Skip to main content
CrashtimeV
CrashtimeV
New Member
October 1, 2024
Question

How to route a specific domain over IPSec

  • October 1, 2024
  • 3 replies
  • 1832 views

My Setup:

I have a IPSec tunnel setup with the right side (Strongswan) sharing the internet 0.0.0.0/0.0.0.0 and left side (Fortigate) sharing a specific subnet.

 

What I want to do:d

I want to route a specific set of domains from the subnet over this tunnel and out to the internet. How exactly do I do this?

 

What I have tried: 

I have the tunnel up and am allowing all traffic to and from the tunnel to subnet and subnet to tunnel.

Created an address group with static routing selected. The route is setup as destination being my address group, interface being tunnel interface and distance is 10 there is also a blackhole route for the tunnel interface with distance 250. 

Trying this out, it didn't work. As a test I redid this for amazon and tried accessing it from incognito to see if I get redirected to the correct region and that doesnt work either. 

 

Am I missing something? What can I do to diagnose this?

3 replies

AEK
SuperUser
AEK
SuperUser
October 1, 2024

What do you see in the routing table?

get router info routing-table all

 

AEK
CrashtimeV
CrashtimeVAuthor
New Member
October 3, 2024

This is what I see, IPs are sanitized

S* 0.0.0.0/0 [2/0] via XXX.XXX.XXX.XXX, wan1, [1/0]
S XXX.XXX.XXX.XXX/32 [10/0] via PHN Tun tunnel XXX.XXX.XXX.XXX, [1/0]
S XXX.XXX.XXX.XXX/32 [10/0] via PHN Tun tunnel XXX.XXX.XXX.XXX, [1/0]
S XXX.XXX.XXX.XXX/32 [10/0] via PHN Tun tunnel XXX.XXX.XXX.XXX, [1/0]
C 10.18.4.0/24 is directly connected, Management
C 10.17.6.0/24 is directly connected, Server
C 10.48.0.0/24 is directly connected, PHN
C 10.99.99.0/24 is directly connected, Guest
C 162.156.184.0/22 is directly connected, wan1
C 169.254.1.1/32 is directly connected, RA-VPN
C 192.168.10.0/24 is directly connected, IOT
C 192.168.112.0/24 is directly connected, internal

 

PHN is the subnet and PHN Tun is the site to site

arahman
Staff
arahman
Staff
October 1, 2024

Hi, are you speaking about site to site or remote access? if you are speaking about the remote access and you want the specific subnet to go over the tunnel then you can follow the article below  

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-split-tunnel-For-IPsec-VPN/ta-p/192266

and site to site by default work in a way that it will allow specific domain unless specified all in phase2

CrashtimeV
CrashtimeVAuthor
New Member
October 3, 2024

This is for Site to Site, not sure how the domain bit works for this. For my local address in phase 2 its the address of the subnet and for remote is 0.0.0.0/0.0.0.0 since the other side is sharing the internet and the local address on that side is 0.0.0.0/0.0.0.0

AEK
SuperUser
AEK
SuperUser
October 3, 2024

Please run the below commands then redo the test:

diag debug flow filter addr x.x.x.x
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable

 

AEK
Terms & ConditionsAccessibility statement