FortiGate
scampos (Staff)
Article Id 360732
Description This article describes how to originate traffic (for example, a ping) from the local FortiGate itself and reach resources behind the remote FortiGate in an IPsec site-to-site configuration, without having to select a source interface with ping-options.
Scope FortiOS 6.X and 7.X.
Solution

Assume the following topology:

192.168.10.0/24 ------- FortiGate1 --------- IPsec --------- FortiGate2 -------- 192.168.1.X

 

With the configuration below, a ping issued from the local FortiGate1 CLI reaches the resource 192.168.1.X behind the remote FortiGate2 without selecting a source interface with ping-options. The reason is that FortiOS sources self-originated traffic from the address of the interface chosen by the route lookup: once the route to 192.168.1.0/24 points at a tunnel interface that has its own address, that address becomes the source, and as long as it is covered by the phase2 selectors on both peers the packet is accepted into the tunnel. Without an address on the tunnel interface, the ping would normally be sourced from the underlying WAN address, which no phase2 selector covers, which is why ping-options source would otherwise be required.

 

First, assign an IP address to the IPsec tunnel interface; for the procedure, refer to: Configure IP address on an IPSec tunnel i... - Fortinet Community.

 

In this example, the IP address assigned to the tunnel interface (named Test) on FortiGate1 is 192.168.168.1:

[Screenshot: tunnel interface Test on FortiGate1 with IP 192.168.168.1]

 

Next, create an address object for the tunnel interface IP (192.168.168.1/32) and add it to the phase2 selectors on both devices so that the selectors mirror each other: on FortiGate1 it is added as a local (source) selector with the remote LAN 192.168.1.0/24 as the destination, and on FortiGate2 it is added as a remote (destination) selector with its own LAN as the source. Traffic whose source and destination do not match a selector pair on both peers is not encrypted into the tunnel, so a selector mismatch is the first thing to check if the ping fails:

 

FortiGate1:

[Screenshots: address object for the tunnel IP 192.168.168.1/32, and the phase2 selector with that object as the local address]

FortiGate2:

[Screenshots: address object for the tunnel IP 192.168.168.1/32, and the phase2 selector with that object as the remote address]

Finally, on FortiGate2, use this address object as the source in the firewall policy that allows traffic arriving from the tunnel interface into the LAN. No policy is needed on FortiGate1 for this direction, because traffic generated by the FortiGate itself is not subject to firewall policies; FortiGate2, however, sees the ping as traffic entering from the tunnel interface and drops it unless a policy matches. Restrict that policy to the tunnel IP address object and to the services actually required (for example, PING) rather than "all", so that the tunnel address cannot be used to reach anything else on the LAN:

 

[Screenshot: FortiGate2 firewall policy from the tunnel interface to the LAN, with the tunnel IP address object as source]
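The same three steps, plus the verification commands, as a complete CLI example added here; it is not part of the original article, which shows these objects in the GUI. The tunnel name Test, the tunnel IP 192.168.168.1 and the remote subnet 192.168.1.0/24 come from the article. The peer tunnel address 192.168.168.2 (FortiOS requires a remote-ip when an address is set on a tunnel interface), the object and policy names, the LAN-side interface name "internal", the target host 192.168.1.10 and the assumption that the tunnel is also named Test on FortiGate2 are illustrative choices. In the CLI each phase2-interface entry carries exactly one source/destination pair, so the tunnel-IP selector is added as a second phase2 entry on the same phase1 and the existing LAN-to-LAN entry is left untouched.

```fortios
# ---------- FortiGate1 (originates the ping) ----------
config system interface
    edit "Test"
        set ip 192.168.168.1 255.255.255.255
        set remote-ip 192.168.168.2 255.255.255.255   # peer tunnel address: assumption
    next
end

config firewall address
    edit "FG1-Tunnel-IP"                              # object name: assumption
        set subnet 192.168.168.1 255.255.255.255
    next
end

# Second phase2 entry on phase1 "Test": tunnel IP (local) <-> remote LAN.
# The existing 192.168.10.0/24 <-> 192.168.1.0/24 entry stays as it is.
config vpn ipsec phase2-interface
    edit "Test-TunnelIP"                              # entry name: assumption
        set phase1name "Test"
        set src-addr-type name
        set src-name "FG1-Tunnel-IP"
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

# Route to the remote LAN over the tunnel (the "S 192.168.1.0/24 via Test" entry).
config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "Test"
        set distance 10
    next
end

# ---------- FortiGate2 (receives the ping from the tunnel) ----------
config firewall address
    edit "FG1-Tunnel-IP"
        set subnet 192.168.168.1 255.255.255.255
    next
    edit "LAN-192.168.1.0"                            # object name: assumption
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Mirror of the FortiGate1 selector: local LAN (source) <-> FortiGate1 tunnel IP (destination).
config vpn ipsec phase2-interface
    edit "Test-TunnelIP"
        set phase1name "Test"                         # tunnel name on FortiGate2: assumption
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-addr-type name
        set dst-name "FG1-Tunnel-IP"
    next
end

# Policy for traffic entering from the tunnel: only the tunnel IP as source and
# only the service that is needed, not "all".
config firewall policy
    edit 0
        set name "Tunnel-to-LAN-ping"
        set srcintf "Test"
        set dstintf "internal"                        # LAN-side interface: assumption
        set srcaddr "FG1-Tunnel-IP"
        set dstaddr "LAN-192.168.1.0"
        set action accept
        set schedule "always"
        set service "PING"
        set logtraffic all
    next
end

# ---------- Verification, run on FortiGate1 ----------
# execute ping 192.168.1.10                  # no ping-options needed; source is 192.168.168.1
# get router info routing-table all          # 192.168.1.0/24 via Test, 192.168.168.1/32 connected
# diagnose vpn tunnel list name Test         # both selector pairs should be listed
# diagnose sniffer packet Test 'icmp' 4      # echo requests leaving and replies arriving on Test
```

If the ping fails, compare the selector pairs printed by diagnose vpn tunnel list on both peers first; the policy on FortiGate2 only matters once the packet has been accepted into the tunnel, and a mismatched selector drops it silently on FortiGate1 before any policy is consulted on FortiGate2.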

 

With this in place, resources behind the remote FortiGate2 are reachable from the local FortiGate1, sourced from its IPsec tunnel interface address. On FortiGate1, the routing table (get router info routing-table all) shows the remote subnet routed via the tunnel and the tunnel address as a directly connected /32:

 

Routing table for VRF=0
S*      0.0.0.0/0 [5/0] via 104.157.124.1, wan, [1/0]
S       192.168.1.0/24 [10/0] via Test tunnel RemotePublicIP, [1/0]
C       192.168.168.1/32 is directly connected, Test

 

The address bound to the tunnel interface Test is also visible in the interface address list:

diagnose ip address list
IP=3.134.156.191->3.134.156.191/255.255.255.0 index=5 devname=wan
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=13 devname=root
IP=10.255.1.1->10.255.1.1/255.255.255.0 index=17 devname=fortilink
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=19 devname=vsys_ha
IP=127.0.0.1->127.0.0.1/255.0.0.0 index=21 devname=vsys_fgfm
IP=192.168.168.1->192.168.168.1/255.255.255.255 index=22 devname=Test

Comments

MaryBolano (Staff):
Excellent article, @scampos! Keep up the great job!

GILMENDO (Staff):
Thank you for your contribution, @scampos.