Fortinet Forum
D__Pintaric
New Contributor

Policy based routing through VPN for specific source IP and only port 80 and 443

Dear all,


I have this scenario:

Site DC - Datacentre in Germany

Site France - Branch Office in Paris

Both locations have a FortiGate and their own Internet connection (SDSL). This connection is used for IPsec phase 1 interface-mode tunnels to establish the inter-site connection to reach services in the datacentre. This has worked well for two years.

Devices located in France use the on-site Internet connection (the FortiGate there is the default gateway) for everything. But they connect through the VPN tunnel to the terminal server (Citrix) with their PCs and terminal clients and use the web there. This is done with a static route, which is a common configuration. But now the public IP of the provider in Germany is used, and the users often get the German site, like Google, Amazon, etc. To avoid this, my plan was to redirect, on the FortiGate in the datacentre with a policy route, the traffic for HTTP port 80 and HTTPS port 443 from the source IP of the Citrix server back through the VPN tunnel to France, so that their French public IP is used. But how do I configure the policy route? I don't know what to enter in the Gateway field. I've already tried the LAN interface IP of the FortiGate in France and the public IP and gateway of the provider. Nothing works. A policy is configured in France which allows traffic coming from the VPN and the Citrix server going to WAN1. The policy route is configured for destination 0.0.0.0, source the IP of the Citrix server and port 80, and another for port 443. Everything else is under the control of static routes, to reach the subnets in the datacentre.

I can see that the policy route matches, because I've checked it in the routing monitor, but I can't open any websites on the Citrix server. When the policy doesn't match, because it is deleted or configured with a different IP, I can open any website, but the datacentre IP is still in use, which means it's routed through the datacentre router.

I hope someone could help me. Thank you.

1 Solution
localhost
Contributor III

I was able to get this working by assigning IP addresses to both VPN tunnel interfaces on each side (under System -> Network -> Interfaces). Use the remote IP as the default gateway address.

I think 0.0.0.0/0.0.0.0 doesn't work, because it cannot find the route in the routing table as described here:

http://kb.fortinet.com/kb/documentLink.do?externalID=100116 (nr 10).


You might also want to look into wccp: http://kb.fortinet.com/kb/viewContent.do?externalId=FD32926
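The configuration localhost describes, written out as an added FortiOS CLI example (not from this thread or from Fortinet): an address pair on the tunnel interfaces so the remote tunnel IP becomes a resolvable next hop, and policy routes on the DC side that match only TCP/80 and TCP/443 from the Citrix server. The interface names, the 10.255.255.x tunnel addresses and the Citrix address 192.0.2.10 are assumptions; syntax follows the FortiOS 6.x CLI (5.x takes `set remote-ip` without a netmask).

```fortios
# --- DC FortiGate (Germany) ---
# Assumed /32 pair on the tunnel interface: the remote-ip becomes a
# connected route, so the policy route's gateway can be resolved.
config system interface
    edit "vpn-fr"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end
# Only TCP/80 and TCP/443 from the Citrix server (assumed 192.0.2.10) are
# steered into the tunnel; destination stays at the default (any) and the
# gateway is the far tunnel IP. Everything else keeps the static routes.
config router policy
    edit 1
        set input-device "internal"
        set src "192.0.2.10/32"
        set protocol 6
        set start-port 80
        set end-port 80
        set gateway 10.255.255.2
        set output-device "vpn-fr"
    next
    edit 2
        set input-device "internal"
        set src "192.0.2.10/32"
        set protocol 6
        set start-port 443
        set end-port 443
        set gateway 10.255.255.2
        set output-device "vpn-fr"
    next
end

# --- France FortiGate (Paris) ---
# Mirror of the address pair on the other end of the same tunnel.
config system interface
    edit "vpn-dc"
        set ip 10.255.255.2 255.255.255.255
        set remote-ip 10.255.255.1 255.255.255.255
    next
end
# Still required on this side (as the question already has): a firewall
# policy from "vpn-dc" to wan1 for 192.0.2.10 with NAT enabled, so the web
# traffic leaves with the French public IP, and phase 2 selectors on both
# sides that permit 192.0.2.10 -> 0.0.0.0/0; otherwise the tunnel drops it.
```

Check the result with `diagnose sniffer packet wan1 'host 192.0.2.10'` on the France side: the HTTP/HTTPS flows should appear there after source NAT, while other Citrix traffic should not.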


D__Pintaric

Hi localhost,


Thank you for your answer. I wasn't aware there is an interface which can be configured with an IP.

I configured the IP and also used it as the gateway for the policy-based routing. But I can't get it working. I'm also not sure which firewall settings would be correct on the source and target FortiGate.

Maybe you could help me again. Thank you.
