Multi-Subnet IPSEC VPN with Fortigate OS 4 and Sonicwall

Fortigate and SonicWall, creating a multi-subnet VPN?

You’re Not Crazy!

Sometimes things just do not work the way you *think* they should! But as soon as you see how linking the Fortigate to the SonicWall does work, you’ll see that it really is easy.

I was first going to write an entire post listing every setting you need to get the IPSEC tunnel running with all subnets, but you just don’t need it. In fact, if you are reading this you have already tried everything you could think of and still can’t figure out why only 1 tunnel will activate while the others drop.

Create Multiple Phase 2 Entries!

Yes, that is all there is to it. You can still create 1 policy forcing the traffic over the VPN for all your subnets, but you will need to create a separate Phase 2 entry for each subnet you want to reach through the tunnel.
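To make that rule concrete, here is an added example (not from the original post) that writes out the FortiOS CLI for a route-based tunnel: one phase2-interface entry per local/remote subnet pair, which is what a SonicWall peer expects since it negotiates a separate IPsec SA for every network pair, plus a static route per remote subnet over the tunnel interface. The tunnel name, subnets and proposal are constructed placeholders, and the CLI keywords are the standard FortiOS 4.x ones, so confirm them against your own unit’s CLI reference before pasting.

```python
"""Generate one FortiOS Phase 2 (quick mode) entry per subnet pair.

Added example, not code from the original post. The tunnel name and all
addresses are constructed placeholders; the CLI keywords (config vpn ipsec
phase2-interface, phase1name, src-subnet, dst-subnet, config router static)
are assumed to match FortiOS 4.x and should be checked on the target unit.
"""
import ipaddress
from itertools import product


def phase2_entries(phase1_name, local_subnets, remote_subnets,
                   proposal="aes256-sha1"):
    """Return FortiOS CLI text with one phase2-interface entry per
    (local, remote) pair. A SonicWall peer proposes a separate SA for
    each pair, so the FortiGate needs a matching selector for each one
    rather than a single entry covering an address group."""
    locals_ = [ipaddress.ip_network(s, strict=True) for s in local_subnets]
    remotes = [ipaddress.ip_network(s, strict=True) for s in remote_subnets]
    # Overlapping selectors make SA selection ambiguous on the peer;
    # refuse them up front instead of debugging a tunnel that half works.
    for a, b in product(locals_, remotes):
        if a.overlaps(b):
            raise ValueError(f"local {a} overlaps remote {b}")
    lines = ["config vpn ipsec phase2-interface"]
    for i, (src, dst) in enumerate(product(locals_, remotes), start=1):
        lines += [
            f'    edit "{phase1_name}-p2-{i}"',
            f'        set phase1name "{phase1_name}"',
            f"        set proposal {proposal}",
            f"        set src-subnet {src.network_address} {src.netmask}",
            f"        set dst-subnet {dst.network_address} {dst.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def static_routes(phase1_name, remote_subnets):
    """Return one static route per remote subnet pointing at the tunnel
    interface, so traffic for every remote network actually enters the
    VPN ('edit 0' lets FortiOS pick the next free route sequence)."""
    lines = ["config router static"]
    for net in (ipaddress.ip_network(s, strict=True) for s in remote_subnets):
        lines += [
            "    edit 0",
            f"        set dst {net.network_address} {net.netmask}",
            f'        set device "{phase1_name}"',
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def count_entries(config_text):
    """Count 'edit' lines, i.e. how many objects a config block creates."""
    return sum(1 for l in config_text.splitlines()
               if l.strip().startswith("edit "))


if __name__ == "__main__":
    # Constructed sample: two local subnets, three remote subnets.
    local = ["10.1.1.0/24", "10.1.2.0/24"]
    remote = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]
    print(phase2_entries("to-sonicwall", local, remote))
    print(static_routes("to-sonicwall", remote))
```

Note that the number of Phase 2 entries grows as local subnets times remote subnets, which is why a large site pairing quickly reaches the hundreds of entries one commenter mentions; the firewall policy itself can still be a single rule using address groups, it is only the quick mode selectors that must be enumerated.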

Still need help?

Just comment below or create a help ticket and I will be glad to help you configure your IPSEC tunnels properly.

Comments

  1. Skip says

    You freaking ROCK!!!!  I spent days… not hours, but DAYS in my datacenter trying to figure this out!  Of course Fortinet tech support was no help at all, but your post solved it in 5 minutes :)  If you were here I’d give you a hug and buy you a beer!

  2. spy178 says

    Hey Jim, I’m about to run into this same scenario. Just curious, did you try to use a “Policy” based VPN? For the Multiple Phase 2 “workaround” as I like to call it, I will have to use over 300 Phase 2 policies for a single VPN…no good. I’m going to try it with a policy based vpn, but unfortunately I do not have access to the far end, so have to wait until we have a change window determined with the far end to try it out…More info, we’re migrating on our side from an ASA to Fortigate.

  3. says

    Hey Spy,

    I think you stumbled onto the issue between the SW and Fortigates. Sonicwalls are route based VPN’s and I don’t believe they allow for policy based. However the Fortigates are policy based, which is why we need to create so many extra phases when connecting to the sonicwalls.

    I am not sure about the Cisco ASA’s as I haven’t configured one in a long time, however I feel that you may have a lot more luck with Cisco over Sonicwall when configuring this.

    If you do get a solution I would really appreciate if you could let me know how you did it.

    Thanks,

  4. Charles Mendoza says

    OMG, you are so AWESOME, I yelled and cursed at everyone at Fortinet and Sonicwall for not providing the right information. Where were you 2 days ago. From now on I am googling before relying on vendor support. THANK YOU!!!

  5. Chris says

    This got me significantly further than I had before. I now show two active VPN tunnels between my sonicwall and fortigate, however traffic is only routing for one of the two. Network path diagnostic on the sonicwall shows that IPs on the inoperable remote subnet are on the “U0” interface, while the working subnet is on the VPN: subnet. Adding a static route does not give me this interface as an option, so it appears there is no way to properly route traffic for the second subnet even though the tunnel is active. I’m stuck… Any advice?

  6. says

    Hello Chris,

    Normally I need to setup the network objects on the Sonicwall and Fortinet first. When you set them up you can select the interface that they belong to.

    If you are having issues, I would be more than willing to assist you. Just email me directly with your config(s) and I will look them over for you.

    I have 3 sonicwalls connecting to my fortinet with 3 subnets so I think I can help you get it functioning.

  7. Bob says

    I have the same issue as Chris…. Tunnels are up between the SW and Fortigate 300c using two phase 2s, but you can’t properly figure out a Fortigate policy to route second subnet traffic to another interface on the Fortigate.

    Jim if you have any insight I’d appreciate it.

    Thanks,
    Bob

  8. says

    Hello Bob,

    Contact me directly at jim@thejimgaudet.com and we can chat. This way we don’t have to talk IP’s and things on the site. I will be around tomorrow (03.13.2014) all day. I’d be more than happy to help walk you through the settings necessary to route the traffic.

  9. says

    Wow, thank you so much. Was on the phone with Sonicwall support for over 2 hours before he found this. Great info. You are right, definitely not intuitive.

  10. Michael Morgan says

    I spent so much time staring at this from the LibreSwan side thinking that’s where the problem was. Turns out it was our FortiGate and this was exactly the page I needed to find. Thanks very much.

    Why exactly does the FortiGate let you use an address group for the mode selector then? Sigh…
