Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
musasaleh
New Contributor

Google service over FortiGate site to site

 

Greetings Community,

As the administrator of a FortiGate in CN, I've encountered challenges with blocked services such as gmail and drive for gov censorship. I'm exploring the possibility of rerouting this traffic through a site-to-site VPN tunnel. Currently the existing site-to-site VPNs across branches in other countries are functioning seamlessly for internal addresses, is it doable to reroute the public service through ipsec tunnel ? if yes where should i look ?

7 REPLIES 7
AEK
SuperUser
SuperUser

Hello

Never tried it before but it should work by adding a static route (Network > Static Routes), with "Internet Service" as destination, and you IPsec tunnel as interface.

AEK
AEK
mle2802
Staff
Staff

Hi @musasaleh,

You can try to use policy route and use Gmail as Internet service or FQDN as address object

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

Regards,
Minh

musasaleh

hi @mle2802 

Thanks for your reply. I tried to put a policy route to go from CN firewall to a non-cn firewall on another region,  it did not work. The policy route used lan as the incoming interface, i put a specific ip address as source ip for testing. The destination addresses are "drive.google.com" and "www.facebook.com" The protocol is ANY, outgoing interface is vpn tunnel, for gateway address i was a little confused i tried both the CN FortiGate private address and non-cn FortiGate private address. and status enable. do I need to add any firewall policy?

smaruvala

Hi,

 

- First of all can you check if the drive.google.com resolves to an IP address in CN. My understanding is that the DNS queries will not get the answer. If we are getting the correct IP address then we can try to forward the traffic through the VPN. However it needs to have the correct route as mentioned before in the thread and security policy to allow the communication over the tunnel.

 

Regards,

Shiva

musasaleh

hi @smaruvala thanks for your reply yes it resolved the IP but keep in mind that google or Facebook IP is not static, it will change frequently.  when you try to ping from pc it shows the ip it just can not ping. 

smaruvala

Hi, 

- If the DNS resolution is correct then you need the correct route, Policy in the firewall to allow the communication. You will also have to make sure you don't have specific traffic selectors as well. 

- If you have the correct configuration then you can check in the traffic logs if you are seeing any records for the communication over the VPN. You can also rely on the packet sniffer and debugs as well to confirm if the traffic is going out.

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

Regards,

Shiva

hbac

Hi @musasaleh,

 

- First of all, what do you have in the phase2 selectors?  "drive.google.com" and "www.facebook.com" resolved IP addresses must be included in the phase2 selectors. 

- Yes, you need firewall policies on both firewalls to allow the traffic. 

- You need to run debug flow to see if the traffic is flowing through the tunnel or not. https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...

 

Regards, 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors