Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
secsupport
New Contributor II

Created on ‎02-20-2023 06:53 AM

Internet traffic goes through remote firewall using IPsec VPN tunnel

I have two firewalls A and B my requirement is that internet traffic of firewall A users goes through firewall B through an IPsec tunnel

 

in simple terms, I want that users on firewall A their public ip should be of site B

 

so should I have to edit some default route or what is the way to acheive this 

 

following is some links

1:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p...

2:

https://docs.fortinet.com/document/fortigate/7.2.4/administration-guide/301182/tunneled-internet-bro...

 

which link is required for my query or the following option is required (use remote)

Use RemoteUse Remote

 

 

Labels:
623
4 REPLIES 4
npariyar
Staff
Staff

Created on ‎02-21-2023 12:04 AM Edited on ‎02-21-2023 12:04 AM

Hi Secsupport,

 

Let's suppose you have configured the VPN parameters and firewall policies as per the article mentioned. Regarding static routing, I will briefly explain you based upon the below diagram.

tunnel.png

Let Fortigate A is connected to the internet via PORT1( IP address: 2.2.2.2)

Fortigate B is connected to the internet via PORT1 ( IP address: 1.1.1.1).

Here in Fortigate A, you have to configure two routes:

1. 1.1.1.1/32 via port1 (to make the tunnel up)

2. 0.0.0.0/0 via IPsec tunnel (to route rest of the traffic via IPSec tunnel)

 

Niroj Pariyar
605
0 Kudos
secsupport
New Contributor II
In response to npariyar

Created on ‎02-21-2023 03:49 AM Edited on ‎02-22-2023 03:40 AM

what about policies on both firewalls ?

 

FG-A:

incomming interface : lan

outgoing interface : ipsecvpn tunnel 

nat (enable/disable)?

 

 

FG-B:

incomming interface : ipsecvpn tunnel

outgoing interface :  wan

nat (enable/disable)?

 

kindly confirm what these rules or anyother required step

Secondly if one of the firewalls is behind the NAT then same steps will be required or different?

 

@jkoay 

597
0 Kudos
npariyar
Staff
Staff
In response to secsupport

Created on ‎03-15-2023 03:17 AM

Hi Secsupport,

 

Regarding firewall policies:

On FortiGate A:

IPSEC tunnel to Port1 (enable NAT here) -- to allow internet access to VPN users coming from Fortiagate B

 

On Fortigate B:

Lan to IPSEC (without NAT)

 

Regards

 

Niroj Pariyar
493
0 Kudos
ede_pfau
Esteemed Contributor III

Created on ‎03-15-2023 04:19 AM

Beware secsupport, I think you mix up FGT A and B. FGT A is the one with internet access.

 

As a FGT is not only a router, you need a couple of things in order to make this work:

routes - phase 2 selectors - policies - NAT

in detail:

1- a default route on FGT B pointing to the tunnel

1b- a route on FGT B pointing to FGT A's public address (the VPN gateway address)

1c- a route on FGT A with FGT B's LAN address, pointing to the tunnel

 

2a- on FGT B, phase 2 selector for "destination" is "0.0.0.0/0" (source is FGT_B_LAN)

2b- on FGT A, phase 2 selector for "source" is "0.0.0.0/0" (dest is FGT_B_LAN)

 

3a- a policy on FGT B to allow traffic to the internet (from LAN to tunnel, dest=ALL)

3b- a policy on FGT A to allow tunnel traffic to the internet (from tunnel to WAN, dest=ALL) - NAT enabled

 

As a rule of thumb, enable NAT only in the last policy facing the internet.

So, never on FGT B.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
488
0 Kudos
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.​

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2023 Fortinet, Inc. All Rights Reserved.