Hi, i am using a Fortinet 60F for managing IPsec-Connections between machines outsiede the company and the central.
If the tunnel is established, all traffic goes through the tunnel. The drawback is, that SSH and ping to the components goes through this tunnel, too. Components without an IPsec tunnel (e.g. a central machine) cannot access these components via ping ans SSH.
How can I configure the 60F, so that alle the traffic goes through the VPN tunnel, except SSH und ICMP packets?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Thank you ede_pfau, you gave the right hint.
At first I had to find out, that the needed Menu wasn´t activated in the WebGUI. After then, the needed Policy Routes for ICMP and SSH could be configured.
At the other end of the IPsec-endpoint this client configured a similar "pass"-Rule for ICMP and SSH. Here the snippets for swanctl.config
pass-icmp-in {
local_ts = 0.0.0.0/0[icmp]
remote_ts = 0.0.0.0/0[icmp]
mode = pass
start_action = trap
}
pass-ssh-in {
local_ts = 0.0.0.0/0[tcp/ssh]
remote_ts = 0.0.0.0/0[tcp]
mode = pass
start_action = trap
}
You can't.
What you can configure is routing, that is, destinations. If you can restrict the destination addresses for SSH and ping, you could exclude their subnet from going through the tunnel.
And then of course, there is always policy routing. A route depending on the type of service. But, IMHO, this is clumsy and not very transparent in the GUI. YMMV.
Thank you ede_pfau, you gave the right hint.
At first I had to find out, that the needed Menu wasn´t activated in the WebGUI. After then, the needed Policy Routes for ICMP and SSH could be configured.
At the other end of the IPsec-endpoint this client configured a similar "pass"-Rule for ICMP and SSH. Here the snippets for swanctl.config
pass-icmp-in {
local_ts = 0.0.0.0/0[icmp]
remote_ts = 0.0.0.0/0[icmp]
mode = pass
start_action = trap
}
pass-ssh-in {
local_ts = 0.0.0.0/0[tcp/ssh]
remote_ts = 0.0.0.0/0[tcp]
mode = pass
start_action = trap
}
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1667 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.