Technical Tip: Remote browsing over IPSec VPN tunnel

Description

This article describes how to configure FortiGate to allow remote browsing over IPSec VPN tunnel.

Scope

FortiGate.

Solution

Remote browsing over IPSec VPN tunnel:

In this example, 2 FortiGates (FortiGate A and FortiGate C) have established a VPN tunnel and local subnet in FortiGate C (10.221.0.0/16) will require to access Internet via VPN_TO_FGTA tunnel.

Configuration in FortiGate C:

1. Create a default route in FortiGate C to make sure all other traffic besides VPN will go through VPN tunnel:

2. On VPN phase 2 selectors, create a new selector with a local address pointing to 10.221.0.0/16 and a remote address set to 0.0.0.0/0.0.0.0
   

3. Create a firewall policy for the local subnet to access the internet over a VPN tunnel:

4. Set an IP address and remote address on the VPN tunnel, go to Network -> Interfaces.

1. Configure phase 2 selectors in the VPN tunnel:
   

2. Create a firewall policy for VPN users to access to Internet:

3. Set an IP address and remote address on VPN tunnel, go to Network -> Interfaces.

 

 

Test results in FortiGate C:

 

 

Related articles:
Troubleshooting Tip: IPsec VPNs tunnels
Troubleshooting Tip: Troubleshooting IPsec Site-to-Site Tunnel Connectivity
Technical Tip: Dialup VPN Configuration Between Two FortiGates
Technical Tip: IPSec dial-up full tunnel with FortiClient
Technical Tip: How to configure IPSEC dialup VPN using ikev2 with DHCP proxy