Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MontanaMike
Contributor

Force Local Firewall Traffic Through IPSec VPN

This seems like I've missed something really basic here. I've got two FortiGates connected to each other over an IPsec VPN through the internet, one at my remote office and one at the main office. Clients on both sides can communicate with each other without any problems; however, I cannot get the remote firewall itself to send data (or ping) to a FortiAnalyzer on the main office side of the network. Based on flow/packet traces and the remote firewall logs, the packets don't seem to be traversing the VPN tunnel and seem to be just going out the Internet/WAN interface, which of course is blocked by the Internet interface on the main branch firewall.

I'm at a loss considering the clients on the remote side can hit addresses on the main office side. Any ideas?

-Mike
2 REPLIES
neonbit
Valued Contributor

I believe it's to do with the SRC address.

On the remote FGT side you can try changing the FGT's source address to its internal network IP address.

config log fortianalyzer setting
    set source-ip <FGT's internal IP address>
end

Same thing happens with the ping. You can change the source IP address when you try to ping from the FGT.

execute ping-options source <FGT's internal IP address>
execute ping <remote FAZ>
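The steps in the reply above, written out as one added walk-through on the remote FortiGate (my own worked example, not neonbit's or Fortinet's configuration). All addresses and names are assumptions: 192.168.20.1 is the remote FortiGate's IP on its "internal" interface, 10.10.10.50 is the FortiAnalyzer at the main office, "to-HQ" is the IPsec tunnel interface and "wan1" is the Internet-facing interface. It goes a little beyond the reply by showing how to see which interface the packets actually leave on, and by applying the same source-address fix to the other self-originated services (DNS, NTP, syslog) that choose their source IP the same way.

```fortios
# Added example, not from the original post. Assumed values:
#   192.168.20.1 = remote FortiGate internal IP (interface "internal")
#   10.10.10.50  = FortiAnalyzer at the main office
#   to-HQ        = IPsec tunnel interface to the main office
#   wan1         = remote FortiGate Internet-facing interface

# 1. Confirm the FAZ address is routed into the tunnel at all.
#    If the best route points at wan1 instead of to-HQ, fix routing first.
get router info routing-table details 10.10.10.50

# 2. Reproduce the problem with a ping sourced from the default (WAN) address.
#    In a second CLI session, watch where the packets go (verbose 4 prints
#    the interface name next to each packet):
#    diagnose sniffer packet any 'host 10.10.10.50 and icmp' 4 10
execute ping-options reset
execute ping 10.10.10.50

# 3. Source the ping from the internal address and re-test.
#    The sniffer should now show the ICMP leaving via to-HQ, not wan1.
execute ping-options source 192.168.20.1
execute ping 10.10.10.50
execute ping-options reset

# 4. Make FortiAnalyzer logging use the same source address.
config log fortianalyzer setting
    set status enable
    set server 10.10.10.50
    set source-ip 192.168.20.1
end

# 5. Other self-originated services that must cross the VPN have their own
#    source-ip setting and need the same treatment.
config system dns
    set source-ip 192.168.20.1
end
config system ntp
    set source-ip 192.168.20.1
end
config log syslogd setting
    set source-ip 192.168.20.1
end

# 6. Check the FAZ connection from the FortiGate side.
execute log fortianalyzer test-connectivity
```

Two things to check on the main-office side before blaming the remote unit: the phase 2 selectors of the tunnel and the firewall policy from the tunnel interface to the FortiAnalyzer's segment must both cover 192.168.20.1. When that address sits inside the client subnet that already works, this is normally already true, which is why changing only the source IP is enough. Newer FortiOS releases also let you pin the outgoing interface with `set interface-select-method specify` and `set interface to-HQ` under the same `config log fortianalyzer setting` block; use `?` in the CLI to confirm the option exists on your release.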

MontanaMike

neonbit wrote:

I believe it's to do with the SRC address.

On the remote FGT side you can try changing the FGT's source address to its internal network IP address.

config log fortianalyzer setting
    set source-ip <FGT's internal IP address>
end

Same thing happens with the ping. You can change the source IP address when you try to ping from the FGT.

execute ping-options source <FGT's internal IP address>
execute ping <remote FAZ>

That worked perfectly! Thanks!

-Mike