I don't fiddle much with my routers, there were set up and I kind of forgot about them :) other than updates.
All are FG60 units
Looking to route all WEB traffic (ports 80,443) to a remove FG60 over its IPSec tunnel
What I have done.
WORK(local) FG60 I have set up my 3 external wan IP's x.x.10.186, x.x.10.187 and .189 the internal IP's are 192.168.1.0
HOME(remote) FG60 have 1 wan IP x.x.20.108 and the internal IP 192.168.2.0
Both sites have ipsec tunnel to the others network. They work fine. either site I can access the local networks, with the associated internal IP's
I want to route from a work external IP all web traffic to a web server set up on the home network with an internal ip.
WORK
Network -> Interfaces - wan I have defined my 3 external IP address
Policy & Objects -> Virtual IP's -> External IP .189 mapped to my internal ip 192.168.2.222 port forwarding port 80 to port 80 And the another VIP for port 443
Policy & Objects -> Firewall Policy -> Incoming interface I select the WAN, Outgoing interface I selected the Tunnel (work 2 home) , Source ALL, Destination I selected my two VIP's, service ALL
HOME
Did not make any changes here
This now makes me able to use my Internal IP or the External IP from the WORK internal network and I get to the web server. What does not work is if I try from my phone trying to hit the external IP I never get to my web server.
I have tried on the Firewall Policy selecting Local network and that does not work the internal network works for the internal ip but stops working for the WAN ip. I'm missing something but not sure if its possible or not. I can get this to work if its just from the WAN to the Local network, what is new for me is sending the traffic over the Tunnel to the far end.
Any suggestions or questions would be appreciated.
Thanks
Andy
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello Andy,
Thank you for contacting Fortinet !
As far as i understand, you have topology like this one :
local_network_1 <-> FG(home) <---IPsec--->FG(work)<->local_network_2.
The idea is to access from 'local_network_1' VIP/DNAT x.x.10.186, x.x.10.187 and .189 which are mapped to IP addresses from local_network_2 ?
If this is the case, first check if the routing for x.x.10.186, x.x.10.187 and .189 on your 'FG(home)' is pointing via the IPsec tunnel, then check FW rules on both ends. Make sure that you have included 'x.x.10.186, x.x.10.187 and .189' as a remote encryption domain(phase-2 selectors) on your FG(home) and as a local encryption domain on your FG(work).
Best regards,
Fortinet
The IPSec link works and routing all is working on the local networks, I'm trying to use that link to forward from an external IP (work) to an internal IP (home) - at the far end.
WAN_external_ip <-> FG(work) <--IPSec--> FG(home) <-> local_network_1 <-> webserver_.222
So from the work WAN ip I want to forward web traffic to my web server sitting at home.
Andy
Hello Andy,
As far as i understand, you want for example when i access WAN_external_ip from internet, that traffic to be forwarded to the IPsec tunnel and webserver_.222 ?
Best regards,
Fortinet
Yes,
I have no problem doing this if the local is on the same FG, but I can't seem to get it to route to the far end over the IPsec.
Thanks
Hi @AndyW_PS.,
Please run the following debug flows to see where the traffic goes. Replace x.x.x.x with the public IP address of your phone which you are using to access the website. You can run it on both work and home FortiGate.
di deb disable
di deb res
diagnose debug flow filter clear
di deb flow filter addr x.x.x.x
di deb flow filter port 443
diagnose debug flow show function-name enable
di deb flow show iprope en
diagnose debug console timestamp enable
diagnose debug flow trace start 500
diagnose debug enable
Regards,
hbac,
Where is the output to this trace stored. I've only done traces via the interface, and using the CLI is not something i use regularly.
Thanks :)
Nevermind, I figured it displays to console if I use the correct IP Address
Townie # di deb disable
Townie # di deb res
Townie # diagnose debug flow filter clear
Townie # di deb flow filter addr 172.56.177.178
Townie # di deb flow filter port 80
Townie # diagnose debug flow show function-name enable
show function name
Townie # di deb flow show iprope en
show trace messages about iprope
Townie # diagnose debug console timestamp enable
Townie # diagnose debug flow trace start 500
Townie # diagnose debug enable
Townie # 2023-12-11 07:50:07 id=65308 trace_id=37 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=6, 172.56.177.178:39
056->47.181.10.189:80) tun_id=0.0.0.0 from wan1. flag [S], seq 3913640496, ack 0, win 65535"
2023-12-11 07:50:07 id=65308 trace_id=36 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=6, 172.56.177.178:45830->47.1
81.10.189:80) tun_id=0.0.0.0 from wan1. flag [S], seq 2538047454, ack 0, win 65535"
2023-12-11 07:50:07 id=65308 trace_id=36 func=init_ip_session_common line=5980 msg="allocate a new session-00064ce4, tun_id=0.0.0.0"
2023-12-11 07:50:07 id=65308 trace_id=37 func=init_ip_session_common line=5980 msg="allocate a new session-00064ce4, tun_id=0.0.0.0"
2023-12-11 07:50:07 id=65308 trace_id=37 func=iprope_dnat_check line=5297 msg="in-[wan1], out-[]"
2023-12-11 07:50:07 id=65308 trace_id=36 func=iprope_dnat_check line=5297 msg="in-[wan1], out-[]"
2023-12-11 07:50:07 id=65308 trace_id=36 func=iprope_dnat_tree_check line=834 msg="len=1"
2023-12-11 07:50:07 id=65308 trace_id=37 func=iprope_dnat_tree_check line=834 msg="len=1"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_check_one_dnat_policy line=5160 msg="checking gnum-100000 policy-3"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_check_one_dnat_policy line=5160 msg="checking gnum-100000 policy-3"
2023-12-11 07:50:07 id=65308 trace_id=37 func=get_new_addr line=1231 msg="find DNAT: IP-192.168.2.222, port-80"
2023-12-11 07:50:07 id=65308 trace_id=36 func=get_new_addr line=1231 msg="find DNAT: IP-192.168.2.222, port-80"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_check_one_dnat_policy line=5252 msg="matched policy-3, act=accept, vip=3, flag=100, sf
lag=2000000"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_check_one_dnat_policy line=5252 msg="matched policy-3, act=accept, vip=3, flag=100, sf
lag=2000000"
2023-12-11 07:50:07 id=65308 trace_id=37 func=iprope_dnat_check line=5309 msg="result: skb_flags-02000000, vid-3, ret-matched, act-accept, fl
ag-00000100"
2023-12-11 07:50:07 id=65308 trace_id=36 func=iprope_dnat_check line=5309 msg="result: skb_flags-02000000, vid-3, ret-matched, act-accept, fl
ag-00000100"
2023-12-11 07:50:07 id=65308 trace_id=37 func=fw_pre_route_handler line=180 msg="VIP-192.168.2.222:80, outdev-wan1"
2023-12-11 07:50:07 id=65308 trace_id=36 func=fw_pre_route_handler line=180 msg="VIP-192.168.2.222:80, outdev-wan1"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__ip_session_run_tuple line=3402 msg="DNAT 47.181.10.189:80->192.168.2.222:80"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__ip_session_run_tuple line=3402 msg="DNAT 47.181.10.189:80->192.168.2.222:80"
2023-12-11 07:50:07 id=65308 trace_id=36 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-47.181.21.108 via Townie
2Home"
2023-12-11 07:50:07 id=65308 trace_id=37 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-47.181.21.108 via Townie
2Home"
2023-12-11 07:50:07 id=65308 trace_id=36 func=iprope_fwd_check line=792 msg="in-[wan1], out-[Townie2Home], skb_flags-020000c0, vid-3, app_id:
0, url_cat_id: 0"
2023-12-11 07:50:07 id=65308 trace_id=37 func=iprope_fwd_check line=792 msg="in-[wan1], out-[Townie2Home], skb_flags-020000c0, vid-3, app_id:
0, url_cat_id: 0"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=63, len=3"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=63, len=3"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_check_one_policy line=2051 msg="checked gnum-100004 policy-7, ret-matched, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_check_one_policy line=2051 msg="checked gnum-100004 policy-7, ret-matched, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_check_one_policy line=2068 msg="failed to match vid-3"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_check_one_policy line=2068 msg="failed to match vid-3"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_check_one_policy line=2051 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_check_one_policy line=2051 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_user_identity_check line=1825 msg="ret-matched"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_user_identity_check line=1825 msg="ret-matched"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_check line=2299 msg="gnum-4e21, check-ffffffbffc02b9c4"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_check line=2299 msg="gnum-4e21, check-ffffffbffc02b9c4"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_check_one_policy line=2051 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_check_one_policy line=2051 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_check_one_policy line=2051 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_check_one_policy line=2051 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_check_one_policy line=2051 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_check_one_policy line=2051 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_check line=2316 msg="gnum-4e21 check result: ret-no-match, act-accept, flag-00000000,
flag2-00000000"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_check line=2316 msg="gnum-4e21 check result: ret-no-match, act-accept, flag-00000000,
flag2-00000000"
2023-12-11 07:50:07 id=65308 trace_id=37 func=__iprope_check_one_policy line=2269 msg="policy-8 is matched, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=36 func=__iprope_check_one_policy line=2269 msg="policy-8 is matched, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=37 func=iprope_fwd_check line=829 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-acc
ept, idx-8"
2023-12-11 07:50:07 id=65308 trace_id=36 func=iprope_fwd_check line=829 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-acc
ept, idx-8"
2023-12-11 07:50:07 id=65308 trace_id=37 func=iprope_fwd_auth_check line=848 msg="after iprope_captive_check(): is_captive-0, ret-matched, ac
t-accept, idx-8"
2023-12-11 07:50:07 id=65308 trace_id=36 func=iprope_fwd_auth_check line=848 msg="after iprope_captive_check(): is_captive-0, ret-matched, ac
t-accept, idx-8"
2023-12-11 07:50:07 id=65308 trace_id=37 func=fw_forward_handler line=990 msg="Allowed by Policy-8:"
2023-12-11 07:50:07 id=65308 trace_id=36 func=fw_forward_handler line=990 msg="Allowed by Policy-8:"
2023-12-11 07:50:07 id=65308 trace_id=36 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Townie2Home, tun_id=0.0.0.0"
2023-12-11 07:50:07 id=65308 trace_id=37 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Townie2Home, tun_id=0.0.0.0"
2023-12-11 07:50:07 id=65308 trace_id=36 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Townie2Home vrf 0"
2023-12-11 07:50:07 id=65308 trace_id=37 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Townie2Home vrf 0"
2023-12-11 07:50:07 id=65308 trace_id=37 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"
2023-12-11 07:50:07 id=65308 trace_id=36 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"
2023-12-11 07:50:07 id=65308 trace_id=38 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=6, 172.56.177.178:38962->47.1
81.10.189:80) tun_id=0.0.0.0 from wan1. flag [S], seq 345843989, ack 0, win 65535"
2023-12-11 07:50:07 id=65308 trace_id=38 func=init_ip_session_common line=5980 msg="allocate a new session-00064ce6, tun_id=0.0.0.0"
2023-12-11 07:50:07 id=65308 trace_id=38 func=iprope_dnat_check line=5297 msg="in-[wan1], out-[]"
2023-12-11 07:50:07 id=65308 trace_id=38 func=iprope_dnat_tree_check line=834 msg="len=1"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_check_one_dnat_policy line=5160 msg="checking gnum-100000 policy-3"
2023-12-11 07:50:07 id=65308 trace_id=38 func=get_new_addr line=1231 msg="find DNAT: IP-192.168.2.222, port-80"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_check_one_dnat_policy line=5252 msg="matched policy-3, act=accept, vip=3, flag=100, sf
lag=2000000"
2023-12-11 07:50:07 id=65308 trace_id=38 func=iprope_dnat_check line=5309 msg="result: skb_flags-02000000, vid-3, ret-matched, act-accept, fl
ag-00000100"
2023-12-11 07:50:07 id=65308 trace_id=38 func=fw_pre_route_handler line=180 msg="VIP-192.168.2.222:80, outdev-wan1"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__ip_session_run_tuple line=3402 msg="DNAT 47.181.10.189:80->192.168.2.222:80"
2023-12-11 07:50:07 id=65308 trace_id=38 func=vf_ip_route_input_common line=2611 msg="find a route: flag=00000000 gw-47.181.21.108 via Townie
2Home"
2023-12-11 07:50:07 id=65308 trace_id=38 func=iprope_fwd_check line=792 msg="in-[wan1], out-[Townie2Home], skb_flags-020000c0, vid-3, app_id:
0, url_cat_id: 0"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_tree_check line=528 msg="gnum-100004, use int hash, slot=63, len=3"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_check_one_policy line=2051 msg="checked gnum-100004 policy-7, ret-matched, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_check_one_policy line=2068 msg="failed to match vid-3"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_check_one_policy line=2051 msg="checked gnum-100004 policy-8, ret-matched, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_user_identity_check line=1825 msg="ret-matched"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_check line=2299 msg="gnum-4e21, check-ffffffbffc02b9c4"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_check_one_policy line=2051 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_check_one_policy line=2051 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_check_one_policy line=2051 msg="checked gnum-4e21 policy-6, ret-no-match, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_check line=2316 msg="gnum-4e21 check result: ret-no-match, act-accept, flag-00000000,
flag2-00000000"
2023-12-11 07:50:07 id=65308 trace_id=38 func=__iprope_check_one_policy line=2269 msg="policy-8 is matched, act-accept"
2023-12-11 07:50:07 id=65308 trace_id=38 func=iprope_fwd_check line=829 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-acc
ept, idx-8"
2023-12-11 07:50:07 id=65308 trace_id=38 func=iprope_fwd_auth_check line=848 msg="after iprope_captive_check(): is_captive-0, ret-matched, ac
t-accept, idx-8"
2023-12-11 07:50:07 id=65308 trace_id=38 func=fw_forward_handler line=990 msg="Allowed by Policy-8:"
2023-12-11 07:50:07 id=65308 trace_id=38 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Townie2Home, tun_id=0.0.0.0"
2023-12-11 07:50:07 id=65308 trace_id=38 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Townie2Home vrf 0"
2023-12-11 07:50:07 id=65308 trace_id=38 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"
2023-12-11 07:50:08 id=65308 trace_id=39 func=print_pkt_detail line=5795 msg="vd-root:0 received a packet(proto=6, 172.56.177.178:45830->47.1
81.10.189:80) tun_id=0.0.0.0 from wan1. flag [S], seq 2538047454, ack 0, win 65535"
2023-12-11 07:50:08 id=65308 trace_id=39 func=resolve_ip_tuple_fast line=5883 msg="Find an existing session, id-00064ce4, original direction"
2023-12-11 07:50:08 id=65308 trace_id=39 func=ipv4_fast_cb line=53 msg="enter fast path"
2023-12-11 07:50:08 id=65308 trace_id=39 func=ip_session_run_all_tuple line=7115 msg="DNAT 47.181.10.189:80->192.168.2.222:80"
2023-12-11 07:50:08 id=65308 trace_id=39 func=ipsecdev_hard_start_xmit line=669 msg="enter IPSec interface Townie2Home, tun_id=0.0.0.0"
2023-12-11 07:50:08 id=65308 trace_id=39 func=_do_ipsecdev_hard_start_xmit line=229 msg="output to IPSec tunnel Townie2Home vrf 0"
2023-12-11 07:50:08 id=65308 trace_id=39 func=ipsec_common_output4 line=785 msg="No matching IPsec selector, drop"
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1561 | |
1034 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.