Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
londonnet
New Contributor III

router specific FQDN over VPN and break out of remote wan connection

Hi I would like any request for a specific FQDN to be routed over an IPsec Tunnel to a remote site and for the traffic to pass over the remotes Wan interface to the internet.

 

Does anyone have a recipe for this configuration?

 

I can see that I can create an object and a static route to forward the fqdn to a remote site

I suspect I will need to have a policy to match the request to send the traffic to the VPN

but what config do I need at the remote site to accept the traffic and forward out over the WAN interface to the internet and back via the same path?

 

Both units in play are fortigate 90D

 

Any advice or support would be apreciated

7 REPLIES 7
AEK
SuperUser
SuperUser

Hello

I think you need to have the following:

  • The right routes on both sites:
    • On local site: route traffic towards FQDN1 through the tunnel
    • On remote site: route the traffic towards local site's LAN through the tunnel
  • Firewall policy on local site:
    • Source: LAN
    • Destination: FQDN1
    • Destination interface: Tunnel
    • Action: Allow
  • Firewall policy on remote site:
    • Source: Tunnel
    • Destination: FQDN1
    • Destination interface: WAN
    • Action: Allow
AEK
AEK
londonnet
New Contributor III

I think this is almost what I tried initally but I'm not sure I understand the following step

  • On remote site: route the traffic towards local site's LAN through the tunnel

As a test I'm using whatsmyip.org 

 

The following are the steps I have taken

Local:

  • Created an FQDN address and enabled the static route option
  • Created a static route using a named address to the FQDN via the VPN interface
  • Created a IPV4 Policy from the local LAN incoming interface to the VPN Outgoing Interface with the source being the local lan and the destination named FQDN, service all and enabled, Routed not NAT

 

Remote:

  • Created an FQDN address and enabled the static route option
  • Created a static route using a named address to the FQDN via the WAN1 Interface
  • Created a IPV4 Policy from the VPN incoming interface to WAN1 Outgoing Interface with the source being the VPN group of networks and the destination named FQDN, service all and enabled, routed not NAT

 

I think I'm making a number of mistakes in this config. Trace route on my desktop is showing that the it only makes it to the first hop

AEK

  • In the very last step of remote FG, you should NAT (unless you have an ISP router in front doing NATs)
  • What do you have in phase 2 selector of both FG
  • To start the exercise, lets try without FQDN, just with a simple address object, and once it work fine we'll do with FQDN. So let the test object be like this:
    • name h-cloudflare
    • IP: 1.1.1.1/32
AEK
AEK
londonnet
New Contributor III

I have tried building the config with IP addressing to remove the task of DNS lookup but the result is the same.

 

For the phase2 config I have named addresses as a group of local subnets 

and for remote I have another named group of remote subnets.

 

I could add the FQDN to the remote named group which will probably mean I can remove the static route specifically calling out the FQDN on the local FGT

 

I guess this ould mean I would do something similar for the remote FGT and add the FQDN to the local vpn subnet groups but then how to I define how to get the FQDN?

AEK

Hello

The reason for which I asked to try with simple IP object and not FQDN till it works is that technically I don't know if the IPsec will work as expected with FQDN in phase 2 selector. This is especially when FQDN points to a dynamic IP. I mean when IPsec is established when FQDN = 1.1.1.1, will it still work for FQDN = 2.2.2.2 without restarting the tunnel? Honestly I something is telling me it will not.

AEK
AEK
londonnet
New Contributor III

So yes you are right, after much testing, you can not add an FQDN to the VPN phase2, it breaks the vpn. on a 90D you can add it but it instantly drops the vpn and on a 60D it won't let you save it or if you add it into a group it drops the phase2 groups and you have to re add them

 

You can however add static IP addresses or a subnet. The local host will resolve the FQDN and the IP address will be matched on the FGT and then push the traffic over the VPN ect

 

This is OK but not too reliable as the domain is owned by a third party and can change its IP address or range at any time.

 

I'm not sure what the permanent answer is here. I'm looking for a solution that doesn't require regular maintenance to keep it going

AEK

So as FQDN is dynamic I think the solution to this problem is to set phase 2 selector 0 0.0.0/0 , 0.0.0.0/0 and do the rest with static routes.

AEK
AEK
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors