Hi, In my environment in HQ i have Fortigate in branches offices i have mikrotik RB9XX now all traffic goes out by mikrotik,
I would like to change this traffic from mikrotik to fortigate (diagram below)
Its possible to route internet via ipsec tunnel?
I try using EOIP oraz OSPF and some policy route but its doesnt work.
Does anyone know how to solve this problem?
Split Tunnel routing interent via IPsec Tunnel
You do not have the required permissions to view the files attached to this post.
Re: Split Tunnel routing interent via IPsec Tunnel
You need to change the IPsec policy to have 0.0.0.0/0 at the Fortigate end (both in your MikroTik config and in your Fortigate).
Re: Split Tunnel routing interent via IPsec Tunnel
My policy look like.You need to change the IPsec policy to have 0.0.0.0/0 at the Fortigate end (both in your MikroTik config and in your Fortigate).
Should i change sd-dst-address or add second policy??
Code: Select all
peer:
tunnel:yes
group: default
src-address:10.10.10.0/24
src-port:any
dst-address:1.1.1.0/24
dst-port:any
protocol:all
action:encrypt
level:require
ipsec-protocols:esp
sa-src-address:1.1.3.137
sa-dst-address:1.1.2.2
proposal: default
template: yes
ph2-count:4 Re: Split Tunnel routing interent via IPsec Tunnel
That depends on what you have in the Fortigate. But in normal cases it should be enough to have a single policy with dst-address 0.0.0.0/0
(and have the same thing in the Fortigate but with src-address 0.0.0.0/0 there, in the naming convention they have there)
However, when it is possible it would be recommended to use a GRE/IPsec tunnel instead. It would have source and destination addresses equal to the endpoint address (/32) and you can route anything though the tunnel you like.
I don't know if the Fortigate offers that option.
(and have the same thing in the Fortigate but with src-address 0.0.0.0/0 there, in the naming convention they have there)
However, when it is possible it would be recommended to use a GRE/IPsec tunnel instead. It would have source and destination addresses equal to the endpoint address (/32) and you can route anything though the tunnel you like.
I don't know if the Fortigate offers that option.
Re: Split Tunnel routing interent via IPsec Tunnel
@Pozun
in my case to do that i'm using Mode Configs.
And i found that features works perfectly for apple and doesn't for windows. I haven't tested android yet.
in my case to do that i'm using Mode Configs.
And i found that features works perfectly for apple and doesn't for windows. I haven't tested android yet.
RouterOS does not have a random function. Many has tried to make script to make random text, but all seems to be flawed.
viewtopic.php?f=9&t=160183
!) Safe Mode is your friend;
viewtopic.php?f=9&t=160183
!) Safe Mode is your friend;