Hello and good day.
We are having issue with our office in China that is their outgoing emails to our server (hosted by 3rd party) have been blocked by their ISP.
The office in china have Fortigate IPsec VPN tunnel to our HQ to enable them to use our ERP system.
I wonder if we can route the outlook connection to use our HQ internet gateway to send out emails.
Does it possible to configure this settings?
Thank you.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
hello,
and welcome to the forums.
Yes this is possible. You need an additional static route and one more policy.
Assuming: 3rd party server public IP address is 5.6.7.8, service is SMTP (might be SMTPS as well), tunnel phase1 on remote FGT is named 'to_HQ', on HQ FGT is called 'from_CN'.
Then
on the remote FGT:
create a static route with destination 5.6.7.8/32, no gateway, interface 'to_HQ'
create an address 'mailserver' with IP '5.6.7.8'
create a policy with
src interface: 'internal'
src address: 'all'
dest interface: 'to_HQ'
dest address: 'mailserver'
service: SMTP, SMTPS, PING
no NAT
on the HQ FGT:
create a policy with
src interface: 'from_CN'
src address: 'all'
dest interface: 'wan1'
dest address: 'mailserver'
service: SMTP, SMTPS, PING
enable NAT
There should already be a static route to the China private LAN on the HQ FGT.
Add UTM to your liking.
For testing, ping the mailserver from the China LAN. If the tunnel is down, ping will not succeed. With tunnel up you will see reply traffic.
Note that in this simple setup you don't change any tunnel parameters. If you want to make the tunnel come up from traffic to the mailserver then you would have to re-configure phase2 parameters.
ede_pfau wrote:hello,
and welcome to the forums.
Yes this is possible. You need an additional static route and one more policy.
Assuming: 3rd party server public IP address is 5.6.7.8, service is SMTP (might be SMTPS as well), tunnel phase1 on remote FGT is named 'to_HQ', on HQ FGT is called 'from_CN'.
#There is existing IPsec tunnel 'to_HQ' and 'from_CN'. I can reuse this connection right?
Then
on the remote FGT:
create a static route with destination 5.6.7.8/32, no gateway, interface 'to_HQ'
#I have to insert gateway IP or else cannot save. I set it to 0.0.0.0
#I cannot choose 'to_HQ' interface but the available option is "Wan1" or Internal".
create an address 'mailserver' with IP '5.6.7.8'
create a policy with
src interface: 'internal'
src address: 'all'
dest interface: 'to_HQ'
#Dest interface/zone available option are "Wan1" or "internal". I choose "Wan1"
dest address: 'mailserver'
service: SMTP, SMTPS, PING
no NAT
#There is another option need to set is the setting "Action". Here I choose "IPsec" and the "VPN tunnel" is "To_HQ".
on the HQ FGT:
create a policy with
src interface: 'from_CN'
#I cannot choose 'from_CN' interface but the available option is "Wan1" or Internal". I choose "Wan1"
src address: 'all'
dest interface: 'wan1'
dest address: 'mailserver'
service: SMTP, SMTPS, PING
enable NAT
#There is another option need to set is the setting "Action". Here I choose "IPsec" and the "VPN tunnel" is "from_CN".
There should already be a static route to the China private LAN on the HQ FGT.
Add UTM to your liking.
For testing, ping the mailserver from the China LAN. If the tunnel is down, ping will not succeed. With tunnel up you will see reply traffic.
Note that in this simple setup you don't change any tunnel parameters. If you want to make the tunnel come up from traffic to the mailserver then you would have to re-configure phase2 parameters.
I still fail to setup the tunnelling with the setup above.
My ping the remote FGT goes directly to 5.6.7.8, mail.abc.com instead go through the VPN to HQ FGT.
Any advise would be greatly appreciated.
Thank you.
Any could assist me?
China Office is using fortigate80C.
HQ office is using forifage200D.
In the static routing creation at fortigat80c, the "Destination IP/Mask" is email server IP or fortigate200D ip?
The "Device" should be wan1(connect to internet port) or internal(local LAN port).
The "Gateway" is fortigate80C local LAN ip gateway or fortigate80c public ip gateway or fortigate200 local LAN ipgateway or fortigate200D public ip gateway......
Sorry, you cannot just substitute one interface for another and expect this to work. From what I read in your post you are totally on the wrong path.
IMHO you should see to get professional help from a local Fortinet partner. A Fortigate can be configured easily if you understand the basics, i.e. routing and how IPsec tunnels work. If you are not trained in networks then get someone to do it for you.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1721 | |
1098 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.