Support Forum
za99
New Contributor

Firewall Policy Problem: VIP & IPSec

Hi!

I am new to the forum and I hope someone can help me.

I have two Fortigates connected via IPSec.

On site A, I have a server with internal IP 192.168.1.254 and external IP 8.8.8.254 on wan1.

I created a VIP:

config firewall vip
    edit "myVIP"
        set extip 8.8.8.254
        set extintf "wan1"
        set mappedip "192.168.1.254"
    next
end

I created a policy that allows port 443 from the Internet. Works fine.

My problem is: I want VPN site B to be able to connect to RDP (TCP 3389) over the public IP 8.8.8.254 using the IPSec tunnel instead of using 192.168.1.254.

All I can see in the debug output is: msg="pre_route_auth check fail(id=0), drop"

What's wrong?

Can someone help me?

Greetings,

za

ede_pfau
SuperUser

hi,

8.8.8.254 is simply not behind the VPN tunnel - see phase 2, Quick Mode selectors. Even if you work with wildcards, the routing will point to the 'wan' interface instead of the tunnel IF.

You cannot just create a static route pointing 8.8.8.254 to the tunnel IF - now the tunnel won't find its remote gateway anymore.

The flaw is in the design. Rethink your intentions.

Just my .02$

Ede Kernel panic: Aiee, killing interrupt handler!
za99
New Contributor

Thank you for the quick reply!

OK, I understand what you mean.

The background is that it would be comfortable for the remote users to use server.mycompany.com as the target for RDP, because they should not have to bother with which private IP they have to use.

I don't want to open RDP over the Internet, so I could solve it with DNS on site B: server.mycompany.com --> 192.168.1.254.

Thanks!

MikePruett
Valued Contributor

DNS is best; it will keep things seamless for users and will be better than how you were originally going about it.

Mike Pruett Fortinet GURU | Fortinet Training Videos
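The split-DNS approach agreed on above, written out as an added FortiOS CLI example (not posted by anyone in the thread): a shadow zone on the site B FortiGate answers server.mycompany.com with the private address for LAN clients only, so public resolvers still return 8.8.8.254 and RDP never has to be published on the VIP. The interface name "internal" is an assumption, and the keyword "primary" is "master" on FortiOS releases before 7.0.

```fortios
# Shadow zone: only clients querying through the FortiGate see this answer.
config system dns-database
    edit "mycompany.com"
        set status enable
        set domain "mycompany.com"
        set type primary
        set view shadow
        # disabled so other names under mycompany.com that are not listed
        # here are still forwarded to the upstream resolvers
        set authoritative disable
        config dns-entry
            edit 1
                set type A
                set hostname "server"
                set ip 192.168.1.254
            next
        end
    next
end

# Serve DNS on the site B LAN interface (assumed name "internal"); hand the
# FortiGate out as DNS server via DHCP so clients hit the shadow zone first
# and recurse for everything else.
config system dns-server
    edit "internal"
        set mode recursive
    next
end
```

The phase 2 selectors and the site B LAN-to-tunnel policy still have to permit TCP 3389 to 192.168.1.254; restrict that policy to the RDP port and the server address rather than opening the whole subnet.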