Good Day,
I was wondering if anybody can help me, as I am new to FortiGate.
I have two FortiGates, one at HQ and one at a branch:
HQ public ip 41.138.x.x
Local Lan : 192.168.1.0/24
Remote site public ip 86.179.x.x
Local Lan : 192.168.1.0/24
VLAN20 : 192.168.20.0/24
I have set up an IPsec VPN between the two sites with phase 2 selectors of 0.0.0.0/0. Now I need to route all internet traffic from VLAN20 over the VPN tunnel so that it looks like VLAN20 is coming from my HQ's public IP.
Can someone perhaps guide me on how to set up static routes and which policies I should create to route all traffic from VLAN20 over the tunnel? The local LAN on the remote gate does not need to go through the tunnel.
Many thanks in advance.
Hi,
There is only one default route per system/FGT/VDOM. In your case, I assume you will still want to use a local breakout at the remote site, so pointing the default route to the tunnel is no option.
And it doesn't need to be. You need a route which is followed if the source address comes from VLAN20. This is done by a Policy Route. You might have to enable the GUI feature for this.
When VLAN20 traffic reaches the HQ FGT, you have to make VLAN20 known there, otherwise this traffic from an 'unknown' source will be discarded. For the reply traffic you need a route anyway. So create a static route on the HQ FGT pointing VLAN20-destined traffic to the tunnel interface (no gateway).
Remember that if the destination is used to select a route, you use regular routes; if other fields like source address, ports etc. are needed, use Policy Routes.
As easy as this one is, I'd rather not be around when one day you want to connect both regular LANs, with identical address space. Doable, but a nightmare.
1) What routing protocol do you have (static, dynamic)?
2) If static, you can add a default gateway pointing to the VPN interface (I assume you have a route-based IPsec VPN).
3) Make sure firewall policies are in place and you don't do NAT.
Do you have any plan what to do with the traffic when VPN is down?
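The policy-route approach from the accepted answer and the "policies in place, no NAT at the branch" point from the reply above, written out as FortiOS CLI. This is an added example, not configuration posted in the thread; the interface names vlan20, to_HQ, to_Branch and wan1, the policy IDs, and an address object VLAN20_net (192.168.20.0/24) defined on both units are assumptions.

```fortios
# --- Branch FortiGate (route-based IPsec tunnel interface assumed: "to_HQ") ---
# Policy route: only packets sourced from VLAN20 are steered into the tunnel.
# The default route (local breakout for the branch LAN) is left untouched.
# Note: a policy route whose output-device is down is skipped, so with the
# tunnel down VLAN20 falls back to the routing table and breaks out locally;
# verify on your release and add a deny policy if that leak is unacceptable.
config router policy
    edit 1
        set input-device "vlan20"
        set src "192.168.20.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "to_HQ"
    next
end
# VLAN20 -> tunnel, NAT disabled so HQ sees the real 192.168.20.x sources.
config firewall policy
    edit 10
        set name "VLAN20-to-HQ-tunnel"
        set srcintf "vlan20"
        set dstintf "to_HQ"
        set srcaddr "VLAN20_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# --- HQ FortiGate (tunnel interface "to_Branch", Internet port "wan1") ---
# Return route for VLAN20: interface route into the tunnel, no gateway.
config router static
    edit 2
        set dst 192.168.20.0 255.255.255.0
        set device "to_Branch"
    next
end
# Tunnel -> Internet with source NAT, so VLAN20 egresses as HQ's public IP.
config firewall policy
    edit 11
        set name "Branch-VLAN20-to-Internet"
        set srcintf "to_Branch"
        set dstintf "wan1"
        set srcaddr "VLAN20_net"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Because the phase 2 selectors are 0.0.0.0/0, no quick-mode selector change is needed; the policy route alone decides which source enters the tunnel.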
Apologies, my local LAN is 192.168.0.0/24 and not 192.168.1.0/24 on the HQ side; that was a typo.