- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- [Solved] Push internet trafic into an IPSEC tunnel...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
[Solved] Push internet trafic into an IPSEC tunnel (via interface mode) does not work
Hi All
Thanks for reading. I've mounted IPSec tunnel from SITE A (many subnets) to SITE B (remote office, one subnet)
All work as expected, but i' need to push internet trafic into the tunnel from site B to site A. Here some details:
Site B Configuration:
config vpn ipsec phase1-interfaceBecause i've put dst-name "all" i have to push static route (and a blackwole was added too)
edit "FortiChili"
set interface "wan1"
set keylife 96400
set mode aggressive
set peertype any
set comments "VPN: FortiChili"
set wizard-type static-fortigate
set remote-gw 195.221.X.Y(siteA_WANIP)
set psksecret ENC nzeoinelzknflkeznf
next
end
config vpn ipsec phase2-interface
edit "FortiChili"
set phase1name "FortiChili"
set comments "VPN: FortiChili"
set src-addr-type name
set dst-addr-type name
set src-name "FortiChili_local"
set dst-name "all"
next
end
S* 0.0.0.0/0 [10/0] via 88.162.243.254, wan1Where 195.221.X.Y/32 is the remote fortigate (the central one) 88.162.243.254 is the gateway of my provider 172.20.64.0/18 is one of the remote subnet192.168.10.0/24 is the local subnet. Actually this work, i can access to 172.20.64. from 192.168.10 in both way. Now i want to push all my internet trafic from 192.168.10 into the tunnel. To achieve that i've changed the routing table shown before:
C 88.162.243.0/24 is directly connected, wan1
S 172.20.64.0/18 [10/0] is directly connected, FortiChili
S 172.20.133.0/24 [10/0] is directly connected, FortiChili
C 192.168.10.0/24 is directly connected, lan
S 195.221.X.Y/32 [5/0] via 88.162.243.254, wan1
S* 0.0.0.0/0 [10/0] is directly connected, FortiChili
C 88.162.243.0/24 is directly connected, wan1
S 172.20.64.0/18 [10/0] is directly connected, FortiChili
S 172.20.133.0/24 [10/0] is directly connected, FortiChili
C 192.168.10.0/24 is directly connected, lan
S 195.221.X.Y/32 [5/0] via 88.162.243.254, wan1
So prefered route for 195.221.X.Y/32 use the provider gateway: OK my vpn is established Then i add default route 0.0.0.0/0 with higher priority to push all trafic in the tunel: FAILED Effect is my default drop rule match all internet trafic: the fortigate want to push my internet trafic via WAN1:
ActionDeny: policy violation
Threat 131072
Policy 0
Policy Typepolicy
Source Interface Role: lan
Destination Interface Role: wan
Protocol Number 1
roll 50413
Log event original
timestamp 1543876582
dstcountry_code US
Log ID 13
PS: On the fortinet-A (central) i've added the rule to allow ipsec interface to WAN with a NAT for 192.168.10 IPs, but my problem is before this,
What is wrong? Please help me!!!
Labels:
- Labels:
-
5.6
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've found the solution myself!!! That was an internal routing error.
Adding 0.0.0.0/0 via IPSec interface as BlackHole (distance 254) in the static policy routes solved my issue!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know you solved with policy routes, but what we would regularly do in case the default route needs to go through the tunnel is:
1. set a /32 static route for the remote gateway IP (in your case 195.221.X.Y/32) to wan1 w/ its GW IP.
2. set 0/0 static route to "FortiChili" tunnel interface without GW.
Related Posts
Labels
-
FortiGate
6,459 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
High Availability
21 -
FortiConverter
21 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.