Rule for IPsec VPN Tunnel on DMZ not forcing traffic through tunnel

Question

I have a VPN tunnel defined which comes up OK.  Traffic on the far side is coming through the tunnel without a problem (CISCO RV042 device).  On the Fortigate 60D (5.0.310) I have a rule defined where the source is DMZ, 192.168.18.0/24, destination is WAN2, 192.168.54.0/24, all services and IPsec using the defined VPN tunnel.  When a do a TRACERT from a PC at 192.168.18.100 I see it hit the DMZ gateway address as 192.168.18.3 and the next hop is 10.15.224.1 which is not one of my IP's.  If the traffic were being sent down the tunnel the second hop should show 192.168.54.1 which is the gateway at the far side.  For some reason the traffic is not being sent down the tunnel, instead it is being sent over the internet.  Is there something different for the DMZ interface compared to the internal interface?  I have many VPN's on the internal interface which are working.  Why does it seem that it is ignoring the rule to force the traffic down the tunnel?

MarkB · Answer

following configurations cut from a backup showing the relevant parts (external ip's changed). policy 30 is the one that i assume would push the traffic down the tunnel but appears to be ignored. rule 31 if enabled catches the source and destination address and denies the traffic as expected.

#config-version=FGT60D-5.00-FW-build310-150123:opmode=0:vdom=0:user=admin

#buildno=0310 config router static edit 1 set device "wan2" set gateway 111.111.111.129 next end config system interface edit "all" next edit "dmz" set vdom "root" set ip 192.168.18.3 255.255.255.0 set allowaccess ping set type physical set alias "192-168-18-0" set snmp-index 1 next edit "wan2" set vdom "root" set ip 111.111.111.144 255.255.255.224 set allowaccess ping set type physical set alias "Cox" set snmp-index 3 next end config system dhcp server edit 1 set default-gateway 192.168.18.3 set interface "dmz" config ip-range edit 1 set end-ip 192.168.18.149 set start-ip 192.168.18.20 next end set netmask 255.255.255.0 set dns-server1 192.168.18.2 next end config firewall address edit "all" next edit "Plant-Internal" set subnet 192.168.54.0 255.255.255.0 next edit "Office-Internal" set subnet 192.168.18.0 255.255.255.0 next end config vpn ipsec phase1 edit "all" next edit "WAN2-Plant-Tunnel" set interface "wan2" set proposal 3des-sha1 3des-md5 set remote-gw 222.222.222.66 set psksecret ENC IHRvb9GJlNhwKx8e3fCcPaEdYQ= next end config vpn ipsec phase2 edit "all" next edit "WAN2-Plant-Phase2" set phase1name "WAN2-Plant-Tunnel" set proposal 3des-sha1 3des-md5 set keylifeseconds 28800 set src-subnet 192.168.18.0 255.255.255.0 set dst-subnet 192.168.54.0 255.255.255.0 next end config firewall policy edit "all" next edit 30 set srcintf "dmz" set dstintf "wan2" set srcaddr "Office-Internal" set dstaddr "Plant-Internal" set action ipsec set schedule "always" set service "ALL" set inbound enable set vpntunnel "WAN2-Plant-Tunnel" next edit 31 set srcintf "dmz" set dstintf "wan2" set srcaddr "Office-Internal" set dstaddr "Plant-Internal" set status disable set schedule "always" set service "ALL" set logtraffic all next edit 27 set srcintf "dmz" set dstintf "wan2" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next end

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded