Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Cornelis
New Contributor

IPSEC VPN Routing

Good Day

I was wondering if anybody can help me, as I am new to FortiGate.

I have two FortiGates, one at HQ and one at the branch.

HQ public IP: 41.138.x.x
Local LAN: 192.168.1.0/24

Remote site public IP: 86.179.x.x
Local LAN: 192.168.1.0/24
VLAN20: 192.168.20.0/24

I have set up an IPsec VPN between the two sites with phase 2 selectors of 0.0.0.0/0. Now I need to route all internet traffic from VLAN20 over the VPN tunnel so that it looks like VLAN20 is coming from my HQ's public IP.

Can someone perhaps guide me on how to set up static routes and which policies I should create to route all traffic from VLAN20 over the tunnel? The local LAN on the remote gate does not need to go through the tunnel.

Many thanks in advance

1 Solution
ede_pfau
Esteemed Contributor III

Hi,

There is only 1 default route per system/FGT/VDOM. In your case, I assume you will still want to use a local breakout at the remote site, so pointing the default route to the tunnel is no option.

And it doesn't need to be. You need a route which is followed if the source address comes from VLAN20. This is done by a Policy Route. You might have to enable the GUI feature for this.

When VLAN20 traffic reaches the HQ FGT, you have to make VLAN20 known there, otherwise this traffic from an 'unknown' source will be discarded. For the reply traffic you need a route anyway. So create a static route on the HQ FGT pointing VLAN20-destined traffic to the tunnel interface (no gateway).

Remember that if the destination is used to select a route, you use regular routes; if other fields like source address, ports etc. are needed, use Policy Routes.

As easy as this one is, I'd rather not be around when one day you want to connect both regular LANs, with identical address space. Doable, but a nightmare.

Ede

"Kernel panic: Aiee, killing interrupt handler!"

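A FortiOS CLI sketch of what this answer describes, on both FortiGates: a policy route on the branch that sends only VLAN20 into the tunnel while the branch LAN keeps its local breakout, a static route at HQ that makes VLAN20 known there, and the firewall policies around them (no NAT into the tunnel, source NAT at HQ so VLAN20 leaves with the HQ public IP). This is an example added to the thread, not configuration from the poster, the answerer or Fortinet. The interface names (vlan20, wan1, to_hq, to_branch) and the address object name are assumptions; the subnets are the ones given in the thread, with the HQ LAN taken as 192.168.0.0/24 per the poster's correction.

```fortios
# ===== Branch FortiGate (86.179.x.x) =====
# Assumed interface names: "vlan20" (192.168.20.0/24), "wan1" (ISP, local
# breakout for the 192.168.1.0/24 LAN) and "to_hq" (route-based IPsec tunnel).

config firewall address
    edit "VLAN20_NET"
        set subnet 192.168.20.0 255.255.255.0
    next
end

# Source-based forwarding: VLAN20 -> tunnel. Everything else keeps using the
# regular (destination-based) routing table, i.e. the default route via wan1.
config router policy
    # VLAN20 -> branch LAN stays local: stop policy routing for this pair so the
    # packet falls through to the regular routing table.
    edit 1
        set input-device "vlan20"
        set src "192.168.20.0/255.255.255.0"
        set dst "192.168.1.0/255.255.255.0"
        set action deny
    next
    # All other VLAN20 traffic goes into the tunnel (no gateway is needed on a
    # point-to-point IPsec interface).
    edit 2
        set input-device "vlan20"
        set src "192.168.20.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "to_hq"
    next
end

# Secondary default route through the tunnel. "priority 20" makes it less
# preferred than the ISP default route (lower value wins), so the branch LAN
# keeps its local breakout while the tunnel interface still holds an active
# route to any destination. It drops out of the table when the tunnel is down.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "to_hq"
        set priority 20
    next
end

# Firewall policy: allow VLAN20 into the tunnel. NAT stays disabled so packets
# arrive at HQ with their real 192.168.20.x source address.
config firewall policy
    edit 0
        set name "vlan20-to-hq"
        set srcintf "vlan20"
        set dstintf "to_hq"
        set srcaddr "VLAN20_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# ===== HQ FortiGate (41.138.x.x) =====
# Assumed interface names: "to_branch" (tunnel to the branch) and "wan1".
# HQ LAN is 192.168.0.0/24 (poster's correction), so it does not overlap VLAN20.

config firewall address
    edit "VLAN20_NET"
        set subnet 192.168.20.0 255.255.255.0
    next
end

# Makes VLAN20 "known" at HQ: satisfies the reverse-path check on packets
# arriving from the tunnel and carries the reply traffic back into it.
config router static
    edit 0
        set dst 192.168.20.0 255.255.255.0
        set device "to_branch"
    next
end

# Firewall policy: tunnel -> Internet with source NAT, so VLAN20 leaves HQ with
# the HQ public IP. Attach the same security profiles you use for HQ's own LAN.
config firewall policy
    edit 0
        set name "branch-vlan20-to-internet"
        set srcintf "to_branch"
        set dstintf "wan1"
        set srcaddr "VLAN20_NET"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two things to check after applying this: FortiOS only applies a policy route when the output interface has a route to the destination in the routing table, which is what the lower-preference default route via to_hq provides without changing where the branch LAN's traffic goes; and the `action deny` entry must sit above the catch-all entry, since policy routes are evaluated in sequence order. On the branch, `diagnose firewall proute list` shows the policy routes as installed and `get router info routing-table all` shows both default routes with their priorities; on HQ, a `diagnose sniffer packet to_branch` while a VLAN20 host browses confirms the packets arrive un-NATed from 192.168.20.x.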
3 REPLIES
hubertzw
Contributor III

1) What routing protocol do you have (static, dynamic)?

2) If static, you can add a default gateway pointing to the VPN interface (I assume you have a route-based IPsec VPN).

3) Make sure firewall policies are in place and you don't do NAT.

Do you have any plan for what to do with the traffic when the VPN is down?

Cornelis

Apologies, my local LAN is 192.168.0.0/24 and not 192.168.1.0/24 on the HQ side; that was a typo.
