
Author
Cornelis
New Member
  • Total Posts : 4
  • Reward points: 0
  • Joined: 2019/05/19 02:54:56
  • Status: offline
2019/06/16 01:46:37 (permalink)

IPSEC VPN Routing

Good Day
 
I was wondering if anybody can help me, as I am new to FortiGate.
 
I have two FortiGates, one at HQ and one at the branch.
 
HQ public ip 41.138.x.x
Local Lan : 192.168.1.0/24
 
Remote site public ip 86.179.x.x
Local Lan : 192.168.1.0/24
VLAN20 : 192.168.20.0/24
 
I have set up an IPsec VPN between the two sites with phase 2 selectors of 0.0.0.0/0. Now I need to route all internet traffic from VLAN20 over the VPN tunnel so that it looks like VLAN20 is coming from my HQ's public IP.
 
Can someone perhaps guide me on how to set up static routes and which policies I should create to route all traffic from VLAN20 over the tunnel? The local LAN on the remote gate does not need to go through the tunnel.
 
Many thanks in advance
hubertzw
Gold Member
  • Total Posts : 192
  • Reward points: 0
  • Joined: 2018/04/16 13:29:04
  • Status: offline
Re: IPSEC VPN Routing 2019/06/16 05:45:22 (permalink)
1) What routing protocol do you have (static, dynamic)?
2) If static, you can add a default gateway pointing to the VPN interface (I assume you have a route-based IPsec VPN).
3) Make sure firewall policies are in place and you don't do NAT.
 
Do you have any plan what to do with the traffic when VPN is down?
ede_pfau
Expert Member
  • Total Posts : 6019
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: IPSEC VPN Routing 2019/06/16 10:17:58 (permalink)
Marked helpful by Cornelis 2019/06/18 09:53:04
hi,
 
There is only 1 default route per system/FGT/VDOM. In your case, I assume you will still want to use a local breakout at the remote site, so pointing the default route to the tunnel is not an option.
 
And it doesn't need to be. You need a route which is followed if the source address comes from VLAN20. This is done by a Policy Route. You might have to enable the GUI feature for this.
 
When VLAN20 traffic reaches HQ FGT, you have to make VLAN20 known there, otherwise this traffic from an 'unknown' source will be discarded. For the reply traffic you need a route anyway. So create a static route on HQ FGT pointing VLAN20-destined traffic to the tunnel interface (no gateway).
 
Remember that if the destination is used to select a route, you use regular routes; if other fields like source address, ports etc. are needed, use Policy routes.
 
As easy as this one is, I'd rather not be around when one day you want to connect both regular LANs, with identical address space. Doable but a nightmare.

Ede

" Kernel panic: Aiee, killing interrupt handler!"
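To make the answer above concrete, here is a FortiOS CLI fragment (added example, not posted by the author or taken from Fortinet documentation) for the branch and the HQ FortiGate. It assumes hypothetical names: the branch VLAN interface is "VLAN20", the tunnel interface is "to-HQ" on the branch and "to-Branch" at HQ, the HQ internet interface is "wan1", and the object/policy IDs are arbitrary.

```text
# Branch FortiGate: policy route sends traffic sourced from VLAN20 into the
# tunnel; the branch LAN keeps the normal (local breakout) default route.
config router policy
    edit 1
        set input-device "VLAN20"
        set src "192.168.20.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "to-HQ"
    next
end
# Branch firewall policy VLAN20 -> tunnel. NAT must stay off so HQ sees the
# real 192.168.20.x source addresses.
config firewall policy
    edit 20
        set name "VLAN20-via-HQ"
        set srcintf "VLAN20"
        set dstintf "to-HQ"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
# HQ FortiGate: address object for the branch VLAN (constructed name).
config firewall address
    edit "VLAN20_net"
        set subnet 192.168.20.0 255.255.255.0
    next
end
# HQ static route: makes VLAN20 a known source and returns replies via the
# tunnel interface (no gateway address on a route-based tunnel).
config router static
    edit 10
        set dst 192.168.20.0 255.255.255.0
        set device "to-Branch"
    next
end
# HQ firewall policy tunnel -> internet, NAT enabled so VLAN20 traffic leaves
# with the HQ public IP. Restricted to the VLAN20 subnet only.
config firewall policy
    edit 30
        set name "Branch-VLAN20-internet"
        set srcintf "to-Branch"
        set dstintf "wan1"
        set srcaddr "VLAN20_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The policy route matches every destination, so VLAN20 traffic for the branch's own LAN would also be sent to HQ unless an earlier policy-route entry with the "Stop Policy Routing" action excludes 192.168.1.0/24. Check the result on the branch with `diagnose firewall proute list` and on HQ with `get router info routing-table all`.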
Cornelis
New Member
  • Total Posts : 4
  • Reward points: 0
  • Joined: 2019/05/19 02:54:56
  • Status: offline
Re: IPSEC VPN Routing 2019/06/18 05:03:43 (permalink)
Apologies my local lan is 192.168.0.0/24 and not 192.168.1.0/24 on the hq side, that was a typo. 