Solved

Routing traffic between two networks interconnected via two VPN tunnels in a row.

Posted on 2012-09-20
1,314 Views
Last Modified: 2012-09-28
We have two networks connected with IPSEC (172.29.46.0/24 with GW 172.29.46.1 (FG 60c) and 10.0.0.0/24 with GW 10.0.0.95 (FG 80c)). Traffic is routed properly between these networks over the IPSEC tunnel.

We have a separate GW in the 172.29.46.0/24 network with IP 172.29.46.20 which is connected via SSH VPN to the 172.29.83.0/24 network. This remote network’s GW is 172.29.83.33. Traffic is routed properly from the 172.29.83.32/27 network to the 172.29.46.0/24 network.

We have set one route on the GW 172.29.46.1 that routes all traffic towards the 172.29.83.0/24 network through the GW 172.29.46.20. Thus traffic initiated from the 172.29.46.0/24 network is routed properly to 172.29.83.0/24 over the SSH VPN tunnel through the GW 172.29.46.20.

We also have a route on the GW 172.29.46.20 that routes all traffic towards the 10.0.0.0/24 network through the GW 172.29.46.1. Traffic initiated from the 172.29.83.32/27 network is not routed properly to 10.0.0.0/24 over the IPSEC tunnel through the GW 172.29.46.1, though. I can trace traffic leaving e.g. 172.29.83.40 -> reaching 172.29.46.20 -> reaching 172.29.46.1, and after that it times out. It seems that the traffic from the 172.29.83.32/27 network is routed properly up to the GW 172.29.46.1 but cannot be pushed over the IPSEC tunnel. I can trace this traffic on the GW 172.29.46.1 but not on the GW 10.0.0.95.

On the contrary, when I set SNAT on GW 172.29.46.20 for source 172.29.83.32/27 to be NATed to the 172.29.46.20 IP, traffic is routed properly to the 10.0.0.0/24 network (one way).

This makes me understand that the GW 172.29.46.1 doesn’t know how to deal with traffic initiated from the 172.29.83.32/27 network that arrives without being NATed to its internal interface.

Supposing that all the policies are in place, what should we do in order to make 172.29.46.1 understand and deal with traffic coming from an “unknown” network, in my case the 172.29.83.0/24 network?

Question by: djStraTTos
7 Comments
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 38417495
Dear,

Please correct me if I am wrong.

Site B=== Router A=====172.29.83.33/27
Site A=== Router A=====172.29.46.20/24

Site A=== Router B=====172.29.46.1/24
Site C=== Router A=====10.0.0.95/24

Can you confirm the above? If yes, I would like to know what routers (brand and model) you are using.

If I understand right, I would use a hub-and-spoke network, and instead of using two routers I would place one good router at location A (the hub) and route all traffic.
 
LVL 7

Author Comment

by:djStraTTos
ID: 38417534
Dear,

You are correct.

Site A/Router B and Site B/Router A are custom-made maritime Linux routers. (Site B is a vessel.)
Site A/Router B and Site C/Router A are Fortigate 60c and 80c respectively.

Actually, no changes to the H/W used can be made.
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 38417625
Dear,

I am not a maritime Linux router expert, but I just want to tell you that

if you want to communicate flawlessly between routers you need to use hub and spoke. If not, then you need to connect the Site A Router A with Router B and add static routes. Once both routers at site A can talk to each other (using serial, FE, Giga, any interface), start adding VPN tunnels site-wise plus additional routes site-wise. The idea is like below:

Let both routers on Site A communicate with each other.
Add a VPN between Site A Router (1) and Site B Router (1). Once done, add one more route in Site A Router (1) stating that if the source is 172.29.83.33/27 and the destination is 10.0.0.95/24 then the GW is 172.29.46.1/24, and so on.

By the way, I will try to test it in my lab, but on Cisco and SonicWall, and let you know.
 
LVL 7

Author Comment

by:djStraTTos
ID: 38417871
All the above are in place. What seems to happen is that traffic from the 172.29.83.32/27 network, when routed un-NATed to 172.29.46.1, doesn't seem to pass over the IPSEC tunnel to reach the 10.0.0.0/24 network. All static routes are in place. How would I add a source to a static route, though? I can only set that traffic towards 10.0.0.0/24 should be routed to 172.29.46.1; I cannot specify the originating subnet of the traffic in a static route.
 
LVL 16

Expert Comment

by:Syed_M_Usman
ID: 38425817
Dear,

I have tried, but in my case I was using NAT with hub/spoke and it works fine.
I have made an attention request so other Experts can also give attention to your thread.
 
LVL 7

Accepted Solution

by: djStraTTos (earned 0 total points)
ID: 38426504
I found the solution. The 172.29.83.0/23 network had to be included in the configuration of the IPSEC tunnel for the Fortigate to accept it. I rebuilt the tunnel including this subnet in the destination and now it works fine. Thanks a lot for your efforts.
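As an added illustration (not code from the thread or from Fortinet), the following Python models how a policy-based IPsec gateway admits a packet into the tunnel only when its source and destination fall within a configured phase-2 selector pair. It reproduces the three situations described above: un-NATed traffic from 172.29.83.40 being dropped, the one-way SNAT workaround, and the accepted fix of adding the 172.29.83.0/24 subnet to the tunnel. The selector lists and host addresses are constructed from the subnets in the question.

```python
"""Toy model of IPsec phase-2 selector matching at 172.29.46.1 (FG 60c).

Constructed example: the selector tuples and hosts below are assumptions
built from the subnets in the thread, not an export of a real FortiGate.
"""
from ipaddress import ip_address, ip_network

# (local subnet, remote subnet) pairs for the tunnel 172.29.46.1 <-> 10.0.0.95.
ORIGINAL_SELECTORS = [("172.29.46.0/24", "10.0.0.0/24")]
# The fix from the accepted solution: the network behind 172.29.46.20 is added
# as a second local subnet so that it is also protected by the tunnel.
FIXED_SELECTORS = ORIGINAL_SELECTORS + [("172.29.83.0/24", "10.0.0.0/24")]


def mirror(selectors):
    """Selectors as seen from the far end (10.0.0.95): local/remote swapped."""
    return [(remote, local) for local, remote in selectors]


def matches_selector(src, dst, selectors):
    """Return the selector pair that covers src -> dst, or None if none does."""
    s, d = ip_address(src), ip_address(dst)
    for local, remote in selectors:
        if s in ip_network(local) and d in ip_network(remote):
            return (local, remote)
    return None


def forward(src, dst, selectors, snat_to=None):
    """Fate of a packet the routing table has already sent towards the tunnel.

    snat_to models the workaround in the thread: 172.29.46.20 rewriting the
    source to its own address before the packet reaches 172.29.46.1.
    """
    effective_src = snat_to or src
    if matches_selector(effective_src, dst, selectors):
        return "encapsulated"
    return "dropped: no phase-2 selector covers %s -> %s" % (effective_src, dst)


if __name__ == "__main__":
    vessel_host, remote_host, snat_ip = "172.29.83.40", "10.0.0.10", "172.29.46.20"
    print("un-NATed, original :", forward(vessel_host, remote_host, ORIGINAL_SELECTORS))
    print("SNAT workaround    :", forward(vessel_host, remote_host, ORIGINAL_SELECTORS, snat_to=snat_ip))
    # Why SNAT is "one way": nothing on the far side can reach the hidden hosts.
    print("reverse, original  :", forward(remote_host, vessel_host, mirror(ORIGINAL_SELECTORS)))
    print("un-NATed, fixed    :", forward(vessel_host, remote_host, FIXED_SELECTORS))
    print("reverse, fixed     :", forward(remote_host, vessel_host, mirror(FIXED_SELECTORS)))
```

The trace in the question (packets visible on 172.29.46.1 but never on 10.0.0.95) is exactly the "dropped" branch: routing delivered the packet to the gateway, but no selector let it into the tunnel.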
 
LVL 7

Author Closing Comment

by:djStraTTos
ID: 38444067
I opened a case with Fortinet support and provided all this info to them. They proposed doing the above, which worked fine.
Thanks for your efforts.
