My Setup:
I have an IPSec tunnel set up with the right side (Strongswan) sharing the internet 0.0.0.0/0.0.0.0 and the left side (Fortigate) sharing a specific subnet.
What I want to do:
I want to route a specific set of domains from the subnet over this tunnel and out to the internet. How exactly do I do this?
What I have tried:
I have the tunnel up and am allowing all traffic from the tunnel to the subnet and from the subnet to the tunnel.
Created an address group with static routing selected. The route is set up with the destination being my address group, the interface being the tunnel interface, and distance 10. There is also a blackhole route for the tunnel interface with distance 250.
Trying this out, it didn't work. As a test I redid this for Amazon and tried accessing it from incognito to see if I get redirected to the correct region, and that doesn't work either.
Am I missing something? What can I do to diagnose this?
What do you see in the routing table?
get router info routing-table all
Created on 10-02-2024 05:15 PM Edited on 10-02-2024 05:17 PM
This is what I see, IPs are sanitized
S* 0.0.0.0/0 [2/0] via XXX.XXX.XXX.XXX, wan1, [1/0]
S XXX.XXX.XXX.XXX/32 [10/0] via PHN Tun tunnel XXX.XXX.XXX.XXX, [1/0]
S XXX.XXX.XXX.XXX/32 [10/0] via PHN Tun tunnel XXX.XXX.XXX.XXX, [1/0]
S XXX.XXX.XXX.XXX/32 [10/0] via PHN Tun tunnel XXX.XXX.XXX.XXX, [1/0]
C 10.18.4.0/24 is directly connected, Management
C 10.17.6.0/24 is directly connected, Server
C 10.48.0.0/24 is directly connected, PHN
C 10.99.99.0/24 is directly connected, Guest
C 162.156.184.0/22 is directly connected, wan1
C 169.254.1.1/32 is directly connected, RA-VPN
C 192.168.10.0/24 is directly connected, IOT
C 192.168.112.0/24 is directly connected, internal
PHN is the subnet and PHN Tun is the site to site
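A check that follows from the routing table above, added here as example code that is not from the thread: it parses the `get router info routing-table all` format shown and does a longest-prefix lookup for a destination, so you can see whether the address a client actually connects to (which for a CDN-hosted domain can differ from what the FortiGate resolved for the FQDN object) hits a tunnel /32 or falls through to the wan1 default. The sample addresses and the "PHN Tun" name are constructed to mirror the sanitized output.

```python
import ipaddress
import re

# Constructed sample in the format of `get router info routing-table all`;
# the addresses are made up, since the post's own output is sanitized.
SAMPLE_TABLE = """\
S* 0.0.0.0/0 [2/0] via 162.156.184.1, wan1, [1/0]
S 203.0.113.10/32 [10/0] via PHN Tun tunnel 198.51.100.7, [1/0]
S 203.0.113.11/32 [10/0] via PHN Tun tunnel 198.51.100.7, [1/0]
C 10.48.0.0/24 is directly connected, PHN
C 162.156.184.0/22 is directly connected, wan1
"""

# "S prefix [dist/metric] via <gateway, iface | IFACE tunnel gateway>, [..]"
_STATIC = re.compile(r"^S\*?\s+(\S+)\s+\[(\d+)/\d+\]\s+via\s+(.*?),?\s+\[\d+/\d+\]$")
# "C prefix is directly connected, IFACE"
_CONNECTED = re.compile(r"^C\s+(\S+)\s+is directly connected,\s+(\S+)$")

def parse_routing_table(text):
    """Return (network, administrative distance, egress interface) tuples."""
    routes = []
    for line in text.splitlines():
        m = _CONNECTED.match(line.strip())
        if m:
            routes.append((ipaddress.ip_network(m.group(1)), 0, m.group(2)))
            continue
        m = _STATIC.match(line.strip())
        if m:
            via = m.group(3).strip()
            if " tunnel " in via:           # IPsec interface: "PHN Tun tunnel <gw>"
                egress = via.split(" tunnel ")[0]
            else:                           # gateway route: "<gw>, wan1"
                egress = via.rsplit(",", 1)[-1].strip()
            routes.append((ipaddress.ip_network(m.group(1)), int(m.group(2)), egress))
    return routes

def egress_for(routes, dst):
    """Longest-prefix match; ties go to the lowest administrative distance."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r[0]]
    if not matches:
        return None
    _net, _dist, egress = max(matches, key=lambda r: (r[0].prefixlen, -r[1]))
    return egress

if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_TABLE)
    print(egress_for(table, "203.0.113.10"))  # IP the FortiGate resolved -> PHN Tun
    print(egress_for(table, "203.0.113.99"))  # IP the client resolved instead -> wan1
```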
Hi, are you speaking about site to site or remote access? If you are speaking about remote access and you want the specific subnet to go over the tunnel, then you can follow the article below:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Enable-split-tunnel-For-IPsec-VPN/ta-p/192...
and site to site by default works in a way that it will allow a specific domain unless all is specified in phase 2.
This is for site to site, not sure how the domain bit works for this. For my local address in phase 2 it's the address of the subnet, and for remote it is 0.0.0.0/0.0.0.0 since the other side is sharing the internet and the local address on that side is 0.0.0.0/0.0.0.0.
Please run the below commands, then redo the test:
diag debug flow filter addr x.x.x.x
diag debug console timestamp enable
diag debug flow show iprope enable
diag debug flow show function-name enable
diag debug flow trace start 100
diag debug enable
Copyright 2024 Fortinet, Inc. All Rights Reserved.