za99
New Member
August 9, 2017
Question

Firewall Policy Problem: VIP & IPSec


Hi!

I am new to the forum and I hope someone can help me.

I have two Fortigates connected via IPSec.

On site A, I have a server with the internal IP 192.168.1.254 and the external IP 8.8.8.254 on wan1.

I created a VIP:

config firewall vip
    edit "myVIP"
        set extip 8.8.8.254
        set extintf "wan1"
        set mappedip "192.168.1.254"
    next
end

I created a policy that allows port 443 from the Internet. It works fine.

My problem is: I want VPN site B to be able to connect to RDP (TCP 3389) over the PUBLIC IP 8.8.8.254 through the IPsec tunnel instead of using 192.168.1.254.

All I can see in Debug is: msg="pre_route_auth check fail(id=0), drop"

What's wrong?

Can someone help me?

Greetings,

za

2 replies

ede_pfau
SuperUser
August 9, 2017

hi,


8.8.8.254 is simply not behind the VPN tunnel - see phase2, Quick Mode selectors. Even if you work with wildcards, the routing will point to the 'wan' interface instead of the tunnel IF.

You cannot just create a static route pointing 8.8.8.254 to the tunnel IF - now the tunnel won't find its remote gateway anymore.

The flaw is in the design. Rethink your intentions.

Just my .02$
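To make ede_pfau's point concrete, here is what the site B side of such a tunnel typically looks like, with the two CLI checks that show why traffic to 8.8.8.254 never enters it. This is an added illustration, not configuration from the original post; the phase1 name "toSiteA", the site B LAN 192.168.2.0/24 and the route sequence numbers are assumptions, and the remote gateway is 8.8.8.254 because the poster says that is the wan1 address on site A.

```text
# Site B FortiGate (assumed names and addresses; not from the original post).
# Phase 1: the tunnel's remote gateway is the very public address the poster
# wants to reach, so IKE/ESP to 8.8.8.254 must leave via wan1, never via the tunnel.
config vpn ipsec phase1-interface
    edit "toSiteA"
        set interface "wan1"
        set remote-gw 8.8.8.254
        set proposal aes256-sha256
        set psksecret <pre-shared-key>      # placeholder, not a real key
    next
end

# Phase 2 (Quick Mode) selectors: only LAN-to-LAN traffic is ever encrypted.
# 8.8.8.254 is outside both subnets, so packets to it fall off the selectors.
config vpn ipsec phase2-interface
    edit "toSiteA-p2"
        set phase1name "toSiteA"
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

# Static route that makes the remote LAN reachable through the tunnel interface.
config router static
    edit 10
        set dst 192.168.1.0 255.255.255.0
        set device "toSiteA"
    next
end

# Checks from the site B CLI:
#  1. Which interface does a packet to 8.8.8.254 leave on? Confirm the answer
#     is wan1 (the default route), not "toSiteA".
get router info routing-table details 8.8.8.254

#  2. Which selectors does the live tunnel carry? Confirm the proxy IDs are
#     192.168.2.0/24 <-> 192.168.1.0/24 only; nothing covers 8.8.8.254.
diagnose vpn tunnel list name toSiteA

# The tempting "fix" ede_pfau warns against (do NOT apply): a /32 route for
# the public IP into the tunnel would also send the IKE/ESP packets addressed
# to the remote gateway 8.8.8.254 into the tunnel interface, so the tunnel
# can never negotiate or re-key again.
# config router static
#     edit 11
#         set dst 8.8.8.254 255.255.255.255
#         set device "toSiteA"
#     next
# end
```

Route-based (interface-mode) tunnels are shown because the debug line in the question comes from policy lookup rather than from IKE; with policy-based tunnels the same selector mismatch applies, only the route lookup step is replaced by the IPsec policy's address objects.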

za99 (Author)
New Member
August 9, 2017

Thank you for the quick reply!

OK I understand what you mean.

The background is: it would be comfortable for the remote users to use server.mycompany.com as the target for RDP, because they should not have to bother about which private IP they have to use.

I don't want to open RDP over the Internet, so I could solve it with DNS on site B: server.mycompany.com --> 192.168.1.254.

Thanks!


MikePruett
New Member
August 13, 2017

DNS is best; it will keep things seamless for users and will be better than how you were originally going about it.
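One way to implement the split-DNS approach za99 settled on and MikePruett endorsed, as an added example rather than configuration from the thread: the site B FortiGate serves a shadow zone for mycompany.com to its LAN clients, answering server.mycompany.com with the private address so the RDP session rides the existing LAN-to-LAN selectors and the public VIP stays 443-only. The LAN interface name "internal", the zone name and the TTL are assumptions, and the syntax is the FortiOS 5.x/6.x form in use when the thread was written (newer releases rename "master" to "primary").

```text
# Site B FortiGate (assumed names; not from the original post).
# Shadow zone: visible only to clients querying an interface that has the
# FortiGate DNS server enabled. Everyone else still sees the public record.
config system dns-database
    edit "mycompany-internal"
        set domain "mycompany.com"
        set type master
        set view shadow
        set ttl 300
        set authoritative disable       # names not listed here are forwarded upstream
        config dns-entry
            edit 1
                set type A
                set hostname "server"
                set ip 192.168.1.254    # private address, reachable via the tunnel
            next
        end
    next
end

# Serve DNS on the LAN interface so site B clients can use the FortiGate as
# their resolver; "recursive" answers from the shadow zone first, then forwards.
config system dns-server
    edit "internal"
        set mode recursive
    next
end
```

Two things to verify afterwards: from a site B client, resolve server.mycompany.com and confirm you get 192.168.1.254 rather than 8.8.8.254, and check that the client's resolver really is the FortiGate (or a DNS server that forwards to it); a laptop still pointed at a public resolver will keep getting the public address and will be blocked by the 443-only policy, which is the intended behaviour for anything outside the tunnel.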