FortiGate
npaiva
Article Id 241094
Description

 

This article describes how to allow access to a website through an IPSEC tunnel.

 

Scope

 

To explain this in more detail, imagine that the Website 'example.pt' is only allowing requests from Portugal, and it is necessary to access it from the USA.

There is an IPSEC tunnel between a FortiGate appliance in the USA and another one in Portugal:

 

topo.png

 

Solution

 

The tunnel is already up, as the output below shows, and the phase 2 selectors have been negotiated for the subnets participating in the tunnel:

 

Fortigate-EUA # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=To-Portugal ver=1 serial=1 1.32.239.2:0->88.157.1.2:0 tun_id=88.157.1.2 tun_id6=::88.157.1.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=4 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=1 child_num=0 refcnt=4 ilast=17 olast=2201 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=To-Portugal proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:192.168.2.0/255.255.255.0:0
dst: 0:192.168.1.0/255.255.255.0:0
SA: ref=3 options=38003 type=00 soft=0 mtu=1446 expire=40725/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42927/43200
dec: spi=bf7bc209 esp=des key=8 e14c5960113c2336
ah=md5 key=16 8f32556839dadf6b14d849a54cb34161
enc: spi=ac4118bf esp=des key=8 7d71eeb97825128e
ah=md5 key=16 67ff5d325316d88c800cd52b4d30e116
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
run_tally=0

 

In order to access the website over the IPSEC tunnel, the IP address of the website must be included in the phase 2 selectors.

The first step is to find the IP address of the website.

This is easily done by opening a terminal on Windows or Linux and pinging the hostname: the reply shows the address the name resolves to.

Once name resolution has been verified, the website's IP is added to the phase 2 selectors.

In this case it is the destination on the EUA FortiGate and the source on the Portugal FortiGate.

 

EUA FortiGate:

 

add-usa.png

 

website-ip-eua.png

 

PT FortiGate:

 

website-pt.png

 

It is also possible to enable auto-negotiate in the advanced settings of the newly created phase 2.

 

A static route is also necessary on the EUA FortiGate, to send the traffic destined for the website over the tunnel to Portugal:

 

Route-eua-fgt.png

 

On the Portugal FortiGate, a policy is also necessary to allow traffic sourced from the IPSEC tunnel to reach the Internet, with NAT enabled, so that the website sees a Portuguese IP address:

 

policy-portugal.png
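The equivalent CLI configuration for both FortiGates, as an added example that is not part of the original article (the screenshots above show the original's GUI configuration). The phase 1 name "To-Portugal", the subnets and the website IP come from the diag output on this page; the Portugal-side phase 1 name "To-EUA", the WAN interface "wan1", and the address object and policy names are assumptions.

```fortios
# --- EUA FortiGate (USA side): new phase 2 selector towards the website IP ---
# "To-Portugal", 192.168.2.0/24 and 95.136.48.120 are taken from the diag output above
config vpn ipsec phase2-interface
    edit "example.pt"
        set phase1name "To-Portugal"
        set auto-negotiate enable
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 95.136.48.120 255.255.255.255
    next
end
# Static route so traffic for the website IP is sent into the tunnel interface
config router static
    edit 0
        set dst 95.136.48.120 255.255.255.255
        set device "To-Portugal"
    next
end
# --- PT FortiGate (Portugal side): mirrored selector and outbound NAT policy ---
# "To-EUA", "wan1" and the address/policy names below are assumptions
config vpn ipsec phase2-interface
    edit "example.pt"
        set phase1name "To-EUA"
        set auto-negotiate enable
        set src-subnet 95.136.48.120 255.255.255.255
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
config firewall address
    edit "EUA-LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
    edit "example.pt-host"
        set subnet 95.136.48.120 255.255.255.255
    next
end
config firewall policy
    edit 0
        set name "tunnel-to-example.pt"
        set srcintf "To-EUA"
        set dstintf "wan1"
        set srcaddr "EUA-LAN"
        set dstaddr "example.pt-host"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
        # set tcp-mss-sender 1350    (uncomment both lines only if PMTUD is broken)
        # set tcp-mss-receiver 1350
    next
end
```

Restricting the policy to the website address object and to HTTP/HTTPS keeps the tunnel from becoming a general NAT exit for the remote LAN.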

 

Now generate some traffic by trying to access the website from the EUA local subnet. If auto-negotiate is enabled, the new phase 2 will already be up:


Fortigate-EUA # diag vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=To-Portugal ver=1 serial=1 1.32.239.2:0->88.157.1.2:0 tun_id=88.157.1.2 tun_id6=::88.157.1.2 dst_mtu=1500 dpd-link=on weight=1
bound_if=4 lgwy=static/1 tun=tunnel/255 mode=auto/1 encap=none/512 options[0200]=frag-rfc run_state=0 accept_traffic=1 overlay_id=0
proxyid_num=2 child_num=0 refcnt=5 ilast=2 olast=3569 ad=/0
stat: rxp=0 txp=0 rxb=0 txb=0
dpd: mode=on-demand on=1 idle=20000ms retry=3 count=0 seqno=0
natt: mode=none draft=0 interval=0 remote_port=0
proxyid=To-Portugal proto=0 sa=1 ref=2 serial=1 auto-negotiate
src: 0:192.168.2.0/255.255.255.0:0
dst: 0:192.168.1.0/255.255.255.0:0
SA: ref=3 options=38003 type=00 soft=0 mtu=1446 expire=39357/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42927/43200
dec: spi=bf7bc209 esp=des key=8 e14c5960113c2336
ah=md5 key=16 8f32556839dadf6b14d849a54cb34161
enc: spi=ac4118bf esp=des key=8 7d71eeb97825128e
ah=md5 key=16 67ff5d325316d88c800cd52b4d30e116
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
proxyid=example.pt proto=0 sa=1 ref=2 serial=4 auto-negotiate
src: 0:192.168.2.0/255.255.255.0:0
dst: 0:95.136.48.120/255.255.255.255:0
SA: ref=3 options=38203 type=00 soft=0 mtu=1446 expire=42366/0B replaywin=2048
seqno=1 esn=0 replaywin_lastseq=00000000 itn=0 qat=0 hash_search_len=1
life: type=01 bytes=0/0 timeout=42931/43200
dec: spi=bf7bc20b esp=des key=8 67a65e863bc0d313
ah=md5 key=16 4fd7cfd3c43012da5e1acf7389375d13
enc: spi=ac4118c1 esp=des key=8 4e35c3164b0a39d1
ah=md5 key=16 908ee769d10d5f3f0d4ba949f8a100f0
dec:pkts/bytes=0/0, enc:pkts/bytes=0/0
run_tally=0

 

It will now be possible to access the website through the tunnel.

If it is still not possible to open it, or the connection is slow, the cause may be broken PMTUD; in that case the TCP-MSS settings must be tuned on the policy allowing this traffic.

 

Related document:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Setting-TCP-MSS-value/ta-p/194518
