I have two firewalls, A and B. My requirement is that the internet traffic of firewall A's users goes through firewall B via an IPsec tunnel.
In simple terms, I want the users on firewall A to have the public IP of site B.
So do I have to edit some default route, or what is the way to achieve this?
Following are some links:
Which link is relevant to my query, or is the following option ("Use Remote") required?
Let's suppose you have configured the VPN parameters and firewall policies as per the article mentioned. Regarding static routing, I will briefly explain based on the diagram below.
Let FortiGate A be connected to the internet via port1 (IP address: 220.127.116.11).
FortiGate B is connected to the internet via port1 (IP address: 18.104.22.168).
Here on FortiGate A, you have to configure two routes:
1. 22.214.171.124/32 via port1 (to bring the tunnel up)
2. 0.0.0.0/0 via the IPsec tunnel (to route the rest of the traffic via the IPsec tunnel)
What about policies on both firewalls?
incoming interface: lan
outgoing interface: ipsecvpn tunnel
incoming interface: ipsecvpn tunnel
outgoing interface: wan
Kindly confirm whether these rules are correct or whether any other step is required.
Secondly, if one of the firewalls is behind NAT, are the same steps required or different ones?
Regarding firewall policies:
On FortiGate A:
IPsec tunnel to port1 (enable NAT here) -- to allow internet access to VPN users coming from FortiGate B
On FortiGate B:
LAN to IPsec (without NAT)
Beware, secsupport, I think you mixed up FGT A and B. FGT A is the one with internet access.
As a FGT is not only a router, you need a couple of things in order to make this work:
routes - phase 2 selectors - policies - NAT
1- a default route on FGT B pointing to the tunnel
1b- a route on FGT B pointing to FGT A's public address (the VPN gateway address)
1c- a route on FGT A with FGT B's LAN address, pointing to the tunnel
2a- on FGT B, phase 2 selector for "destination" is "0.0.0.0/0" (source is FGT_B_LAN)
2b- on FGT A, phase 2 selector for "source" is "0.0.0.0/0" (dest is FGT_B_LAN)
3a- a policy on FGT B to allow traffic to the internet (from LAN to tunnel, dest=ALL)
3b- a policy on FGT A to allow tunnel traffic to the internet (from tunnel to WAN, dest=ALL) - NAT enabled
As a rule of thumb, enable NAT only in the last policy facing the internet.
So, never on FGT B.
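The configuration below is an added worked example, not code from any of the posters. It follows the topology of the last reply (FGT B's LAN users leave the internet through FGT A, which holds the NAT policy) and turns its four items (routes, phase 2 selectors, policies, NAT) into FortiOS CLI. All addresses and object names are assumptions: FGT A public 203.0.113.1, FGT B public 198.51.100.1 with upstream gateway 198.51.100.254, FGT B LAN 192.168.2.0/24, tunnel names "to_fgtA" / "to_fgtB", and a placeholder PSK.

```fortios
# ===== FGT B (branch: LAN -> tunnel, NO NAT) =====
config firewall address
    edit "FGT_B_LAN"
        set subnet 192.168.2.0 255.255.255.0   # assumed branch LAN
    next
end
config vpn ipsec phase1-interface
    edit "to_fgtA"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set remote-gw 203.0.113.1              # FGT A public address (assumed)
        set psksecret "replace-with-strong-psk"
    next
end
config vpn ipsec phase2-interface
    edit "to_fgtA_p2"
        set phase1name "to_fgtA"
        set proposal aes256-sha256
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0         # item 2a: destination = everything
    next
end
config router static
    edit 1                                     # item 1b: reach the VPN peer via the WAN, not the tunnel
        set dst 203.0.113.1 255.255.255.255
        set gateway 198.51.100.254
        set device "port1"
    next
    edit 2                                     # item 1: default route into the tunnel
        set dst 0.0.0.0 0.0.0.0
        set device "to_fgtA"
    next
end
config firewall policy
    edit 1                                     # item 3a: LAN -> tunnel, NAT stays off
        set name "lan_to_internet_via_fgtA"
        set srcintf "lan"
        set dstintf "to_fgtA"
        set srcaddr "FGT_B_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# ===== FGT A (internet side: tunnel -> port1, NAT enabled) =====
config firewall address
    edit "FGT_B_LAN"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "to_fgtB"
        set interface "port1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set remote-gw 198.51.100.1             # FGT B public address (assumed)
        set psksecret "replace-with-strong-psk"
    next
end
config vpn ipsec phase2-interface
    edit "to_fgtB_p2"
        set phase1name "to_fgtB"
        set proposal aes256-sha256
        set src-subnet 0.0.0.0 0.0.0.0         # item 2b: mirror of FGT B's selector
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
config router static
    edit 1                                     # item 1c: return route for the branch LAN
        set dst 192.168.2.0 255.255.255.0
        set device "to_fgtB"
    next
end
config firewall policy
    edit 1                                     # item 3b: the only policy with NAT, facing the internet
        set name "fgtB_lan_to_internet"
        set srcintf "to_fgtB"
        set dstintf "port1"
        set srcaddr "FGT_B_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The two phase 2 selectors must mirror each other exactly (B: 192.168.2.0/24 to 0.0.0.0/0; A: 0.0.0.0/0 to 192.168.2.0/24), otherwise the SA comes up but only some destinations match it. Check with `diagnose vpn tunnel list` and `get router info routing-table all` on both units; FGT B's table should show 0.0.0.0/0 on "to_fgtA" and a /32 for FGT A's address on port1. On the NAT follow-up question: if FGT B sits behind a NAT device, FGT A's `remote-gw` has to be that device's public address (or FGT A is made the dialup side with `set type dynamic` in its phase1 and FGT B always initiates), and NAT traversal, which FortiOS enables by default, keeps ESP working through the NAT; the routes, selectors and policies above do not change.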