Support Forum
Alimov
New Contributor II

Routing and vpn tunnels

Hello colleagues. There are two FGTs: 1 - 100D; 2 - 80C (OS 5.2). I implemented this scheme: http://docs-legacy.fortinet.com/fos50hlp/50/index.html#page/FortiOS%205.0%20Help/redundant-tunnel.121.08.html. Everything works. The actual schema looks like this:
Routes on FGT1:
Routes on FGT2:
Now I have the following task: if a user on site 1 connects via RDP to the Terminal Server in site 2 and launches a terminal session, i.e. all Internet traffic goes directly out through wan1 of FGT2. What do I need to do so that the traffic is sent back to site 1 and goes outward through wan1 of FGT1 from there? Please tell me what I need to do.
38 REPLIES
hklb
Contributor II

Hello, I don't know if I have understood correctly. If a client on site 1 is connected to a terminal server on site 2, you want all the web (http/https) traffic routed through site 1? If yes, it's not possible, except if the terminal server is dedicated to clients of site 1 (in this case you will use PBR). If you use a terminal server, all new sessions will be initiated from this terminal server. So it's normal that the traffic goes out by FGT2 WAN1, and it will consume less Internet bandwidth. PS: for route prioritization, use the same distance and change the priority. Using distance is not a good way to implement route prioritization.
Alimov
New Contributor II

I need all traffic, absolutely all of it, to go back into FGT1. Port wan1 on FGT2 is only needed to create the VPN tunnel, and for remote administration (but this is stage 2). Maybe you will understand when I say that I need something like this: as with a conventional VPN connection in Windows, if the box is checked, all requests go to the gateway of my VPN and not to the gateway of my network adapter. FGT2 generally does not have anything to send to or receive from the external network, nothing but traffic from FGT1. Is it really impossible?
hklb
Contributor II

If all subnets of FGT2 need to be routed through the VPN, you can do a policy route (example in attached file):
source: FGT2 subnet
dest: 0.0.0.0/0
all services
Interface: your VPN interface
Like this, all traffic from your subnet will be routed through your VPN. You will need to add a firewall policy from VPNInterface to WAN to allow the traffic. The printscreen is for dialup VPN, not site to site... it's not the same.
Alimov
New Contributor II

Thank you for helping me. I made the policy route, but traffic still goes out wan1. Maybe I need to remove or change the static route to 0.0.0.0/0 gw 88.52.227.65?
Firewall policy:
hklb
Contributor II

PBR (policy route) has a higher priority than the static route, so you don't need to remove the static route 0.0.0.0 (if you do that, your firewall will not have Internet anymore). You need to do the following.
On FGT2, create a firewall policy:
- from lan
- to VPN
- src: lanSubnet
- dst: any
On FGT1, create a firewall policy:
- from VPN
- to WAN
- src: lanSubnetOfFGT2
- dst: any
- and enable NAT
Alimov
New Contributor II

Something is wrong with my policy route. For testing I created a policy route on FGT1 where all traffic from subnet 192.168.110/24 leaves via wan2, and it works. And here's the policy route for FGT2: it does not work, and the packets go via the static route. For the FGT2 rule I'm not sure what the "Gateway Address" needs to be; do I need to write 0.0.0.0? On the firewall policy on FGT1, NAT is enabled. I'm not sure whether the firewall policy on FGT2 also needs NAT enabled?
hklb
Contributor II

Did you specify subnets in your phase 2 (Phase 2 selector)? If yes, remove them (you don't need them when you have a FortiGate on both sides) and try again. Did you see something in the log? If not, try the debug commands in the CLI on both firewalls:
dia deb reset
dia deb en
dia deb flow filter addr 8.8.4.4 (if you use this address as DNS, write another IP)
dia deb flow show cons en
dia deb flow trace start 20
When you have set these diag debug commands, connect to the terminal server and type in CMD "ping -n 1 8.8.4.4". Post the output of the diagnose commands here. When finished, don't forget to do:
diag deb di
diag deb reset
Alimov
New Contributor II

Tunnel on FGT1:
Tunnel on FGT2:
Log on FGT2:
id=20085 trace_id=4 msg="DNAT 88.52.227.77:0->192.168.50.110:512"
id=20085 trace_id=5 msg="vd-root received a packet(proto=1, 192.168.50.110:512->8.8.4.4:8) from internal."
id=20085 trace_id=5 msg="Find an existing session, id-0000073c, original direction"
id=20085 trace_id=5 msg="SNAT 192.168.50.110->88.52.227.77:62464"
id=20085 trace_id=6 msg="vd-root received a packet(proto=1, 8.8.4.4:62464->88.52.227.77:0) from wan1."
id=20085 trace_id=6 msg="Find an existing session, id-0000073c, reply direction"
id=20085 trace_id=6 msg="DNAT 88.52.227.77:0->192.168.50.110:512"
id=20085 trace_id=7 msg="vd-root received a packet(proto=1, 192.168.50.110:512->8.8.4.4:8) from internal."
id=20085 trace_id=7 msg="Find an existing session, id-0000073c, original direction"
id=20085 trace_id=7 msg="SNAT 192.168.50.110->88.52.227.77:62464"
id=20085 trace_id=8 msg="vd-root received a packet(proto=1, 8.8.4.4:62464->88.52.227.77:0) from wan1."
id=20085 trace_id=8 msg="Find an existing session, id-0000073c, reply direction"
id=20085 trace_id=8 msg="DNAT 88.52.227.77:0->192.168.50.110:512"
id=20085 trace_id=9 msg="vd-root received a packet(proto=1, 192.168.50.110:512->8.8.4.4:8) from internal."
id=20085 trace_id=9 msg="Find an existing session, id-0000073c, original direction"
id=20085 trace_id=9 msg="SNAT 192.168.50.110->88.52.227.77:62464"
id=20085 trace_id=10 msg="vd-root received a packet(proto=1, 8.8.4.4:62464->88.52.227.77:0) from wan1."
id=20085 trace_id=10 msg="Find an existing session, id-0000073c, reply direction"
id=20085 trace_id=10 msg="DNAT 88.52.227.77:0->192.168.50.110:512"
id=20085 trace_id=11 msg="vd-root received a packet(proto=1, 192.168.50.110:512->8.8.4.4:8) from internal."
id=20085 trace_id=11 msg="Find an existing session, id-0000073c, original direction"
id=20085 trace_id=11 msg="SNAT 192.168.50.110->88.52.227.77:62464"
id=20085 trace_id=12 msg="vd-root received a packet(proto=1, 8.8.4.4:62464->88.52.227.77:0) from wan1."
id=20085 trace_id=12 msg="Find an existing session, id-0000073c, reply direction"
id=20085 trace_id=12 msg="DNAT 88.52.227.77:0->192.168.50.110:512"
id=20085 trace_id=13 msg="vd-root received a packet(proto=1, 192.168.50.110:512->8.8.4.4:8) from internal."
id=20085 trace_id=13 msg="Find an existing session, id-0000073c, original direction"
id=20085 trace_id=13 msg="SNAT 192.168.50.110->88.52.227.77:62464"
id=20085 trace_id=14 msg="vd-root received a packet(proto=1, 8.8.4.4:62464->88.52.227.77:0) from wan1."
id=20085 trace_id=14 msg="Find an existing session, id-0000073c, reply direction"
id=20085 trace_id=14 msg="DNAT 88.52.227.77:0->192.168.50.110:512"
id=20085 trace_id=15 msg="vd-root received a packet(proto=1, 192.168.50.110:512->8.8.4.4:8) from internal."
id=20085 trace_id=15 msg="Find an existing session, id-0000073c, original direction"
id=20085 trace_id=15 msg="SNAT 192.168.50.110->88.52.227.77:62464"
id=20085 trace_id=16 msg="vd-root received a packet(proto=1, 8.8.4.4:62464->88.52.227.77:0) from wan1."
id=20085 trace_id=16 msg="Find an existing session, id-0000073c, reply direction"
id=20085 trace_id=16 msg="DNAT 88.52.227.77:0->192.168.50.110:512"
id=20085 trace_id=17 msg="vd-root received a packet(proto=1, 192.168.50.110:512->8.8.4.4:8) from internal."
id=20085 trace_id=17 msg="Find an existing session, id-0000073c, original direction"
id=20085 trace_id=17 msg="SNAT 192.168.50.110->88.52.227.77:62464"
id=20085 trace_id=18 msg="vd-root received a packet(proto=1, 8.8.4.4:62464->88.52.227.77:0) from wan1."
id=20085 trace_id=18 msg="Find an existing session, id-0000073c, reply direction"
id=20085 trace_id=18 msg="DNAT 88.52.227.77:0->192.168.50.110:512"
id=20085 trace_id=19 msg="vd-root received a packet(proto=1, 192.168.50.110:512->8.8.4.4:8) from internal."
id=20085 trace_id=19 msg="Find an existing session, id-0000073c, original direction"
id=20085 trace_id=19 msg="SNAT 192.168.50.110->88.52.227.77:62464"
id=20085 trace_id=20 msg="vd-root received a packet(proto=1, 8.8.4.4:62464->88.52.227.77:0) from wan1."
id=20085 trace_id=20 msg="Find an existing session, id-0000073c, reply direction"
id=20085 trace_id=20 msg="DNAT 88.52.227.77:0->192.168.50.110:512"
hklb
Contributor II

There is a route cache for 8.8.4.4 on your firewall (when you initiate a connection, the FortiGate temporarily adds a route for this host to its routing table). Could you please do the same test with IP 208.91.112.199?
dia deb reset
dia deb en
dia deb flow filter addr 208.91.112.199
dia deb flow show cons en
dia deb flow trace start 20
And do "ping -n 1 208.91.112.199" from your TS?
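The trace posted above shows every ping matching the already established session id-0000073c and its replies coming back in on wan1, which is why the new policy route never takes effect for that flow. As an added example (not from this thread, nor Fortinet's own tooling), here is a small Python parser for debug flow output of that shape that reports, per session, whether the session was created during the trace and which interface its replies returned on; the sample lines are constructed in the posted format, and the tunnel interface name vpn-to-fgt1 is an assumed placeholder.

```python
import re
from collections import defaultdict
# Constructed sample in the format of the trace posted above (one message per line).
TRACE = """\
id=20085 trace_id=5 msg="vd-root received a packet(proto=1, 192.168.50.110:512->8.8.4.4:8) from internal."
id=20085 trace_id=5 msg="Find an existing session, id-0000073c, original direction"
id=20085 trace_id=6 msg="vd-root received a packet(proto=1, 8.8.4.4:62464->88.52.227.77:0) from wan1."
id=20085 trace_id=6 msg="Find an existing session, id-0000073c, reply direction"
"""
# Message shapes from the posted trace, plus the line FortiOS prints when a packet creates a new session.
PKT = re.compile(r'trace_id=(\d+) msg="vd-\S+ received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\."')
SESS = re.compile(r'trace_id=(\d+) msg="Find an existing session, (id-[0-9a-f]+), (original|reply) direction"')
NEW = re.compile(r'trace_id=(\d+) msg="allocate a new session-([0-9a-f]+)"')

def parse_trace(text):
    """Group messages by trace_id; one trace_id is one packet walking through the box."""
    packets = defaultdict(dict)
    for line in text.splitlines():
        if m := PKT.search(line):
            packets[m[1]].update(proto=int(m[2]), src=m[3], dst=m[4], in_if=m[5])
        elif m := SESS.search(line):
            packets[m[1]].update(session=m[2], direction=m[3], new=False)
        elif m := NEW.search(line):
            packets[m[1]].update(session="id-" + m[2], direction="original", new=True)
    return dict(packets)

def session_paths(packets):
    """Per session: ingress of the original packet, interfaces its replies return on, and whether it was created here."""
    paths = defaultdict(lambda: {"ingress": None, "reply_from": set(), "new": False})
    for p in packets.values():
        if "session" not in p or "in_if" not in p:
            continue  # trace_id with a missing line (filtered or truncated output)
        s = paths[p["session"]]
        s["new"] |= p["new"]
        if p["direction"] == "original":
            s["ingress"] = p["in_if"]
        else:
            s["reply_from"].add(p["in_if"])  # reply ingress = path the original really left by
    return dict(paths)

def diagnose(text, tunnel_if):
    """Findings that explain why the traffic in the trace is not using tunnel_if."""
    findings = []
    for sid, s in session_paths(parse_trace(text)).items():
        if not s["new"]:
            findings.append(f"{sid}: only matched an existing session, no new route lookup in this trace")
        wrong = sorted(s["reply_from"] - {tunnel_if})
        if wrong:
            findings.append(f"{sid}: replies come back in from {', '.join(wrong)}, not {tunnel_if}")
    return findings
```

Running `diagnose(TRACE, "vpn-to-fgt1")` on the sample reports both the existing-session match and the wan1 return path; a trace where the ping creates a new session and the reply arrives from the tunnel interface yields no findings.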