ColtForti
New Contributor

Route two subnets to internet over IPsec tunnel

Hello,

 

So I have a problem and can't solve it without some help.

We have two FortiGates, the main office (Site A) and the new one (Site B). I connected them by an IPsec tunnel, with the ph2 address 0.0.0.0/0 on both sides.

The tunnel is up and working fine, but now I want to route two local subnets of Site B to the Internet over Site A, and the other subnets to the Internet from the local WAN.

 

Topology: 

10.20.1.0/24 -> SiteB FTG ->IPsec Tunnel->SiteA FTG->Internet

10.20.2.0/24 -> SiteB FTG ->IPsec Tunnel->SiteA FTG->Internet

10.99.99.0/24 -> SiteB FTG ->Internet

 

I am trying to use policy routes but it's not working, or I am doing something wrong. Any help would be nice.

 

1 Solution
saneeshpv_FTNT

Hi,

 

Firstly, on Site B, you need a policy route to send Internet traffic via the IPsec tunnel for subnets 10.20.1.x and 10.20.2.x. All remaining sources will match the kernel routes (FIB) for forwarding and hence exit via the local WAN for Internet access. In the policy route, the gateway can be defined as the Site A tunnel interface IP address.

 

Also, it is important that you have a default route in the routing table with the IPsec tunnel as the gateway. You can create a default static route with the same distance as the existing default route but with a higher priority value (the higher the priority value, the less preferred the route). This makes sure that two default routes exist in the routing table, but the preferred one is over the local WAN.

 

Secondly, on Site B, you need the right policy to allow access from the source subnets 10.20.1.x and 10.20.2.x to the IPsec tunnel with Destination Address set to "ALL".

 

On Site A, you need a policy to allow traffic from the IPsec tunnel interface to its WAN (Internet) with NAT enabled.

Site A should also have the route back to 10.20.1.x and 10.20.2.x via the tunnel.

 

If you still face connectivity issues, troubleshoot the problem starting from the origin, which is Site B: check that the routes and policies are correct and whether packets are entering the tunnel, then move to Site A and take a diagnose sniffer capture to confirm it receives the ESP traffic and, moreover, that it can see the decrypted traffic going towards the Internet.

 

Best Regards,

 


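The following FortiOS CLI configuration is an added worked example of the steps in the accepted answer; it is not part of the original post or of Fortinet's documentation. Interface names (internal, wan1, to-siteA, to-siteB), the tunnel addresses 10.255.255.1/.2, the WAN gateway 203.0.113.1 and the test host 10.20.1.10 are assumptions chosen for illustration. The optional deny policy at the end goes beyond the answer: if the tunnel drops, the policy route is no longer usable and the two subnets would silently fall back to the local WAN, so the deny keeps that path closed.

```text
# ---------- Site B (branch) ----------
# Tunnel addressing (assumed); the policy-route gateway is Site A's tunnel IP.
config system interface
    edit "to-siteA"
        set ip 10.255.255.2 255.255.255.255
        set remote-ip 10.255.255.1 255.255.255.255
    next
end

config firewall address
    edit "net-10.20.1.0"
        set subnet 10.20.1.0 255.255.255.0
    next
    edit "net-10.20.2.0"
        set subnet 10.20.2.0 255.255.255.0
    next
end

# Two default routes with the same distance. The WAN route (priority 0) stays
# preferred; the tunnel route (priority 10) exists only so the policy route
# has a valid exit in the routing table.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set gateway 203.0.113.1
        set device "wan1"
        set priority 0
    next
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "to-siteA"
        set priority 10
    next
end

# Policy route: only these two source subnets are steered into the tunnel;
# everything else falls through to the FIB and leaves via wan1.
config router policy
    edit 1
        set input-device "internal"
        set src "10.20.1.0/255.255.255.0" "10.20.2.0/255.255.255.0"
        set gateway 10.255.255.1
        set output-device "to-siteA"
    next
end

config firewall policy
    edit 0
        set name "SiteB-subnets-to-Internet-via-SiteA"
        set srcintf "internal"
        set dstintf "to-siteA"
        set srcaddr "net-10.20.1.0" "net-10.20.2.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Optional fail-closed guard (editor's addition, not from the answer).
    edit 0
        set name "Deny-steered-subnets-on-local-WAN"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "net-10.20.1.0" "net-10.20.2.0"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
    next
end

# ---------- Site A (main office) ----------
# Same two address objects as on Site B, then the return routes and the NAT policy.
config router static
    edit 0
        set dst 10.20.1.0 255.255.255.0
        set device "to-siteB"
    next
    edit 0
        set dst 10.20.2.0 255.255.255.0
        set device "to-siteB"
    next
end

config firewall policy
    edit 0
        set name "SiteB-subnets-to-Internet"
        set srcintf "to-siteB"
        set dstintf "wan1"
        set srcaddr "net-10.20.1.0" "net-10.20.2.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# ---------- Checks, in the order the answer suggests ----------
# Site B: both defaults present, policy route installed, packets entering the tunnel
get router info routing-table all
diagnose firewall proute list
diagnose sniffer packet to-siteA 'host 10.20.1.10' 4 10
# Site A: ESP arriving on the WAN, then decrypted traffic leaving NATed
diagnose sniffer packet wan1 'esp' 4 10
diagnose sniffer packet any 'host 10.20.1.10' 4 10
```

Two points worth checking against your own boxes: a policy route is only honoured when the routing table has an active route to the destination through the chosen output device, which is why the second default route is required even though it is never the preferred one; and with ph2 selectors of 0.0.0.0/0 on both sides nothing in the tunnel limits what Site A will forward, so the NAT policy on Site A should list the two branch subnets explicitly rather than "all".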
3 REPLIES 3
Nchandan
Staff

Hello,

You can use a policy route to achieve your requirement. You could refer to the document below for your understanding:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

 

Best Regards,

 

ColtForti
New Contributor

Thank you, I found what the problem was. Thank you.
