Support Forum
dave254
New Contributor

Use Internet over VPN connection.

I have been contacted by a client regarding their network. I am fairly new to Fortinet, so I am not sure how to approach their request.

The client has two offices, one with a FortiGate 60E (HQ) and the other with a FortiGate 30E (regional branch). Both branches have an internet connection from two different ISPs. However, there is a point-to-point VPN connection to the sub-branch. The client wants HQ to use the internet from the regional branch via the VPN connection.

The attached images show the setup for the HQ and for the regional branch.

HQ Branch:

 

Regional Branch:

 

There is an IPsec VPN using the FortiGate Site to Site template on both sides. The regional branch only has one WAN link, while HQ has two WAN links: one for their internet and the point-to-point link to the other branch. The regional branch uses a default gateway of 10.11.0.1. I can ping the gateway from both FortiGates. However, when I try to change the policy used for internet on HQ to use wan1, I can't access the internet. The regional branch has internet access. I need a way to connect to the internet via wan1 on HQ. Any help would be appreciated. Excuse my poor grammar as I am not a native English speaker.

ede_pfau
SuperUser

hi,

and welcome to the forums.

 

The point is that HQ traffic heading for the internet will indeed pass through the VPN if you point the HQ default route to the VPN interface. BUT - you need a new policy on the branch FGT to allow traffic from the VPN interface to its WAN, with source addresses from the HQ LAN. And of course, with NAT enabled (default, i.e. branch WAN address as source NAT address).

 

Second, think about this: if ALL HQ traffic is to be routed to the VPN, how does the HQ FGT initially reach the branch's public WAN address?

For this, you need an additional route on the HQ FGT with destination "public IP of branch FGT" as /32, pointing to WAN instead.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
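To make the two pieces of Ede's answer concrete, here is an added FortiOS CLI example. It is not configuration from the original post, from Ede, or from Fortinet's template; every name and address in it is assumed or constructed: the tunnel interface is called "to-branch" on HQ and "to-hq" on the branch, the HQ LAN is 192.168.1.0/24, the branch's public VPN endpoint is 203.0.113.10, the HQ link that carries the tunnel is wan1 with next hop 192.0.2.1, the branch internet link is wan1, and the policy and route IDs are placeholders to be replaced with the ones the Site-to-Site template created.

```fortios
# ---- HQ FortiGate (60E) ---------------------------------------------
# Assumed: tunnel interface "to-branch", tunnel carried over wan1 whose
# next hop is 192.0.2.1, branch VPN endpoint 203.0.113.10 (constructed).

config router static
    # 1) Send all internet-bound traffic into the tunnel (Ede's first point).
    edit 10
        set dst 0.0.0.0 0.0.0.0
        set device "to-branch"
        set comment "default route via branch VPN"
    next
    # 2) Host route so the tunnel endpoint itself stays reachable on the
    #    physical link (Ede's second point). Without it the default route
    #    above would try to send the IKE/ESP packets into the tunnel and
    #    the VPN could never come up.
    edit 11
        set dst 203.0.113.10 255.255.255.255
        set gateway 192.0.2.1
        set device "wan1"
        set comment "branch VPN peer - keep out of tunnel"
    next
end

# Phase 2 selectors must cover "any destination", otherwise internet-bound
# packets never match the tunnel. The template usually creates selectors
# limited to the two LANs, so widen the HQ side and mirror it on the branch.
config vpn ipsec phase2-interface
    edit "to-branch"
        set phase1name "to-branch"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

config firewall policy
    # LAN -> tunnel for any destination. NAT stays off here: the branch
    # does the source NAT, and its policy must see the real HQ LAN source.
    edit 20
        set name "HQ-LAN-to-Internet-via-branch"
        set srcintf "internal"
        set dstintf "to-branch"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# ---- Branch FortiGate (30E) -----------------------------------------
# Assumed: tunnel interface "to-hq", internet link "wan1".

config firewall address
    edit "HQ_LAN"
        set subnet 192.168.1.0 255.255.255.0
    next
end

config vpn ipsec phase2-interface
    edit "to-hq"
        set phase1name "to-hq"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

config firewall policy
    # Tunnel -> WAN, restricted to HQ LAN sources, with source NAT to the
    # branch WAN address (the default NAT behaviour Ede refers to).
    # Logging is on because HQ users now appear on the internet as the
    # branch's public IP, so the branch needs its own record of that traffic.
    edit 30
        set name "HQ-LAN-to-Internet"
        set srcintf "to-hq"
        set dstintf "wan1"
        set srcaddr "HQ_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

To check the result, run `get router info routing-table all` on HQ and confirm the 0.0.0.0/0 route points at the tunnel interface while the /32 for the branch peer points at wan1, then `diagnose vpn tunnel list` on either side to see the widened selectors, and on the branch `diagnose sniffer packet wan1 'host 203.0.113.50' 4` (any internet address will do) while an HQ host browses, to watch the traffic leave with the branch WAN address as its source. Keeping the branch policy's source limited to HQ_LAN rather than "all" is the least-privilege part: it stops anything else that reaches the tunnel interface from borrowing the branch's internet connection.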