Cisco – Routing from IPSec VPN1 to IPSec VPN2 through HQ

ciscofortigateipsecroutingvpn

I have a few remote offices running Cisco 800 Routers and a HQ that is running a Fortigate 80D and an Azure Cloud enviroment that has a VPN Tunnel to the Fortigate.

Now, I have setup IPSec VPN's between all the remote offices and the Fortigate at HQ but I'm having difficulty routing the traffic from the remote sites throught to the Azure enviroment.

Remote site 1 Cisco – 192.168.66.x

HQ Fortigate – 192.168.89.x

Azure – 10.0.0.x

I'm new to newotking so have been strugling with this for a few days now.

Thanks in advance.

Best Answer

Considering you have the IPSec tunnels up and running, that's half the battle, the other half is getting your Fortinet HQ to act as an Internet transport "between" hubs.

With the Forinet you can use either the Policy-Based or Route-Based VPN to enable communication between the spokes.

For a Policy-Based hub-and-spoke VPN, you define a concentrator to enable communication between the spokes.

To define the VPN concentrator 1. At the hub, go to VPN > IPsec > Concentrator and select Create New. 2. In the Concentrator Name field, type a name to identify the concentrator. 3. From the Available Tunnels list, select a VPN tunnel and then select the right-pointing arrow. 4. Repeat Step 3 until all of the tunnels associated with the spokes are included in the concentrator. 5. Select OK.

For a Route-Based hub-and-spoke VPN allowing communication between ONLY two spokes.

• Create a security policy for each pair of spokes that are allowed to communicate with each other. The number of policies required increases rapidly as the number of spokes increases.

To enable communication between two spokes, you need to define an ACCEPT security policy for them. To allow either spoke to initiate communication, you must create a policy for each direction. This procedure describes a security policy for communication from Spoke 1 to Spoke 2. 1. Define names for the addresses or address ranges of the private networks behind each spoke. For more information, see “Defining policy addresses” on page 59. 2. Go to Policy & Objects > Policy > IPv4 and select Create New. 3. Leave the Policy Type as Firewall and leave the Policy Subtype as Address. 4. Enter the settings and select OK.

"Incoming Interface" Select the IPsec interface that connects to Spoke 1. "Source Address" Select the address of the private network behind Spoke 1. "Outgoing Interface" Select the IPsec interface that connects to Spoke 2. "Destination Address" Select the address of the private network behind Spoke 2. "action" Select ACCEPT. "Enable NAT" Enable.

Related Solutions

Cisco IPSEC VPN fail Stage 2

Access lists aren't a problem here.

The output from show cypro isakmp sa tells you that the key negotiation is failing (MM_NO_STATE).

The log entry says that the hub wants to use a transform set (esp-aes, esp-sha-hmac) that you don't support. None of the transform sets on your router include esp-aes, esp-sha-hmac.

I suggest you add that to your list of transforms. While you're at it, unless you really need the others (myset1-5), you might as well take them out.

Your new set will be:

crypto ipsec transform-set mynewset esp-aes esp-sha-hmac

GRE over IPsec between Juniper SRX100 and Fortigate 100D

Respectfully, No. Stand the IPSec connection up. Then, if you need to create a GRE tunnel between other endpoints behind the IPSec peers, say from a pair of computers or something, simply configure the GRE tunnels on those devices.

You do not want or need to create an additional GRE tunnel on the IPSec devices themselves (since you already have a tunnel stood up - the IPSec tunnel).

Best Answer

Related Solutions

Cisco IPSEC VPN fail Stage 2

GRE over IPsec between Juniper SRX100 and Fortigate 100D

Related Topic