Description

This article describes how to configure FortiGate to allow remote browsing over IPSec VPN tunnel.

Scope

FortiGate.

Solution

Remote browsing over IPSec VPN tunnel:

In this example, 2 FortiGates (FortiGate A and FortiGate C) have established a VPN tunnel and local subnet in FortiGate C (10.221.0.0/16) will require to access Internet via VPN_TO_FGTA tunnel.

Configuration in FortiGate C:

1. Create a default route in FortiGate C to make sure all other traffic besides VPN will go through VPN tunnel:

2. On VPN phase 2 selectors, create a new selector with a local address pointing to 10.221.0.0/16 and a remote address set to 0.0.0.0/0.0.0.0
   

3. Create a firewall policy for the local subnet to access the internet over a VPN tunnel:

4. Set an IP address and remote address on the VPN tunnel, go to Network -> Interfaces.

1. Configure phase 2 selectors in the VPN tunnel:
   

2. Create a firewall policy for VPN users to access to Internet:

3. Set an IP address and remote address on VPN tunnel, go to Network -> Interfaces.

 

 

Test results in FortiGate C:

 

 

Related articles:
Troubleshooting Tip: IPsec VPNs tunnels
Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
Technical Tip: Dialup VPN Configuration Between Two FortiGates
Technical Tip: IPSec dial-up full tunnel with FortiClient
Technical Tip: How to configure IPSEC dialup VPN using ikev2 with DHCP proxy