
We are trying to replicate what is described at https://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel#Set_up_the_IPsec_tunnel_Phase_2

[network diagram]

We are using 2 Fortinet FortiGate firewalls. We previously had a functioning IPsec VPN between the two sites, but LAN-to-LAN only, i.e. Site A LAN to Site B LAN and vice versa. We have tried modifying the IPsec tunnels to also carry WAN-bound traffic, but it seems to still go across the Site A WAN directly.

Our configuration:

12.34.56.0/24 is Site B IP block

Site A (Branch office):

Phase 2: Local: 172.20.10.0/24 Remote: 0.0.0.0/0.0.0.0

Policy:

  • internal --> siteB, source ALL, destination ALL
  • SiteB --> internal, source ALL, destination ALL

Site B (Datacenter):

Phase 2: Local: 0.0.0.0/0.0.0.0 Remote: 172.20.10.0/24

Policy:

  • internal --> siteA, source ALL, destination ALL
  • SiteA --> WAN, source ALL, destination ALL, NAT dynamic IP pool 12.34.56.1

In addition to outbound traffic as the image depicts, we would also like inbound traffic to the same IP (or multiple IPs) to be directed back to Site A. So, for example, if Site A is hosting a web page and someone goes to 12.34.56.1, it will be directed to the Site A server.

techfutures

1 Answer


Use traceroute or mtr to figure out where the packets are departing from the intended path. Then go to the router which is sending the packets the wrong way and examine its routing table. Then repair (or create) the routing table entry which is supposed to send traffic to the tunnel.

aecolley
  • We did that, packets are going from internal (Site A) --> WAN (Site A), we created a policy to block that specific source computer from going out WAN (Site A), but then the packets would just get blocked, instead of going through the tunnel (internal Site A --> SiteB --> WAN Site B) – techfutures Aug 16 '14 at 20:08
  • @user219652 And the routing table? – aecolley Aug 17 '14 at 00:54
  • Checked the routing table; looks like the FortiGate has chosen WAN (Site A) as the default and therefore isn't sending any packets over the tunnel. Will test and report back. Thanks – techfutures Aug 25 '14 at 04:12
  • Didn't work. Was able to change the default gateway priority and make everything go through the tunnel, but that just ended up dropping all traffic. No pings to outside world... – techfutures Sep 04 '14 at 06:05
  • @techfutures You need to check that outbound packets are getting out (use mtr/traceroute as before), and you also need to check that return packets are coming through the tunnel (check routing tables and firewall filter rules on all systems from the site-B NAT box to the tunnel endpoint). – aecolley Sep 05 '14 at 09:39
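The answer's advice is to look at the routing table of the box that sends packets the wrong way. The following added example (not from the question or the answer) models that lookup for Site A: a longest-prefix-match routing table with an administrative distance tie-breaker, showing that the 0.0.0.0/0 phase 2 selector alone does not move Internet traffic into the tunnel, and why making the tunnel the preferred default route (as tried in the Sep 04 comment) can drop everything. The interface names, the Site B LAN 192.168.50.0/24, the peer address 12.34.56.254 and the destination 203.0.113.9 are assumptions; only 172.20.10.0/24 and 12.34.56.0/24 come from the question.

```python
from ipaddress import ip_address, ip_network

# Assumed values (constructed for this example, not from the question).
SITE_B_LAN = "192.168.50.0/24"   # Site B private LAN reached over the tunnel
SITE_B_PEER = "12.34.56.254"     # Site B IPsec endpoint inside the 12.34.56.0/24 block
INTERNET_HOST = "203.0.113.9"    # an arbitrary Internet destination


def lookup(routes, dst):
    """Pick the egress interface for dst: longest prefix wins, then lowest distance.
    routes is a list of (prefix, interface, administrative_distance)."""
    dst = ip_address(dst)
    best = None
    for prefix, iface, distance in routes:
        net = ip_network(prefix)
        if dst in net:
            key = (net.prefixlen, -distance)
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


# Site A as described in the question: only the Site B LAN points at the tunnel.
# The 0.0.0.0/0 phase 2 selector is a selector, not a route, so Internet-bound
# packets still match the default route and leave via wan1.
ORIGINAL = [
    ("172.20.10.0/24", "internal", 0),
    (SITE_B_LAN, "siteB", 10),
    ("0.0.0.0/0", "wan1", 10),
]

# The Sep 04 attempt: prefer the tunnel as default route. Now the peer's own
# address also resolves to the tunnel, so IKE/ESP packets to the peer have no
# physical path and the tunnel cannot carry anything.
NAIVE = [
    ("172.20.10.0/24", "internal", 0),
    ("0.0.0.0/0", "siteB", 5),
    ("0.0.0.0/0", "wan1", 10),
]

# Keep the tunnel default, but pin the peer endpoint itself to wan1 with a /32.
FIXED = NAIVE + [(SITE_B_PEER + "/32", "wan1", 10)]


def egress_summary(routes):
    """Where each interesting destination leaves Site A under the given table."""
    return {dst: lookup(routes, dst) for dst in (INTERNET_HOST, SITE_B_PEER, "192.168.50.10")}
```

Run `egress_summary(FIXED)` to confirm the peer resolves to wan1 while everything else takes the tunnel; the mirror-image check at Site B is that the return path for the 12.34.56.1 NAT pool also points back into the tunnel.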