kiennt049
New Contributor

Routing all traffic over VPN ( Site to Site )

Dear all,

I have two 60D firewalls, one in HQ and one in Branch.

My boss requests that all traffic from Branch go through HQ.

I created an IPsec VPN tunnel between the two offices but cannot route all traffic from Branch through HQ.

Can you help me?

PS: I tried with another device, a Draytek 2925, in Branch and it can route all traffic to the FG 60D but cannot go out to the internet.

 

kiennt049
New Contributor

Show traffic on FG 60D HQ (172.16.0.1 is the Draytek).

Policy enabled NAT.

But the Draytek still cannot go out to the internet.

 

Toshi_Esumi

Just set a /32 static route for the other side of the tunnel public IP toward wan1, then a static default route into the tunnel (tunnel interface name) to solve the routing issue.

Then you need to have a set of policies from inside interface to the tunnel and the tunnel to include interface without NAT. This part is always needed regardless of whether internet needs to go through the tunnel.

I'm assuming the tunnel itself is up with a proper set of phase2 selectors, or default 0/0<->0/0.
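The routing and policy layout described in the reply above, written out as FortiOS CLI for both units. This is an added example, not part of the original thread: the tunnel interface names (`to-HQ`, `to-Branch`), the `internal` LAN port, and all addresses (203.0.113.10 as HQ public IP, 198.51.100.1 as the branch ISP gateway, 192.168.20.0/24 as the branch LAN) are placeholder assumptions.

```fortios
# ---- Branch FortiGate (placeholder names and addresses) ----
config router static
    edit 0
        # Pin the HQ peer's public IP to the physical WAN so IKE/ESP
        # never gets routed into the tunnel it is carrying
        set dst 203.0.113.10 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
    edit 0
        # Default route: all other traffic enters the tunnel
        set dst 0.0.0.0 0.0.0.0
        set device "to-HQ"
    next
end
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "to-HQ"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # No NAT inside the tunnel: HQ sees real branch addresses
        set nat disable
    next
end

# ---- HQ FortiGate (placeholder names and addresses) ----
config router static
    edit 0
        # Return path to the branch LAN through the tunnel
        set dst 192.168.20.0 255.255.255.0
        set device "to-Branch"
    next
end
config firewall policy
    edit 0
        set srcintf "to-Branch"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # Source-NAT branch traffic to HQ's public address for internet access
        set nat enable
    next
end
```

`edit 0` creates a new entry at the next free ID instead of overwriting an existing route or policy. The reverse tunnel-to-inside policies on each unit follow the same pattern with the interfaces swapped and NAT disabled.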

kiennt049

I tried, but it did not work. On Monday I will take back 1 FortiGate in the office and test again.

Toshi_Esumi

Are you sure that 222.255.x.x/32 is the IP of the other end, while the GW seems to be in the same subnet 222.255.x.x? If both sides are served by the same ISP, it's possible though.

Check the routing "monitor" to make sure the routing table is as you expect. Then you start needing to use CLI to sniff traffic (diag sniffer packet), IKE debugging (diag debug app ike), and flow debug (diag debug flow). You can find syntax for those debuggings on the internet or in this forum.
