Support Forum
RalfBe
New Contributor

Redirect SSH outside a IPsec tunnel

Hi, I am using a Fortinet 60F for managing IPsec connections between machines outside the company and the central site.
If the tunnel is established, all traffic goes through the tunnel. The drawback is that SSH and ping to the components go through this tunnel, too. Components without an IPsec tunnel (e.g. a central machine) cannot access these components via ping and SSH.


How can I configure the 60F so that all the traffic goes through the VPN tunnel, except SSH and ICMP packets?

1 Solution
RalfBe
New Contributor

Thank you ede_pfau, you gave the right hint.
At first I had to find out that the needed menu wasn't activated in the WebGUI. After that, the needed policy routes for ICMP and SSH could be configured.

At the other end of the IPsec endpoint this client configured a similar "pass" rule for ICMP and SSH. Here are the snippets for swanctl.conf:

        # both children sit inside connections { <conn> { children { ... } } }
        pass-icmp-in {
            # ICMP in either direction is handled outside IPsec
            local_ts = 0.0.0.0/0[icmp]
            remote_ts = 0.0.0.0/0[icmp]
            mode = pass
            # install the pass policy as soon as the config is loaded
            start_action = trap
        }
        pass-ssh-in {
            # SSH to this host: local port 22, any remote TCP port
            local_ts = 0.0.0.0/0[tcp/ssh]
            remote_ts = 0.0.0.0/0[tcp]
            mode = pass
            start_action = trap
        }

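To make visible what the two pass children actually take out of the tunnel, here is a small added simulator (not code from the forum post or from strongSwan): it parses swanctl-style traffic selectors such as 0.0.0.0/0[tcp/ssh] and picks the most specific matching child for a packet. It assumes a catch-all child named "tunnel" with 0.0.0.0/0 selectors in the same connection, which the post does not show, and it approximates strongSwan's policy priority as "the narrower selector wins". The sample addresses and packets are constructed.

```python
"""Added example: classify packets against swanctl traffic selectors.

Assumptions (not in the original post): a catch-all "tunnel" child exists,
and policy priority is approximated as "more specific selector wins".
"""
import ipaddress

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}
SERVICE_PORTS = {"ssh": 22}  # minimal stand-in for /etc/services


def parse_ts(ts):
    """Parse a swanctl traffic selector '<subnet>[<proto>/<port>]'.

    Returns (network, protocol number or None, port or None), e.g.
    '0.0.0.0/0[tcp/ssh]' -> (0.0.0.0/0, 6, 22) and '0.0.0.0/0' -> (0.0.0.0/0, None, None).
    """
    subnet, _, rest = ts.partition("[")
    net = ipaddress.ip_network(subnet.strip(), strict=False)
    proto = port = None
    if rest:
        proto_s, _, port_s = rest.rstrip("]").partition("/")
        proto = PROTO_NUMBERS[proto_s.lower()]
        if port_s:
            port = int(port_s) if port_s.isdigit() else SERVICE_PORTS[port_s.lower()]
    return net, proto, port


def ts_matches(ts, addr, proto, port):
    """True if (addr, proto, port) falls inside the traffic selector."""
    net, ts_proto, ts_port = parse_ts(ts)
    if ipaddress.ip_address(addr) not in net:
        return False
    if ts_proto is not None and ts_proto != proto:
        return False
    if ts_port is not None and ts_port != port:
        return False
    return True


def specificity(ts):
    """Approximation of strongSwan's policy priority: narrower selectors win."""
    net, proto, port = parse_ts(ts)
    return net.prefixlen + (proto is not None) + (port is not None)


# The two pass children from the post plus the assumed catch-all tunnel child.
CHILDREN = [
    # (name, local_ts, remote_ts, mode)
    ("pass-icmp-in", "0.0.0.0/0[icmp]", "0.0.0.0/0[icmp]", "pass"),
    ("pass-ssh-in", "0.0.0.0/0[tcp/ssh]", "0.0.0.0/0[tcp]", "pass"),
    ("tunnel", "0.0.0.0/0", "0.0.0.0/0", "tunnel"),  # assumed, not in the post
]


def classify(proto, local, lport, remote, rport):
    """Return (child name, mode) of the most specific matching child."""
    best = None
    for name, lts, rts, mode in CHILDREN:
        if ts_matches(lts, local, proto, lport) and ts_matches(rts, remote, proto, rport):
            score = specificity(lts) + specificity(rts)
            if best is None or score > best[0]:
                best = (score, name, mode)
    return (best[1], best[2]) if best else (None, "drop")


if __name__ == "__main__":
    # Constructed sample packets as seen by the remote machine (local = 192.0.2.10).
    me, central = "192.0.2.10", "198.51.100.5"
    print(classify(1, me, None, central, None))   # ping -> pass-icmp-in
    print(classify(6, me, 22, central, 51000))    # inbound SSH -> pass-ssh-in
    print(classify(6, me, 51001, central, 22))    # outbound SSH -> tunnel (local port is not 22)
    print(classify(6, me, 51002, central, 443))   # HTTPS -> tunnel
```

The third sample shows the point worth checking on a real deployment: because local_ts pins the local side to port 22, only SSH sessions *to* the machine bypass the tunnel; SSH sessions the machine opens itself still go through IPsec, so the pass rules need to be written for the direction that is actually meant to stay outside.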

2 REPLIES
ede_pfau
Esteemed Contributor III

You can't.

What you can configure is routing, that is, destinations. If you can restrict the destination addresses for SSH and ping, you could exclude their subnet from going through the tunnel.


And then of course, there is always policy routing. A route depending on the type of service. But, IMHO, this is clumsy and not very transparent in the GUI. YMMV.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
