Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Jimmy_Intertouch
New Contributor II

Created on ‎05-13-2022 12:32 AM

40F ipsec VPN internet access through VPN tunnel, issue.

Hi:

I have a Fortigate 40F setup in office  with its WAN conencted to the interent on a public IP  , LAN connect to office LAN network 10.61.x.x network

 

I and followed this guide,

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-establish-VPN-connection-between-Wi...

 

I created a VPN: dialup - Windows (Native L2TP/IPsec) using VPN wizard, which the connection is working on my laptop from home.
 
I am able to ping LAN devices in office, however, there is no internet .
 
I would like access internet thru office LAN network via the ipsec tunnel, is that possible ?
 
Thanks
Labels:
3139
0 Kudos
2 Solutions
seshuganesh
Staff
Staff
In response to Jimmy_Intertouch

Created on ‎05-13-2022 02:33 AM

Hi Team,

 

In that case you need to point your default route towards interface which is connected to juniper firewall.

So the traffic will be forwarded towards juniper firewall and that firewall can provide access.
Does juniper firewall connected to LAN interface of FG firewall?

 

View solution in original post

3114
sw2090
Honored Contributor

Created on ‎05-13-2022 04:13 AM

on vpn client the vpn sets your defaul route if you have no split tunneling on the vpn.

on Fgt it is the first one on your screnshot.

if you set that to the Juniper fw as gateway ip all internet trafic cominig fro your FGT will go to the Juniper. That'd probably be the easiest way but I am not sure if you really want that.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

3105
9 REPLIES 9
sw2090
Honored Contributor

Created on ‎05-13-2022 12:43 AM

Yes it is possible. You already achieved one part I gues as you have established the vpn and you now have no internet. That tells me you do not use split tunneling so your client's default route was rewritten and the traffic goes thru office lan already. 

You now have to have a policy at the remote end FGT that allows you to access the internet coming from your vpn.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

3102
aionescu
Staff
Staff

Created on ‎05-13-2022 01:19 AM

Hi Jimmy_Intertouch,

 

If I understood correctly, the topology would be the following:

PC---Tunnel(L2TP)---FortiGate40F----Tunnel----HQ---Internet.

Now, you are able to successfully connect to the 40F and access resources from the HQ but there is no Internet access. If my understanding is correct, on the HQ firewall, assuming is also a FortiGate, you would need to create a firewall policy that has as source interface the IPsec tunnel interface with 40F and destination interface the Internet facing one.  You have to enable NAT on this policy.

3096
seshuganesh
Staff
Staff

Created on ‎05-13-2022 01:46 AM

Hi Team,

 

 

Please look into the screenshot:

seshuganesh_0-1652431450538.png

Under local interface can you select both wan and lan interfaces and local address to "all" object

Then create firewall policy for IPSEC VPN to LAN and IPSEC VPN to WAN (NAT should be enabled in this policy)

Then test the traffic

Please check and keep us posted

3094
Jimmy_Intertouch
New Contributor II
In response to seshuganesh

Created on ‎05-13-2022 02:30 AM

hi Thanks all

 

This one got the interent working ,Amazing! , but from tracert i can see my pc is getting the internet from the FG40F's WAN

 

Ideally, I want the all routes to go via FG40F's LAN interface, which connects to Juniper firewall in the office I have no control of , i guess I would need to configure that Juniper to achieve this  ?

 

Thanks again

3085
0 Kudos
seshuganesh
Staff
Staff
In response to Jimmy_Intertouch

Created on ‎05-13-2022 02:33 AM

Hi Team,

 

In that case you need to point your default route towards interface which is connected to juniper firewall.

So the traffic will be forwarded towards juniper firewall and that firewall can provide access.
Does juniper firewall connected to LAN interface of FG firewall?

 

3115
Jimmy_Intertouch
New Contributor II
In response to seshuganesh

Created on ‎05-13-2022 03:33 AM

hi,

 

"point your default route towards interface which is connected to juniper firewall."

 

Sorry , default route , where do I set it up , here or in policy ? Thank you : )11111111111.png

 

Yes , FG LAN connects to office network that connects to Juniper FW LAN

 

Thanks

3078
0 Kudos
sw2090
Honored Contributor

Created on ‎05-13-2022 04:13 AM

on vpn client the vpn sets your defaul route if you have no split tunneling on the vpn.

on Fgt it is the first one on your screnshot.

if you set that to the Juniper fw as gateway ip all internet trafic cominig fro your FGT will go to the Juniper. That'd probably be the easiest way but I am not sure if you really want that.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

3106
Jimmy_Intertouch
New Contributor II
In response to sw2090

Created on ‎05-13-2022 04:26 AM

Thanks , I will try fiddle with it : )

3072
0 Kudos
Jimmy_Intertouch
New Contributor II

Created on ‎05-13-2022 08:47 AM

hi All, thanks all for making this work

 

It's all working now after adding the static route for the LAN interface with higher priority than WAN route.

 

It feels wonderful !  :D

3050
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.