Routing all internet traffic through the tunnel VPN - VPN IPSec Site-to-Site

Author
Cleyton
New Member
2019/07/04 07:35:38 (permalink) 6.0


Dear
 
I have a Site-to-Site IPsec VPN connection between two FortiGates.

Fortigate 80E -> HQ
Fortigate 50E -> Branch

I need all internet browsing traffic generated by the FortiGate 50E branch network to pass through the VPN tunnel and exit through the WAN of the FortiGate 80E.
My scenario is defined as follows:
 
Windows Server - HQ - DHCP scopes
LAN 192.168.254.101/24
GW 192.168.254.109/24
DHCP
Scope HQ -> 192.168.254.100 -> 192.168.254.254
Scope Branch -> 192.168.100.100 -> 192.168.100.254
 
Fortigate 80E -> HQ
 
LAN -> 192.168.254.109/24 - DHCP from the Windows server
WAN -> 189.17.00.00/28
 
Static Routes
 
status: enable
dst: 192.168.100.0 255.255.255.0
distance: 10
weight: 0
priority: 0
device: hq-branch
comment
blackhole: disable
dynamic-gateway: disable
virtual-wan-link: disable
link-monitor-exempt: disable
bfd: disable
 
status: enable
dst: 192.168.100.0 255.255.255.0
distance: 10
weight: 0
priority: 0
comment
blackhole: enable
link-monitor-exempt: disable
vrf: 0
 
IPv4 Policy
 
policyid: 3
name: vpn_hq-branch_remote
uuid: d69a2606-91ea-51e9-662c-5456990963a1
srcintf: "hq-branch"
dstintf: "lan"
srcaddr: "all"
dstaddr: "all"
internet-service: disable
internet-service-src: disable
rtp-nat: disable
learning-mode: disable
action: accept
status: enable
schedule: always
schedule-timeout: disable
service: "ALL"
dscp-match: disable
utm-status: disable
logtraffic: all
logtraffic-start: disable
auto-asic-offload: enable
np-acceleration: enable
session-ttl: 0
vlan-cos-fwd: 255
vlan-cos-rev: 255
wccp: disable
fsso: disable
groups:
users:
devices:
disclaimer: disable
natip: 0.0.0.0 0.0.0.0
diffserv-forward: disable
diffserv-reverse: disable
tcp-mss-sender: 0
tcp-mss-receiver: 0
comments: ""
block-notification: disable
custom-log-fields:
replacemsg-override-group:
srcaddr-negate: disable
dstaddr-negate: disable
service-negate: disable
timeout-send-rst: disable
captive-portal-exempt: disable
ssl-mirror: disable
ssl-mirror-intf:
scan-botnet-connections: disable
dsri: disable
radius-mac-auth-bypass: disable
delay-tcp-npu-session: disable
vlan-filter:
profile-protocol-options: default
traffic-shaper:
traffic-shaper-reverse:
per-ip-shaper:
nat: disable
match-vip: disable

policyid: 2
name: vpn_hq-branch_local
uuid: d6909a6e-91ea-51e9-c876-86e181d57320
srcintf: "lan"
dstintf: "hq-branch"
srcaddr: "all"
dstaddr: "all"
internet-service: disable
internet-service-src: disable
rtp-nat: disable
learning-mode: disable
action: accept
status: enable
schedule: always
schedule-timeout: disable
service: "ALL"
dscp-match: disable
utm-status: disable
logtraffic: utm
logtraffic-start: disable
auto-asic-offload: enable
np-acceleration: enable
session-ttl: 0
vlan-cos-fwd: 255
vlan-cos-rev: 255
wccp: disable
fsso: disable
groups:
users:
devices:
disclaimer: disable
natip: 0.0.0.0 0.0.0.0
diffserv-forward: disable
diffserv-reverse: disable
tcp-mss-sender: 0
tcp-mss-receiver: 0
comments: ""
block-notification: disable
custom-log-fields:
replacemsg-override-group:
srcaddr-negate: disable
dstaddr-negate: disable
service-negate: disable
timeout-send-rst: disable
captive-portal-exempt: disable
ssl-mirror: disable
ssl-mirror-intf:
scan-botnet-connections: disable
dsri: disable
radius-mac-auth-bypass: disable
delay-tcp-npu-session: disable
vlan-filter:
profile-protocol-options: default
traffic-shaper:
traffic-shaper-reverse:
per-ip-shaper:
nat: disable
match-vip: disable
 
Fortigate 50E -> Branch
 
LAN -> 192.168.100.109/24 DHCP Relay agent: 192.168.254.101/24
WAN -> 177.126.00.00/28
 
Static Routes
 
status: enable
dst: 192.168.254.0 255.255.255.0
distance: 10
weight: 0
priority: 0
device: rj-bh
comment
blackhole: disable
dynamic-gateway: disable
virtual-wan-link: disable
link-monitor-exempt: disable
bfd: disable
 
status: enable
dst: 192.168.254.0 255.255.255.0
distance: 10
weight: 0
priority: 0
comment
blackhole: enable
link-monitor-exempt: disable
vrf: 0
 
IPv4 Policy
 
policyid: 2
name: vpn_branch-hq_local
uuid: f6daae54-91ea-51e9-8ff1-8f4af858edbe
srcintf: "lan"
dstintf: "branch-hq"
srcaddr: "all"
dstaddr: "all"
internet-service: disable
internet-service-src: disable
rtp-nat: disable
learning-mode: disable
action: accept
status: enable
schedule: always
schedule-timeout: disable
service: "ALL"
dscp-match: disable
utm-status: disable
logtraffic: utm
logtraffic-start: disable
session-ttl: 0
vlan-cos-fwd: 255
vlan-cos-rev: 255
wccp: disable
fsso: disable
groups:
users:
devices:
disclaimer: disable
natip: 0.0.0.0 0.0.0.0
diffserv-forward: disable
diffserv-reverse: disable
tcp-mss-sender: 0
tcp-mss-receiver: 0
comments: ""
block-notification: disable
custom-log-fields:
replacemsg-override-group:
srcaddr-negate: disable
dstaddr-negate: disable
service-negate: disable
timeout-send-rst: disable
captive-portal-exempt: disable
ssl-mirror: disable
ssl-mirror-intf:
scan-botnet-connections: disable
dsri: disable
radius-mac-auth-bypass: disable
delay-tcp-npu-session: disable
vlan-filter:
profile-protocol-options: default
traffic-shaper:
traffic-shaper-reverse:
per-ip-shaper:
nat: disable
match-vip: disable
 
policyid: 3
name: vpn_branch-hq_remote
uuid: f6e30aae-91ea-51e9-bf9a-87b1de772b2c
srcintf: "branch-hq"
dstintf: "lan"
srcaddr: "all"
dstaddr: "all"
internet-service: disable
internet-service-src: disable
rtp-nat: disable
learning-mode: disable
action: accept
status: enable
schedule: always
schedule-timeout: disable
service: "ALL"
dscp-match: disable
utm-status: disable
logtraffic: utm
logtraffic-start: disable
allow-any-host: disable
enable-stun-host: disable
fixedport: disable
ippool: disable
session-ttl: 0
vlan-cos-fwd: 255
vlan-cos-rev: 255
wccp: disable
fsso: disable
groups:
users:
devices:
disclaimer: disable
natip: 0.0.0.0 0.0.0.0
diffserv-forward: disable
diffserv-reverse: disable
tcp-mss-sender: 0
tcp-mss-receiver: 0
comments: ""
block-notification: disable
custom-log-fields:
replacemsg-override-group:
srcaddr-negate: disable
dstaddr-negate: disable
service-negate: disable
timeout-send-rst: disable
captive-portal-exempt: disable
ssl-mirror: disable
ssl-mirror-intf:
scan-botnet-connections: disable
dsri: disable
radius-mac-auth-bypass: disable
delay-tcp-npu-session: disable
vlan-filter:
profile-protocol-options: default
traffic-shaper:
traffic-shaper-reverse:
per-ip-shaper:
nat: enable
match-vip: disable
 
I tried several route settings between the FortiGates, but the problem persists.
I'm not sure whether the routes should be static routes or policy-based routes.
 
 
#1

2 Replies

    Toshi Esumi
    Expert Member
    Re: Routing all internet traffic through the tunnel VPN - VPN IPSec Site-to-Site 2019/07/04 10:04:35 (permalink)
    There was the same discussion in this forum; you can search for it. But the concept is: if the HQ has a static IP on the internet circuit, you can set a /32 static route at the 50E for the HQ IP, while the default route points toward the tunnel without a GW.
    #2
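Toshi's suggestion written out as FortiOS CLI, as an added example that is not from the thread: a /32 host route to the HQ public address via the branch WAN, a default route into the tunnel interface with no gateway, and on the HQ side a policy that lets tunnel traffic out to the internet with source NAT, scoped to the branch subnet rather than "all". The interface name "wan1", the route sequence numbers and the "branch-lan" address object are assumptions; HQ_PUBLIC_IP and BRANCH_ISP_GW are placeholders for values the thread does not give.

```fortios
# --- Branch FortiGate 50E --- assumed names: "wan1" = branch internet
# circuit, "branch-hq" = tunnel (as in the thread). HQ_PUBLIC_IP and
# BRANCH_ISP_GW are placeholders for the HQ WAN IP and branch ISP gateway.
config router static
    edit 10
        # /32 host route so IKE/ESP to HQ still leaves via the local WAN
        set dst HQ_PUBLIC_IP 255.255.255.255
        set gateway BRANCH_ISP_GW
        set device "wan1"
        set distance 5
    next
    edit 11
        # default route into the route-based tunnel: no gateway needed
        set dst 0.0.0.0 0.0.0.0
        set device "branch-hq"
        set distance 5
    next
    edit 12
        # ISP default at a worse distance: active only while the tunnel is
        # down; remove it if local breakout must never happen
        set dst 0.0.0.0 0.0.0.0
        set gateway BRANCH_ISP_GW
        set device "wan1"
        set distance 20
    next
end

# --- HQ FortiGate 80E --- assumed: "wan1" = HQ internet circuit
config firewall address
    edit "branch-lan"
        set subnet 192.168.100.0 255.255.255.0
    next
end
config firewall policy
    edit 4
        set name "branch-internet-via-hq"
        set srcintf "hq-branch"
        set dstintf "wan1"
        set srcaddr "branch-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # source NAT so branch hosts exit with the HQ public address
        set nat enable
        set logtraffic all
    next
end
```

Two checks before testing: the phase2 selectors on both ends (`src-subnet`/`dst-subnet` under `config vpn ipsec phase2-interface`) must cover 0.0.0.0/0, or internet-bound packets never match the tunnel SA; and if the branch "wan1" gets its address by DHCP, its auto-generated default route must be given a distance above 5 (the interface's own `distance` setting) or it ties with the tunnel default.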
    Cleyton
    New Member
    Re: Routing all internet traffic through the tunnel VPN - VPN IPSec Site-to-Site 2019/07/09 05:57:45 (permalink)
    Dear Toshi Esumi,
    I searched the forum for this solution and did not find it; could you give me the link to the discussion on the forum?
    Could you help me with this solution?
    #3