Force Local Firewall Traffic Through IPSec VPN

Author
MontanaMike
2017/12/19 09:57:59 (permalink)

Force Local Firewall Traffic Through IPSec VPN

This seems like I've missed something real basic here.  I've got two Fortigates connected to each other over an IPSec VPN through the internet.  One at my remote office and one at the main office.  Clients on both sides can communicate with each other without any problems however I cannot get the remote firewall itself to send data (or ping) a FortiAnalyzer on the side of my main office network.  Based on flow/packet traces and the remote firewall logs, the packets don't seem to be traversing the VPN tunnel and seem to be just going out the Internet/WAN interface which of course are blocked by the Internet interface on the main branch firewall.
 
I'm at a loss considering the clients on the remote side can hit addresses on the main office side.  Any ideas?

-Mike


#1


    neonbit
    Re: Force Local Firewall Traffic Through IPSec VPN 2017/12/20 03:34:41 (permalink)
    I believe it's to do with the SRC address.
     
    On the remote FGT side you can try changing the FGT's source address to its internal network IP address.
     
    config log fortianalyzer setting
    set source-ip <FGTs internal IP address>
    end
     
    Same thing happens with the ping. You can change the source IP address when you try to ping from the FGT.
     
    execute ping-options source <FGTs internal IP address>
    execute ping <remote FAZ>
    #2
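    Added example, not part of the thread: a FortiGate's self-originated traffic (FortiAnalyzer logging, pings, syslog, NTP, DNS) is sourced from the egress interface's address unless a source-ip is set, so from the remote unit it leaves with the WAN address, falls outside the tunnel's selectors and goes out the Internet interface. The block applies the fix from the reply above to the other services that carry the same option and then checks the result with the built-in sniffer; the addresses and the tunnel interface name are assumed values.

```fortios
# Constructed values (not from the thread): remote FGT internal interface 10.20.0.1/24,
# FortiAnalyzer 10.10.0.50 behind the main-office FGT, tunnel interface "to-mainoffice".
# Assumes the Phase 2 selectors already cover 10.20.0.0/24 -> 10.10.0.0/24.
config log fortianalyzer setting
    set status enable
    set server 10.10.0.50
    set source-ip 10.20.0.1
end

# The same option exists for other self-originated services; set it so they
# also enter the tunnel instead of leaving via the WAN interface.
config log syslogd setting
    set source-ip 10.20.0.1
end
config system ntp
    set source-ip 10.20.0.1
end
config system dns
    set source-ip 10.20.0.1
end

# Check: ping from the internal address, then reset ping options so later
# tests are not silently sourced from the same address.
execute ping-options source 10.20.0.1
execute ping 10.10.0.50
execute ping-options reset

# Confirm the packets ride the tunnel: they should appear here, not on wan1.
diagnose sniffer packet to-mainoffice 'host 10.10.0.50' 4
diagnose vpn tunnel list
```

    If the sniffer on the tunnel interface stays silent while the same filter on wan1 shows the packets, the source address still does not match the tunnel's selectors or the policy allowing it.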
    MontanaMike
    Re: Force Local Firewall Traffic Through IPSec VPN 2017/12/20 06:49:39 (permalink)
    neonbit
    I believe it's to do with the SRC address.
     
    On the remote FGT side you can try changing the FGT's source address to its internal network IP address.
     
    config log fortianalyzer setting
    set source-ip <FGTs internal IP address>
    end
     
    Same thing happens with the ping. You can change the source IP address when you try to ping from the FGT.
     
    execute ping-options source <FGTs internal IP address>
    execute ping <remote FAZ>

    That worked perfectly!  Thanks!

    -Mike


    #3