Support Forum
secsupport
New Contributor II

Internet traffic goes through remote firewall using IPsec VPN tunnel

I have two firewalls, A and B. My requirement is that internet traffic of firewall A users goes through firewall B via an IPsec tunnel.

 

In simple terms, I want users on firewall A to have the public IP of site B.

 

So do I have to edit some default route, or what is the way to achieve this?

 

Following are some links:

1:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p...

2:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/301182/tunneled-internet-bro...

 

Which link is relevant to my query, or is the following option required (Use Remote)?

Use Remote

 

 

npariyar
Staff

Hi Secsupport,

 

Let's suppose you have configured the VPN parameters and firewall policies as per the article mentioned. Regarding static routing, I will briefly explain based on the diagram below.

[image: tunnel.png]

Let FortiGate A be connected to the internet via PORT1 (IP address: 2.2.2.2).

FortiGate B is connected to the internet via PORT1 (IP address: 1.1.1.1).

Here on FortiGate A, you have to configure two routes:

1. 1.1.1.1/32 via port1 (to make the tunnel up)

2. 0.0.0.0/0 via IPsec tunnel (to route the rest of the traffic via the IPsec tunnel)

 

Niroj Pariyar
secsupport
New Contributor II

What about policies on both firewalls?

 

FG-A:

incoming interface: lan

outgoing interface: ipsecvpn tunnel

nat (enable/disable)?

 

 

FG-B:

incoming interface: ipsecvpn tunnel

outgoing interface: wan

nat (enable/disable)?

 

Kindly confirm whether these rules are correct or whether any other step is required.

Secondly, if one of the firewalls is behind NAT, are the same steps required, or different ones?

 

@jkoay 

npariyar

Hi Secsupport,

 

Regarding firewall policies:

On FortiGate A:

IPsec tunnel to Port1 (enable NAT here) -- to allow internet access to VPN users coming from FortiGate B

 

On FortiGate B:

LAN to IPsec (without NAT)

 

Regards

 

Niroj Pariyar
ede_pfau
Esteemed Contributor III

Beware secsupport, I think you mix up FGT A and B. FGT A is the one with internet access.

 

As a FGT is not only a router, you need a couple of things in order to make this work:

routes - phase 2 selectors - policies - NAT

in detail:

1- a default route on FGT B pointing to the tunnel

1b- a route on FGT B pointing to FGT A's public address (the VPN gateway address)

1c- a route on FGT A with FGT B's LAN address, pointing to the tunnel

 

2a- on FGT B, phase 2 selector for "destination" is "0.0.0.0/0" (source is FGT_B_LAN)

2b- on FGT A, phase 2 selector for "source" is "0.0.0.0/0" (dest is FGT_B_LAN)

 

3a- a policy on FGT B to allow traffic to the internet (from LAN to tunnel, dest=ALL)

3b- a policy on FGT A to allow tunnel traffic to the internet (from tunnel to WAN, dest=ALL) - NAT enabled

 

As a rule of thumb, enable NAT only in the last policy facing the internet.

So, never on FGT B.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
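A worked configuration for both ends, added here as an example and not taken from the thread or from Fortinet's own documentation, that puts npariyar's two routes and Ede's checklist (routes, phase 2 selectors, policies, NAT) into FortiOS CLI form. Because the thread labels the two boxes inconsistently, the example uses roles instead: FGT-BRANCH is the site whose users should appear from the other site's public IP (firewall A in the question, FGT B in Ede's reply) and FGT-HUB is the site with the internet egress (firewall B in the question, FGT A in Ede's reply). Interface names ("lan", "port1"), tunnel and object names, the branch LAN 192.168.1.0/24 and the public addresses (taken from the RFC 5737 documentation ranges) are all assumptions; the PSK is a placeholder.

```fortios
# ---- FGT-BRANCH: firewall "A" in the question (Ede labels it FGT B) ----
# Assumed: LAN interface "lan" = 192.168.1.0/24, WAN "port1" = 198.51.100.2
# with ISP gateway 198.51.100.1; hub WAN = 203.0.113.1 (documentation addresses)
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set remote-gw 203.0.113.1
        # placeholder, not a real key
        set psksecret REPLACE_WITH_STRONG_PSK
    next
end
config vpn ipsec phase2-interface
    edit "to-hub-p2"
        set phase1name "to-hub"
        set proposal aes256-sha256
        # source = branch LAN, destination = anything (Ede's 2a)
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config router static
    # host route to the hub's public IP keeps IKE/ESP on port1 (Ede's 1b)
    edit 1
        set dst 203.0.113.1 255.255.255.255
        set gateway 198.51.100.1
        set device "port1"
    next
    # default route into the tunnel (Ede's 1); delete the old port1 default
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "to-hub"
    next
end
config firewall policy
    # LAN -> tunnel, no NAT (Ede's 3a)
    edit 1
        set name "lan-to-internet-via-hub"
        set srcintf "lan"
        set dstintf "to-hub"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# ---- FGT-HUB: firewall "B" in the question (Ede labels it FGT A) ----
config firewall address
    edit "branch-lan"
        set subnet 192.168.1.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set remote-gw 198.51.100.2
        set psksecret REPLACE_WITH_STRONG_PSK
    next
end
config vpn ipsec phase2-interface
    edit "to-branch-p2"
        set phase1name "to-branch"
        set proposal aes256-sha256
        # mirror of the branch selector (Ede's 2b)
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end
config router static
    # return route for the branch LAN into the tunnel (Ede's 1c)
    edit 1
        set dst 192.168.1.0 255.255.255.0
        set device "to-branch"
    next
end
config firewall policy
    # tunnel -> WAN, the only policy with NAT (Ede's 3b); source pinned to branch LAN
    edit 1
        set name "branch-to-internet"
        set srcintf "to-branch"
        set dstintf "port1"
        set srcaddr "branch-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two points worth checking after applying this. First, if the branch keeps its original default route out of port1 at the same administrative distance, both defaults stay active and part of the traffic will leave with the branch's own public IP rather than the hub's; remove that route, or, if the requirement is that branch users must never egress directly, replace it with a blackhole default route at a high distance so the branch fails closed when the tunnel is down. Second, the hub policy deliberately uses the "branch-lan" address object rather than "all" as the source, so the hub only NATs traffic that the branch's phase 2 selector can legitimately carry; the branch users' internet sessions will then show up in the hub's traffic logs with the hub's WAN address as the translated source.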