Routing and vpn tunnels

Alimov · ‎08-27-2014

Hello colleagues. There are two FGT. 1-100d; 2-80c (OS - 5.2) Implemented such a scheme- http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/redundant-tunnel.121.08.html Everything works. The actual schema looks like this:

Routs on FGT1:

Routs on FGT2:

Now I have the task of: If the user of the site 1 has connected on the rdp for Terminal Server in site 2 and Terminal session launched ie-all Internet traffic goes directly to the wan1 FGT2. What do I need to do to traffic sent back in site 1 and already there was outward through the wan1 FGT1

Please tell me what I need to do.

Alimov · ‎08-27-2014

FG100D3G13824836 # conf rout static FG100D3G13824836 (static) # edit 4 FG100D3G13824836 (4) # set dynamic-gateway enable FG100D3G13824836 (4) # show config router static edit 4 set dst 192.168.50.0 255.255.255.0 set distance 2 set device " Site_1_C" set dynamic-gateway enable next end FG100D3G13824836 (4) # set gateway 192.0.2.2 command parse error before ' gateway' Command fail. Return code -61 FG100D3G13824836 (4) #

hklb · ‎08-27-2014

I didn' t tested for static route yesterday, but it looks like you don' t need to specify for static route (on juniper we need to specify, sorry for the mistake..). I just tested now.

ede_pfau · ‎08-27-2014

Yes, no static gateway possible. Is this a dial-in VPN?

Ede Kernel panic: Aiee, killing interrupt handler!

hklb · ‎08-27-2014

set dynamic-gateway enable

dynamic-gateway Enable use of dynamic gateway retrieved from a DHCP or PPP server. I don' t think is the right parameters... ? Don' t set the gateway and it shoudl works (I you don' t know which parameters you can set, you can do " set ?" , and a help will appear)

Alimov · ‎08-27-2014

I didn' t tested for static route yesterday, but it looks like you don' t need to specify for static route (on juniper we need to specify, sorry for the mistake..). I just tested now.

OK I' ll try again

hklb · ‎08-27-2014

Yes, no static gateway possible. Is this a dial-in VPN?

it' s for site to site vpn

Alimov · ‎08-28-2014

1. Changed the settings of vpn tunnels: 100 A:

100 C:

80 A:

80 B:

VPN is UP:

But ping between the local computer in site 1 and site 2 is down. I add policy route:

Total: tunnel works. ping between sites is not When accessing external resource from site 2-still goes through the wan1 FRT2 What have I done wrong?

hklb · ‎08-28-2014

In phase 2 selectors, set the local and remote to 0.0.0.0/0. If it didn' t work, do the debug command on both firewall dia deb reset dia deb en dia deb flow filter addr 208.91.112.199 dia deb flow show cons en dia deb flow trace start 20

Alimov · ‎08-28-2014

if i set 0.0.0.0 ping is up

hklb · ‎08-28-2014

and access to internet ? is it passed through FGT1?

Routing and vpn tunnels

Nominate a Forum Post for Knowledge Article Creation