Hi, I am using a Fortinet 60F for managing IPsec connections between machines outside the company and the central site.
If the tunnel is established, all traffic goes through the tunnel. The drawback is that SSH and ping to the components go through this tunnel, too. Components without an IPsec tunnel (e.g. a central machine) cannot access these components via ping and SSH.
How can I configure the 60F so that all the traffic goes through the VPN tunnel, except SSH and ICMP packets?
Thank you ede_pfau, you gave the right hint.
At first I had to find out that the needed menu wasn't activated in the WebGUI. After that, the needed policy routes for ICMP and SSH could be configured.
At the other end of the IPsec endpoint this client configured a similar "pass" rule for ICMP and SSH. Here are the snippets for swanctl.conf:
```
# Shunt policies: traffic matching these selectors bypasses the tunnel
# instead of being encrypted. They go into the children { } section of
# the connection in swanctl.conf.
pass-icmp-in {
    local_ts = 0.0.0.0/0[icmp]
    remote_ts = 0.0.0.0/0[icmp]
    mode = pass           # install a bypass (pass) policy, not an IPsec SA
    start_action = trap   # install the policy when the config is loaded
}
pass-ssh-in {
    local_ts = 0.0.0.0/0[tcp/ssh]   # local side: TCP port 22 (ssh)
    remote_ts = 0.0.0.0/0[tcp]      # any remote TCP port
    mode = pass
    start_action = trap
}
```
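For the FortiGate side, which the accepted answer describes but does not show, here is an added FortiOS CLI snippet (not from the original thread) that steers ICMP and TCP/22 past the tunnel with policy routes; the interface names "internal" and "wan1", the 198.51.100.0/24 remote range and the 203.0.113.1 gateway are placeholders to replace with your own values.

```fortios
# Added example, not from the original thread. Placeholders:
#   "internal"       LAN interface that receives the SSH/ping traffic
#   "wan1"           physical uplink that must carry the bypassed traffic
#   198.51.100.0/24  public addresses of the remote components
#   203.0.113.1      next hop on wan1
# Policy routes are consulted before the routing table, so these two
# entries take precedence over the route that sends everything into
# the IPsec tunnel. (GUI: Network > Policy Routes, which only appears
# after Advanced Routing is enabled under System > Feature Visibility.)
config router policy
    edit 1
        set input-device "internal"
        set dst "198.51.100.0/255.255.255.0"
        set protocol 1
        set output-device "wan1"
        set gateway 203.0.113.1
        set comments "ICMP to remote components bypasses IPsec"
    next
    edit 2
        set input-device "internal"
        set dst "198.51.100.0/255.255.255.0"
        set protocol 6
        set start-port 22
        set end-port 22
        set output-device "wan1"
        set gateway 203.0.113.1
        set comments "SSH to remote components bypasses IPsec"
    next
end
```

Policy routes only choose the egress interface, so a firewall policy from internal to wan1 that permits ICMP and SSH is still required. `diagnose firewall proute list` shows the installed entries and is the quickest way to confirm a packet would match them.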
You can't.
What you can configure is routing, that is, destinations. If you can restrict the destination addresses for SSH and ping, you could exclude their subnet from going through the tunnel.
And then of course, there is always policy routing. A route depending on the type of service. But, IMHO, this is clumsy and not very transparent in the GUI. YMMV.
Copyright 2024 Fortinet, Inc. All Rights Reserved.