Internet traffic goes through remote firewall using IPsec VPN tunnel
I have two firewalls, A and B. My requirement is that the internet traffic of firewall A's users goes through firewall B via an IPsec tunnel.
In simple terms, I want the users on firewall A to have the public IP of site B.
So do I have to edit some default route, or what is the way to achieve this?
Following are some links:
1:
2:
Which link is required for my query, or is the following option required (Use Remote)?
Labels: FortiGate
Hi Secsupport,
Let's suppose you have configured the VPN parameters and firewall policies as per the article mentioned. Regarding static routing, I will briefly explain based upon the diagram below.
Let FortiGate A be connected to the internet via PORT1 (IP address: 2.2.2.2).
FortiGate B is connected to the internet via PORT1 (IP address: 1.1.1.1).
Here, on FortiGate A, you have to configure two routes:
1. 1.1.1.1/32 via port1 (to make the tunnel up)
2. 0.0.0.0/0 via IPsec tunnel (to route rest of the traffic via IPSec tunnel)
Created on ‎02-21-2023 03:49 AM Edited on ‎02-22-2023 03:40 AM
What about policies on both firewalls?
FG-A:
incoming interface: lan
outgoing interface: ipsecvpn tunnel
nat (enable/disable)?
FG-B:
incoming interface: ipsecvpn tunnel
outgoing interface: wan
nat (enable/disable)?
Kindly confirm these rules, or any other required step.
Secondly, if one of the firewalls is behind NAT, are the same steps required, or different ones?
Hi Secsupport,
Regarding firewall policies:
On FortiGate A:
IPSEC tunnel to Port1 (enable NAT here) -- to allow internet access to VPN users coming from FortiGate B
On FortiGate B:
Lan to IPSEC (without NAT)
Regards
Beware, secsupport, I think you mixed up FGT A and B. FGT A is the one with internet access.
As a FGT is not only a router, you need a couple of things in order to make this work:
routes - phase 2 selectors - policies - NAT
in detail:
1a- a default route on FGT B pointing to the tunnel
1b- a route on FGT B pointing to FGT A's public address (the VPN gateway address)
1c- a route on FGT A with FGT B's LAN address, pointing to the tunnel
2a- on FGT B, phase 2 selector for "destination" is "0.0.0.0/0" (source is FGT_B_LAN)
2b- on FGT A, phase 2 selector for "source" is "0.0.0.0/0" (dest is FGT_B_LAN)
3a- a policy on FGT B to allow traffic to the internet (from LAN to tunnel, dest=ALL)
3b- a policy on FGT A to allow tunnel traffic to the internet (from tunnel to WAN, dest=ALL) - NAT enabled
As a rule of thumb, enable NAT only in the last policy facing the internet.
So, never on FGT B.
