Hi I would like any request for a specific FQDN to be routed over an IPsec Tunnel to a remote site and for the traffic to pass over the remotes Wan interface to the internet.
Does anyone have a recipe for this configuration?
I can see that I can create an object and a static route to forward the fqdn to a remote site
I suspect I will need to have a policy to match the request to send the traffic to the VPN
but what config do I need at the remote site to accept the traffic and forward out over the WAN interface to the internet and back via the same path?
Both units in play are fortigate 90D
Any advice or support would be apreciated
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello
I think you need to have the following:
I think this is almost what I tried initally but I'm not sure I understand the following step
As a test I'm using whatsmyip.org
The following are the steps I have taken
Local:
Remote:
I think I'm making a number of mistakes in this config. Trace route on my desktop is showing that the it only makes it to the first hop
I have tried building the config with IP addressing to remove the task of DNS lookup but the result is the same.
For the phase2 config I have named addresses as a group of local subnets
and for remote I have another named group of remote subnets.
I could add the FQDN to the remote named group which will probably mean I can remove the static route specifically calling out the FQDN on the local FGT
I guess this ould mean I would do something similar for the remote FGT and add the FQDN to the local vpn subnet groups but then how to I define how to get the FQDN?
Hello
The reason for which I asked to try with simple IP object and not FQDN till it works is that technically I don't know if the IPsec will work as expected with FQDN in phase 2 selector. This is especially when FQDN points to a dynamic IP. I mean when IPsec is established when FQDN = 1.1.1.1, will it still work for FQDN = 2.2.2.2 without restarting the tunnel? Honestly I something is telling me it will not.
So yes you are right, after much testing, you can not add an FQDN to the VPN phase2, it breaks the vpn. on a 90D you can add it but it instantly drops the vpn and on a 60D it won't let you save it or if you add it into a group it drops the phase2 groups and you have to re add them
You can however add static IP addresses or a subnet. The local host will resolve the FQDN and the IP address will be matched on the FGT and then push the traffic over the VPN ect
This is OK but not too reliable as the domain is owned by a third party and can change its IP address or range at any time.
I'm not sure what the permanent answer is here. I'm looking for a solution that doesn't require regular maintenance to keep it going
So as FQDN is dynamic I think the solution to this problem is to set phase 2 selector 0 0.0.0/0 , 0.0.0.0/0 and do the rest with static routes.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1710 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.