I have a pair of Fortigate 60Fs, one is in the USA and one is in the UK. I have a Site to Site VPN currently set up, but it is a Split Tunnel, so all of the web traffic goes through the respective ISPs.
What I want to do is force all of the UK web traffic to go through the VPN to the US but allow all other traffic to go through the UK ISP so I don't have the added latency.
Is there a way to dictate via policy that the traffic of a specific domain/website goes over the VPN, or even all HTTP/HTTPS traffic goes over the VPN while everything else is left alone?
I believe your requirement is to send only HTTP and HTTPS traffic over the IPsec tunnel.
Under phase2 selectors, you can use Remote Port and Protocol options. Maybe this will help with your requirement.
It still wouldn't solve the routing issue that there need to be two default routes, one to the tunnel and the other to the WAN interface. You need either policy routes or an SD-WAN setup.
Toshi
I'm being told by TAC that the Phase 2 Selectors have to be changed to show 0.0.0.0 rather than the defined subnet... so that everything goes through the tunnel and not just traffic that matches the remote subnet destinations. Then some policy-based entries. Not sure if it'll work, but I'm going to give it a try.
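The combination described in the two replies above (widened Phase 2 selector plus policy routes), as an added FortiOS CLI example that is not from the thread or from Fortinet. Interface names, the 192.168.10.0/24 LAN, the tunnel name "vpn-to-us" and the default static distance of 10 are constructed assumptions; the US side is assumed to mirror the selector with src-subnet 0.0.0.0 0.0.0.0 and to have a tunnel-to-WAN policy with NAT enabled.

```fortios
# UK FortiGate; constructed names: LAN "internal" 192.168.10.0/24, tunnel "vpn-to-us".
# Phase 2 selector widened to any destination (US side mirrors it with src-subnet 0.0.0.0 0.0.0.0).
config vpn ipsec phase2-interface
    edit "vpn-to-us-p2"
        set phase1name "vpn-to-us"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# Second default route via the tunnel: same distance as the WAN default, higher priority value, so it is in the routing table but not preferred.
config router static
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "vpn-to-us"
        set distance 10
        set priority 10
    next
end
# Policy routes: only TCP 80/443 from the LAN are sent into the tunnel; everything else follows the WAN default route.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.10.0 255.255.255.0"
        set protocol 6
        set start-port 80
        set end-port 80
        set output-device "vpn-to-us"
    next
    edit 2
        set input-device "internal"
        set src "192.168.10.0 255.255.255.0"
        set protocol 6
        set start-port 443
        set end-port 443
        set output-device "vpn-to-us"
    next
end
# Firewall policy permitting that traffic into the tunnel; no NAT on this side.
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "vpn-to-us"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat disable
    next
end
```

Verify with `diagnose firewall proute list` and `get router info routing-table all` that the policy routes exist and the tunnel default route is present alongside the WAN one; the policy route is skipped if no route via the tunnel interface is in the routing table.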
Copyright 2024 Fortinet, Inc. All Rights Reserved.