Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
dholton912
New Contributor

IPSEC Site-to-Site force vlan for Internet

I have a site-to-site link between two offices and I need to force one VLAN from site A to use site B as its gateway for internet access. Currently the site-to-site link allows devices from either network (including other VLANs) to communicate with each other, but they use their home firewall for internet access. I need this one site A VLAN to go out site B's firewall for internet access.

abarushka
Staff

Hello,

A similar scenario is described in the KB below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Remote-browsing-over-IPSec-VPN-tunnel/ta-p...
dholton912

It looks like they are using a newer firmware than my FW has. I see they are adding a second Phase 2 selector. How can I do that in v. 5.2?

abarushka

Hello,

In case it is not available in the GUI, you can try to add it in the CLI:

    config vpn ipsec phase2-interface
        edit <name>
        next
    end
dholton912

What would be the other commands to complete those steps? I apologize for the additional questions. 

mle2802

Hi @dholton912,
You can refer to this CLI reference of 5.2 for more information https://docs.fortinet.com/document/fortigate/5.2.0/cli-reference

dholton912

I apologize for the multiple questions, but I have the additional selectors in on both sides. I have the policies in place. I put the 0.0.0.0 static route in, but I still cannot browse to the internet on this VLAN. I'm just really lost as to my issue. I don't need my entire network passing for remote browsing, just this one VLAN.

dholton912

I also noticed in the default route section they are making a 0.0.0.0 route. Will my situation be different, since I only want one VLAN to pass through the VPN for internet access? For example, the main subnet would be 192.168.1.0/24 and the VLAN subnet would be 192.168.10.0/24. I would only want the 192.168.10.0/24 network to pass through for internet access; the main subnet would use the internet locally. Thanks!

abarushka

Hello,

I think that a policy route may work in your scenario:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-policy-routes-for-route-based-in...
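A worked FortiOS configuration for the approach discussed in this thread (an additional phase 2 selector for the one VLAN, a policy route so only that VLAN is steered into the tunnel, and a NAT policy on the far side). This is an added example, not code from the original posts or from the Fortinet KB articles linked above. It assumes the following names, all of which are made up for the example: site A's VLAN interface is `vlan10` carrying 192.168.10.0/24, site A's LAN interface is `internal` carrying 192.168.1.0/24, the tunnel interfaces are `toB` (site A) and `toA` (site B), site B's WAN interface is `wan1`, and the existing LAN-to-LAN phase 2 selectors, static routes and firewall policies stay in place. Object names and policy IDs are arbitrary.

```fortios
# Added example, not from the original thread. Assumed interface names:
# vlan10, internal, toB / toA (tunnel interfaces), wan1.
# Existing LAN-to-LAN phase2 selectors, routes and policies are left as they are.

# ---------- Site A ----------
config firewall address
    edit "net-vlan10"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Second phase 2 selector: only the VLAN subnet to anywhere.
config vpn ipsec phase2-interface
    edit "toB-vlan10-internet"
        set phase1name "toB"
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end

# Default route via the tunnel with a worse priority than the WAN default
# route. Assumption: it is not used for normal forwarding, but a policy
# route only takes effect when the routing table has a route to the
# destination through the policy route's output device.
config router static
    edit 10
        set dst 0.0.0.0 0.0.0.0
        set device "toB"
        set priority 20
    next
end

# Policy routes are evaluated top to bottom. Entry 1 keeps VLAN10 -> local
# LAN out of the tunnel; entry 2 sends everything else from VLAN10 into it.
config router policy
    edit 1
        set input-device "vlan10"
        set src "192.168.10.0/255.255.255.0"
        set dst "192.168.1.0/255.255.255.0"
        set output-device "internal"
    next
    edit 2
        set input-device "vlan10"
        set src "192.168.10.0/255.255.255.0"
        set dst "0.0.0.0/0.0.0.0"
        set output-device "toB"
    next
end

# Allow the VLAN into the tunnel. No NAT here; site B applies source NAT.
config firewall policy
    edit 100
        set srcintf "vlan10"
        set dstintf "toB"
        set srcaddr "net-vlan10"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set comments "VLAN10 Internet via site B"
    next
end

# ---------- Site B ----------
config firewall address
    edit "net-siteA-vlan10"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Mirror selector: anywhere <-> site A's VLAN subnet.
config vpn ipsec phase2-interface
    edit "toA-vlan10-internet"
        set phase1name "toA"
        set src-subnet 0.0.0.0 0.0.0.0
        set dst-subnet 192.168.10.0 255.255.255.0
    next
end

# Tunnel -> WAN policy with source NAT, so the VLAN egresses on site B's public IP.
config firewall policy
    edit 200
        set srcintf "toA"
        set dstintf "wan1"
        set srcaddr "net-siteA-vlan10"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set comments "Site A VLAN10 Internet egress"
    next
end
```

Site B still needs a route to 192.168.10.0/24 pointing at its tunnel interface for the return traffic; in the setup described in this thread, where all site A subnets already reach site B, that route should already exist. The policy route entry for the local LAN matters: without it, the catch-all entry would push VLAN10-to-192.168.1.0/24 traffic into the tunnel, where site B would NAT it out to the internet instead of delivering it locally. After applying the configuration, check with `diagnose vpn tunnel list` that the new selectors have come up on both sides before testing from a VLAN10 host.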
dholton912
New Contributor

Also the setting of IPs in the tunnel interface is confusing to me. It shows them being set as 2.2.2.2 and 2.2.2.3. Are these just fillers, where should this IP come from?
