TSTelecom
New Contributor II

redirect internet traffic over IPSec tunnel

Hello,

I am implementing a scenario in which I have branches connected to the headquarters through IPsec tunnels.

In my environment, I need to direct all traffic originating from the branch's local network through the IPsec tunnel, so that this traffic destined for the internet uses the headquarters' WAN.

For other services at the branch, I need to use the local WAN link.

For example, branch office ether1, network 192.168.56.0/24: all traffic must be routed through the IPsec tunnel.

As for ether2, network 172.16.56.0/24: traffic must be directed through the local WAN.

I already have this environment working. I am using IPsec SD-WAN to bring up the tunnels and make them redundant across different WANs, and my question/problem is the following.

For traffic originating from the branch network 192.168.56.0/24 and destined for the internet to work, I must have a static default route created in the headquarters firewall, with gateway set to the WAN 10.100.100.2; without this, navigation is not possible. It doesn't work, even using an SD-WAN rule to route it; navigation through the tunnel only works if I have this default route active.

The problem is that, for this WAN, 10.100.100.2, I need to direct ONLY the traffic originating from the units' remote networks; other traffic I cannot direct to it. That is, the default route becomes a problem in my case.

I have been researching, but so far I have not been successful in finding a configuration recommendation for this environment, in which I need to be able to somehow use WAN1 (10.100.100.2) as the default route only for specific source networks. In practice, I would like to use SD-WAN for this, but it didn't work in my environment.

I would like to know what the community recommends in this case.

Thank you very much in advance.

 

[image: vpn fortinet (2).png]

Umer221
Staff

Hello,

To my understanding, you are trying to route all the internet traffic from the branches to the HQ connected via IPsec tunnel.

In simple terms, theoretically you have 3 options:
1. Create an SD-WAN rule on the branches with the source set to their local networks and the destination set to all, while the destination interface should be the HQ IPsec tunnel interface.
2. Create a static route with 0.0.0.0/0.0.0.0 and the outgoing interface set to the HQ IPsec tunnel, as long as you have a static IP assigned to the branch WAN ports.
3. Create a policy route and set the outgoing interface to the HQ IPsec tunnel:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

If any of these options do not work, then it probably needs to be troubleshot.

TSTelecom
New Contributor II

Hello,

Today the scenario already works, but for it to work, it is mandatory that I have a static route with 0.0.0.0/0.0.0.0 and gateway 10.100.100.2, precisely to direct traffic through the WAN2 of the headquarters.

However, this static route impacts my other accesses, such as traffic originating from the FortiGate itself, for example.

My goal is to ensure that only traffic originating from the remote networks uses the default route with gateway 10.100.100.2.

For this, I created SD-WAN rules, but if I simply disable the 0.0.0.0/0.0.0.0 route, the branch traffic is not directed to WAN2 through the SD-WAN rule.

HiralShah

Hello @TSTelecom

In this case, you can use a policy route: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-...

So you can send the traffic for the specific remote network to wan2.

Hiral
TSTelecom
New Contributor II

I believe it will really resolve the issue. Thanks!!!

Another question: the policy-based route solves my problem in the branch -> head office -> WAN -> internet direction.

But for the return traffic, head office -> branch, is it a mistake to keep using a static route or SD-WAN? Do I need to use policy-based routing there too?

What do you suggest?

Umer221

You can use any other options listed previously, for the return traffic initiated from HQ to the Branch. SD-WAN, Policy Route, or a Static Route will do the job.

spoojary
Staff

Hello,
If that is the scenario you are going for, a policy route would be the best option. A policy route in FortiGate is a routing rule that directs traffic based on criteria such as source IP, destination IP, and other attributes, rather than just the destination IP address. It allows for more granular control over traffic routing by defining specific conditions under which traffic should follow a particular path or use a specific gateway.

https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/144044/policy-routes

Siddhanth Poojary
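To make the precedence that the replies above rely on concrete, here is an added example (not code from this thread, from Fortinet, or from any product): a small Python model of how a source-based policy route is consulted before the destination-based routing table. It parses a constructed FortiOS-style `config router policy` snippet and a constructed HQ routing table and then routes three sample packets. The interface names `hq-tunnel`, `wan1`, `wan2` and `internal`, the HQ LAN 10.0.0.0/24 and the wan1 gateway 203.0.113.1 are placeholders; the source network 192.168.56.0/24 and the gateway 10.100.100.2 come from the thread. The evaluation order is simplified and is not a reproduction of FortiOS internals.

```python
import ipaddress
import re

# Constructed FortiOS-style policy route on the HQ FortiGate (assumption:
# interface names are placeholders; 192.168.56.0/24 and 10.100.100.2 are
# the values from the thread). Only traffic from the branch LAN that arrives
# through the tunnel is steered to wan2 with gateway 10.100.100.2.
POLICY_ROUTE_CONFIG = """
config router policy
    edit 1
        set input-device "hq-tunnel"
        set src "192.168.56.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set gateway 10.100.100.2
        set output-device "wan2"
    next
end
"""

# Constructed HQ routing table (prefix, interface, gateway). Note there is
# no default route via wan2: HQ's own internet traffic keeps using wan1,
# and the branch LAN is reachable through the tunnel by a static route.
ROUTING_TABLE = [
    ("0.0.0.0/0", "wan1", "203.0.113.1"),     # HQ default route (placeholder gateway)
    ("192.168.56.0/24", "hq-tunnel", None),   # static route back to the branch
    ("10.0.0.0/24", "internal", None),        # HQ LAN (placeholder), directly connected
]


def parse_policy_routes(text):
    """Parse each 'edit N ... next' block into a dict keyed by its 'set' attributes."""
    routes = []
    for seq, body in re.findall(r"edit\s+(\d+)(.*?)next", text, re.S):
        rule = {"seq": int(seq)}
        for key, value in re.findall(r'set\s+(\S+)\s+"?([^"\n]+?)"?\s*$', body, re.M):
            rule[key] = value
        # FortiOS writes src/dst as "network/netmask"; turn them into network objects
        for key in ("src", "dst"):
            rule[key] = ipaddress.ip_network(rule[key], strict=False)
        routes.append(rule)
    return sorted(routes, key=lambda r: r["seq"])


def lookup_routing_table(dst):
    """Plain destination-based routing: longest-prefix match over ROUTING_TABLE."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, gw in ROUTING_TABLE:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        return None
    return {"via": "routing-table", "interface": best[1], "gateway": best[2]}


def route_packet(policy_routes, in_iface, src, dst):
    """Policy routes are checked first, in sequence order; only when none
    matches does the ordinary routing table decide the egress."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy_routes:
        # an input-device restriction, when present, must match the ingress interface
        if "input-device" in rule and rule["input-device"] != in_iface:
            continue
        if src_ip in rule["src"] and dst_ip in rule["dst"]:
            return {"via": f"policy-route {rule['seq']}",
                    "interface": rule["output-device"],
                    "gateway": rule.get("gateway")}
    return lookup_routing_table(dst)


if __name__ == "__main__":
    rules = parse_policy_routes(POLICY_ROUTE_CONFIG)
    samples = [
        ("hq-tunnel", "192.168.56.10", "8.8.8.8"),  # branch LAN -> internet via HQ
        ("internal", "10.0.0.5", "8.8.8.8"),        # HQ's own traffic -> internet
        ("wan2", "8.8.8.8", "192.168.56.10"),       # return traffic -> branch
    ]
    for in_iface, src, dst in samples:
        print(f"{src} -> {dst} (in {in_iface}): {route_packet(rules, in_iface, src, dst)}")
```

The first sample leaves through wan2 with gateway 10.100.100.2 because the policy route matches its source and ingress interface; the second never touches that gateway, since no default route via wan2 exists and the policy route's source condition fails; the third shows the point made in the reply about return traffic: the ordinary static route to 192.168.56.0/24 through the tunnel is enough, no policy route is needed in that direction.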
TSTelecom
New Contributor II

Hello!

Thanks for your suggestion.
