In one of my earlier posts (MikroTik IPSEC VPN vendor interoperability), I mentioned the lack of VTI (Virtual Tunnel Interface) support in RouterOS, which is the OS powering our beloved MikroTik routers.

That means you don't get a virtual interface per VPN tunnel, which in turn means you can't create static routes and interoperate with, let's say, a FortiGate that has a VTI tunnel configured on its side, and push traffic from your MikroTik router through the FortiGate to some third site that is not directly connected to your MikroTik router.

Imagine the following scenario: a MikroTik router connected to a FortiGate which has connections to multiple LANs, both locally and via another Site to Site VPN that our MikroTik isn't aware of at all.

So in this scenario, our MikroTik router has an IPSEC Site to Site connection to a FortiGate, which in turn has two local (routed) LANs, 192.168.2.0/24 and 192.168.3.0/24, and which also has a Site to Site connection to a third site with some other firewall (it doesn't matter which one, because the FortiGate is doing the VPN tunnel work; our MikroTik knows nothing about it). That third site has a local IP subnet of 192.168.4.0/24.

We now want our LAN network 192.168.1.0/24, which is behind our MikroTik router, to be able to access 192.168.2.0/24, 192.168.3.0/24 and 192.168.4.0/24, all through that single Site to Site VPN connection between our MikroTik and the FortiGate (red in the diagram), without creating a Site to Site connection between the MikroTik and the "Some other Firewall".

So our FortiGate has this tunnel configuration to our MikroTik router, which is a bog-standard IPSEC tunnel with a virtual tunnel interface (VTI):

config vpn ipsec phase1-interface

Of course, the FortiGate has another tunnel configuration for the Site to Site tunnel to the "Some other Firewall", but that'll be just another VPN tunnel configuration, just like this one, nothing special.
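To make the missing-VTI constraint concrete, here is an added example (mine, not the post's or the author's configuration) of what the MikroTik side of such a tunnel looks like without a virtual interface: a policy-based IPsec setup with one policy per remote subnet, plus the NAT bypass and input rules that are easy to forget. RouterOS v6.44+ syntax is assumed; the WAN addresses, object names and the pre-shared key are placeholders, not values from the post.

```routeros
# Added example, not the post's own configuration. RouterOS v6.44+ syntax.
# Assumed (placeholder) addressing:
#   MikroTik WAN:  203.0.113.10   FortiGate WAN: 198.51.100.20
#   Local LAN:     192.168.1.0/24
#   Remote LANs:   192.168.2.0/24 and 192.168.3.0/24 (behind the FortiGate)
#                  192.168.4.0/24 (behind the "Some other Firewall")

# Phase 1 (IKE) parameters
/ip ipsec profile
add name=fgt-profile enc-algorithm=aes-256 hash-algorithm=sha256 dh-group=modp2048 lifetime=8h

/ip ipsec peer
add name=fgt address=198.51.100.20/32 exchange-mode=ike2 profile=fgt-profile

/ip ipsec identity
add peer=fgt auth-method=pre-shared-key secret="REPLACE-WITH-STRONG-PSK"

# Phase 2 (ESP) parameters
/ip ipsec proposal
add name=fgt-proposal enc-algorithms=aes-256-cbc auth-algorithms=sha256 pfs-group=modp2048 lifetime=1h

# Without a VTI there is no interface to route into, so every remote subnet
# needs its own policy (traffic selector). The third site's subnet is selected
# here even though the MikroTik has no tunnel to it: the FortiGate carries it on.
/ip ipsec policy
add peer=fgt tunnel=yes proposal=fgt-proposal src-address=192.168.1.0/24 dst-address=192.168.2.0/24
add peer=fgt tunnel=yes proposal=fgt-proposal src-address=192.168.1.0/24 dst-address=192.168.3.0/24
add peer=fgt tunnel=yes proposal=fgt-proposal src-address=192.168.1.0/24 dst-address=192.168.4.0/24

# Packets that match an IPsec policy must not be masqueraded, or the selectors
# never match after NAT. The bypass has to sit above the masquerade rule.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0 comment="IPsec bypass"
add chain=srcnat action=masquerade out-interface=ether1-wan

# Allow IKE (UDP 500/4500) and ESP from the FortiGate only.
/ip firewall filter
add chain=input action=accept protocol=udp src-address=198.51.100.20 dst-port=500,4500 place-before=0
add chain=input action=accept protocol=ipsec-esp src-address=198.51.100.20 place-before=0
```

Each of the three policies has to be mirrored by a matching phase 2 selector on the FortiGate side, and the FortiGate needs a route for 192.168.1.0/24 pointing at its tunnel interface; the third firewall likewise needs a route back to 192.168.1.0/24 via its own tunnel to the FortiGate, otherwise return traffic for that subnet is dropped there. The policy list is also the quickest place to check why one subnet works and another does not: `/ip ipsec policy print` shows which selectors have an active SA.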