Hello,
So I have a problem and can't solve it without some help.
We have two FortiGates, the main office (Site A) and the new one (Site B). I connected them by an IPsec tunnel, with ph2 address 0.0.0.0/0 on both sides.
The tunnel is up and working fine, but now I want to route two local subnets of Site B to the internet over Site A, and the other subnets to the internet from the local WAN.
Topology:
10.20.1.0/24 -> SiteB FTG -> IPsec Tunnel -> SiteA FTG -> Internet
10.20.2.0/24 -> SiteB FTG -> IPsec Tunnel -> SiteA FTG -> Internet
10.99.99.0/24 -> SiteB FTG -> Internet
I am trying to use policy routes but it's not working, or I am doing something wrong. Any help would be nice.
Hi,
Firstly, on Site B, you need a policy route to route the traffic for the Internet via the IPsec tunnel for subnets 10.20.1.x and 10.20.2.x. All remaining sources will match the kernel routes (FIB) for forwarding the traffic and hence will exit via the local WAN for internet access. In the policy route the gateway can be defined as the Site A tunnel interface IP address.
Also, it is important that you have a default route in the routing table with the IPsec tunnel as gateway. You can create a default static route with the same distance as the existing default route but with a higher priority value (the higher the priority, the less preferred the route). This will make sure two default routes exist in the routing table, but the preferred one will be over the local WAN.
Secondly, on Site B, you need the right policy allowing access from the source subnets 10.20.1.x and 10.20.2.x to the IPsec tunnel with destination address "ALL".
On Site A, you need a policy to allow traffic from the IPsec tunnel interface to its WAN (Internet) with NAT enabled.
Site A should also have the route back to 10.20.1.x and 10.20.2.x via the tunnel.
If you still face connectivity issues, please troubleshoot the problem starting from the origin, which is Site B: see if the routes and policies are correct and whether packets are entering the tunnel, then go to Site A and take a diagnose sniffer capture to confirm it receives the ESP traffic and, moreover, that it can see the decrypted traffic going towards the internet.
Best Regards,
Hello,
You can use a policy route to achieve your requirement. You could refer to the document below for your understanding.
Best Regards,
Thank you, I found what the problem was. Thank you.
Do you mind sharing the solution? Having the same issue here. I want to route one subnet from site B to site A for internet access.