```
login as: admin

FortiGate-VM64 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] is directly connected, To_FGT1_P1, [3/0]
                  [10/0] via 10.0.0.1, port2, [5/0]
C       10.0.0.0/24 is directly connected, port2
S       172.16.1.0/24 [10/0] is directly connected, To_FGT1_P1
C       172.16.2.0/24 is directly connected, port4
C       192.168.17.0/24 is directly connected, port1
```

---tunnel goes down remotely---

```
FortiGate-VM64 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 10.0.0.1, port2, [5/0]
C       10.0.0.0/24 is directly connected, port2
C       172.16.2.0/24 is directly connected, port4
C       192.168.17.0/24 is directly connected, port1
```
I am dealing with a very similar scenario to the original poster. It seems, from reading this thread, that there is a solution, but I was not able to grasp exactly what that solution was.
My scenario:
FG60D with a low bandwidth Metro-E link to a data center, and a high bandwidth DIA circuit, over which there is a VPN tunnel to the same data center.
At the data center is a FG300D
The branch office (FG60D) has voice and data traffic on separate VLANs and (obviously) subnets. The desire is to have all internet (from the data subnet) and data traffic route over the VPN tunnel, while the voice (which only needs to reach the data center, no internet) continues to route over the Metro-E link.
I am able to get everything working, except for the Internet portion. The need is similar to the original post. Routing Internet traffic through the data center keeps us HIPAA- and PCI-compliant due to our proxy and expanded licensing on the FG300D.
The tricky part is that you need a default route to WAN to set up the VPN in the first place. If the remote FGT's default route points to the tunnel, then traffic for the HQ FGT (via the internet) would be directed into the tunnel, which will result in "flapping".
So, first set up one dedicated static route to the HQ IP address via WAN. Second, set up a default route pointing to the tunnel (interface). As the first route is more specific, it should be in the routing table together with the default route. Tunnel "control" traffic (ESP or UDP/500) will not be routed through the tunnel.
This will only work if the other FGT has a static public IP address.
Hi, I had the same problem.
I solved it this way:
1. On both sides, in VPN > IPsec Tunnels, I had to add a new address mapping in the Phase 2 Selectors:
- on HQ: Local Address: 0.0.0.0/0.0.0.0, Remote Address: address range of the branch office
- on Branch: Local Address: address range of the branch office, Remote Address: 0.0.0.0/0.0.0.0
2. On HQ, add a new IPv4 Policy: as incoming interface select the IPsec tunnel, as outgoing interface select your WAN port, source address: the address pool for the branch office, destination: all, and turn on NAT and all security profiles and logging options.
3. On the branch FortiGate, in Network > Static Routes:
- add a static route for the WAN IP address of the HQ FortiGate (VPN) through your WAN IP
- add a static route to 0.0.0.0/0 through your VPN tunnel with priority 0 (default)
- in the first (original) static route to 0.0.0.0/0, in Advanced Options, change the priority to 1 or a higher number
So when I tried a tracert to an internet address on a branch PC, I saw that the traffic flowed through the HQ addresses.
Tony
It took almost a day to solve it :)
No one will tell you these easy steps.
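For readers who want the steps from the two replies above as CLI rather than GUI clicks, here is the same configuration expressed in FortiOS CLI. This is an added example, not configuration posted in the thread; the interface names, addresses and object names are assumptions: the tunnel is "to_HQ" on the branch and "to_branch" at HQ (phase1-interface already configured on both sides), the branch LAN is 192.168.10.0/24 behind "internal", the branch WAN is "wan1" with next hop 198.51.100.1, the HQ public IP is 203.0.113.10, and HQ's Internet interface is also "wan1".

```fortios
# ================= Branch FortiGate (FG60D side) =================
# Phase 2 selector: branch LAN <-> anything, so Internet-bound traffic
# matches the tunnel (Tony's step 1, branch side).
config vpn ipsec phase2-interface
    edit "to_HQ_p2"
        set phase1name "to_HQ"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

config router static
    # Host route to the HQ peer via the physical WAN so IKE (UDP/500, UDP/4500)
    # and ESP are never pulled into the tunnel they set up (avoids flapping).
    edit 0
        set dst 203.0.113.10 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
    # Default route out the tunnel interface, priority 0. It is only active
    # while the tunnel is up.
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "to_HQ"
        set priority 0
    next
    # Original default route via WAN, demoted to priority 5. Same distance (10),
    # so both entries stay in the routing table; the lower priority value wins,
    # so this one only carries traffic when the tunnel route disappears.
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan1"
        set priority 5
    next
end

config firewall address
    edit "branch_lan"
        set subnet 192.168.10.0 255.255.255.0
    next
end
# LAN -> tunnel, no NAT here: HQ performs the NAT on egress.
config firewall policy
    edit 0
        set name "lan-to-HQ-tunnel"
        set srcintf "internal"
        set dstintf "to_HQ"
        set srcaddr "branch_lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ================= HQ FortiGate (FG300D side) =================
# Mirror selector: anything <-> branch LAN (Tony's step 1, HQ side).
config vpn ipsec phase2-interface
    edit "to_branch_p2"
        set phase1name "to_branch"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
config firewall address
    edit "branch_lan"
        set subnet 192.168.10.0 255.255.255.0
    next
end
# Return route for the branch LAN through the tunnel interface.
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "to_branch"
    next
end
# Tunnel -> WAN with NAT, so branch hosts egress from HQ's public IP and
# pass HQ's proxy/security profiles and logging (Tony's step 2).
config firewall policy
    edit 0
        set name "branch-tunnel-to-internet"
        set srcintf "to_branch"
        set dstintf "wan1"
        set srcaddr "branch_lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
        # Attach the security profiles the HQ license provides, for example:
        # set utm-status enable
        # set av-profile "default"
        # set webfilter-profile "default"
    next
end
```

After applying this, `get router info routing-table all` on the branch should show two S* default routes, the tunnel one with priority 0 and the WAN one with priority 5, exactly the shape of the first routing-table dump at the top of this thread; when the tunnel drops, only the WAN default remains, as in the second dump, and Internet traffic falls back to the DIA circuit instead of being blackholed.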
That is exactly what I wrote in December 2015... hope the OP has picked it up in the meantime.
Copyright 2024 Fortinet, Inc. All Rights Reserved.