Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dholton912
New Contributor

IPSEC Site-to-Site force vlan for Internet

I have a site-to-site link between two offices and I need to force one VLAN from site A to use site B as it's gateway for internet access. Currently the site-to-site link allows for devices from either network (including other VLANs) to communicate with each other, but they use their home firewall for internet access. I need this one site A VLAN to go out site B's firewall for internet access. 

1 Solution
abarushka
9 REPLIES 9
abarushka
Staff
Staff

Hello,

 

Similar scenario is described in the KB below:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p...

 

FortiGate
dholton912

It looks like they are using a newer firmware than my FW has. I see they are adding a second Phase 2 selector. How can I do that in v. 5.2?

abarushka

Hello,

 

In case it is not available in GUI you can try to add it in CLI:

 

config vpn ipsec phase2-interface
edit <name>

FortiGate
dholton912

What would be the other commands to complete those steps? I apologize for the additional questions. 

mle2802

Hi @dholton912,
You can refer to this CLI reference of 5.2 for more information https://docs.fortinet.com/document/fortigate/5.2.0/cli-reference

dholton912

I apologize for the multiple questions, but I have the additional selectors in on both sides. I have the policies in place. I put the 0.0.0.0 static route in but I still cannot browse on this VLAN to the internet. I'm just really lost as to my issue. I don't need my entire network passing for remote browsing, just this one VLAN.

dholton912

I also noticed in the default route section they are making a 0.0.0.0. Will my situation be different since I only want one VLAN to pass through the VPN for internet access. For example, the main subnet would be 192.168.1.0/24 and the VLAN subnet would be 192.168.10.0/24. I would only want the 192.168.10.0/24 network to pass through for internet access, the main subnet would use internet locally. Thanks!

abarushka

Hello,

 

I think that policy route may work in your scenario:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-policy-routes-for-route-based-in...

 

FortiGate
dholton912
New Contributor

Also the setting of IPs in the tunnel interface is confusing to me. It shows them being set as 2.2.2.2 and 2.2.2.3. Are these just fillers, where should this IP come from?

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors