Split Tunnel routing internet via IPsec Tunnel

Hi. In my environment I have a Fortigate at HQ and MikroTik RB9xx routers in the branch offices. Currently all traffic goes out via the MikroTik;
I would like to change this so that the traffic goes out via the Fortigate (diagram below).

Is it possible to route internet traffic via the IPsec tunnel?

I tried using EoIP and OSPF and some policy routes, but it doesn't work.
Does anyone know how to solve this problem?
[diagram: mkt.png]

You need to change the IPsec policy to have 0.0.0.0/0 at the Fortigate end (both in your MikroTik config and in your Fortigate).

My policy looks like this:

Should I change sd-dst-address or add a second policy?

 peer:                    
             tunnel:yes             
              group: default                                                 
        src-address:10.10.10.0/24
           src-port:any             
        dst-address:1.1.1.0/24    
           dst-port:any             
           protocol:all             
             action:encrypt         
              level:require         
    ipsec-protocols:esp            
     sa-src-address:1.1.3.137
     sa-dst-address:1.1.2.2
           proposal: default        
           template: yes                                                     
          ph2-count:4

That depends on what you have in the Fortigate. But in normal cases it should be enough to have a single policy with dst-address 0.0.0.0/0
(and have the same thing in the Fortigate but with src-address 0.0.0.0/0 there, in the naming convention they have there)

However, when it is possible it would be recommended to use a GRE/IPsec tunnel instead. It would have source and destination addresses equal to the endpoint address (/32) and you can route anything through the tunnel you like.
I don’t know if the Fortigate offers that option.
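Both options from this reply, written out as RouterOS commands. This is an added example, not configuration from the original thread; the LAN prefix, WAN address and HQ peer address are the ones in the policy printed above, while the ISP gateway 1.1.3.1, the GRE transit addresses 172.16.255.0/30 and the pre-shared key are assumed placeholders (RouterOS 6.x syntax).

```routeros
# Added example, not from the thread. Addresses reused from the printed policy:
# branch LAN 10.10.10.0/24, branch WAN 1.1.3.137, HQ peer 1.1.2.2.
# ISP gateway 1.1.3.1 and the 172.16.255.0/30 transit net are assumed.

# --- Option A: policy-based tunnel with a catch-all selector ---------------
# Replace the 1.1.1.0/24 selector with 0.0.0.0/0 so every packet from the LAN
# is encrypted; the Fortigate must carry the mirror selector (src 0.0.0.0/0).
/ip ipsec policy
set [find dst-address=1.1.1.0/24] dst-address=0.0.0.0/0

# Caveat: RouterOS performs src-nat before IPsec policy matching. A plain
# masquerade rule would rewrite the source to 1.1.3.137, which no longer
# matches src-address=10.10.10.0/24, so the packet would leave unencrypted.
# Exempt traffic that has a matching outbound policy, ahead of masquerade.
/ip firewall nat
add chain=srcnat action=accept ipsec-policy=out,ipsec place-before=0 \
    comment="bypass NAT for traffic entering the IPsec tunnel"

# --- Option B: GRE over IPsec, route-based ---------------------------------
# ipsec-secret makes RouterOS create the /32-to-/32 policy between the two
# endpoints automatically; any prefix can then simply be routed into the GRE.
/interface gre
add name=gre-hq local-address=1.1.3.137 remote-address=1.1.2.2 \
    ipsec-secret=CHANGE-ME-PRESHARED-KEY
/ip address
add address=172.16.255.2/30 interface=gre-hq comment="tunnel transit (assumed)"

/ip route
# Keep a host route to the HQ endpoint via the ISP; without it the default
# route below would try to send the GRE outer packets into the tunnel itself.
add dst-address=1.1.2.2/32 gateway=1.1.3.1
# Demote the existing ISP default route so the tunnel route wins while the
# tunnel is up and the ISP route takes over if check-gateway fails.
set [find dst-address=0.0.0.0/0 gateway=1.1.3.1] distance=2
add dst-address=0.0.0.0/0 gateway=172.16.255.1 distance=1 check-gateway=ping
```

In either option the Fortigate, not the MikroTik, performs the NAT towards the internet, so the branch masquerade rule must only match the ISP-facing interface.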

@Pozun

In my case, to do that I'm using Mode Config.
And I found that this feature works perfectly for Apple and doesn't for Windows. I haven't tested Android yet.