IPSEC Site-to-Site force vlan for Internet
I have a site-to-site link between two offices and I need to force one VLAN from site A to use site B as its gateway for Internet access. Currently the site-to-site link allows devices from either network (including other VLANs) to communicate with each other, but they use their home firewall for Internet access. I need this one site A VLAN to go out site B's firewall for Internet access.
Labels: FortiGate, FortiGate v5.2, IPsec, VLAN
Hello,
I think that a policy route may work in your scenario:
Hello,
A similar scenario is described in the KB below:
It looks like they are using a newer firmware than my FW has. I see they are adding a second Phase 2 selector. How can I do that in v. 5.2?
Hello,
In case it is not available in the GUI, you can try to add it in the CLI:
config vpn ipsec phase2-interface
    edit <name>
What would be the other commands to complete those steps? I apologize for the additional questions.
Hi @dholton912,
You can refer to the CLI reference for 5.2 for more information: https://docs.fortinet.com/document/fortigate/5.2.0/cli-reference
I apologize for the multiple questions, but I have added the additional selectors on both sides. I have the policies in place. I put the 0.0.0.0 static route in, but I still cannot browse the Internet from this VLAN. I'm just really lost as to my issue. I don't need my entire network passing through for remote browsing, just this one VLAN.
I also noticed that in the default route section they are adding a 0.0.0.0 route. Will my situation be different, since I only want one VLAN to pass through the VPN for Internet access? For example, the main subnet would be 192.168.1.0/24 and the VLAN subnet would be 192.168.10.0/24. I would only want the 192.168.10.0/24 network to pass through for Internet access; the main subnet would use the Internet locally. Thanks!
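The following is an added FortiOS 5.2-style CLI configuration for the scenario above (only 192.168.10.0/24 at site A uses site B's Internet); it is an example written for this thread, not taken from any post or from the KB. The interface names vlan10, to-siteB, to-siteA and wan1, the phase 1 names and the address object name are assumptions, and it assumes site A already has an accept policy from vlan10 to its tunnel interface.

```fortios
# --- Site A: permit VLAN10 to anywhere through the tunnel (assumed tunnel interface "to-siteB")
config vpn ipsec phase2-interface
    edit "vlan10-to-inet"
        set phase1name "to-siteB"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# Policy route instead of a 0.0.0.0/0 static route: it only matches traffic entering on vlan10, so 192.168.1.0/24 keeps its local default route
config router policy
    edit 1
        set input-device "vlan10"
        set src 192.168.10.0/255.255.255.0
        set output-device "to-siteB"
    next
end
# --- Site B: mirror selector, route back to the VLAN, and NAT it out (assumed "to-siteA", "wan1")
config vpn ipsec phase2-interface
    edit "inet-to-vlan10"
        set phase1name "to-siteA"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end
config firewall address
    edit "siteA-vlan10"
        set subnet 192.168.10.0 255.255.255.0
    next
end
# Return path into the tunnel (skip if the existing site-to-site routes already cover 192.168.10.0/24)
config router static
    edit 0
        set dst 192.168.10.0 255.255.255.0
        set device "to-siteA"
    next
end
# Without this policy the VLAN's packets reach site B but are never forwarded or source-NATed to the Internet
config firewall policy
    edit 0
        set srcintf "to-siteA"
        set dstintf "wan1"
        set srcaddr "siteA-vlan10"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

If VLAN10 must still reach 192.168.1.0/24 at site A, add a lower-numbered policy route for that destination pointing at the internal interface, since the catch-all above would otherwise pull that traffic into the tunnel. On site B, `get router info routing-table all` should show 192.168.10.0/24 via to-siteA before testing from the VLAN.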
Also, the setting of IPs on the tunnel interface is confusing to me. It shows them being set as 2.2.2.2 and 2.2.2.3. Are these just fillers, and where should this IP come from?