. You should have all your internal subnets listed there (including the remote one). Check this first.
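As an added example (not code from the question or from any poster), the following Python check models the diagnosis above: it does a longest-prefix lookup over the route table posted in the question and then tests whether the destination falls inside ISA's Internal network address ranges. The Internal ranges are assumed values, not taken from the page; the route table text is the one from the question, trimmed to the relevant lines.

```python
import ipaddress

# Route table lines from the question (trimmed to the relevant routes).
ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.100.2    192.168.100.1     20
      192.168.8.0    255.255.255.0    192.168.50.67     192.168.50.1      1
     192.168.50.0    255.255.255.0     192.168.50.1     192.168.50.1     10
    192.168.100.0    255.255.255.0    192.168.100.1    192.168.100.1     20
Default Gateway:     192.168.100.2
"""

# Assumed ISA "Internal" network address ranges (hypothetical values):
# before the fix only the LAN subnet, after the fix also the remote VPN subnet.
INTERNAL_BEFORE = ["192.168.50.0-192.168.50.255"]
INTERNAL_AFTER = INTERNAL_BEFORE + ["192.168.8.0-192.168.8.255"]


def parse_routes(text):
    """Parse 'route print' style lines into (network, gateway, interface, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0][0].isdigit():
            dest, mask, gw, iface, metric = parts
            routes.append((ipaddress.IPv4Network(f"{dest}/{mask}", strict=False),
                           ipaddress.IPv4Address(gw), ipaddress.IPv4Address(iface),
                           int(metric)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, lowest metric wins among equal prefixes."""
    cands = [r for r in routes if dst in r[0]]
    return max(cands, key=lambda r: (r[0].prefixlen, -r[3]), default=None)


def in_internal(ranges, addr):
    """True if addr lies in one of the 'lo-hi' ranges ISA lists as Internal."""
    return any(ipaddress.IPv4Address(lo) <= addr <= ipaddress.IPv4Address(hi)
               for lo, hi in (r.split("-") for r in ranges))


def check(route_text, internal_ranges, dst):
    """Return (status, gateway): 'ok', 'no-route', or 'missing-from-internal'."""
    dst = ipaddress.IPv4Address(dst)
    route = lookup(parse_routes(route_text), dst)
    if route is None:
        return ("no-route", None)
    # A route that leaves via an Internal interface toward a subnet ISA does not
    # list as Internal is the gap the accepted solution describes.
    if in_internal(internal_ranges, route[2]) and not in_internal(internal_ranges, dst):
        return ("missing-from-internal", str(route[1]))
    return ("ok", str(route[1]))
```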
LVL 1

Author Comment

by:Superdata
ID: 23074453
OK, added that in and now have some connectivity.

I can RDP from the server to PCs on the remote side of the VPN; I can access folders and ping from local PCs to the remote PCs but not RDP, strange?

Also, from the remote site I can access the server via RDP and access folders, but am having some issues with Outlook syncing with Exchange. Most of it is only possible by IP address.

Do I need to add group policy to add the Windows route to all PCs or should the gateway (the ISA Server) be enough?

Exchange issue: it can find the Exchange server but doesn't proceed: "Cannot open your default email folders. You must connect to Microsoft Exchange with the current profile before you can synchronize your folders with your offline folder file." (I am trying to open my mailbox on a laptop on the remote side.)

Do I need to configure DNS forwarding on the VPN to have hostnames resolve correctly across the VPN, or what's the story here?
LVL 7

Assisted Solution

by:Dusan_Bajic
Dusan_Bajic earned 1500 total points
ID: 23084069
DNS doesn't care about the VPN. If your DNS servers are at the central office, you should simply point your remote clients to use them; nothing special to do about it (but from your symptoms, I would say that you have something misconfigured).
About the RDP problems: create an ISA rule that would allow all from Internal networks to Internal networks.

LVL 1

Author Comment

by:Superdata
ID: 23091781
Once I added the domain suffix and DNS settings into the DHCP of the Fortigate, most of it sprang to life.

Will try the Internal to Internal rule in ISA, makes sense.

Thanks Dusan :)