Site-to-Site VPN Routing Internet Traffic

Author
robertwb2
Bronze Member
  • Total Posts : 21
  • Scores: 0
  • Reward points: 0
  • Joined: 2013/08/01 20:32:05
  • Status: offline
2017/04/27 17:43:50 (permalink)

So I have something I thought would be quite simple, but I just cannot wrap my head around. 
 
Right now, I have a Site to Site IPSEC VPN setup between my two 100D Fortigates. 
 
What I'm looking to do is route all the traffic from Site B thru Site A so we can use some of the public IPs available at Site A over at Site B. My best thought was to route all the traffic from Site B to Site A and exit out to the internet at Site A, but I cannot get the internet traffic to go thru the tunnel and I was hoping someone could step me thru it and see what I'm doing wrong.
 
Thanks so much

Robert
#1

    ede_pfau
    Expert Member
    • Total Posts : 5140
    • Scores: 320
    • Reward points: 0
    • Joined: 2004/03/09 01:20:18
    • Location: Heidelberg, Germany
    • Status: offline
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 07:42:03 (permalink)
    So, what have you done so far? Do you have a default route in place? Policies?

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    MikePruett
    Platinum Member
    • Total Posts : 581
    • Scores: 6
    • Reward points: 0
    • Joined: 2014/01/08 19:39:40
    • Location: Montgomery, Al
    • Status: online
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 09:03:46 (permalink)
    Yeah, give us an example of how things are on the Gates and we can point you in a general direction.

    Mike Pruett
    Fortinet GURU
    #3
    rwpatterson
    Expert Member
    • Total Posts : 8004
    • Scores: 154
    • Reward points: 0
    • Joined: 2006/08/08 10:08:18
    • Location: Long Island, New York, USA
    • Status: online
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 10:06:30 (permalink)
    For starters, if you want the Internet traffic to flow through the tunnel, you should set that distance shorter than that of your default gateway (at site B). The tunnel should be your preferred gateway, in other words. You may still wish to go out directly for things like DNS, but that's your call.

    -Bob - self proclaimed posting junkie!
    See my Fortigate related scripts at: http://fortigate.camerabob.com

    -4.3.18-b0689
    FGT60B
    FWF60B
    FWF80CM (2)
    FWF81CM
     
    #4
    robertwb2
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 10:26:52 (permalink)
    So I think I got it going, but I'm not sure what I did is correct.
     
    I was changing the static route on Site B to go thru the Tunnel Interface. On my Site A fortigate I had set up a VPN_interface to WAN firewall rule to allow that traffic to go out. When I would change the static route on Site B to go thru the Tunnel and change the distances, I would lose all connection at Site B. No traffic was going thru.
     
    So I created a new Phase 2 line in my Tunnel at each end.
    Site A: Local Address: 0.0.0.0/0 - Remote Address: Site B/24
    Site B: Local Address: Site B/24 - Remote Address: 0.0.0.0/0
     
    And it started working perfectly.
     
    So like I said, I'm not sure that's the correct way to do it, and I hope I didn't miss a step describing it here, but if there is a better way to do it, I'm 100% open to hearing that I'm wrong! ha!
     
    Thanks
     
    Robert
    #5
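The Site B half of the setup Robert describes, written out as FortiOS CLI. This is an added example, not configuration posted in the thread: the interface names (to-SiteA, wan1, internal), the Site B LAN 192.168.2.0/24, the Site B WAN gateway 198.51.100.1 and Site A's public address 203.0.113.1 are all assumed placeholders. It shows the phase 2 selector pair from the post (local Site B/24, remote 0.0.0.0/0), the default route into the tunnel with a lower distance than the wan1 default route as suggested in reply #4, and a LAN-to-tunnel policy. The host route for Site A's public IP via wan1 is an addition not mentioned in the thread: once the default route points at the tunnel, the FortiGate's own IKE/ESP packets to the peer must still leave via wan1, otherwise they would be routed into the tunnel they are trying to build.

```fortios
# Site B FortiGate (assumed names and addresses, see lead-in)

config firewall address
    edit "SiteB-LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Phase 2: local = Site B LAN, remote = anything (Internet via Site A).
# The tunnel interface "to-SiteA" is the phase 1 of the existing site-to-site VPN.
config vpn ipsec phase2-interface
    edit "SiteB-Internet-via-SiteA"
        set phase1name "to-SiteA"
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
        set auto-negotiate enable
    next
end

config router static
    # Host route so IKE/ESP to the Site A peer always leaves via wan1.
    edit 0
        set dst 203.0.113.1 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
        set distance 1
    next
    # Preferred default route: into the tunnel (distance 5 beats the wan1 default).
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "to-SiteA"
        set distance 5
    next
    # Fallback default route via the local ISP; only active while the tunnel is down.
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan1"
        set distance 10
    next
end

# Policy allowing the LAN out through the tunnel. No NAT here: Site A does the
# NAT to its public address, and the phase 2 selector expects Site B LAN sources.
config firewall policy
    edit 0
        set name "SiteB-LAN-to-Internet-via-SiteA"
        set srcintf "internal"
        set dstintf "to-SiteA"
        set srcaddr "SiteB-LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end
```

With the tunnel up, `get router info routing-table all` on Site B should show the 0.0.0.0/0 route via to-SiteA (distance 5) as active and the wan1 default route as inactive; if the tunnel drops, the wan1 route takes over and Site B browses directly, which is worth knowing before relying on this design for filtering.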
    rwpatterson
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 10:44:53 (permalink)
    In your own best interest, you should narrow down tunnel phase 2 selectors to the smallest subnets possible. This will eliminate stray routing issues like you just saw. If you are using a routing protocol (such as OSPF), that may not be possible.

    #6
    robertwb2
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 11:42:39 (permalink)
    I agree, I'm not too keen on what I did in Phase 2, but it's the only thing I could figure out to make all internet traffic go over the tunnel. What else can I do to force all the internet traffic over the VPN tunnel?
     
    Like I said, I'm pretty sure I'm wrong here so let me have it! ha!
     
    Robert
    #7
    rwpatterson
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 11:52:47 (permalink)
    robertwb2
    I agree, I'm not too keen on what I did in Phase 2, but it's the only thing I could figure out to make all internet traffic go over the tunnel. What else can I do to force all the internet traffic over the VPN tunnel?
     
    Like I said, I'm pretty sure I'm wrong here so let me have it! ha!
     
    Robert


    LOL! The traffic going through the tunnel is dependent on the source IP, not the destination, so you only need to specify the interesting traffic that's originating from site B headed towards site A in the phase 2 selectors. There will be no spankings here. It's better to learn from your mistakes than being burned at a stake. ;-)

    #8
    robertwb2
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 12:16:41 (permalink)
    Ok, so this is where my knowledge breaks down, I'm not sure what to specify in that phase 2 to make it work.
     
    We already have the IPSEC VPN working between the two sites for internal traffic. Yet when I take out that all encompassing phase 2 line (0.0.0.0/0) the internet traffic does not flow (the internal site to site traffic is ok), even tho I have my static routes setup and the policies set too. So that is where I'm at a loss.
     
    Thanks so much for your help so far
     
    Robert
    post edited by robertwb2 - 2017/04/28 12:22:14
    #9
    rwpatterson
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 12:23:40 (permalink)
    OK, for this 'lesson', we'll focus on Site A. The selectors local should be 0.0.0.0/0 because you want all Internet traffic to flow down the tunnel. The remote was fine designated as the subnet over there. That was perfect, for your case.
     
    The other option would be to use the local subnet as the local selector, and in the 'Site B-> Internet' policy, NAT all inbound traffic to an address on the Site A local LAN. The selectors would then only need to be local: Site A subnet and remote: Site B subnet. All internet traffic would be NATted to a single IP address on the LAN, so the tunnel scope would be nice and small.

    #10
    rwpatterson
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 12:29:27 (permalink)
    On second thought, not sure if that would work. You would need to NAT on the way out too. I guess you are stuck with the wide scope on the local side. It is acceptable though since you have a small scope provisioned for Site B.

    #11
    robertwb2
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 12:31:29 (permalink)
    I am thinking I want to use the other option you explained there. What I'm needing is traffic from Site B to have an IP address from Site A. I am going to mess with this here this afternoon, and hope I can get it going. I want that tunnel scope to be small like you mentioned, so that's the end goal!
    #12
    robertwb2
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 12:54:18 (permalink)
    I must be missing something simple. Without having my Phase 2 setup like:
    Site A: Local Address: 0.0.0.0/0 - Remote Address: Site B/24
    Site B: Local Address: Site B/24 - Remote Address: 0.0.0.0/0
     
    I cannot get anything to go. The static routes are in, the policies are created and when I have my Phase 2 with that setup, I am able to get out to the internet at Site B using Site A's connection. Anything other than that setup, and I lose it all. I'm still brainstorming. Thanks
     
    Robert
    #13
    MikePruett
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 13:48:40 (permalink)
    Yeah, you need to have the phase 2s specific. (You could be lazy and just do 0.0.0.0 for local and remote subnets on the phase 2s and the tunnel will accept any traffic, but it isn't best practice.)
    #14
    MikePruett
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 13:51:44 (permalink)
    Actually, you may have to use quad zeros as the internet traffic will have IPs you don't know of. So 0.0.0.0 on both sides may be necessary.

    #15
    robertwb2
    Re: Site-to-Site VPN Routing Internet Traffic 2017/04/28 14:03:16 (permalink)
    Ok, so I'm not going crazy! ha!
     
    So what would you say is the best way to achieve what I'm trying to do? I need a group of Site B (local) IPs to have a public IP from Site A. How else could I achieve getting traffic thru to the other side, without opening up a whole can of 0.0.0.0s?
     
    Basically I'm trying to get a small group of IPs of a guest "network" to have the same public IP so that I can run it thru a cloud filtering system.
     
    Thanks so much
     
    Robert
    post edited by robertwb2 - 2017/04/28 14:04:46
    #16
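The Site A half, covering the end goal stated in the last post (a group of Site B guest addresses leaving Site A with one fixed public IP) together with the selector layout rwpatterson settles on in replies #10 and #11 (local 0.0.0.0/0, remote Site B/24). This is an added example, not configuration from the thread; the tunnel interface to-SiteB, wan1, the Site B LAN 192.168.2.0/24, the guest range 192.168.2.128/25 within it, and the public address 203.0.113.10 are assumed placeholders. The guest-only source address and the IP pool are the part the thread asks about but never shows: the selector stays at the whole Site B /24, while the policy decides which Site B sources get Internet via Site A and what public IP they are NATted to. Note that with a local selector of 0.0.0.0/0, the peer can send the tunnel traffic for any destination reachable from Site A, including Site A's own LAN, so the policies on to-SiteB, not the selectors, are what restricts that.

```fortios
# Site A FortiGate (assumed names and addresses, see lead-in)

config firewall address
    edit "SiteB-LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
    # Guest range at Site B that should share one Site A public IP
    edit "SiteB-Guest"
        set subnet 192.168.2.128 255.255.255.128
    next
end

# Phase 2: local = anything (Internet on behalf of Site B), remote = Site B LAN.
# Mirror of the Site B selector pair; the remote side stays narrow.
config vpn ipsec phase2-interface
    edit "SiteA-Internet-for-SiteB"
        set phase1name "to-SiteB"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Return route for Site B's LAN through the tunnel (normally already present
# for the existing site-to-site traffic).
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "to-SiteB"
        set distance 10
    next
end

# Single public address from the Site A block, used as an overload (PAT) pool so
# every guest host at Site B appears as 203.0.113.10 to the cloud filtering service.
config firewall ippool
    edit "SiteB-Guest-Public"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# Tunnel -> Internet policy. Source is restricted to the guest range; other Site B
# hosts arriving on the tunnel with Internet destinations match no policy and are dropped.
config firewall policy
    edit 0
        set name "SiteB-Guest-to-Internet"
        set srcintf "to-SiteB"
        set dstintf "wan1"
        set srcaddr "SiteB-Guest"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set ippool enable
        set poolname "SiteB-Guest-Public"
    next
end
```

Keep this policy above any broader to-SiteB to wan1 rule in the policy order, since FortiOS matches top-down; and because the NAT happens at Site A on the way out, no NAT is needed on the return path, which is the concern raised in reply #11 about the alternative design.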