ipsec site to site vpn configured. on WAN2 i have staic Ip, and on WAN1 i have normal internet connectivity. i want to use WAN1 for internet traffic and WAN 2 (configured with static ip) for site to site and access vpn. how can i achieve it ? please help me out.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
If you get the routing correct this should be possible.
Create a default route (0.0.0.0/0.0.0.0) pointing to wan1.
Create a host route with the remote IP address of the site-to-site VPN partner, pointing to wan2: e.g. remote address is 1.2.3.4, create '1.2.3.4/32' pointing to wan2.
Of course, you still need another static route for the remote network behind the remote VPN gateway, pointing to the tunnel interface.
This will cover internet access via wan1 and site-to-site VPN via wan2.
VPN dialup access poses a problem: the public IP addresses of the VPN clients are not known in advance. Thus, the FGT will send negotiation traffic out wan1, according to the default route (it doesn't have any better route). So you can offer dialup VPN but only on wan1.
Just to be clear WAN1 has a static Public IP, WAN2 has a private IP ? (192.168.100.1)
So the ISP router on WAN2 does natting to a Public IP ?
And WAN2 is the link you want to use for Dailup VPN ?
If you want to use WAN2 and it has a Private IP recieved from the ISP. Then you need to do some natting on the ISP Router, or better bridge it so you will get a Public IP on youre WAN2. If Bridging is not Posible, maybe natting is. You can NAT (port forward) TCP/443 (For SSL VPN) to youre fortigate ip (192.168.100.1).
Alex Wassink
NSE4,5,7,8 CCNP, ACMP, VCP6-NV
thanks for reply. if you could tell, the topology i mentioned above is doable..will it work ? if you go to very first question i wanted to implement the same topology as you mentioned. like i configure WAN 1 with static IP and setup access/dial-up VPN for remote users and normal internet connection to WAN2 (which is very fast and i wanted to use it for internet access for all LAN users). As my static link is of 10Mbps and other normal internet connection is always around 60 Mbps. i am uploading topology diagram which i wanted to achieve in the start. i will be glad if you could guide me further, please. i also visited the link you mentioned. can i also configure with GUI interface.
Just to be clear WAN1 has a static Public IP, WAN2 has a private IP ? (192.168.100.1)
So the ISP router on WAN2 does natting to a Public IP ?
And WAN2 is the link you want to use for Dailup VPN ?
If you want to use WAN2 and it has a Private IP recieved from the ISP. Then you need to do some natting on the ISP Router, or better bridge it so you will get a Public IP on youre WAN2. If Bridging is not Posible, maybe natting is. You can NAT (port forward) TCP/443 (For SSL VPN) to youre fortigate ip (192.168.100.1).
Alex Wassink
NSE4,5,7,8 CCNP, ACMP, VCP6-NV
My apology SIR. I corrected the topology and is uploaded. Static IP link will be configured to WAN-1. either I could connect directly to WAN-1 or can port forward from router connected to WAN-1 of fortigate. WAN-2 is connected to normal router for internet access. So 192.168.100.0/24 is basically a nated network from router.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1707 | |
1093 | |
752 | |
446 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.