Fortinet Forum
Jimmy_Intertouch
New Contributor II

40F ipsec VPN internet access through VPN tunnel, issue.

Hi:

I have a FortiGate 40F set up in the office with its WAN connected to the internet on a public IP, and the LAN connected to the office LAN network 10.61.x.x.

I have followed this guide:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-establish-VPN-connection-between-Wi...

I created a VPN: dialup - Windows (Native L2TP/IPsec) using the VPN wizard, and the connection is working on my laptop from home.

I am able to ping LAN devices in the office, however, there is no internet.

I would like to access the internet through the office LAN network via the IPsec tunnel. Is that possible?
 
Thanks
sw2090
Honored Contributor

Yes it is possible. You already achieved one part I guess, as you have established the VPN and you now have no internet. That tells me you do not use split tunneling, so your client's default route was rewritten and the traffic goes through the office LAN already.

You now have to have a policy at the remote end FGT that allows you to access the internet coming from your VPN.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

aionescu
Staff

Hi Jimmy_Intertouch,

 

If I understood correctly, the topology would be the following:

PC---Tunnel(L2TP)---FortiGate40F----Tunnel----HQ---Internet.

Now, you are able to successfully connect to the 40F and access resources from the HQ, but there is no Internet access. If my understanding is correct, on the HQ firewall, assuming it is also a FortiGate, you would need to create a firewall policy that has as source interface the IPsec tunnel interface with the 40F and as destination interface the Internet-facing one. You have to enable NAT on this policy.

seshuganesh
Staff

Hi Team,

Please look into the screenshot:

[screenshot: seshuganesh_0-1652431450538.png]

Under local interface, can you select both wan and lan interfaces and set local address to the "all" object?

Then create firewall policies for IPsec VPN to LAN and IPsec VPN to WAN (NAT should be enabled in this policy).

Then test the traffic.

Please check and keep us posted.

Jimmy_Intertouch

Hi, thanks all.

This one got the internet working, amazing! But from tracert I can see my PC is getting the internet from the FG40F's WAN.

Ideally, I want all routes to go via the FG40F's LAN interface, which connects to a Juniper firewall in the office that I have no control of. I guess I would need to configure that Juniper to achieve this?

Thanks again

seshuganesh

Hi Team,

 

In that case you need to point your default route towards the interface which is connected to the Juniper firewall.

So the traffic will be forwarded towards the Juniper firewall and that firewall can provide access.
Is the Juniper firewall connected to the LAN interface of the FG firewall?

 

Jimmy_Intertouch

Hi,

"point your default route towards interface which is connected to juniper firewall."

Sorry, default route, where do I set it up, here or in policy? Thank you :)

[screenshot: 11111111111.png]

Yes, the FG LAN connects to the office network that connects to the Juniper FW LAN.

Thanks

sw2090
Honored Contributor

On the VPN client the VPN sets your default route if you have no split tunneling on the VPN.

On the FGT it is the first one in your screenshot.

If you set that to the Juniper FW as gateway IP, all internet traffic coming from your FGT will go to the Juniper. That'd probably be the easiest way but I am not sure if you really want that.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Jimmy_Intertouch

Thanks, I will try fiddling with it :)

Jimmy_Intertouch
New Contributor II

Hi all, thanks all for making this work.

It's all working now after adding the static route for the LAN interface with higher priority than the WAN route.

It feels wonderful! :D
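The two pieces the thread converges on, the "VPN to Internet" policy with NAT (seshuganesh's and aionescu's replies) and the second default route out of the LAN interface with a better priority (the final fix), as an added FortiOS CLI example. This is not configuration from any poster or from Fortinet; the tunnel interface name "L2TP-IPsec", the Juniper address 10.61.0.1 and the static route id 1 for the existing WAN default route are placeholders, and the interface names "lan" and "wan" are the 40F defaults.

```text
# Added example, not from the thread. Placeholder values: tunnel interface
# "L2TP-IPsec" (whatever the VPN wizard named yours), Juniper gateway 10.61.0.1,
# existing WAN default route at static route id 1.

# 1. Policy letting dial-up clients reach the Internet through the LAN side.
#    NAT is required: the client's tunnel address is private and unknown to
#    the Juniper, so the FortiGate rewrites it to its own LAN address.
#    dstintf is "lan", not "wan", because the route added below sends default
#    traffic out of the LAN interface. Logging is on so VPN-sourced Internet
#    traffic can be audited.
config firewall policy
    edit 0
        set name "VPN-to-Internet-via-LAN"
        set srcintf "L2TP-IPsec"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end

# 2. Routing. Two default routes with the same distance are both installed;
#    the one with the LOWER priority number is preferred and the other stays
#    as a backup. Demote the existing WAN default route and add the LAN one.
config router static
    edit 1
        set priority 20
    next
    edit 0
        set dst 0.0.0.0/0.0.0.0
        set gateway 10.61.0.1
        set device "lan"
        set distance 10
        set priority 1
    next
end
```

After applying this, `get router info routing-table all` should list both default routes with the LAN entry first, and a tracert from the client should show the Juniper's LAN address as the hop after the FortiGate. Note that the change affects the FortiGate's own default route too, not only VPN clients, which is the point sw2090 raises: every Internet-bound flow from the 40F now transits the Juniper, so its policies must permit traffic from the FortiGate's LAN address.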