Route two subnets to internet over IPsec tunnel
Hello,
So I have a problem and can't solve it without some help.
We have two FortiGates, the main office (Site A) and the new one (Site B). I connected them by an IPsec tunnel, with phase 2 address 0.0.0.0/0 on both sides.
The tunnel is up and working fine, but now I want to route two local subnets of Site B to the internet over Site A, and the other subnets to the internet from the local WAN.
Topology:
10.20.1.0/24 -> SiteB FTG ->IPsec Tunnel->SiteA FTG->Internet
10.20.2.0/24 -> SiteB FTG ->IPsec Tunnel->SiteA FTG->Internet
10.99.99.0/24 -> SiteB FTG ->Internet
I am trying to use policy routes but it's not working, or I am doing something wrong. Any help would be nice.
Labels: FortiGate, FortiGate v5.4
Hi,
Firstly, on Site B, you need a policy route to route the internet traffic via the IPsec tunnel for subnets 10.20.1.x and 10.20.2.x. All remaining sources will match the kernel routes (FIB) for forwarding the traffic and hence will exit via the local WAN for internet access. In the policy route, the gateway can be defined as the Site A tunnel interface IP address.
Also, it is important that you have a default route in the routing table with the IPsec tunnel as gateway. You can create a default static route with the same distance as the existing default route but with a higher priority value (the higher the priority, the less preferred the route). This will make sure two default routes exist in the routing table, but the preferred one will be over the local WAN.
Secondly, on Site B, you need the right policy for allowing access from the source subnets 10.20.1.x and 10.20.2.x to the IPsec tunnel with destination address "all".
On Site A, you need a policy to allow traffic from the IPsec tunnel interface to its WAN (internet) with NAT enabled.
Site A should also have the route back to 10.20.1.x and 10.20.2.x via the tunnel.
If you still face issues with connectivity, please troubleshoot the problem starting from the origin, which is Site B: see if the routes and policies are correct and whether packets are entering the tunnel or not, then go to Site A and take a diagnose sniffer capture to confirm it receives the ESP traffic and, moreover, that it is able to see the decrypted traffic going towards the internet.
Best Regards,
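A worked configuration for the steps in this answer, written here as an added example and not the poster's or Fortinet's own config. It assumes FortiOS 5.4 CLI syntax, tunnel interfaces named "SiteA-VPN" (on Site B) and "SiteB-VPN" (on Site A), LAN interface "internal", WAN interface "wan1", address objects "net-10.20.1.0" and "net-10.20.2.0" already defined on both units, and 10.255.255.1 as the Site A tunnel interface IP; all of these names and addresses are constructed placeholders.

```fortios
# ---- Site B (tunnel interface assumed to be named "SiteA-VPN") ----
config router static
    # Second default route via the tunnel: same distance as the WAN default, higher priority value, so the WAN route stays preferred.
    edit 2
        set device "SiteA-VPN"
        set distance 10
        set priority 10
    next
end
config router policy
    # Only 10.20.1.0/24 and 10.20.2.0/24 are steered into the tunnel; other sources (e.g. 10.99.99.0/24) fall through to the FIB and the local WAN.
    edit 1
        set src "10.20.1.0/255.255.255.0" "10.20.2.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 10.255.255.1
        set output-device "SiteA-VPN"
    next
end
config firewall policy
    edit 10
        set srcintf "internal"
        set dstintf "SiteA-VPN"
        set srcaddr "net-10.20.1.0" "net-10.20.2.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# ---- Site A (tunnel interface assumed to be named "SiteB-VPN") ----
config router static
    # Return route for the Site B subnets; add a matching entry for 10.20.2.0/24.
    edit 3
        set dst 10.20.1.0 255.255.255.0
        set device "SiteB-VPN"
    next
end
config firewall policy
    # Tunnel -> WAN with source NAT, so 10.20.x.x sources leave with Site A's public address.
    edit 20
        set srcintf "SiteB-VPN"
        set dstintf "wan1"
        set srcaddr "net-10.20.1.0" "net-10.20.2.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

After applying it, `get router info routing-table all` on Site B should show the WAN default route as active, and `diagnose sniffer packet SiteB-VPN` on Site A should show the decrypted 10.20.x.x traffic arriving on the tunnel interface.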
Hello,
You can use a policy route to achieve your requirement. You could refer to the document below for your understanding.
Best Regards,
Thank you, I found what the problem was. Thank you.
Do you mind sharing the solution? Having the same issue here. I want to route one subnet from site B to site A for internet access.