I have a VPN tunnel defined which comes up OK. Traffic on the far side is coming through the tunnel without a problem (CISCO RV042 device). On the Fortigate 60D (5.0.310) I have a rule defined where the source is DMZ, 192.168.18.0/24, destination is WAN2, 192.168.54.0/24, all services and IPsec using the defined VPN tunnel. When a do a TRACERT from a PC at 192.168.18.100 I see it hit the DMZ gateway address as 192.168.18.3 and the next hop is 10.15.224.1 which is not one of my IP's. If the traffic were being sent down the tunnel the second hop should show 192.168.54.1 which is the gateway at the far side. For some reason the traffic is not being sent down the tunnel, instead it is being sent over the internet. Is there something different for the DMZ interface compared to the internal interface? I have many VPN's on the internal interface which are working. Why does it seem that it is ignoring the rule to force the traffic down the tunnel?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
following configurations cut from a backup showing the relevant parts (external ip's changed). policy 30 is the one that i assume would push the traffic down the tunnel but appears to be ignored. rule 31 if enabled catches the source and destination address and denies the traffic as expected.
#config-version=FGT60D-5.00-FW-build310-150123:opmode=0:vdom=0:user=admin
#buildno=0310 config router static edit 1 set device "wan2" set gateway 111.111.111.129 next end config system interface edit "all" next edit "dmz" set vdom "root" set ip 192.168.18.3 255.255.255.0 set allowaccess ping set type physical set alias "192-168-18-0" set snmp-index 1 next edit "wan2" set vdom "root" set ip 111.111.111.144 255.255.255.224 set allowaccess ping set type physical set alias "Cox" set snmp-index 3 next end config system dhcp server edit 1 set default-gateway 192.168.18.3 set interface "dmz" config ip-range edit 1 set end-ip 192.168.18.149 set start-ip 192.168.18.20 next end set netmask 255.255.255.0 set dns-server1 192.168.18.2 next end config firewall address edit "all" next edit "Plant-Internal" set subnet 192.168.54.0 255.255.255.0 next edit "Office-Internal" set subnet 192.168.18.0 255.255.255.0 next end config vpn ipsec phase1 edit "all" next edit "WAN2-Plant-Tunnel" set interface "wan2" set proposal 3des-sha1 3des-md5 set remote-gw 222.222.222.66 set psksecret ENC IHRvb9GJlNhwKx8e3fCcPaEdYQ= next end config vpn ipsec phase2 edit "all" next edit "WAN2-Plant-Phase2" set phase1name "WAN2-Plant-Tunnel" set proposal 3des-sha1 3des-md5 set keylifeseconds 28800 set src-subnet 192.168.18.0 255.255.255.0 set dst-subnet 192.168.54.0 255.255.255.0 next end config firewall policy edit "all" next edit 30 set srcintf "dmz" set dstintf "wan2" set srcaddr "Office-Internal" set dstaddr "Plant-Internal" set action ipsec set schedule "always" set service "ALL" set inbound enable set vpntunnel "WAN2-Plant-Tunnel" next edit 31 set srcintf "dmz" set dstintf "wan2" set srcaddr "Office-Internal" set dstaddr "Plant-Internal" set status disable set schedule "always" set service "ALL" set logtraffic all next edit 27 set srcintf "dmz" set dstintf "wan2" set srcaddr "all" set dstaddr "all" set action accept set schedule "always" set service "ALL" set nat enable next end
"set outbound enable"?
That was absolutely the problem. Can't tell you how many times I was comparing the GUI for this tunnel to other tunnels that worked. Unfortunately this parameter is not visible in the GUI. I always set up the tunnels using the GUI never the CLI. Hindsite is always 20/20, and I should have compared the backup CLI commands to one that worked. Evidently the DMZ interface defaults the outbound to disabled. Thank you for the help.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.