Routing all traffic over VPN ( Site to Site )

kiennt049 · ‎12-12-2018

Dear all,

I has 2 60D firewall, 1 in HQ and 1 in Branch.

My boss request all traffic from Branch need go through HQ.

I create VPN IPsec Tunnel between 2 offices but can not Routing all traffic from Brand go through HQ.

Can you help me?

PS: I tried with another Devices like Draytek 2925 in Branch and it can routing all traffic to FG 60D but can not go out internet.

kiennt049 · ‎12-12-2018

Show Traffic on FG 60D HQ. ( 172.16.0.1 is Draytek)

Policy enabled NAT

But Draytek still not go out internet

Toshi_Esumi · ‎12-13-2018

just set a /32 static route for the other side of the tunnel public IP toward wan1 then a static default route into the tunnel (tunnel interface name) to solve the routing issue.

Then you need to have a set of policies from inside interface to the tunnel and the tunnel to include interface without NAT. This part is always needed regardless internet needs to going through the tunnel.

I'm assuming the tunnel itself is up with a proper set of phase2 selectors, or default 0/0<->0/0.

kiennt049 · ‎12-13-2018

I tried, but it not work, monday i will take back 1 fortigate in office and test again.

Toshi_Esumi · ‎12-14-2018

Are you sure that 222.255.x.x/32 is the other end of IP while the GW seems to be the same subnet 222.255.x.x. If both sides are served by the same ISP, it's possible though.

Check the routing "monitor" to make sure the routing table is as you expect. Then you start needing to use CLI to sniff traffic (diag sniffer packet), IKE debugging (diag debug app ike), and flow debug (diag debug flow). You can find syntax for those debuggings on the internet or in this forum.