Hi,
Has anyone tried to pass internet traffic to a remote site that has a VIP configured, via IPsec, without using NAT in the policy for the inbound traffic to that VIP?
Basically, what I am trying to do here is to pass the public source IP information to various servers in the following inbound flow: Internet -> VIP -> FTG-site1 -> IPsec -> FTG-site2 -> Servers
Due to local restrictions, something like VIP -> FTG-site2 -> Servers won't be possible, so my only option is the one above via FTG-site1.
I have no issues revealing public IPs via inbound VIPs to servers connected to the local LAN on FTG-site1 by disabling NAT on the responsible inbound policies, but when it comes to IPsec, such an approach does not work; it only works with NAT enabled in the policy, so now the servers on the remote site FTG-site2 only see the IPsec interface IP for each session, which is not ideal for security logging purposes.
In general, this setup should work—connecting from an external source to the target server through an IPsec tunnel. However, there are a couple of important points to keep in mind:
Default gateway on the target server: the target server must have its default gateway set through the tunnel on FGT-site2. This ensures that the return traffic goes back through the IPsec tunnel.
IPsec Phase 2 configuration: in the IPsec tunnel's Phase 2 settings, you need to allow internet addresses. The best way to achieve this is by configuring the proxy-ID to 0.0.0.0/0. This allows all IP addresses through the tunnel.
Ensuring these settings should help maintain the original source IP addresses and allow your setup to work as expected.
Yes, because the VIP is meant for that given server, so you map it to that server and nothing else. Again, nothing special. Treat it as if the server behind the spoke were just a LAN extension of the hub, even though in reality they're different locations and networks.
The connection below will work
Internet -> VIP -> FTG-site1 ->IPsec->FTG-site2->Servers
provided that you have this configuration:
1. 0.0.0.0/0 is configured on the FTG-site2 IPsec tunnel Phase 2 as the Remote Subnet
Remote Subnet : 0.0.0.0/0
Local Subnet : Server IP/Subnet
2. 0.0.0.0/0 is configured on the FTG-site1 IPsec tunnel Phase 2 as the Local Subnet
Remote Subnet : Server IP/Subnet
Local Subnet : 0.0.0.0/0
3. A route for 0.0.0.0/0 is installed on FTG-site2 pointing to the IPsec tunnel interface. You can achieve this via a static route. You can put a higher priority on the static route to avoid issues with your local internet connection.
4. Necessary firewall policies are configured on both FGTs.
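The four steps above, written out as FortiOS CLI on both FortiGates. This is an added example and not configuration from the original post or from Fortinet; interface names (wan1, port2), tunnel names (to-site2 on site 1, to-site1 on site 2), the public VIP address 203.0.113.10 and the server 10.20.0.10/24 are assumptions chosen for illustration. The point of the example is the pairing of the Phase 2 selectors (0.0.0.0/0 on the internet side, the server subnet on the other), the no-NAT policy on the VIP, and the routing that keeps the return path inside the tunnel so the servers log the real client address.

```fortios
# ===== FTG-site1 (hub, owns the public IP) =====

# VIP maps the public address to the server that lives behind the IPsec tunnel
# (assumed addresses). The mapped IP is in the remote site's LAN, not a local one.
config firewall vip
    edit "vip-server-site2"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.20.0.10"
    next
end

# Phase 2 selector: local side is "any" (the internet clients), remote side is
# the server subnet. Without 0.0.0.0/0 here the tunnel will not carry the
# un-NATed client source addresses.
config vpn ipsec phase2-interface
    edit "to-site2-p2"
        set phase1name "to-site2"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end

# Route the server subnet into the tunnel so the VIP's mapped IP is reachable.
config router static
    edit 0
        set dst 10.20.0.0 255.255.255.0
        set device "to-site2"
    next
end

# Inbound policy from the internet to the tunnel, destination is the VIP,
# NAT disabled: the packet keeps the client's public source IP.
config firewall policy
    edit 0
        set name "inet-to-site2-server"
        set srcintf "wan1"
        set dstintf "to-site2"
        set srcaddr "all"
        set dstaddr "vip-server-site2"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end

# ===== FTG-site2 (spoke, hosts the server) =====

# Mirror of the hub's Phase 2: local is the server subnet, remote is "any".
config vpn ipsec phase2-interface
    edit "to-site1-p2"
        set phase1name "to-site1"
        set src-subnet 10.20.0.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Default route via the tunnel. It must exist for two reasons: the reverse path
# check on the tunnel interface must find a route back to arbitrary internet
# sources, and the server's replies must go back through the tunnel.
# Assumption: site 2 also has its own WAN default route. In FortiOS a LOWER
# priority value is preferred, so the tunnel route is set to 0 (preferred) and the
# existing WAN default (not shown) can be kept with a higher value, e.g.
# "set priority 10", so it stays in the routing table as a backup.
config router static
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "to-site1"
        set priority 0
        set comment "default via hub; keeps RPF and return path on the tunnel"
    next
end

# Policy from the tunnel to the LAN, again without NAT, so the server sees
# the original client address in its own logs.
config firewall policy
    edit 0
        set name "site1-tunnel-to-server"
        set srcintf "to-site1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
        set logtraffic all
    next
end
```

With this in place every internet-bound packet from site 2 transits the hub, which is exactly what the first answer asks for (the server's default gateway effectively lives behind the tunnel). If site 2 must keep using its own WAN for other hosts, the trade-off has to be solved on the routing side at site 2 (for example a policy route for the server subnet pointing at the tunnel); the reverse path check only needs a route to the client source via the tunnel interface to be present in the routing table.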
I think that traffic is dropped by FGT_Site2 due to the reverse path check.
You can check this using debug flow.
https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-First-steps-to-troubleshoot-connecti...
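A debug-flow session that confirms (or rules out) the reverse path check as the reason the un-NATed packets vanish on site 2. This is an added example, not part of the reply above; the server address 10.20.0.10 and tunnel name to-site1 are assumptions carried over for illustration. Run it on FGT-site2 while a client on the internet connects to the VIP.

```fortios
# Reset any previous filters, then trace only packets destined for the server.
diagnose debug reset
diagnose debug flow filter daddr 10.20.0.10
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable

# ... have an internet client connect to the VIP now, then stop tracing ...

diagnose debug disable
diagnose debug reset

# What to look for in the trace output:
#   - a line containing "reverse path check fail, drop" means FGT-site2 has no
#     route back to the client's public source IP via the tunnel interface;
#     fix by installing the 0.0.0.0/0 route pointing at the tunnel (see the
#     routing step above), then confirm it is present:
get router info routing-table all

#   - a line "Denied by forward policy check" means the tunnel-to-LAN policy
#     is missing or does not match (check srcintf, dstintf, dstaddr, service).

#   - "Allowed by Policy-<id>" followed by a session: the packet was accepted;
#     verify the recorded source is the client's public IP, not the tunnel IP:
diagnose sys session filter dst 10.20.0.10
diagnose sys session list
```

The session listing is the quickest proof that NAT really is off end to end: the `orgin` tuple should show the client's public address as source, and the reply tuple should point back out of the tunnel interface rather than the local WAN.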
Copyright 2024 Fortinet, Inc. All Rights Reserved.