[Solved] Pushing internet traffic into an IPsec tunnel (interface mode) does not work
Hi All,
Thanks for reading. I've mounted an IPsec tunnel from SITE A (many subnets) to SITE B (remote office, one subnet).
All works as expected, but I need to push internet traffic into the tunnel from site B to site A. Here are some details:
Site B Configuration:
config vpn ipsec phase1-interface
    edit "FortiChili"
        set interface "wan1"
        set keylife 96400
        set mode aggressive
        set peertype any
        set comments "VPN: FortiChili"
        set wizard-type static-fortigate
        set remote-gw 195.221.X.Y(siteA_WANIP)
        set psksecret ENC nzeoinelzknflkeznf
    next
end
config vpn ipsec phase2-interface
    edit "FortiChili"
        set phase1name "FortiChili"
        set comments "VPN: FortiChili"
        set src-addr-type name
        set dst-addr-type name
        set src-name "FortiChili_local"
        set dst-name "all"
    next
end
Because I've put dst-name "all", I have to push a static route (and a blackhole was added too):
S* 0.0.0.0/0 [10/0] via 88.162.243.254, wan1
C 88.162.243.0/24 is directly connected, wan1
S 172.20.64.0/18 [10/0] is directly connected, FortiChili
S 172.20.133.0/24 [10/0] is directly connected, FortiChili
C 192.168.10.0/24 is directly connected, lan
S 195.221.X.Y/32 [5/0] via 88.162.243.254, wan1
Where 195.221.X.Y/32 is the remote FortiGate (the central one), 88.162.243.254 is the gateway of my provider, 172.20.64.0/18 is one of the remote subnets and 192.168.10.0/24 is the local subnet. Actually this works: I can access 172.20.64.0/18 from 192.168.10.0/24 in both directions. Now I want to push all my internet traffic from 192.168.10 into the tunnel. To achieve that I've changed the routing table shown before:
S* 0.0.0.0/0 [10/0] is directly connected, FortiChili
C 88.162.243.0/24 is directly connected, wan1
S 172.20.64.0/18 [10/0] is directly connected, FortiChili
S 172.20.133.0/24 [10/0] is directly connected, FortiChili
C 192.168.10.0/24 is directly connected, lan
S 195.221.X.Y/32 [5/0] via 88.162.243.254, wan1
So the preferred route for 195.221.X.Y/32 uses the provider gateway: OK, my VPN is established. Then I add the default route 0.0.0.0/0 with higher priority to push all traffic into the tunnel: FAILED. The effect is that my default drop rule matches all internet traffic: the FortiGate wants to push my internet traffic via WAN1:
Action: Deny: policy violation
Threat: 131072
Policy: 0
Policy Type: policy
Source Interface Role: lan
Destination Interface Role: wan
Protocol Number: 1
roll: 50413
Log event: original
timestamp: 1543876582
dstcountry_code: US
Log ID: 13
PS: On Fortinet-A (central) I've added the rule to allow the IPsec interface to WAN with NAT for the 192.168.10 IPs, but my problem is before this.
What is wrong? Please help me!!!
Labels: 5.6
I've found the solution myself!!! It was an internal routing error.
Adding 0.0.0.0/0 via the IPsec interface as a blackhole (distance 254) in the static policy routes solved my issue!
I know you solved it with policy routes, but what we would regularly do when the default route needs to go through the tunnel is:
1. Set a /32 static route for the remote gateway IP (in your case 195.221.X.Y/32) to wan1 with its GW IP.
2. Set a 0/0 static route to the "FortiChili" tunnel interface without a GW.
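As an added example (not configuration from the thread or from Fortinet), here is the site B FortiOS CLI that implements the two-step approach in the reply above, together with the blackhole route the original poster mentioned. Interface, tunnel and address values are taken from the post (195.221.X.Y is the poster's masked peer address); the route sequence numbers and the policy name are assumptions.

```text
# Added example: site B static routes for default-route-over-IPsec.
# Sequence numbers (1-3) and the policy name are assumed.
config router static
    # 1. Pin the remote IKE/ESP peer to the provider path. Without this /32
    #    the peer itself would match the default route into the tunnel and
    #    the tunnel could never come up (it would try to reach its own
    #    endpoint through itself).
    edit 1
        set dst 195.221.X.Y 255.255.255.255
        set gateway 88.162.243.254
        set device "wan1"
        set distance 5
    next
    # 2. Default route into the tunnel interface. No gateway is needed on a
    #    point-to-point IPsec interface.
    edit 2
        set dst 0.0.0.0 0.0.0.0
        set device "FortiChili"
        set distance 10
    next
    # 3. Blackhole fallback: if the tunnel goes down, route 2 is withdrawn
    #    and LAN internet traffic hits this route instead of leaking out of
    #    wan1 in clear text through any permissive lan->wan1 policy.
    edit 3
        set dst 0.0.0.0 0.0.0.0
        set blackhole enable
        set distance 254
    next
end
# Traffic still needs a firewall policy from lan into the tunnel interface;
# NAT happens on the central site A, as described in the original post.
config firewall policy
    edit 0
        set name "lan-to-FortiChili"
        set srcintf "lan"
        set dstintf "FortiChili"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Verify with "get router info routing-table all" that 195.221.X.Y/32 is learned via wan1 and 0.0.0.0/0 via FortiChili, and with "diagnose vpn tunnel list" that the phase 2 selector covers 0.0.0.0/0.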
