Virgule59
New Contributor

Internet routing through IPsec VPN

Hi,

 

I would like to route internet access through an IPsec VPN for one of my customers, but I've figured out that if I do it like this:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p...

 

All internet traffic will be routed through this customer's VPN. I tried with VRF, but my version 6.0.9 only supports VRF for blackhole routes. How can I do this?

 

Thanks for your reply

1 Solution
kvimaladevi
Staff

Hi Virgule59,

 

I understand that you would like to route some traffic over the tunnel and not the entire traffic. As per the link you have provided, they have created a static route for all the traffic to go through the tunnel:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p...

Instead of using 0.0.0.0, you can specify the exact subnet details that have to be reached over the tunnel, so that only that traffic goes through the tunnel and the rest through your WAN or other interfaces.

 

Regards,
Vimala

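As an added example that is not part of Vimala's post, this is what the "specific subnet instead of 0.0.0.0" advice looks like in FortiOS CLI on the spoke FortiGate. The interface names ("internal", "to-customer"), the LAN 192.168.1.0/24 and the customer subnet 10.20.0.0/16 are assumptions chosen for illustration; lines starting with "#" are annotations, not CLI, and should be dropped before pasting.

```fortios
# Assumed: LAN on "internal" (192.168.1.0/24), IPsec interface "to-customer",
# customer networks behind the tunnel are 10.20.0.0/16. The existing
# 0.0.0.0/0 route via wan1 is left untouched, so everything else still exits via WAN.
config firewall address
    edit "LAN_subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "Customer_subnet"
        set subnet 10.20.0.0 255.255.0.0
    next
end

# Only the customer subnet is pointed into the tunnel (no gateway is needed on an
# IPsec interface; the device alone is enough).
config router static
    edit 10
        set dst 10.20.0.0 255.255.0.0
        set device "to-customer"
        set comment "Customer subnet via IPsec"
    next
end

# Without a policy from the LAN to the tunnel interface the route alone does nothing.
config firewall policy
    edit 0
        set name "LAN-to-customer"
        set srcintf "internal"
        set dstintf "to-customer"
        set srcaddr "LAN_subnet"
        set dstaddr "Customer_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Two checks worth doing after this: the phase 2 selectors of the tunnel on both sides must cover 192.168.1.0/24 to 10.20.0.0/16, otherwise the route is followed but the packets never match an SA; and `get router info routing-table details 10.20.1.1` should show the route via "to-customer" while `get router info routing-table details 8.8.8.8` still shows the WAN default route.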

6 REPLIES
aionescu
Staff

Hi @Virgule59 , 

 

Welcome to the community. 

It is not clear what you want to achieve - you would like to send only some traffic via the tunnel?

If it is the case, you can use policy based routing as explained here: Technical Tip: Configuring the firewall Policy Rou... - Fortinet Community

If it is not the case, can you provide more details, please?
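As an added example that is not part of the reply above, here is the policy-based-routing variant for the case where the selection is by source host rather than by destination: all internet traffic from one LAN host (assumed 192.168.1.50) goes into the tunnel, everything else follows the normal routing table. Interface names "internal", "wan1", "to-customer" and the gateway 198.51.100.1 are assumptions; "#" lines are annotations, not CLI.

```fortios
# Assumed: LAN on "internal", ISP gateway 198.51.100.1 on "wan1", IPsec interface "to-customer".
# A policy route on FortiGate is only applied when the routing table already holds a route
# to the destination through the output device. The tunnel default route below therefore uses
# the same distance as the WAN default but a worse priority (higher number), so both stay in
# the routing table while normal lookups keep preferring wan1.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan1"
        set distance 10
        set priority 0
    next
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "to-customer"
        set distance 10
        set priority 20
        set comment "Present only so policy routes may choose the tunnel"
    next
end

# Policy routes are evaluated before the routing table, top to bottom by seq-num.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.1.50/255.255.255.255"
        set output-device "to-customer"
        set comment "Only this host browses the internet through the customer VPN"
    next
end

# The tunnel-side firewall policy is still required for the host's traffic to be accepted.
config firewall policy
    edit 0
        set name "host-to-customer-vpn"
        set srcintf "internal"
        set dstintf "to-customer"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

Because the tunnel route stays in the routing table, the phase 2 selector on the remote side has to accept 0.0.0.0/0 as the destination for this host, and the hub has to NAT the host's traffic to the internet; if the tunnel goes down, the policy route has no usable output device and the host falls back to wan1 rather than being cut off, which is a choice to make explicitly.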

Virgule59

Hi,

Yes, this is exactly what I want to do. I didn't even think to do that on the router..., but thought of doing it on the server. On the web link, the VPN interface is configured with an IP; is this mandatory or just a best practice? What is the goal of this IP?

 

In the new firmware, can I use VRF to manage multiple routing tables? Today I can only route to a black hole.

 

Best regards.

kvimaladevi

Hi Virgule59,

"the vpn interface is configure with an ip, this is mandatory or just a best practice. "

May I know if you are referring to the Remote IP that is configured on the VPN configuration?

Regards,
Vimala

Virgule59

Hi @kvimaladevi, in the technical tip it is indicated that you have to set an IP address on the VPN gateway interface.

kb_15907_4.png

Regards

Virgule59 

Toshi_Esumi
Esteemed Contributor III

Basically this is solely a routing issue. To route all internet-bound traffic into a tunnel, you have to have your remote side's default route into the tunnel. However, if you do that, the tunnel peer IP would go with it, and if you can't reach the peer IP (HUB side) outside the tunnel, the result is that the tunnel keeps bouncing up and down. That's why you have to have the peer IP /32 static route to the interface/outside of the tunnel.

 

This means the HUB's peer IP has to be static, or you have to use DDNS then use the FQDN for the /32 static route.

 

It doesn't matter if it's under a VRF environment or a VDOM environment, since it's a routing issue. You have to set up the routing environment in the particular routing table. This applies to or works with any routing device, not only FortiGate, but also Cisco, Juniper, etc.

 

Toshi
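As an added example that is not part of Toshi's post, this is the spoke-side routing table he describes for the full-tunnel case: the default route goes into the tunnel, and a /32 for the hub's peer IP is pinned to the WAN so IKE and ESP never get pulled into the tunnel they are supposed to build. The hub peer 203.0.113.10, ISP gateway 198.51.100.1 and interface names "wan1"/"to-hub" are assumptions; "#" lines are annotations, not CLI.

```fortios
# Assumed: hub public IP 203.0.113.10 (must be static, as noted above), ISP gateway
# 198.51.100.1 on "wan1", IPsec interface "to-hub" with phase 2 selectors 0.0.0.0/0.
config router static
    # 1. Everything goes into the tunnel while it is up (distance 5 beats the WAN default).
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "to-hub"
        set distance 5
        set comment "All internet traffic via hub"
    next
    # 2. The peer IP itself must stay reachable outside the tunnel. Longest-prefix match
    #    makes this /32 win over the default route regardless of distance, so IKE/ESP to the hub
    #    always leaves via wan1 and the tunnel stops flapping.
    edit 2
        set dst 203.0.113.10 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
        set comment "IKE/ESP to hub peer stays on the WAN"
    next
    # 3. Fallback default via the WAN, only active while the tunnel route is absent.
    #    If leaking directly to the internet when the tunnel is down is not acceptable,
    #    replace this entry with a blackhole: set blackhole enable / set distance 254.
    edit 3
        set dst 0.0.0.0 0.0.0.0
        set gateway 198.51.100.1
        set device "wan1"
        set distance 10
        set comment "Fallback when the tunnel is down"
    next
end
```

If wan1 gets its address by DHCP the gateway is not known in advance; in that case `set dynamic-gateway enable` on entries 2 and 3 takes the gateway from the DHCP lease instead of a fixed 198.51.100.1. After the tunnel comes up, `get router info routing-table all` should list the 0.0.0.0/0 route as directly connected to "to-hub" and 203.0.113.10/32 via 198.51.100.1 on wan1; the hub side still needs a policy from the tunnel interface to its WAN with NAT enabled for the spoke's traffic to reach the internet.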
