crsr3791
New Member
May 25, 2022
Question

Internet routing over IPsec

  • May 25, 2022
  • 1 reply
  • 2405 views

I have a branch site with an internet based IPsec tunnel going to their main site. I'm trying to route the branch internet traffic through the main site (because the branch site does not have FortiGuard services on the box at the moment) but what I realize is that I can't do that because if I change the static default route on the branch side to point to the IPsec tunnel instead of the internet gateway, the tunnel will go down and the site will basically disconnect from the internet, rendering it unreachable.


Is there a workaround for this, or is it even possible?


Chris

1 reply

Toshi_Esumi
SuperUser
May 25, 2022

If the main side has a static IP on WAN, you can simply set a static route for the /32 toward the WAN on the branch side, and then 0/0 into the tunnel.

If dynamic instead, you need to use DDNS and use the FQDN for the routing. Not sure how long the downtime is when the IP changes. But it shouldn't happen in the middle of the day.


Toshi

Toshi_Esumi
SuperUser
May 25, 2022

Apparently a static route doesn't take an FQDN. So the second one is not an option.

pminarik
Staff
May 25, 2022

A static route can be configured with a named-address destination set to an FQDN-type address object, but the address object must have `set allow-routing enable` to be available for selection.

Also keep in mind that this creates a dependency on DNS. If the system DNS server is reachable through the tunnel and the tunnel happens to be accidentally down, how will the FortiGate be able to resolve the FQDN to create the dynamic /32 route? (This will probably force you to use a DNS server that does not need to be accessed through the tunnel, and also to set up an additional "special" static route to reach it directly via the WAN interface.)
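Both approaches from the thread (Toshi's host route plus default route into the tunnel, and pminarik's FQDN address object with `allow-routing`, including the extra route that keeps DNS off the tunnel), written out as branch-side FortiOS CLI. This is an added example, not configuration posted by either author. The interface names (`wan1`, `to-hq`), the addresses (198.51.100.1 as the branch ISP gateway, 203.0.113.10 as the main site's static WAN IP, 203.0.113.53 as a public DNS server) and the hostname `hq.example.com` are assumed placeholders.

```text
# Added example, not from the thread. Branch-side FortiOS CLI.
# Assumed: wan1 = branch internet interface, to-hq = route-based IPsec interface,
# 198.51.100.1 = branch ISP gateway, 203.0.113.10 = main site static WAN IP,
# 203.0.113.53 = DNS server reachable directly, hq.example.com = DDNS name.

# --- Option 1: main site has a static WAN IP (Toshi's answer) ---
config router static
    # Host route for the tunnel peer itself: longest-prefix match means this
    # /32 wins over 0/0, so the tunnel never depends on the route it carries.
    edit 1
        set dst 203.0.113.10 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
    # Everything else goes into the tunnel to be filtered at the main site.
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "to-hq"
    next
end

# --- Option 2: main site has a dynamic IP published via DDNS (pminarik's answer) ---
config firewall address
    edit "hq-wan-fqdn"
        set type fqdn
        set fqdn "hq.example.com"
        # Without this the object is not offered as a route destination.
        set allow-routing enable
    next
end
config router static
    # Dynamic /32 derived from whatever hq.example.com currently resolves to.
    edit 3
        set dstaddr "hq-wan-fqdn"
        set gateway 198.51.100.1
        set device "wan1"
    next
    # The resolver must not sit behind the tunnel, or a down tunnel can never
    # recover (no DNS -> no /32 -> no peer reachability). Pin DNS to WAN.
    edit 4
        set dst 203.0.113.53 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
    edit 5
        set dst 0.0.0.0 0.0.0.0
        set device "to-hq"
    next
end
config system dns
    set primary 203.0.113.53
end
```

After applying either option, `get router info routing-table all` should show the host route(s) via `wan1` above the default via `to-hq`, and `diagnose vpn ike gateway list` should show the tunnel still established. In option 2 the route from entry 3 only exists while the FQDN resolves, which is exactly the DNS dependency described above; entry 4 is what keeps that resolution working when the tunnel is down. The main site must of course accept the branch's 0.0.0.0/0 traffic from the tunnel and forward it to its own WAN (with NAT), which is outside the scope of this thread.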