robertwb2
New Contributor

Site-to-Site VPN Routing Internet Traffic

So I have something I thought would be quite simple, but I just cannot wrap my head around.

Right now, I have a Site to Site IPSEC VPN set up between my two 100D Fortigates.

What I'm looking to do is route all the traffic from Site B through Site A so we can use some of the public IPs available at Site A over at Site B. My best thought was to route all the traffic from Site B to Site A and exit out to the internet at Site A, but I cannot get the internet traffic to go through the tunnel and I was hoping someone could step me through it and see what I'm doing wrong.

Thanks so much

Robert

19 replies
ede_pfau
SuperUser

So, what have you done so far? Do you have a default route in place? Policies?

Ede Kernel panic: Aiee, killing interrupt handler!
MikePruett
Valued Contributor

Yeah, give us an example of how things are on the Gates and we can point you in a general direction.

Mike Pruett Fortinet GURU | Fortinet Training Videos
rwpatterson
Valued Contributor III

For starters, if you want the Internet traffic to flow through the tunnel, you should set that distance shorter than that of your default gateway (at site B). The tunnel should be your preferred gateway, in other words. You may still wish to go out directly for things like DNS, but that's your call.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

robertwb2

So I think I got it going, but I'm not sure what I did is correct.

I was changing the static route on Site B to go through the Tunnel Interface. On my Site A Fortigate I had set up a VPN_interface to WAN firewall rule to allow that traffic to go out. When I would change the static route on Site B to go through the Tunnel and change the distances, I would lose all connection at Site B. No traffic was going through.

So I created a new Phase 2 line in my Tunnel at each end.

Site A: Local Address: 0.0.0.0/0 - Remote Address: Site B/24

Site B: Local Address: Site B/24 - Remote Address: 0.0.0.0/0

And it started working perfectly.

So like I said, I'm not sure that's the correct way to do it, and I hope I didn't miss a step describing it here, but if there is a better way to do it, I'm 100% open to hearing that I'm wrong! ha!

Thanks

Robert

rwpatterson
Valued Contributor III

In your own best interest, you should narrow down tunnel phase 2 selectors to the smallest subnets possible. This will eliminate stray routing issues like you just saw. If you are using a routing protocol (such as OSPF), that may not be possible.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

robertwb2

I agree, I'm not too keen on what I did in Phase 2, but it's the only thing I could figure out to make all internet traffic go over the tunnel. What else can I do to force all the internet traffic over the VPN tunnel?

Like I said, I'm pretty sure I'm wrong here so let me have it! ha!

Robert

rwpatterson
Valued Contributor III

robertwb2 wrote:

I agree, I'm not too keen on what I did in Phase 2, but it's the only thing I could figure out to make all internet traffic go over the tunnel. What else can I do to force all the internet traffic over the VPN tunnel?

Like I said, I'm pretty sure I'm wrong here so let me have it! ha!

Robert

LOL! The traffic going through the tunnel is dependent on the source IP, not the destination, so you only need to specify the interesting traffic that's originating from site B headed towards site A in the phase 2 selectors. There will be no spankings here. It's better to learn from your mistakes than being burned at a stake. ;)

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

robertwb2

OK, so this is where my knowledge breaks down: I'm not sure what to specify in that phase 2 to make it work.

We already have the IPSEC VPN working between the two sites for internal traffic. Yet when I take out that all-encompassing phase 2 line (0.0.0.0/0) the internet traffic does not flow (the internal site to site traffic is OK), even though I have my static routes set up and the policies set too. So that is where I'm at a loss.

Thanks so much for your help so far

Robert

rwpatterson
Valued Contributor III

OK, for this 'lesson', we'll focus on Site A. The local selector should be 0.0.0.0/0 because you want all Internet traffic to flow down the tunnel. The remote was fine designated as the subnet over there. That was perfect, for your case.

The other option would be to use the local subnet as the local selector, and in the 'Site B -> Internet' policy, NAT all inbound traffic to an address on the Site A local LAN. The selectors would then only need to be local: Site A subnet and remote: Site B subnet. All internet traffic would be NATted to a single IP address on the LAN, so the tunnel scope would be nice and small.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

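As an added example (not from this thread, and not Fortinet's own documentation), here is what the arrangement that ended up working looks like in FortiOS CLI: Site B keeps a narrow local selector (its own LAN) with 0.0.0.0/0 as the remote, Site A mirrors that with 0.0.0.0/0 local and the Site B LAN as remote, the tunnel becomes the preferred default route at Site B, and Site A source-NATs the traffic out of wan1 from one of its public IPs. Every name and address is an assumption: phase1-interface names "to-siteA" / "to-siteB" bound to wan1, LAN interface "internal", Site A LAN 10.1.0.0/24, Site B LAN 10.2.0.0/24, Site A public address 203.0.113.1, Site B ISP gateway 198.51.100.1, and the pool address 203.0.113.10 (documentation ranges used as placeholders). The existing wan1 default route at each site is assumed to be at the stock distance of 10 and is left in place as the fallback.

```text
# ===== Site B (the spoke): push everything to Site A through the tunnel =====
# Assumed names/addresses, see the lead-in; adjust to your own.

config vpn ipsec phase2-interface
    edit "to-siteA-all"
        set phase1name "to-siteA"
        # local: only the Site B LAN
        set src-subnet 10.2.0.0 255.255.255.0
        # remote: anything, i.e. the Internet reached via Site A
        set dst-subnet 0.0.0.0 0.0.0.0
        set auto-negotiate enable
    next
end

config router static
    # host route to the peer's public IP via wan1, so IKE/ESP to Site A
    # never gets pulled into the tunnel by the default route below
    edit 0
        set dst 203.0.113.1 255.255.255.255
        set device "wan1"
        set gateway 198.51.100.1
        set distance 5
    next
    # default route via the tunnel; distance 5 beats the wan1 default (10)
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "to-siteA"
        set distance 5
    next
end

config firewall address
    edit "SiteB_LAN"
        set subnet 10.2.0.0 255.255.255.0
    next
end

config firewall policy
    edit 0
        set name "LAN-to-SiteA-tunnel"
        set srcintf "internal"
        set dstintf "to-siteA"
        set srcaddr "SiteB_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # no NAT here: the packets must enter the tunnel with their real
        # Site B source so they match the 10.2.0.0/24 selector
        set nat disable
    next
end

# ===== Site A (the hub): accept Site B traffic and NAT it out wan1 =====

config vpn ipsec phase2-interface
    edit "to-siteB-all"
        set phase1name "to-siteB"
        # local: anything (mirror of Site B's remote selector)
        set src-subnet 0.0.0.0 0.0.0.0
        # remote: only the Site B LAN
        set dst-subnet 10.2.0.0 255.255.255.0
    next
end

config router static
    # return path for replies back to Site B
    edit 0
        set dst 10.2.0.0 255.255.255.0
        set device "to-siteB"
    next
end

config firewall address
    edit "SiteB_LAN"
        set subnet 10.2.0.0 255.255.255.0
    next
end

config firewall ippool
    # the Site A public IP that Site B should appear to come from
    edit "SiteA_public_for_SiteB"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

config firewall policy
    edit 0
        set name "SiteB-to-Internet"
        set srcintf "to-siteB"
        set dstintf "wan1"
        set srcaddr "SiteB_LAN"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "SiteA_public_for_SiteB"
    next
end
```

Two things worth checking after applying this. First, `get router info routing-table all` on Site B should show the 0.0.0.0/0 route via the tunnel interface as the active default and the /32 to the peer via wan1; without that host route the tunnel can lose its own path to the peer once the wan1 default is no longer preferred, which is one way to end up with "no traffic at all" at Site B. Second, `diagnose vpn tunnel list` on either side should show the wide selector (0.0.0.0/0 on the Site A local side only) established alongside the existing LAN-to-LAN phase 2; the Site B local selector stays at its own /24, which is the "smallest subnets possible" point above. If Site B hosts should keep resolving DNS directly rather than via Site A, a more specific static route for the DNS server via wan1 does that without touching the selectors.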