Internet over IPsec tunnel - FGT to MTK
I currently have the following configuration in the lab: Site A with an FGT and Site B with an MKT. I am able to bring up the IPsec tunnel between both sides and ping each other's subnets, but I also want to route Site A's internet traffic through Site B. I looked for a solution but could not make it work. I saw that it is possible with a GRE tunnel, but I don't want to use one. Is this possible with configuration alone, or not?
I assume you are using a route-based VPN; if so, you can configure the default route on the FGT with the tunnel interface as the next hop to route Site A's traffic to Site B.
You also need to add a specific /32 route for the VPN gateway so the tunnel can come up first.
Suraj
Hi @sidunderwoo,
Please refer to this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p...
Regards,
Thank you hbac, but I have MTK on the other side.
Here is my configuration:
FTG IP:192.168.50.20
MTK IP:192.168.50.7
FTG subnet: 172.10.12.0/24
MTK subnet: 10.12.10.0/24
# FortiGate (Site A) configuration as pasted; the `#` lines are review comments only.
# Interfaces: port1 = WAN (192.168.50.20/24, same subnet as the MikroTik peer 192.168.50.7),
# port2 = LAN (172.10.12.0/24).
config system interface
edit "port1"
set vdom "root"
set ip 192.168.50.20 255.255.255.0
# NOTE(review): cleartext http admin access (alongside https/ssh/fgfm) is enabled on the
# interface with role wan; drop http and restrict the remaining services to trusted hosts
# before this leaves the lab.
set allowaccess ping https ssh http fgfm
set type physical
set alias "WAN"
set lldp-reception enable
set role wan
set snmp-index 1
next
edit "port2"
set vdom "root"
set ip 172.10.12.1 255.255.255.0
set allowaccess ping
set type physical
set alias "LAN"
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 2
# Phase 1: IKEv2 (matches exchange-mode=ike2 on the MikroTik peer), pre-shared key,
# NAT-T disabled on both ends, DH group 5 (1536-bit MODP = modp1536 in the MikroTik profile).
config vpn ipsec phase1-interface
edit "FT-to-MT"
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
# NOTE(review): single DES is a weak, long-deprecated cipher. Both ends should move to an
# AES proposal (e.g. aes256-sha256 here, with the matching enc-algorithm on the MikroTik
# profile and proposal).
set proposal des-sha256
set dpd on-idle
set dhgrp 5
set nattraversal disable
set remote-gw 192.168.50.7
# NOTE(review): the ENC value is the device-encoded pre-shared key and should not be pasted
# into a post; rotate the PSK on both peers now that it has been published.
set psksecret ENC DKywti70WHMpV6H+T2KRhQjred4c1WaGyfnYITGTReZG8jOUyxS874Qs1I+VjndeRYOVcRoKEM8KOC3IwSIoq3DnDuWPzAGzEDIV9s90Mn+uKO23oRTJeDVY8EzIbn03szjn62WJi4UktJ52VZf5xVM0KExsFGFqXRL6E/5TmqlkWLcqcWRz8sBSn2PAkY/mErf+5A==
next
end
# Empty policy-based phase2 block and a stray `show` command carried over from the paste; harmless.
config vpn ipsec phase2
end
show vpn ipsec phase2-interface
# Phase 2 selectors. The first entry carries LAN-to-LAN traffic (172.10.12.0/24 <-> 10.12.10.0/24).
config vpn ipsec phase2-interface
edit "FT-to-MT"
set phase1name "FT-to-MT"
set proposal des-sha256
set dhgrp 5
set auto-negotiate enable
set src-subnet 172.10.12.0 255.255.255.0
set dst-subnet 10.12.10.0 255.255.255.0
next
# Second selector is meant for Internet-bound traffic: no dst-subnet is set, so it falls back to
# the default (expected to be 0.0.0.0/0 — confirm with `show full-configuration`). The MikroTik side
# presumably needs the mirror policy (remote 172.10.12.0/24 <-> local 0.0.0.0/0); the paste shows no
# IPsec policies at all, only firewall rules, proposal, peer and profile.
edit "local to mtk internet"
set phase1name "FT-to-MT"
set proposal des-sha256
set dhgrp 5
set auto-negotiate enable
set src-subnet 172.10.12.0 255.255.255.0
next
end
# Static routes: only a default via port1 (priority 2) and the remote LAN via the tunnel.
# NOTE(review): there is no default route via "FT-to-MT", so 8.8.4.4 is still routed to
# gw 192.168.50.1 through port1 and SNATed — exactly what the flow trace below shows. To send
# Internet traffic through the tunnel, add a default route with device "FT-to-MT" that is
# preferred over route 1 (FortiOS prefers the lower priority value). A /32 host route for
# 192.168.50.7 is not needed here because the peer sits on port1's directly connected subnet.
config router static
edit 1
set gateway 192.168.50.1
set priority 2
set device "port1"
next
edit 2
set dst 10.12.10.0 255.255.255.0
set device "FT-to-MT"
next
end
# Policies: 1 = LAN to Internet via port1 with SNAT; 2 = LAN to tunnel (dstaddr "all", no NAT, so
# it also matches Internet-bound traffic once the route points at the tunnel); 3 = tunnel to LAN.
config firewall policy
edit 1
set name "LAN_TO_WAN"
set uuid 8d682fee-2882-51ef-b51c-15f264a9910c
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set name "to-MKT-local"
set uuid fc01d658-2968-51ef-995f-e28b494ac9f7
set srcintf "port2"
set dstintf "FT-to-MT"
set action accept
set srcaddr "port2 address"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
edit 3
set name "from-MKT-local"
set uuid 0dab34bc-2969-51ef-d035-8fc73c70a320
set srcintf "FT-to-MT"
set dstintf "port2"
set action accept
set srcaddr "MT-subnet"
set dstaddr "port2 address"
set schedule "always"
set service "ALL"
next
end
MIKROTIK
Firewall rule:
chain=srcnat action=accept src-address=10.12.10.0/24 dst-address=172.10.12.0/24 log=yes log-prefix=""
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix="" ipsec-policy=out,none
Proposal
name="fgt-proposal1" auth-algorithms=sha256 enc-algorithms=des lifetime=30m pfs-group=modp1536
Peer
name="fgt-peer1" address=192.168.50.20/32 profile=fgt-profile1 exchange-mode=ike2 send-initial-contact=yes
Profile
name="fgt-profile1" hash-algorithm=sha256 enc-algorithm=des dh-group=modp1536 lifetime=1d proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5
Some debug output as well:
diag sniffer packet any 'host 8.8.4.4' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.4.4]
7.749705 port2 in 172.10.12.110 -> 8.8.4.4: icmp: echo request
7.749762 port1 out 192.168.50.20 -> 8.8.4.4: icmp: echo request
7.751212 port1 in 8.8.4.4 -> 192.168.50.20: icmp: echo reply
7.751257 port2 out 8.8.4.4 -> 172.10.12.110: icmp: echo reply
diagnose debug reset
diagnose debug flow filter saddr 172.10.12.110
diagnose debug flow filter daddr 8.8.4.4
diagnose debug flow filter proto 1
diagnose debug console timestamp enable
diagnose debug flow trace start 10
diagnose debug enable
2024-06-13 23:27:54 id=65308 trace_id=134 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 172.10.12.110:1->8.8.4.4:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=152."
2024-06-13 23:27:54 id=65308 trace_id=134 func=init_ip_session_common line=6080 msg="allocate a new session-0000e8d9, tun_id=0.0.0.0"
2024-06-13 23:27:54 id=65308 trace_id=134 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-192.168.50.1 via port1"
2024-06-13 23:27:54 id=65308 trace_id=134 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=35, len=2"
2024-06-13 23:27:54 id=65308 trace_id=134 func=get_new_addr line=1213 msg="find SNAT: IP-192.168.50.20(from IPPOOL), port-60418"
It doesn't matter; it should work with MTK as well. If you check the article I shared, the default route points to the IPsec tunnel, and the Remote Address under the phase 2 selectors should be 0.0.0.0.
Regards,
