Hi All,
Thanks for reading. I've mounted an IPsec tunnel from SITE A (many subnets) to SITE B (remote office, one subnet).
All works as expected, but I need to push internet traffic into the tunnel from site B to site A. Here are some details:
Site B Configuration:
config vpn ipsec phase1-interface
    edit "FortiChili"
        set interface "wan1"
        set keylife 96400
        set mode aggressive
        set peertype any
        set comments "VPN: FortiChili"
        set wizard-type static-fortigate
        set remote-gw 195.221.X.Y(siteA_WANIP)
        set psksecret ENC nzeoinelzknflkeznf
    next
end
config vpn ipsec phase2-interface
    edit "FortiChili"
        set phase1name "FortiChili"
        set comments "VPN: FortiChili"
        set src-addr-type name
        set dst-addr-type name
        set src-name "FortiChili_local"
        set dst-name "all"
    next
end
Because I've put dst-name "all" I have to push a static route (and a blackhole was added too):
S* 0.0.0.0/0 [10/0] via 88.162.243.254, wan1
C 88.162.243.0/24 is directly connected, wan1
S 172.20.64.0/18 [10/0] is directly connected, FortiChili
S 172.20.133.0/24 [10/0] is directly connected, FortiChili
C 192.168.10.0/24 is directly connected, lan
S 195.221.X.Y/32 [5/0] via 88.162.243.254, wan1
Where 195.221.X.Y/32 is the remote FortiGate (the central one), 88.162.243.254 is the gateway of my provider, 172.20.64.0/18 is one of the remote subnets and 192.168.10.0/24 is the local subnet. Actually this works, I can access 172.20.64. from 192.168.10 in both directions. Now I want to push all my internet traffic from 192.168.10 into the tunnel. To achieve that I've changed the routing table shown before:
S* 0.0.0.0/0 [10/0] is directly connected, FortiChili
C 88.162.243.0/24 is directly connected, wan1
S 172.20.64.0/18 [10/0] is directly connected, FortiChili
S 172.20.133.0/24 [10/0] is directly connected, FortiChili
C 192.168.10.0/24 is directly connected, lan
S 195.221.X.Y/32 [5/0] via 88.162.243.254, wan1
So the preferred route for 195.221.X.Y/32 uses the provider gateway: OK, my VPN is established. Then I add the default route 0.0.0.0/0 with higher priority to push all traffic into the tunnel: FAILED. The effect is that my default drop rule matches all internet traffic: the FortiGate wants to push my internet traffic via WAN1:
Action: Deny: policy violation
Threat: 131072
Policy: 0
Policy Type: policy
Source Interface Role: lan
Destination Interface Role: wan
Protocol Number: 1
roll: 50413
Log event: original
timestamp: 1543876582
dstcountry_code: US
Log ID: 13
PS: On the FortiGate-A (central) I've added the rule to allow the IPsec interface to WAN with a NAT for 192.168.10 IPs, but my problem is before this.
What is wrong? Please help me!!!
I've found the solution myself!!! That was an internal routing error.
Adding 0.0.0.0/0 via the IPsec interface as a BlackHole (distance 254) in the static policy routes solved my issue!
I know you solved it with policy routes, but what we would regularly do in case the default route needs to go through the tunnel is:
1. Set a /32 static route for the remote gateway IP (in your case 195.221.X.Y/32) to wan1 with its GW IP.
2. Set a 0/0 static route to the "FortiChili" tunnel interface without a GW.
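As an added example (not configuration posted in this thread), the FortiOS CLI for the two steps above plus a blackhole fallback: interfaces, address objects and the gateway are taken from the original post; the sequence numbers, the policy name and the fallback route are assumptions.

```fortios
# Added example, not from the thread. Sequence numbers (1-3, 10), the policy
# name and the blackhole fallback are assumptions; interfaces, addresses and
# gateway come from the original post. The old 0.0.0.0/0 via wan1 is removed.
config router static
    # Step 1: host route for the remote IKE peer, so the tunnel itself is
    # built over wan1 and never recurses into the default route.
    edit 1
        set dst 195.221.X.Y 255.255.255.255
        set gateway 88.162.243.254
        set device "wan1"
        set distance 5
    next
    # Step 2: default route into the tunnel interface, no gateway needed.
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "FortiChili"
        set distance 10
    next
    # Fallback (assumption): if the tunnel is down, drop the traffic instead
    # of letting it fall back to wan1 and leave the site in the clear.
    edit 3
        set dst 0.0.0.0 0.0.0.0
        set blackhole enable
        set distance 254
    next
end
# The deny on policy 0 with destination role "wan" shows the lookup went
# lan -> wan1. Once the default route points at the tunnel, the lookup
# becomes lan -> FortiChili and needs a matching accept policy.
config firewall policy
    edit 10
        set name "lan-to-internet-via-vpn"
        set srcintf "lan"
        set dstintf "FortiChili"
        set srcaddr "FortiChili_local"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Site A still needs its own IPsec-to-WAN policy with NAT for 192.168.10.0/24, as the original post already describes.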