Skip to main content
bbergquist
bbergquist
New Member
March 16, 2016
Question

Need help forwarding over a VPN

  • March 16, 2016
  • 1 reply
  • 5293 views

I have a Fortigate 60D at my remote office.  I have a IPSec VPN from my remote office to corporate:

 

Remote network 192.169.1.x 

Corporate network 172.16.x.x

 

This is all working ok.

 

I have enabled dns-server on my internal interface:

 

config system dns-server

    edit "internal"

        set mode recursive

        set webfilter-profile ''

    next

end

 

I have a dns zone for the corporate network:

# get

name                : corporate 

status              : enable 

domain              : corporate.com 

type                : master 

view                : shadow 

ttl                 : 10

authoritative       : disable 

forwarder           : "172.16.1.46" 

source-ip           : 0.0.0.0

allow-transfer      : 

primary-name        : cp-dc01 

contact             : bbergquist@canoga.com

 

If I try resolving an entry such as "somehost.corporate.com" using nslookup, it fails.

 

Nothing seems to be forwarding to the DNS server @ 172.16.1.46.   

 

Just on a whim now, I try pinging 172.16.1.46 from the unit:

 

FGT60D4615029118 # execute ping 172.16.1.46

PING 172.16.1.46 (172.16.1.46): 56 data bytes

 

--- 172.16.1.46 ping statistics ---

5 packets transmitted, 0 packets received, 100% packet loss

 

FGT60D4615029118 # 

 

I can ping this from any workstation on the internal network however. 

 

So I guess how do I setup to do forwarding over the VPN to the corporate network's DNS server?  I don't really understand why I cannot ping from the Fortigate unit either.

 

 

 

 

    1 reply

    bbergquist
    bbergquistAuthor
    New Member
    March 16, 2016

    Actually, I believe I have solved the issue.  I needed to set the source-ip to be the internal IP of the firewall which I believe is allowing the request to be properly picked up by the Phase 2 Selectors of the IPSec VPN tunnel to direct the forwarding across the VPN.

     

    I also figured out the ping issue with the 

     

    execute ping-options source 192.169.1.1 

     

    which again I believe is allowing the request to be mapped by the Phase 2 Selectors of the IPSec VPN tunnel to direct the ping across the VPN.

    MrSinners
    MrSinners
    New Member
    March 16, 2016

    You are correct. The important factor here is traffic initiated by the FortiGate itself or traffic passing through the FortiGate. When traffic is initiated by the FortiGate it will use it's own routing table to look up the destination and then use the IP address of the most nearby interface as it's source. When doing "execute ping 172.16.1.46" it will select the outside IP address as its source, but it cannot send the packet out on the WAN link nor the VPN tunnel as the source does not match. For many things this is worked around on the FortiGate by using the source-ip command, such as DNS, syslog, radius, tacacs. In problematic situations for these kinds of management traffic, it is better to use multiple VDOM's and use root as management VDOM. This is also more secure as management traffic is split off from production. But yea not so useful for these smaller 60D units :)

    Terms & ConditionsAccessibility statement