Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
adnan_sabir
New Contributor

vpn and internet traffic

IPsec site-to-site VPN is configured. On WAN2 I have a static IP, and on WAN1 I have normal internet connectivity. I want to use WAN1 for internet traffic and WAN2 (configured with the static IP) for site-to-site and access VPN. How can I achieve it? Please help me out.

 

2 Solutions
ede_pfau
Esteemed Contributor III

If you get the routing correct this should be possible.

 

Create a default route (0.0.0.0/0.0.0.0) pointing to wan1.

Create a host route with the remote IP address of the site-to-site VPN partner, pointing to wan2: e.g. remote address is 1.2.3.4, create '1.2.3.4/32' pointing to wan2.

Of course, you still need another static route for the remote network behind the remote VPN gateway, pointing to the tunnel interface.

This will cover internet access via wan1 and site-to-site VPN via wan2.

 

VPN dialup access poses a problem: the public IP addresses of the VPN clients are not known in advance. Thus, the FGT will send negotiation traffic out wan1, according to the default route (it doesn't have any better route). So you can offer dialup VPN but only on wan1.


Ede

"Kernel panic: Aiee, killing interrupt handler!"

AlexW
New Contributor III

Just to be clear: WAN1 has a static public IP, and WAN2 has a private IP (192.168.100.1)?

So the ISP router on WAN2 does NATing to a public IP?

And WAN2 is the link you want to use for dialup VPN?

 

 

If you want to use WAN2 and it has a private IP received from the ISP, then you need to do some NATing on the ISP router, or better, bridge it so you get a public IP on your WAN2. If bridging is not possible, maybe NATing is. You can NAT (port forward) TCP/443 (for SSL VPN) to your FortiGate IP (192.168.100.1).

 

 

Alex Wassink

NSE4,5,7,8 CCNP, ACMP, VCP6-NV

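The FortiGate side of the port-forward Alex describes, as an added example that is not part of the original post. It assumes the ISP router forwards TCP/443 on its public address to 192.168.100.1 on wan2, that a tunnel pool SSLVPN_TUNNEL_ADDR1, a user group sslvpn_users and an inside interface named internal exist, and that the factory certificate is acceptable for a test; the portal name web-access is a FortiOS default. Binding SSL VPN to wan2 with `source-interface` makes the FortiGate listen on the private address the router forwards to, and nowhere else.

```fortios
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "wan2"
    set source-address "all"
    set default-portal "web-access"
    set port 443
end

config firewall policy
    edit 0
        set name "Added example: SSL VPN users to LAN (assumed names)"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn_users"
    next
end
```

Two things to check: the admin GUI must not also use 443 on the same interface (move it with `set admin-sport` under `config system global`, or leave admin HTTPS off wan2 entirely), and clients must be pointed at the ISP router's public IP, not 192.168.100.1, since that is the address being forwarded.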
adnan_sabir

Thanks for the reply. If you could tell me, is the topology I mentioned above doable? Will it work? If you go to the very first question, I wanted to implement the same topology as you mentioned: I configure WAN1 with the static IP and set up access/dial-up VPN for remote users, and the normal internet connection goes on WAN2 (which is very fast, and I want to use it for internet access for all LAN users), as my static link is 10 Mbps and the other normal internet connection is always around 60 Mbps. I am uploading the topology diagram which I wanted to achieve in the start. I will be glad if you could guide me further, please. I also visited the link you mentioned. Can I also configure this with the GUI interface?

adnan_sabir

My apologies, sir. I corrected the topology and it is uploaded. The static IP link will be configured on WAN-1; either I could connect it directly to WAN-1 or port forward from the router connected to WAN-1 of the FortiGate. WAN-2 is connected to the normal router for internet access, so 192.168.100.0/24 is basically a NATed network from the router.
