Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Adrien
New Contributor

[Solved] Push internet trafic into an IPSEC tunnel (via interface mode) does not work

Hi All

Thanks for reading. I've mounted IPSec tunnel from SITE A (many subnets) to SITE B (remote office, one subnet)

All work as expected, but i' need to push internet trafic into the tunnel from site B to site A. Here some details:

Site B Configuration:

config vpn ipsec phase1-interface
    edit "FortiChili"
        set interface "wan1"
        set keylife 96400
        set mode aggressive
        set peertype any
        set comments "VPN: FortiChili"
        set wizard-type static-fortigate
        set remote-gw 195.221.X.Y(siteA_WANIP)
        set psksecret ENC nzeoinelzknflkeznf
    next
end
config vpn ipsec phase2-interface
    edit "FortiChili"
        set phase1name "FortiChili"
        set comments "VPN: FortiChili"
        set src-addr-type name
        set dst-addr-type name
        set src-name "FortiChili_local"
        set dst-name "all"
    next
end
Because i've put dst-name "all" i have to push static route (and a blackwole was added too) 
S* 0.0.0.0/0 [10/0] via 88.162.243.254, wan1
C 88.162.243.0/24 is directly connected, wan1
S 172.20.64.0/18 [10/0] is directly connected, FortiChili
S 172.20.133.0/24 [10/0] is directly connected, FortiChili
C 192.168.10.0/24 is directly connected, lan
S 195.221.X.Y/32 [5/0] via 88.162.243.254, wan1
Where 195.221.X.Y/32 is the remote fortigate (the central one) 88.162.243.254 is the gateway of my provider 172.20.64.0/18 is one of the remote subnet192.168.10.0/24 is the local subnet. Actually this work, i can access to 172.20.64. from 192.168.10 in both way. Now i want to push all my internet trafic from 192.168.10 into the tunnel. To achieve that i've changed the routing table shown before:
S* 0.0.0.0/0 [10/0] is directly connected, FortiChili
C 88.162.243.0/24 is directly connected, wan1
S 172.20.64.0/18 [10/0] is directly connected, FortiChili
S 172.20.133.0/24 [10/0] is directly connected, FortiChili
C 192.168.10.0/24 is directly connected, lan
S 195.221.X.Y/32 [5/0] via 88.162.243.254, wan1

So prefered route for 195.221.X.Y/32 use the provider gateway: OK my vpn is established Then i add default route 0.0.0.0/0 with higher priority to push all trafic in the tunel: FAILED Effect is my default drop rule match all internet trafic: the fortigate want to push my internet trafic via WAN1:

 

ActionDeny: policy violation
Threat 131072
Policy 0
Policy Typepolicy

Source Interface Role: lan
Destination Interface Role: wan
Protocol Number 1
roll 50413
Log event original
timestamp 1543876582
dstcountry_code US
Log ID 13

 

PS: On the fortinet-A (central) i've added the rule to allow ipsec interface to WAN with a NAT for 192.168.10 IPs, but my problem is before this,

 

What is wrong? Please help me!!! 

2 REPLIES 2
Adrien
New Contributor

I've found the solution myself!!! That was an internal routing error.

Adding 0.0.0.0/0 via IPSec interface as BlackHole  (distance 254) in the static policy routes solved my issue!

 

Toshi_Esumi
SuperUser
SuperUser

I know you solved with policy routes, but what we would regularly do in case the default route needs to go through the tunnel is:

1. set a /32 static route for the remote gateway IP (in your case 195.221.X.Y/32) to wan1 w/ its GW IP.

2. set 0/0 static route to "FortiChili" tunnel interface without GW.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors