I have the following configuration now - Site A with FGT and Site B with MKT in the lab. I'm able to to up the IPsec tunnel between both sides and ping each other subnets but I want to route the internet traffic from site A to site B as well. I was looking for some solution but was no manage to make it work. I saw its possible to use GRE tunnel but I don't want to. Is it possible as configuration at all or not?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
I assume you are using route based VPN, if so, can you configure the default route on FGT with tunnel interface as next hope to route the Site A traffic to Site B .
We also need to add a specific route (/32) for the VPN gateway to bring the tunnel up first.
Hi @sidunderwoo,
Please refer to this article: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p...
Regards,
Thank you hbac, but i have MTK on the other side.
Here is my configuration:
FTG IP:192.168.50.20
MTK IP:192.168.50.7
FTG subnet: 172.10.12.0/24
MTK subnet: 10.12.10.0/24
config system interface
edit "port1"
set vdom "root"
set ip 192.168.50.20 255.255.255.0
set allowaccess ping https ssh http fgfm
set type physical
set alias "WAN"
set lldp-reception enable
set role wan
set snmp-index 1
next
edit "port2"
set vdom "root"
set ip 172.10.12.1 255.255.255.0
set allowaccess ping
set type physical
set alias "LAN"
set device-identification enable
set lldp-transmission enable
set role lan
set snmp-index 2
config vpn ipsec phase1-interface
edit "FT-to-MT"
set interface "port1"
set ike-version 2
set peertype any
set net-device disable
set proposal des-sha256
set dpd on-idle
set dhgrp 5
set nattraversal disable
set remote-gw 192.168.50.7
set psksecret ENC DKywti70WHMpV6H+T2KRhQjred4c1WaGyfnYITGTReZG8jOUyxS874Qs1I+VjndeRYOVcRoKEM8KOC3IwSIoq3DnDuWPzAGzEDIV9s90Mn+uKO23oRTJeDVY8EzIbn03szjn62WJi4UktJ52VZf5xVM0KExsFGFqXRL6E/5TmqlkWLcqcWRz8sBSn2PAkY/mErf+5A==
next
end
config vpn ipsec phase2
end
show vpn ipsec phase2-interface
config vpn ipsec phase2-interface
edit "FT-to-MT"
set phase1name "FT-to-MT"
set proposal des-sha256
set dhgrp 5
set auto-negotiate enable
set src-subnet 172.10.12.0 255.255.255.0
set dst-subnet 10.12.10.0 255.255.255.0
next
edit "local to mtk internet"
set phase1name "FT-to-MT"
set proposal des-sha256
set dhgrp 5
set auto-negotiate enable
set src-subnet 172.10.12.0 255.255.255.0
next
end
config router static
edit 1
set gateway 192.168.50.1
set priority 2
set device "port1"
next
edit 2
set dst 10.12.10.0 255.255.255.0
set device "FT-to-MT"
next
end
config firewall policy
edit 1
set name "LAN_TO_WAN"
set uuid 8d682fee-2882-51ef-b51c-15f264a9910c
set srcintf "port2"
set dstintf "port1"
set action accept
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat enable
next
edit 2
set name "to-MKT-local"
set uuid fc01d658-2968-51ef-995f-e28b494ac9f7
set srcintf "port2"
set dstintf "FT-to-MT"
set action accept
set srcaddr "port2 address"
set dstaddr "all"
set schedule "always"
set service "ALL"
next
edit 3
set name "from-MKT-local"
set uuid 0dab34bc-2969-51ef-d035-8fc73c70a320
set srcintf "FT-to-MT"
set dstintf "port2"
set action accept
set srcaddr "MT-subnet"
set dstaddr "port2 address"
set schedule "always"
set service "ALL"
next
end
MIKROTIK
Firewall rule:
chain=srcnat action=accept src-address=10.12.10.0/24 dst-address=172.10.12.0/24 log=yes log-prefix=""
chain=srcnat action=masquerade out-interface=WAN log=no log-prefix="" ipsec-policy=out,none
Proposal
name="fgt-proposal1" auth-algorithms=sha256 enc-algorithms=des lifetime=30m pfs-group=modp1536
Peer
name="fgt-peer1" address=192.168.50.20/32 profile=fgt-profile1 exchange-mode=ike2 send-initial-contact=yes
Profile
name="fgt-profile1" hash-algorithm=sha256 enc-algorithm=des dh-group=modp1536 lifetime=1d proposal-check=obey nat-traversal=no dpd-interval=2m dpd-maximum-failures=5
some debug here also:
diag sniffer packet any 'host 8.8.4.4' 4
Using Original Sniffing Mode
interfaces=[any]
filters=[host 8.8.4.4]
7.749705 port2 in 172.10.12.110 -> 8.8.4.4: icmp: echo request
7.749762 port1 out 192.168.50.20 -> 8.8.4.4: icmp: echo request
7.751212 port1 in 8.8.4.4 -> 192.168.50.20: icmp: echo reply
7.751257 port2 out 8.8.4.4 -> 172.10.12.110: icmp: echo reply
diagnose debug reset
diagnose debug flow filter saddr 172.10.12.110
diagnose debug flow filter daddr 8.8.4.4
diagnose debug flow filter proto 1
diagnose debug console timestamp enable
diagnose debug flow trace start 10
diagnose debug enable
2024-06-13 23:27:54 id=65308 trace_id=134 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 172.10.12.110:1->8.8.4.4:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=152."
2024-06-13 23:27:54 id=65308 trace_id=134 func=init_ip_session_common line=6080 msg="allocate a new session-0000e8d9, tun_id=0.0.0.0"
2024-06-13 23:27:54 id=65308 trace_id=134 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-192.168.50.1 via port1"
2024-06-13 23:27:54 id=65308 trace_id=134 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=35, len=2"
2024-06-13 23:27:54 id=65308 trace_id=134 func=get_new_addr line=1213 msg="find SNAT: IP-192.168.50.20(from IPPOOL), port-60418"
It doesn't matter. It should work with MTK. If you check the article I shared, the default route is pointing to the IPsec tunnel and Remote Address under phase2 selectors should be 0.0.0.0.
Regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1667 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.