hichem95
New Contributor

VPN users using the head office WAN

Hi,

I have a problem with my users in the remote office connecting to the WAN through the head office.

This is my hardware:

At the head office: 2 FortiGate 100D v5.4 in active-active cluster mode

At the remote office: 1 FortiGate 60D v5.4, standalone

I created a site-to-site VPN, and I can connect to my network in the head office from the remote office.

I want my users in the remote office to be able to connect to my WAN, but they can't.

I read this cookbook and my configuration is the same:

http://cookbook.fortinet.com/remote-browsing-using-site-to-site-ipsec-vpn/

Thanks for your help.
zohaibm27
New Contributor

Hi,

Just create a simple VPN tunnel on both sides. After that, on the head office site, edit Phase II > Quick Mode and enter source address 0.0.0.0/0 and, as destination, the remote site subnet (e.g. 192.168.1.0/24). On the remote site, in Phase II > Quick Mode, enter the local subnet (e.g. 192.168.1.0/24) as source address and 0.0.0.0/0 as destination subnet, and press OK.

After this, create policies and routes.

On the remote site, add a 0.0.0.0/0 route on the VPN interface.

On the head office, define a route (e.g. 192.168.1.0/24) on the VPN interface.

Thanks,

Zohaib Khan

FCNSA.

hichem95

Hi!

Thanks for your answer.

In the branch office, do I need to create one rule in my FortiGate 60D to allow the traffic on the VPN tunnel?

My rule is:

Incoming interface: Interface User
Outgoing interface: Vpn_connection
Source: Network_branch_office (192.168.3.0)
Destination address: All
Service: ALL
NAT: disabled

Route:
0.0.0.0/0.0.0.0  Interface: Vpn_Connection

In the head office, do I need to create two rules in my FortiGate 100D, one to allow the traffic to access my Server interface and the other to access my WAN load balancing interface?

My rule 1 is:

Incoming interface: Vpn_connection
Outgoing interface: Interface_SRV
Source: Network_branch_office (192.168.3.0)
Destination address: All
Service: ALL
NAT: disabled

My rule 2 is:

Incoming interface: Vpn_connection
Outgoing interface: Wan Load Balance
Source: Network_branch_office (192.168.3.0)
Destination address: All
Service: ALL
NAT: enabled

Route:
192.168.3.0/255.255.255.0  Interface: Vpn_Connection

WAN load balancing:

Wan1:
IP: 192.168.0.30
Gateway: 192.168.0.1 (D-Link modem)

Wan2: 41.X.X.X (bridge)

I made the change that you told me, but there is no change. Is that normal?

hichem95

Hi,

I was able to resolve my problem.

I had to change step 2 of my VPN tunnel configuration.

This is the configuration for the branch office:

local address: 192.168.3.0/255.255.255.0
remote address: 0.0.0.0/0.0.0.0

This is the configuration for the head office:

local address: 0.0.0.0/0.0.0.0
remote address: 192.168.3.0/255.255.255.0

And the rules are the same.

Now it's ready.

Good luck

ede_pfau
Esteemed Contributor III

Question:

How does the remote office FGT contact the HQ public IP address when the tunnel is down?

When the tunnel is down, the default route is removed from the routing table. So the remote FGT cannot find the HQ public address.

To solve this, create an additional host route to the HQ public address, e.g.

8.8.8.8/32 pointing to WAN1

Now the remote FGT always has a route to HQ, and in addition it will allow traffic from the HQ public address; it's not "unknown" anymore because of the host route. So either the remote FGT or the HQ FGT will succeed in establishing the tunnel connection.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
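As an added example, not code from this thread or from Fortinet, here is what the configuration zohaibm27 describes and hichem95 confirms (0.0.0.0/0 Phase 2 selectors, a default route through the tunnel at the branch, a NAT policy to the WAN at HQ), together with the host route ede_pfau recommends, looks like in the FortiOS CLI. Interface names ("internal", "wan1", "Interface_SRV"), the HQ public address 203.0.113.10, the branch uplink gateway 198.51.100.1, the proposal, and the virtual WAN link interface name are assumptions; lines beginning with # are annotations, not configuration.

```fortios
# ===== Branch office (FortiGate 60D) =====
# Assumed: LAN on "internal", uplink on "wan1" (next hop 198.51.100.1),
# HQ public address 203.0.113.10 (all assumptions for this example).

config firewall address
    edit "Network_branch_office"
        set subnet 192.168.3.0 255.255.255.0
    next
end

config vpn ipsec phase1-interface
    edit "Vpn_connection"
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set remote-gw 203.0.113.10
        set psksecret <pre-shared key>
    next
end

# Phase 2 selectors: branch LAN <-> anything, so Internet-bound traffic is
# admitted into the tunnel (the change hichem95 made in "step 2").
config vpn ipsec phase2-interface
    edit "Vpn_connection_p2"
        set phase1name "Vpn_connection"
        set proposal aes256-sha256
        set src-subnet 192.168.3.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Branch policy: LAN -> tunnel, no NAT (HQ does the NAT to the Internet).
config firewall policy
    edit 0
        set srcintf "internal"
        set dstintf "Vpn_connection"
        set srcaddr "Network_branch_office"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

config router static
    # Default route through the tunnel: everything leaves via HQ.
    edit 0
        set dst 0.0.0.0 0.0.0.0
        set device "Vpn_connection"
    next
    # Host route to the HQ public address via the real uplink (ede_pfau's
    # point): the default route above is withdrawn while the tunnel is down,
    # so without this the branch has no path to HQ to bring the tunnel up.
    edit 0
        set dst 203.0.113.10 255.255.255.255
        set gateway 198.51.100.1
        set device "wan1"
    next
end

# ===== Head office (FortiGate 100D cluster) =====
# Phase 1 mirrors the branch side (remote-gw = branch public address).
# Assumed: servers on "Interface_SRV"; Internet via the virtual WAN link,
# whose interface name is "virtual-wan-link" in 5.4 (assumption; check the
# name your unit shows with: show system virtual-wan-link).

config firewall address
    edit "Network_branch_office"
        set subnet 192.168.3.0 255.255.255.0
    next
end

config vpn ipsec phase2-interface
    edit "Vpn_connection_p2"
        set phase1name "Vpn_connection"
        set proposal aes256-sha256
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 192.168.3.0 255.255.255.0
    next
end

config firewall policy
    # Rule 1: branch -> servers, no NAT
    edit 0
        set srcintf "Vpn_connection"
        set dstintf "Interface_SRV"
        set srcaddr "Network_branch_office"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Rule 2: branch -> Internet, source-NATed to the HQ WAN address
    edit 0
        set srcintf "Vpn_connection"
        set dstintf "virtual-wan-link"
        set srcaddr "Network_branch_office"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

config router static
    # Return route for the branch LAN through the tunnel.
    edit 0
        set dst 192.168.3.0 255.255.255.0
        set device "Vpn_connection"
    next
end
```

Two things to keep in mind with this design. The 0.0.0.0/0 selector on the HQ side means any HQ-side source can enter the tunnel, so the firewall policies, not the selectors, are what scope the traffic; keep rule 1 and rule 2 restricted to "Network_branch_office" rather than widening srcaddr to "all". And because the branch default route points into the tunnel, the branch has no Internet access at all while the tunnel is down, which is why the /32 host route to the HQ public address via "wan1" matters: it is the only route that survives a tunnel failure.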