Force Local Firewall Traffic Through IPSec VPN

Question

This seems like I've missed something real basic here. I've got two Fortigates connected to each other over an IPSec VPN through the internet. One at my remote office and one at the main office. Clients on both sides can communicate with each other without any problems however I cannot get the remote firewall itself to send data (or ping) a FortiAnalyzer on the side of my main office network. Based on flow/packet traces and the remote firewall logs, the packets don't seem to be traversing the VPN tunnel and seem to be just going out the Internet/WAN interface which of course are blocked by the Internet interface on the main branch firewall.

I'm at a loss considering the clients on the remote side can hit addresses on the main office side. Any ideas? L

neonbit · Answer

I believe it's to do with the SRC address.

On the remote FGT side you can try change the FGT's source address to it's internal network IP address.

config log fortianalyzer setting

set source-ip <FGTs internal IP address>

end

Same thing happens with the ping. You can change the source IP address when you try to ping from the FGT.

execute ping-options source <FGTs internal IP address>

execute ping <remote FAZ>

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded