Skip to main content
CustomX
CustomX
Explorer
June 7, 2022
Solved

Fortigate routes IPSEC traffic through DMZ interface

  • June 7, 2022
  • 4 replies
  • 6032 views

Hello,

 

We have a Fortigate 100D in our office and created an IPSEC VPN to our PfSense firewall in the datacenter. The IPSEC is online and the configured local/remote networks can both access each other. The remote network is 172.16.0.0/24 (PfSense) and the local networks are 192.168.10.0/24 and 192.168.100.0/24 (both on Fortigate).

 

When the Fortigate, which has an interface in both local networks (192.168.10.1 and 192.168.100.1), tries to access the remote network 172.16.0.0/24 it fails. The Fortigate uses its disabled DMZ interface (10.10.1.2) to access the network.

 

Is there a way I can force the Fortigate to use the 192.168.10.1 or 192.168.100.1 interface to access the 172.16.0.0/24 network? I have a static route configured, as it won't route otherwise.

 

We are running firmware 6.0.11.

 

Kind regards,

Tom

Best answer by sagha

Hi Tom, 

 

You have the option of configuring source-ip on FGT for locally originated traffic. You can configure this for LDAP as well.

 

config user ldap

edit <server_name>

set source-ip x.x.x.x

end

 

Details here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Authentication-with-remote-LDAP-via-site-to-site/ta-p/195199

 

If this clarifies your queries, please mark this as resolved. 

 

Thank you. 
Shahan Agha

4 replies

sagha
Staff
sagha
Staff
June 7, 2022

Hi Tom, 

 

Thank you for reaching out to us. 

 

Please clarify the sort of traffic you are generating on FGT that is failing. 

 

You can share the following debugs to see what FGT is doing with traffic: 

 

diag de flow filter addr <remote-IP>

diag de flow trace start 1000

diag de en

 

Generate the traffic and see what FGT does with it. 

 

If you are testing with a ping, you can use ping-option to configure source-ip

 

Explained here: 

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-PING-options-from-the-FortiGate-s-CLI/ta-p/190774

 

Thank you. 

Shahan Agha

CustomX
CustomXAuthor
Explorer
June 7, 2022

Hi Shahan,

Setting the ping-options to source 192.168.10.1 has made the remote network reachable. I did not know that was a setting...

I am trying to add a new LDAP server for authentication. The current LDAP server is local, but the new one is in the DC - which is why we have the IPSEC VPN. I keep getting an Invalid LDAP Server error and checked the connectivity between the Fortigate and the remote network. That's where I noticed the traffic was flowing from the disabled DMZ towards the remote network. So I'm not sure if it was just ping failing or it just can't connect to the remote network. I will dig further, but I think the ping-option solved the ping issue.

Kind regards,

Tom

sagha
Staff
saghaAnswer
Staff
June 7, 2022

Hi Tom, 

 

You have the option of configuring source-ip on FGT for locally originated traffic. You can configure this for LDAP as well.

 

config user ldap

edit <server_name>

set source-ip x.x.x.x

end

 

Details here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Authentication-with-remote-LDAP-via-site-to-site/ta-p/195199

 

If this clarifies your queries, please mark this as resolved. 

 

Thank you. 
Shahan Agha

CustomX
CustomXAuthor
Explorer
January 9, 2023

Hi Shahan,

Just a quick follow-up to the issue - LDAP now can succesfully reach our AD in the DC. However, when the AD in the DC tries to reach our local network, it sends the requests through the DMZ instead of the 192.168.10.1 or 192.168.100.1 networks.

Is there a way to make sure a request from the 172.16.0.0/24 network goes through 192.168.10.0/24 or 192.168.100.0/24, instead of 10.10.1.2?

sagha
Staff
sagha
Staff
January 9, 2023

Hi @CustomX


For this, you will have to check how the traffic is getting routed and might need Firewall policies with NAT between two interfaces. This way you can perform source NAT and change the source as you like by either using the IP address of the interface or IP pools in the Firewall Policy. 

 

Thanks, 

Shahan

    CustomX
    CustomXAuthor
    Explorer
    June 7, 2022

    Thanks Shahan, that resolved the issue!

      Terms & ConditionsAccessibility statement