Hi,
I would route internet access throug a vpn ipsec for one of my customer, but i'v figured out that if i'll do this like this:
All of internet will be route throught the VPN of this customer. I try with vrf but my version 6.0.9 only support vrf for blackhole. How can i do this ?
Thank for your reply
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi Virgule59,
I understand that you would like to route some traffic over the tunnel and not the entire traffic. As per the link you have provided, they have created a static route for all the traffic to go through the tunnel
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p...
Instead of using 0.0.0.0 you can specify the exact subnet details that has to be reached over the tunnel so that only that traffic goes through the tunnel and the rest through your wan or other interfaces.
Regards,
Vimala
Hi @Virgule59 ,
Welcome to the community.
It is not clear what you want to achieve - you would like to send only some traffic via the tunnel?
If it is the case, you can use policy based routing ase explained here: Technical Tip: Configuring the firewall Policy Rou... - Fortinet Community
If it is not the case, can you provide more details, please?
Hi Virgule59,
I understand that you would like to route some traffic over the tunnel and not the entire traffic. As per the link you have provided, they have created a static route for all the traffic to go through the tunnel
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p...
Instead of using 0.0.0.0 you can specify the exact subnet details that has to be reached over the tunnel so that only that traffic goes through the tunnel and the rest through your wan or other interfaces.
Regards,
Vimala
Created on 09-07-2022 01:46 AM Edited on 09-07-2022 01:47 AM
Hi,
Yes this is exactly what i want to do, i didn't even think do to that on the router..., but think to do that on the server. on the web link, the vpn interface is configure with an ip, this is mandatory or just a best practice. What the goal of this ip ?
Does in the new firmware, i can use VRF to manage mutliple routing table, today i can only route to a black hole ?
Best Regard.
Hi Virgule59,
"the vpn interface is configure with an ip, this is mandatory or just a best practice. "
May I know if you are referring to the Remote IP that is configured on the VPN configuration?
Regards,
Vimala
Hi @kvimaladevi , in the technical tip it is indiquate that you have to set an ip address on the VPN gateway interface
Regards
Virgule59
Basically this is solely a routing issue. To route all internet bound traffic into a tunnel, you have to have your remote side's default route into the tunnel. However, if you do that the tunnel peer IP would go with it and can't reach the peer IP (HUB side) outside the tunnel then it would result in that the tunnel keeps bouncing up and down. That's why you have to have the peer IP /32 static route to the interface/outside of the tunnel.
This means the HUB's peer IP has to be static, or you have to use DDNS then use the FQDN for the /32 static route.
It doesn't matter if it's under VRF environment or VDOM environment since it's a routing issue. You have to set up the routing environment in the particular routing table. This apply to or work with any routing devices not only FortiGate, but also like Cisco, Juniper, etc.
Toshi
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1640 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.