Re: IPSEC VPN Routing
by Cornelis 2019/06/18 09:53:04
There is only 1 default route per system/FGT/VDOM. In your case, I assume you will still want to use a local breakout at the remote site, so pointing the default route to the tunnel is no option.
And it doesn't need to be. You need a route which is followed if the source address comes from VLAN20. This is done by a Policy Route. You might have to enable the GUI feature for this.
When VLAN20 traffic reaches HQ FGT, you have to make VLAN20 known there, otherwise this traffic from an 'unknown' source will be discarded. For the reply traffic you need a route anyway. So create a static route on HQ FGT pointing VLAN20-destined traffic to the tunnel interface (no gateway).
Remember that if the destination is used to select a route, you use regular routes; if other fields like source address, ports etc. are needed, use Policy routes.
As easy as this one is, I'd rather not be around when one day you want to connect both regular LANs with identical address space. Doable, but a nightmare.
Ede "Kernel panic: Aiee, killing interrupt handler!"
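As an added illustration of the two routing pieces described in the reply above (this is not configuration from Cornelis's post or from the original poster), here is what they look like in FortiOS CLI. The VLAN20 subnet 192.168.20.0/24, the HQ LAN 10.10.0.0/24, the VLAN interface name "vlan20" and the tunnel interface name "to-HQ" are assumed placeholders.

```fortios
# --- Remote-site FortiGate: policy route for VLAN20 traffic headed to HQ ---
# Only packets sourced from VLAN20 and destined to the HQ LAN are steered into the
# tunnel; all other VLAN20 traffic still follows the default route (local breakout).
# The subnets and interface names below are assumed placeholders.
config router policy
    edit 1
        set input-device "vlan20"
        set src "192.168.20.0/24"
        set dst "10.10.0.0/24"
        set output-device "to-HQ"
    next
end

# --- HQ FortiGate: static route for VLAN20 pointing at the tunnel interface ---
# A tunnel interface needs no gateway address. This route makes 192.168.20.0/24 a
# known source at HQ (so the reverse-path check does not drop it) and carries the
# reply traffic back through the tunnel.
config router static
    edit 10
        set dst 192.168.20.0 255.255.255.0
        set device "to-HQ"
    next
end
```

Firewall policies between "vlan20" and "to-HQ" on the remote side, and between "to-HQ" and the HQ LAN interface at HQ, are still required on top of these routes.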