Doodley
New Member
September 30, 2014
Question

Redirect specific traffic to VPN connection

We have some problems when connecting to a certain website: tabs are loading intermittently, but it loads fine from one of our offices overseas. We have Fortigate firewalls in both locations and a VPN configured to link both offices. Now, from Office A (where I am now) we can't access the website (WW.XX.YY.ZZ-WW.XX.YY.ZZ subnet range) completely, and I want to redirect every connection made to that subnet range to our overseas office thru the existing VPN. Firewall objects and policy are already in place, but when I tried to tracert the site, I am still connected locally and traffic is not even passing thru the VPN link. What am I missing here?

    6 replies

    TuncayBAS
    Explorer
    September 30, 2014
    What type of VPN? If it is interface mode, did you write the route?
    ede_pfau
    SuperUser
    September 30, 2014
    Hi as well, you will need a static route pointing that subrange to the tunnel interface. All policies between your host and that website must allow traffic for that range. This will work without changes in the VPN setup if you are using wildcard Quick Mode selectors ('0.0.0.0/0'); otherwise just create a second phase2 for this subnet.
    Doodley (Author)
    New Member
    October 1, 2014
    Hi, Both offices have static IPs with a VPN tunnel already in place w/c enables both offices for AD/DFS syncing. Type of VPN: IPSec
    -----
    you will need a static route pointing that subrange to the tunnel interface. All policies between your host and that website must allow traffic for that range. This will work without changes in the VPN setup if you are using wildcard Quick Mode selectors ('0.0.0.0/0') otherwise just create a second phase2 for this subnet.
    -----
    Kindly tell me how to do this as I'm not sure how to do it myself. What will I put in the Firewall Objects (Addresses) and in the Policy? For example, let's say my location, office A, has a static IP of ZZZ.XXX.CCC.VVV and the remote office has AAA.SSS.DDD.FFF. Do I need to configure both Fortigate firewalls? Thanks again.
    Christopher_McMullan
    Staff
    October 1, 2014
    Not policies...the redirection will take place at the point where the FortiGate performs a routing lookup. Policies are basically Access Control Lists (on steroids, because of the UTM, NAT, shaping, etc.). Assuming the website's IP is 66.171.121.34 (using fortinet.com as an example), a sample static route would be:
        config router static
            edit 0
                set dst 66.171.121.34 255.255.255.255
                set dev tunnel_name
        end
    Doodley (Author)
    New Member
    October 1, 2014
    Thanks for the reply, Chris. But wow, CLI? Is there a way I can do this with Fortinet's web interface? Instead of a single IP, could I do this with an IP range?
    Christopher_McMullan
    Staff
    October 1, 2014
    Of course! Enable Advanced Routing as a feature under System > Config > Features, or else go to Routing under System > Network. Create a new static route. Make the destination the IP of the website you want to visit via the VPN. Make the interface the Phase 1 tunnel name. Distance and metric won't matter in this case, so click OK, and you're done. If you want a range, it'll have to be on subnet mask boundaries. You have to remember I spend more time in the CLI these days than the GUI, so it comes more naturally to list the commands than describe a GUI walk-through in the forums.
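Because a static route destination must sit on a subnet mask boundary, an arbitrary first-to-last address range turns into several routes. The following is an added example, not code from the thread or from Fortinet: it splits a range into mask-aligned blocks and renders one `config router static` stanza per block for an interface-mode tunnel (no gateway, just the phase1 name). The range end and the tunnel name VPN-HK are constructed, and it uses the full keyword `set device` where the post above abbreviates it to `set dev`.

```python
import ipaddress


def range_to_cidrs(first_ip, last_ip):
    """Split an arbitrary IPv4 range into the fewest subnet-mask-aligned
    blocks; each block is one valid static-route destination."""
    start = ipaddress.IPv4Address(first_ip)
    end = ipaddress.IPv4Address(last_ip)
    if end < start:
        raise ValueError("last_ip precedes first_ip")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def static_routes_cli(first_ip, last_ip, tunnel_name):
    """Render one static-route stanza per block, pointing the block at the
    named phase1 (interface-mode) tunnel with no gateway address."""
    lines = ["config router static"]
    for cidr in range_to_cidrs(first_ip, last_ip):
        net = ipaddress.IPv4Network(cidr)
        lines += [
            "    edit 0",  # 0 = next free sequence number, as in the thread
            f"        set dst {net.network_address} {net.netmask}",
            f"        set device {tunnel_name}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed range starting at the thread's example address; the
    # tunnel name VPN-HK is an assumption.
    print(static_routes_cli("66.171.121.34", "66.171.121.40", "VPN-HK"))
```

The same stanza is needed on the remote FortiGate for the return path, with its own tunnel name and the local LAN as the destination.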
    Doodley (Author)
    New Member
    October 1, 2014
    Hi Chris, Thanks again for the reply. Under System -> Network, I can only see Interface, DNS, DNS Server, Explicit Proxy, and Capture Packet - nothing w/c says Routing. Advanced Routing is also enabled under Config -> Features. Using Fortigate 100D. Regards.
    ede_pfau
    SuperUser
    October 1, 2014
    You just specify the device and nothing for 'gateway'. The device to route to is the VPN's phase1 name.
    Doodley (Author)
    New Member
    October 1, 2014
    Hi there... That's the point in here, I can't even see the Phase 1 name under device. I've checked VPN -> IPSec -> Auto Key (IKE) and I see Phase 1 names for my VPNs, but it's not listed under device.
    Christopher_McMullan
    Staff
    October 1, 2014
    It's a policy-based VPN, or "tunnel-based", instead of interface-based or "route-based". I don't know why we use two names to describe each type, but we do... In this case, you'll either have to play with the quick mode selectors to include that web address as a destination, or else delete the VPN, starting with all related policies, then the Phase 2, then the Phase 1, and re-create it to be interface-based. Under the advanced settings in Phase 1, you can accomplish this by selecting the Enable IPsec Interface Mode option.
    Doodley (Author)
    New Member
    October 7, 2014
    I created a second Phase 2 connection for both sites, following every instruction stated above for both source and destination addresses.
    LOCAL LOCATION
    Phase 1: VPN HK -> There's a phase 2 connection in here, so I created a second phase 2 connection and named it VPN-HK-P2-1 (VPN-HK-P2 already exists)
    Source: 192.168.50.0/24
    Destination: IP range of website
    REMOTE LOCATION
    Phase 1: VPN SG -> There's a phase 2 connection in here, so I created a second phase 2 connection and named it VPN-SG-P2-1 (VPN-SG-P2 already exists)
    Source: IP range of website
    Destination: 192.168.60.0/24
    Settings for the second phase 2 connections were the same as the 1st phase 2 connections (encryption, auto keep alive, PFS, ...). Connection created, but when I tried to pathping/tracert the website, it gives me: Request timed out. What am I missing here? Thank you.
    Christopher_McMullan
    Staff
    October 7, 2014
    Request timed out would mean all the necessary intermediaries responded to ARP requests and either sent on the packet or dropped it. Can you run sniffs and flow traces? Run this in two separate windows, one from the local FGT and one from the remote:
        di sniff pack any "host w.x.y.z" 4    //--website address
    See if it flows through both devices. Then a flow trace:
        di de reset
        di de en
        di de fl s c en
        di de fl s f en
        di de fl filter addr w.x.y.z    //--website IP
        di de fl tr start 5000
    Try the ping/traceroute, then...
        di de fl tr stop
        di de fl filter clear
        di de reset
        di de di
    Perform the flow trace on both units. It will show you if a tunnel is not ready to take the traffic, or if a policy drops the packet...basically any blockage up to Layer-4, plus VPN.
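The two failure modes the flow trace is meant to expose are a routing lookup that sends the packet out the WAN instead of the tunnel, and a policy check that drops it once it is headed for the tunnel. As an added example (not from the thread or Fortinet), this Python groups trace lines by trace_id and reports, per packet, the interface chosen by the routing lookup and the policy verdict, flagged against the tunnel the route should have picked. The sample lines are constructed in the style of FortiOS flow-trace output; the tunnel name VPN-HK, interface names and policy numbers are assumptions.

```python
import re
from collections import OrderedDict

# Constructed sample in the style of "diagnose debug flow" output (not real
# output from the thread): trace 1 leaves via the WAN, trace 2 picks the
# tunnel but is then dropped because no policy matches (policy 0).
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.50.10:1->66.171.121.34:2048) from internal. code=8, type=0, id=1, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5520 msg="allocate a new session-0000a1b2"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-203.0.113.1 via wan1"
id=20085 trace_id=1 func=fw_forward_handler line=737 msg="Allowed by Policy-3:"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=1, 192.168.50.10:1->66.171.121.34:2048) from internal. code=8, type=0, id=1, seq=2."
id=20085 trace_id=2 func=vf_ip_route_input_common line=2583 msg="find a route: flag=04000000 gw-0.0.0.0 via VPN-HK"
id=20085 trace_id=2 func=fw_forward_handler line=737 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(\d+) .*? msg="(.*)"$')
PKT_RE = re.compile(r'->(\d+\.\d+\.\d+\.\d+):')          # destination IP
ROUTE_RE = re.compile(r'find a route: .* via (\S+)')     # egress interface
DENY_RE = re.compile(r'Denied by forward policy check \(policy (\d+)\)')
ALLOW_RE = re.compile(r'Allowed by Policy-(\d+)')


def diagnose(trace_text, expected_tunnel):
    """Per trace_id: destination, egress interface from the routing lookup,
    policy verdict, and which of the two blockages (if any) it shows."""
    traces = OrderedDict()
    for line in trace_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        tid, msg = int(m.group(1)), m.group(2)
        t = traces.setdefault(tid, {"dst": None, "egress": None, "verdict": "no verdict"})
        if (p := PKT_RE.search(msg)):
            t["dst"] = p.group(1)
        elif (r := ROUTE_RE.search(msg)):
            t["egress"] = r.group(1)
        elif (d := DENY_RE.search(msg)):
            t["verdict"] = f"denied by policy {d.group(1)}"
        elif (a := ALLOW_RE.search(msg)):
            t["verdict"] = f"allowed by policy {a.group(1)}"
    for t in traces.values():
        if t["egress"] != expected_tunnel:
            t["problem"] = "route bypasses tunnel"      # fix: static route
        elif t["verdict"].startswith("denied"):
            t["problem"] = "policy blocks tunnel traffic"  # fix: policy
        else:
            t["problem"] = None
    return traces
```

Run it against the capture from each unit in turn; a packet that reaches the remote FortiGate via the tunnel but never returns points at the reverse route or policy on that side.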