Support Forum
RP
New Contributor

Routing Internet IP via IPSEC

FortiGate 60E, 6.4

As an example, I'm trying to route whatismyip.com via the IPsec tunnel from router1 to router2.

Router 1: 192.168.1.0/24

Router 2: 192.168.2.0/24

I can ping anything on router 2, so I can confirm the tunnel is up,

but when I try to traceroute whatismyip.com it hangs at my router.

Can you help me figure out what I'm doing incorrectly?

Thanks

Details

I have an FQDN address named test that resolves whatismyip.com to its 2 addresses.

I have a policy that routes:
incoming interface: inside
outgoing interface: router1 to router2
source: all
destination: test
schedule: always
service: all
action: accept
inspection mode: flow based
firewall NAT: enabled
no security profile
log: enabled
policy: enabled

I have a static route set:
named test
interface: router1 to router2
admin distance: 10

I can run a policy lookup:
inside
protocol: ip
protocol number: 1
source: 192.168.1.100
destination: test

It will show that the above policy is the one selected.

Toshi_Esumi
Esteemed Contributor III

Not clear about the topology. Is the 60E = Router2? Or does it sit in between Router2 and the Internet?

RP
New Contributor

Both routers are 60E's.

LAN traffic to whatismyip.com needs to go from router 1 to router 2 and then to the cloud.

There is a tunnel already set up between the 2 gates.

Note: whatismyip.com is just an example and not the actual website I'm trying to route; it's used for the example only. So if router 1's public IP is 20.20.20.20 and router 2's is 30.30.30.30, then whatismyip.com would show 30.30.30.30 as the IP I'm coming from. Currently whatismyip.com is just stopping at router1.

Toshi_Esumi
Esteemed Contributor III

You must have a set of inbound and outbound policies on both ends without NAT to let 192.168.1.0/24 and 192.168.2.0/24 talk to each other over the tunnel. Then your test route pushes traffic to the destination into the tunnel, if the phase2 selectors include the destination: 192.168.1.0/24 <-> test. If you're using 0/0 <-> 0/0 for the selector, it includes everything, so that's not a problem.
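
As an added illustration of the fix described in this reply, and of the policy and static route listed in the original post, here is a FortiOS CLI sketch of both ends. It is not configuration taken from the thread or from Fortinet. The interface and object names (internal, wan1, to_router2, to_router1), the FQDN address being allowed in a static route as the poster describes, and router 2's tunnel-to-WAN policy are assumptions; the thread does not show router 2's configuration.

```fortios
# ---- Router 1 (192.168.1.0/24 side, public IP 20.20.20.20) ----
# FQDN address object for the destination, as the original post describes.
config firewall address
    edit "test"
        set type fqdn
        set fqdn "whatismyip.com"
    next
end

# Phase2 selectors must cover the destination; 0/0 on the remote side
# covers everything, as the reply above notes. "to_router2" is assumed.
config vpn ipsec phase2-interface
    edit "to_router2"
        set phase1name "to_router2"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Static route sending the named address into the tunnel (distance 10 as posted).
config router static
    edit 0
        set dstaddr "test"
        set device "to_router2"
        set distance 10
    next
end

# Policy LAN -> tunnel. The original post had NAT enabled here, which rewrites
# the source before encryption so it no longer matches the 192.168.1.0/24
# selector; it must be "set nat disable" so the LAN subnet enters the tunnel
# untranslated.
config firewall policy
    edit 0
        set name "lan-to-tunnel-test"
        set srcintf "internal"
        set dstintf "to_router2"
        set srcaddr "all"
        set dstaddr "test"
        set action accept
        set schedule "always"
        set service "ALL"
        set inspection-mode flow
        set logtraffic all
        set nat disable
    next
end

# ---- Router 2 (192.168.2.0/24 side, public IP 30.30.30.30) ----
# Assumed: the mirrored phase2 selector, plus a policy from the tunnel to the
# WAN. This is the only place NAT belongs: traffic leaves with router 2's
# public IP, which is why whatismyip.com would report 30.30.30.30.
config vpn ipsec phase2-interface
    edit "to_router1"
        set phase1name "to_router1"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 192.168.1.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "tunnel-to-internet"
        set srcintf "to_router1"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The two NAT settings are the whole point: disabled on the policy that sends traffic into the tunnel, enabled only on router 2's policy towards the WAN. A policy lookup on router 1 can match the correct policy (as the original post shows) and the tunnel can still drop the traffic, because the lookup does not tell you whether the post-NAT source still fits the phase2 selector.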

RP
New Contributor

Thanks, NAT was the issue.
