Description
This article describes how to forward Internet-bound traffic from one specific subnet over an IPsec tunnel to a remote site, which then forwards that traffic to the Internet, while all other subnets keep using the local WAN.
Scope: FortiGate.
Solution
Step 1:
Step 2:
Site B: Tunnel configuration. Tunnel name: remote. Tunnel IP: 172.16.10.1/32 and Remote IP: 172.16.10.2/32 (the mirror of the Site A values below).
Site A: Tunnel configuration. Tunnel name: internet. Tunnel IP: 172.16.10.2/32 and Remote IP: 172.16.10.1/32.
In the example below, the goal is to forward traffic from the specific subnet 192.168.20.0/24 at Site B to the Internet via the remote Site A FortiGate.
Note: the phase 2 selectors can be set in either of two ways. Option 1: on Site B set src-subnet to 192.168.20.0/24 and dst-subnet to 0.0.0.0/0, and on Site A the reverse (src-subnet 0.0.0.0/0, dst-subnet 192.168.20.0/24). Option 2: leave both src-subnet and dst-subnet at 0.0.0.0/0 on both sites, as in the commands below, and restrict which traffic actually enters the tunnel with firewall policies (allow only the specific subnet), static routes and policy routes as the use case requires. With option 2 the selectors no longer limit anything, so the firewall policies on both sites are the only control; keep them tight.
Site B:
config vpn ipsec phase2-interface
OR
config vpn ipsec phase2-interface
Site A:
config vpn ipsec phase2-interface
OR
config vpn ipsec phase2-interface
Step 3: Site B: First, create a policy route on Site B that sends Internet-bound traffic from the source subnet 192.168.20.0/24 into the IPsec tunnel. Sources that do not match the policy route fall through to the kernel routing table (FIB), match the existing default route and exit via the local WAN as before.
The policy route used here takes port3 (the LAN interface) as the incoming interface, 192.168.20.0/24 as the source, the tunnel interface 'remote' as the outgoing interface and 172.16.10.2 (the Site A tunnel IP) as the gateway.
CLI configuration:
Note: the outgoing device of a policy route must be a single interface; an SD-WAN zone cannot be selected there, so choose the IPsec interface itself.
A default route (static route) with the IPsec tunnel as its gateway must also exist in the routing table; otherwise the policy route has no matching route to use and is skipped. Create a second default static route with the same distance as the existing default route but a higher priority value (in FortiOS a lower priority value is preferred, so the higher value makes the route less preferred). Both default routes then sit in the routing table: the one via the local WAN stays preferred for all traffic that is not diverted by the policy route, while the route via the tunnel is available for the policy-routed subnet.
Verify the default route on the routing table:
Step 4: Verify that the required firewall policy is in place. On Site B, allow traffic from the source subnet 192.168.20.0/24 (incoming interface port3) to the IPsec tunnel interface 'remote' with the destination address set to 'all'.
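The complete CLI for Steps 1 to 4 above, as an added worked example (it is not the page's own screenshots or configuration). It uses the values stated in the article: tunnel names remote and internet, tunnel IPs 172.16.10.1 (Site B) and 172.16.10.2 (Site A), LAN interface port3 at Site B, and an existing default route via the local WAN at Site B. The tunnel interface IPs from Steps 1 and 2 are assumed already configured. The Site A WAN interface name wan1, the address object names, the policy and route IDs, and the distance/priority values are assumptions. The Site A return route and the NAT setting on the Site A egress policy are not on the page, but without them replies never re-enter the tunnel and Site B hosts cannot reach the Internet from Site A's public address.

```text
# ---------------- Site B (tunnel "remote", tunnel IP 172.16.10.1) ----------------
# Phase 2 selectors, option 1: only 192.168.20.0/24 -> any is negotiated into the tunnel.
# (Option 2: keep src-subnet/dst-subnet at 0.0.0.0 0.0.0.0 on both sites and rely on
#  the firewall policies below to restrict what enters the tunnel.)
config vpn ipsec phase2-interface
    edit "remote"
        set phase1name "remote"
        set src-subnet 192.168.20.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Address object for the diverted subnet (object name assumed).
config firewall address
    edit "LAN-192.168.20.0"
        set subnet 192.168.20.0 255.255.255.0
    next
end

# Step 3a: second default route via the tunnel. Same distance (10, the static default)
# as the WAN default route but a higher priority value, so the WAN route stays preferred
# in the FIB and only the policy route below uses the tunnel route (IDs/values assumed).
config router static
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set gateway 172.16.10.2
        set device "remote"
        set distance 10
        set priority 20
    next
end

# Step 3b: policy route. Only 192.168.20.0/24 arriving on port3 is steered into the
# tunnel; output-device must be a single interface (an SD-WAN zone is not accepted).
config router policy
    edit 1
        set input-device "port3"
        set src "192.168.20.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 172.16.10.2
        set output-device "remote"
    next
end

# Step 4: firewall policy LAN -> tunnel, destination "all". No NAT here; Site A NATs.
config firewall policy
    edit 10
        set name "LAN-to-Internet-via-SiteA"
        set srcintf "port3"
        set dstintf "remote"
        set srcaddr "LAN-192.168.20.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---------------- Site A (tunnel "internet", tunnel IP 172.16.10.2) ----------------
# Phase 2 selectors mirrored: any -> 192.168.20.0/24.
config vpn ipsec phase2-interface
    edit "internet"
        set phase1name "internet"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 192.168.20.0 255.255.255.0
    next
end

config firewall address
    edit "SiteB-LAN-192.168.20.0"
        set subnet 192.168.20.0 255.255.255.0
    next
end

# Return route for the diverted subnet back into the tunnel (assumption, not shown on
# the page; without it replies from the Internet follow Site A's default route instead).
config router static
    edit 3
        set dst 192.168.20.0 255.255.255.0
        set device "internet"
    next
end

# Egress policy tunnel -> WAN with source NAT (assumption: wan1 is the Site A WAN port).
config firewall policy
    edit 11
        set name "SiteB-LAN-to-Internet"
        set srcintf "internet"
        set dstintf "wan1"
        set srcaddr "SiteB-LAN-192.168.20.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The Site A egress policy deliberately lists only the Site B subnet as source, so that with option 2 selectors (0.0.0.0/0 on both sides) nothing else that Site B might send into the tunnel can be relayed to the Internet through Site A.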
Site A:
Ping from a PC behind Site B to an Internet address.
Traceroute: the first hop is 172.16.10.2, the tunnel IP of the remote Site A FortiGate, which shows that the traffic is taking the policy route into the tunnel rather than the local WAN.
On the FortiGate, run debug flow and the packet sniffer to verify.
Site B:
Site A:
CTRL + C to stop sniffers.
diagnose debug disable (abbreviated di de disable) stops the debug output.
Site B debug flow output:
Challenger-kvm91 # 2024-07-27 09:43:55 id=65308 trace_id=62 func=print_pkt_detail line=5942 msg="vd-root:0 received a packet(proto=1, 192.168.20.2:1->8.8.8.8:2048) tun_id=0.0.0.0 from port3. type=8, code=0, id=1, seq=55."
The debug flow and sniffer output show the ICMP requests and replies passing between Site B and Site A, confirming that the policy route that was created is working as expected.
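The verification commands for the routing table, debug flow and sniffer checks above, as an added example (not the page's own command listing). It assumes 8.8.8.8 as the ping target, 192.168.20.2 as the test PC (both appear in the debug line above), the interface names port3, remote, internet and wan1 (wan1 is an assumption), and FortiOS 7.x command syntax.

```text
# ---- Site B: confirm both default routes are installed and which one the FIB prefers ----
get router info routing-table all
get router info routing-table details 8.8.8.8
# policy route list with hit counters; the port3 / 192.168.20.0/24 entry should count up
diagnose firewall proute list
# tunnel status, SPIs and the negotiated phase 2 selectors
diagnose vpn tunnel list name remote

# ---- Site B: debug flow for the test ping ----
diagnose debug reset
diagnose debug flow filter addr 8.8.8.8
diagnose debug flow filter proto 1
diagnose debug flow show function-name enable
diagnose debug flow trace start 10
diagnose debug enable
# Expected: "received a packet(proto=1, 192.168.20.2:1->8.8.8.8:2048) ... from port3",
# followed by a "find a route" line naming gw-172.16.10.2 via remote. A "find a route"
# line via the WAN interface instead means the policy route did not match (check the
# input-device and source in "diagnose firewall proute list").
# Run the ping from the PC, then stop the trace:
diagnose debug disable
diagnose debug reset

# ---- Site B and Site A: sniffer with verbosity 4 (prints the interface names) ----
# Site B: the request shows "in port3" then "out remote"; the reply the reverse.
diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4 0 l
# Site A: the request arrives "in internet" and leaves "out wan1" with Site A's public
# address as source after NAT; the reply is un-NATed and goes "out internet".
diagnose sniffer packet any 'host 8.8.8.8 and icmp' 4 0 l
# Ctrl+C stops the sniffer on either side.
```

If the request is seen "in internet" at Site A but never "out wan1", check the Site A egress policy and its NAT setting; if it is seen "out wan1" and the reply comes back "in wan1" but never "out internet", the return route for 192.168.20.0/24 via the tunnel is missing at Site A.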
Copyright 2025 Fortinet, Inc. All Rights Reserved.