Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
crsr3791

Internet routing over IPsec

I have a branch site with an internet based IPsec tunnel going to their main site. I'm trying to route the branch internet traffic through the main site (because the branch site does not have FortiGuard services on the box at the moment) but what I realize is that I can't do that because if I change the static default route on the branch side to point to the IPsec tunnel instead of the internet gateway, the tunnel will go down and the site will basically disconnect from the internet, rendering it unreachable.


Is there a workaround for this, or is it even possible?


Chris

Toshi_Esumi

If the main side has a static IP on the WAN, you can simply set a static route for the /32 toward the WAN on the branch side, then 0/0 into the tunnel.

If dynamic instead, you need to use DDNS and use the FQDN for the routing. Not sure how long the downtime is when the IP changes. But it shouldn't happen in the middle of the day.


Toshi

Toshi_Esumi

Apparently a static route doesn't take an FQDN. So the second one is not an option.

pminarik

A static route can be configured with a named-address destination set to an FQDN-type address object, but the address object must have `set allow-routing enable` to be available for selection.

Also keep in mind that this creates a dependency on DNS. If the system DNS server is reachable through the tunnel and the tunnel happens to be accidentally down, how will the FortiGate be able to resolve the FQDN to create the dynamic /32 route? (This will probably force you to use a DNS server that does not need to be accessed through the tunnel, and also to set up an additional "special" static route to reach it directly via the WAN interface.)

[ corrections always welcome ]
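The two designs discussed above (static HQ IP with a /32 host route, and the FQDN-object variant with its DNS dependency) as an added FortiOS CLI example on the branch FortiGate. This is not configuration from any of the posters; the interface names, IP addresses, hostname and address-object name are assumed placeholders, and the two options are alternatives, not meant to be applied together.

```fortios
# Branch FortiGate. ASSUMED names/values (none come from the thread):
#   WAN interface "wan1", IPsec tunnel interface "to-hq",
#   WAN next hop 198.51.100.1, HQ public IP 203.0.113.10,
#   DNS server 198.51.100.53, DDNS hostname hq.example.com.

# --- Option 1: HQ has a static public IP ---------------------------------
config router static
    # Host route so the IKE/ESP peer itself is always reached via the WAN,
    # otherwise the 0/0-into-tunnel route below would swallow the tunnel
    # endpoint and the tunnel would tear itself down.
    edit 10
        set dst 203.0.113.10 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
    # Default route into the tunnel; an IPsec interface needs no gateway.
    edit 20
        set dst 0.0.0.0 0.0.0.0
        set device "to-hq"
        set distance 5
    next
    # Optional worse-distance WAN default so the box stays reachable and
    # the branch keeps internet while the tunnel is down. Trade-off: during
    # that window branch traffic bypasses the HQ filtering entirely, so
    # omit this entry if "no tunnel, no internet" is the intended policy.
    edit 30
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan1"
        set distance 20
    next
end

# --- Option 2: HQ has a dynamic IP published via DDNS ----------------------
# The FQDN address object must allow routing before it can be selected as
# a static-route destination.
config firewall address
    edit "hq-wan-fqdn"
        set type fqdn
        set fqdn "hq.example.com"
        set allow-routing enable
    next
end

config router static
    # Dynamic /32 toward whatever hq.example.com currently resolves to.
    edit 11
        set dstaddr "hq-wan-fqdn"
        set gateway 198.51.100.1
        set device "wan1"
    next
    # The resolver must not depend on the tunnel, or the FQDN can never be
    # resolved while the tunnel is down: pin the DNS server to the WAN.
    edit 12
        set dst 198.51.100.53 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
    # Default into the tunnel, same as option 1.
    edit 20
        set dst 0.0.0.0 0.0.0.0
        set device "to-hq"
        set distance 5
    next
end

config system dns
    set primary 198.51.100.53
end
```

After applying either option, `get router info routing-table static` should show the /32 (or the FQDN-derived /32) pointing at wan1 and 0.0.0.0/0 pointing at the tunnel interface; for option 2, `diagnose firewall fqdn list` shows what the object currently resolves to, which is the first thing to check if the tunnel will not come up after a DDNS change.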
Toshi_Esumi

Thank you for the clarification, pminarik. Those are very good points.


Toshi
