Hi,
I have a problem with my users in the remote office: they cannot reach the WAN through the head office.
This is my hardware:
At the head office: 2 FortiGate 100D v5.4 in active-active cluster mode
At the remote office: 1 FortiGate 60D v5.4, standalone
I created a site-to-site VPN and I can connect to my network in the head office from the remote office.
I want my users in the remote office to be able to connect to my WAN, but they can't.
I read this cookbook and my configuration is the same:
http://cookbook.fortinet.com/remote-browsing-using-site-to-site-ipsec-vpn/
Thanks for your help
Hi,
Just create the VPN tunnel simply on both sides. After that, at the head office site, edit Phase 2 > Quick Mode and enter 0.0.0.0/0 as the source address and the remote site subnet (e.g. 192.168.1.0/24) as the destination. At the remote site, in Phase 2 > Quick Mode, enter the local subnet (e.g. 192.168.1.0/24) as the source address and 0.0.0.0/0 as the destination subnet, and press OK.
After this, create the policies and routes.
At the remote site, add a 0.0.0.0/0 route via the VPN interface.
At the head office, define a route (e.g. 192.168.1.0/24) via the VPN interface.
Thanks,
Zohaib Khan
FCNSA.
Hi!
Thanks for your answer.
In the branch office, do I need to create one rule on my FortiGate 60D to allow the traffic on the VPN tunnel?
My rule is:
Incoming interface: Interface User
Outgoing interface: Vpn_connection
Source: Network_branch_office (192.168.3.0)
Destination address: All
Service: ALL
NAT: disable
Route:
0.0.0.0/0.0.0.0 Interface: Vpn_Connection
In the head office, do I need to create two rules on my FortiGate 100D: one to allow the traffic to access my Server interface and another to access my WAN load balancing interface?
My rule 1 is:
Incoming interface: Vpn_connection
Outgoing interface: Interface_SRV
Source: Network_branch_office (192.168.3.0)
Destination address: All
Service: ALL
NAT: disable
My rule 2 is:
Incoming interface: Vpn_connection
Outgoing interface: Wan Load Balance
Source: Network_branch_office (192.168.3.0)
Destination address: All
Service: ALL
NAT: Enable
Route:
192.168.3.0/255.255.255.0 Interface: Vpn_Connection
WAN Load Balancing:
Wan1:
IP: 192.168.0.30
Gateway: 192.168.0.1 (D-Link modem)
Wan2: 41.X.X.X (Bridge)
I made the change you told me, but nothing changed. Is that normal?
Hi,
I was able to resolve my problem.
I had to change step 2 of my configuration in the VPN tunnel.
This is the configuration for the branch office:
local address: 192.168.3.0/255.255.255.0
remote address: 0.0.0.0/0.0.0.0
This is the configuration for the head office:
local address: 0.0.0.0/0.0.0.0
remote address: 192.168.3.0/255.255.255.0
And the rules are the same.
Now it's ready.
Good luck
Question:
How does the remote office FGT contact the HQ public IP address when the tunnel is down?
When the tunnel is down, the default route is removed from the routing table, so the remote FGT cannot find the HQ public address.
To solve this, create an additional host route to the HQ public address, like
8.8.8.8/32 pointing to WAN1
Now the remote FGT always has a route to HQ, and in addition it will allow traffic from the HQ public address: it is not "unknown" anymore because of the host route. So either the remote FGT or the HQ FGT will succeed in establishing the tunnel.
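To show how the pieces discussed in this thread fit together, here is an added FortiOS 5.4 CLI example; it is not from the original posts, from Zohaib Khan, or from Fortinet. It combines the phase 2 selectors from the solution post (branch 192.168.3.0/24 <-> 0.0.0.0/0 on the head office side), the policies and routes the original poster listed, and the host route to the HQ public address described in the answer above. Only 192.168.3.0/24, Vpn_connection, Network_branch_office and Interface_SRV come from the thread; the interface names wan1, Interface_User and virtual-wan-link, the object name Vpn_connection_p2, the HQ public address 203.0.113.10, the branch WAN gateway 198.51.100.1 and the pre-shared key are assumed placeholders to be replaced with your own values.

```fortios
# ---------- Branch office (FortiGate 60D) ----------
config firewall address
    edit "Network_branch_office"
        set subnet 192.168.3.0 255.255.255.0
    next
end
config vpn ipsec phase1-interface
    edit "Vpn_connection"
        set interface "wan1"
        # 203.0.113.10 is a placeholder for the HQ public IP (not from the thread)
        set remote-gw 203.0.113.10
        set psksecret REPLACE_WITH_PSK
    next
end
config vpn ipsec phase2-interface
    edit "Vpn_connection_p2"
        set phase1name "Vpn_connection"
        # branch subnet on the local side, everything (0.0.0.0/0) on the remote side
        set src-subnet 192.168.3.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config router static
    # default route into the tunnel: all branch Internet traffic is sent to HQ
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "Vpn_connection"
    next
    # host route to the HQ peer via wan1 so IKE can still reach HQ when the
    # tunnel (and with it the default route above) is down; gateway is a placeholder
    edit 2
        set dst 203.0.113.10 255.255.255.255
        set device "wan1"
        set gateway 198.51.100.1
    next
end
config firewall policy
    edit 1
        set name "branch_users_to_tunnel"
        set srcintf "Interface_User"
        set dstintf "Vpn_connection"
        set srcaddr "Network_branch_office"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# ---------- Head office (FortiGate 100D cluster; phase 1 mirrors the branch) ----------
config firewall address
    edit "Network_branch_office"
        set subnet 192.168.3.0 255.255.255.0
    next
end
config vpn ipsec phase2-interface
    edit "Vpn_connection_p2"
        set phase1name "Vpn_connection"
        # mirror of the branch selectors: everything local, branch subnet remote
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 192.168.3.0 255.255.255.0
    next
end
config router static
    # return route for the branch subnet through the tunnel
    edit 10
        set dst 192.168.3.0 255.255.255.0
        set device "Vpn_connection"
    next
end
config firewall policy
    # rule 1: branch -> servers, no NAT
    edit 10
        set name "vpn_to_servers"
        set srcintf "Vpn_connection"
        set dstintf "Interface_SRV"
        set srcaddr "Network_branch_office"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # rule 2: branch -> Internet through WAN load balancing, source NAT to the HQ public address
    edit 11
        set name "vpn_to_internet"
        set srcintf "Vpn_connection"
        set dstintf "virtual-wan-link"
        set srcaddr "Network_branch_office"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two points worth checking after applying something like this: if the branch wan1 already carries a default route (for example learned from DHCP), the tunnel default route needs a lower administrative distance, otherwise you get two equal-cost defaults and part of the traffic bypasses HQ; and because rule 2 source-NATs the branch behind the HQ public address, whatever egress inspection (web filter, IPS, logging) HQ applies to its own users must also be attached to that policy, or the branch becomes an uninspected path to the Internet. `get router info routing-table all` on the branch should show both the tunnel default and the /32 host route, and `diagnose vpn tunnel list` shows whether the 0.0.0.0/0 selector came up.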