Cyber_Guard
New Contributor

Routing certain traffic over IPSEC VPN

We have a site-to-site VPN between our remote sites and head-office. Both locations are using FortiGate firewalls. We have an IPsec tunnel up and running between these two sites. This IPsec tunnel lets our remote site access our servers on the network 10.0.50.0/24.

Here is what we have under phase 2 on our remote firewall as well as the head-office firewall:

Remote firewall phase 2:

Source : 10.25.1.0/24

Destination: 10.0.50.0/24

 

Head-office firewall phase 2:

Source: 10.0.50.0/24

Destination: 10.25.1.0/24

 

This is a route-based VPN with policies for in/out traffic. On the remote site I have a static route in place for traffic going to 10.0.50.0 (server network at head-office). The static route looks like this:

 

10.0.50.0/24 network then use device Interface Phase1 of VPN

 

We have some external server farms which are connected to head-office over an IPsec tunnel, and this remote site also needs to access those external farms. So rather than creating a site-to-site VPN between the remote site and the external farms, I want to route the remote site's traffic through our existing tunnel to head-office. Right now, traffic destined for network 10.25.1.0/24 from the remote site only travels over the VPN.

 

What changes can I make so I can route our remote site's traffic to the external farm through our existing tunnel to head-office? Happy to provide more information as required. Thanks all

 

Regards,

Karan

FCSNA | CCNP | VCP | CCNA | MCITP
gschmitt
Valued Contributor

I highly recommend you establish a third IPsec tunnel between the remote site and the server farm.

Otherwise all your traffic will go from the farm into the head office, out of the head office and into the remote site, and vice versa.

 

BUT if you don't want that

 

You need to add the IP range of the server farm to the P2 of the existing tunnel (create policies as well).

 

You can now either use the head office to NAT the traffic OR add the new IP range to the P2 of this IPsec tunnel as well.

Cyber_Guard

Thanks for your reply mate. The reason I wanna route traffic through our HO is because we have MPLS between HO & external server farm so definitely I would like to route through HO

 

Could you please elaborate a little more on the second option? Does it mean I have to create another entry in phase 2 between HO and remote site for external server farms? Say external server farm network is 10.26.1.0/24, so is this what I need to configure on HO and remote site firewall:

 

Head-office firewall (New phase 2 entry)

Source: 10.26.1.0/24 (external server farm network)

Destination: 10.25.1.0/24 (remote site)

 

Remote-Site firewall (New phase 2 entry)

Source: 10.25.1.0/24 (local subnet)

Destination: 10.26.1.0/24 (external server farm network)

 

Static route on remote site:

If destination is 10.26.1.0 then use device VPN phase 1 name

 

Is this what I have to do to achieve this? Also, do I have to create policies as well? 

 

Thanks mate :)

Karan

FCSNA | CCNP | VCP | CCNA | MCITP
cbesse
New Contributor

Hope this helps. The configuration in detail:

Remote-Site firewall configuration

- New phase 2 entry:
    Source: 10.25.1.0/24 (local subnet)
    Destination: 10.26.1.0/24 (external server farm network)
- New policy:
    Source interface: LAN interface
    Source subnet: 10.25.1.0/24
    Destination interface: VPN interface name
    Destination subnet: 10.26.1.0/24
- New static route:
    Subnet: 10.26.1.0/24
    Device: VPN phase 1 name

Head-office firewall

- New phase 2 entry:
    Source: 10.26.1.0/24 (external server farm network)
    Destination: 10.25.1.0/24 (remote site)
- New policy:
    Source interface: VPN interface name
    Source subnet: 10.25.1.0/24
    Destination interface: server farm interface
    Destination subnet: 10.26.1.0/24

In this configuration, you need to edit the routing table of the MPLS network to send the traffic to 10.25.1.0/24 through the head-office firewall. If you can't edit the routing table of the MPLS network, just turn on NAT in the policy on the head-office firewall.
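The configuration cbesse describes, written out as FortiOS CLI so it can be pasted and compared against a running unit. This is an added example, not cbesse's own text and not configuration taken from Fortinet documentation. The subnets are the ones from the thread; the phase1 names to-HO and to-Remote, the remote LAN interface internal, the head-office farm-facing interface mpls, and the address object names are assumptions for this example.

```fortios
# ---------- Remote-site FortiGate (10.25.1.0/24) ----------
# Second phase 2 selector on the existing tunnel. The phase1 name "to-HO"
# and every interface/object name below are assumptions, not from the thread.
config vpn ipsec phase2-interface
    edit "to-HO-farm"
        set phase1name "to-HO"
        set src-subnet 10.25.1.0 255.255.255.0
        set dst-subnet 10.26.1.0 255.255.255.0
    next
end
# Route the farm prefix into the tunnel interface (route-based VPN).
config router static
    edit 0
        set dst 10.26.1.0 255.255.255.0
        set device "to-HO"
    next
end
config firewall address
    edit "Remote-LAN"
        set subnet 10.25.1.0 255.255.255.0
    next
    edit "Farm-net"
        set subnet 10.26.1.0 255.255.255.0
    next
end
# Outbound policy LAN -> tunnel. Add the mirror policy (to-HO -> internal)
# only if the farm must initiate connections; narrow "service" to what the
# remote site actually needs rather than leaving ALL.
config firewall policy
    edit 0
        set name "LAN-to-Farm"
        set srcintf "internal"
        set dstintf "to-HO"
        set srcaddr "Remote-LAN"
        set dstaddr "Farm-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# ---------- Head-office FortiGate ----------
# Mirror of the new selector: src and dst are swapped relative to the
# remote side. If the two ends do not match exactly, no phase 2 SA comes
# up for this pair and the traffic is silently dropped.
config vpn ipsec phase2-interface
    edit "to-Remote-farm"
        set phase1name "to-Remote"
        set src-subnet 10.26.1.0 255.255.255.0
        set dst-subnet 10.25.1.0 255.255.255.0
    next
end
config firewall address
    edit "Remote-LAN"
        set subnet 10.25.1.0 255.255.255.0
    next
    edit "Farm-net"
        set subnet 10.26.1.0 255.255.255.0
    next
end
# Forward from the remote-site tunnel to the farm-facing interface.
# Switch "nat" to enable only if the MPLS/farm side cannot be given a route
# back to 10.25.1.0/24; the FortiGate then source-NATs to the egress
# interface address, which hides the originating host from the farm's logs.
config firewall policy
    edit 0
        set name "Remote-to-Farm"
        set srcintf "to-Remote"
        set dstintf "mpls"
        set srcaddr "Remote-LAN"
        set dstaddr "Farm-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

To check that the new selector actually negotiated, `diagnose vpn tunnel list name to-HO` on either side lists each phase 2 SA with its source and destination proxy IDs; the 10.25.1.0/24 to 10.26.1.0/24 pair should appear there, and `get router info routing-table all` should show 10.26.1.0/24 pointing at the tunnel interface. Adding the farm range to the selectors widens what the remote site can reach, so the policy's service list is where to keep that exposure narrow.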

FGTnewbie

Hello, 

 

I have this same issue. The only difference is that our remote sites are not connected via VPN tunnel but via MPLS. 

 

On the remote site we have static routes to head office, and in head office we have a tunnel. We want the remote sites to access resources in our external site via the tunnel.

We did a traceroute and discovered that the traffic drops once it reaches the MPLS interface on the Fortinet.

 

Really do not know what to do. Please help

 

thanks 

 

FGTnewbie

Hello All, 

 

I finally solved this issue. 

 

My Current Set Up is as follows

 

Layer 2 MPLS Connection between Remote Site and HO 

 

IPsec VPN tunnel between HO and external (let's call it Site A)

 

Remote site needed to communicate with Site A through the IPsec VPN tunnel existing in HO

 

SOLUTION

 

Remote Site

1. Create a static route from remote site to site A using HO interface address

2. Create an address object using the site A subnet  

3. Create a bidirectional policy from remote site to WAN with source address as the Site A address object already created

 

HO 

1. Create an IP pool using one IP address (if you have multiple remote sites and you want to track connections to the tunnel from them, you'll need to create several IP pools all with one IP each)

2. Create a NATed policy from remote site to VPN tunnel using the IP pool

 

The remote site should be able to connect to site A through the VPN

 

Thanks ede_pfau for your help
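FGTnewbie's two-part solution (a static route and policies on the MPLS-connected remote site, a one-address IP pool and a NAT policy on HO), written out as FortiOS CLI. This is an added example and not FGTnewbie's or Fortinet's own configuration. The subnets 10.25.1.0/24 (remote site) and 10.26.1.0/24 (Site A) are reused from the thread as constructed values; the pool address 10.0.50.250, the HO gateway 10.25.0.1 on the MPLS segment, the interface names mpls, internal and to-SiteA, and the object names are assumptions. It also assumes the pool address falls inside the HO side of the existing phase 2 selector toward Site A, which is what lets the NATed packets ride the existing tunnel.

```fortios
# ---------- Head-office FortiGate ----------
# One-address overload pool per remote site. Using a distinct address per
# site is what lets Site A and the HO logs tell the sites apart once their
# real prefixes are hidden by NAT. 10.0.50.250 is an assumed address.
config firewall ippool
    edit "RemoteSite1-SNAT"
        set type overload
        set startip 10.0.50.250
        set endip 10.0.50.250
    next
end
config firewall address
    edit "RemoteSite1-LAN"
        set subnet 10.25.1.0 255.255.255.0
    next
    edit "SiteA-net"
        set subnet 10.26.1.0 255.255.255.0
    next
end
# MPLS interface -> existing tunnel to Site A, source-NATed from the pool.
# The packets enter the tunnel with a head-office source address, so they
# match the tunnel's existing phase 2 selector and Site A needs no route
# back to the remote-site prefix. Logging is kept on because the pool
# address is the only thing Site A will ever see for these sessions.
config firewall policy
    edit 0
        set name "RemoteSite1-to-SiteA"
        set srcintf "mpls"
        set dstintf "to-SiteA"
        set srcaddr "RemoteSite1-LAN"
        set dstaddr "SiteA-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "RemoteSite1-SNAT"
        set logtraffic all
    next
end

# ---------- Remote-site FortiGate ----------
# Send Site A traffic to the head-office address on the layer 2 MPLS
# segment (10.25.0.1 is an assumed gateway) instead of the default route.
config router static
    edit 0
        set dst 10.26.1.0 255.255.255.0
        set gateway 10.25.0.1
        set device "mpls"
    next
end
config firewall address
    edit "Remote-LAN"
        set subnet 10.25.1.0 255.255.255.0
    next
    edit "SiteA-net"
        set subnet 10.26.1.0 255.255.255.0
    next
end
# The "bidirectional" policy from the post: LAN -> MPLS toward Site A, and
# MPLS -> LAN with Site A as the source for connections it initiates.
config firewall policy
    edit 0
        set name "LAN-to-SiteA"
        set srcintf "internal"
        set dstintf "mpls"
        set srcaddr "Remote-LAN"
        set dstaddr "SiteA-net"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "SiteA-to-LAN"
        set srcintf "mpls"
        set dstintf "internal"
        set srcaddr "SiteA-net"
        set dstaddr "Remote-LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The traceroute symptom in the earlier post (traffic dropping at the MPLS interface on HO) is what you see when the MPLS-to-tunnel policy is missing or the packets enter the tunnel with a source address outside the phase 2 selector; `diagnose sniffer packet any 'host 10.26.1.1' 4` on HO shows whether the frames arrive on mpls and whether they leave on the tunnel interface with the pool address as source. Note that the return policy (SiteA-to-LAN) only carries traffic that Site A initiates, so leave it out if the remote site should only ever be a client.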

 

 

 

 
