MikroTik App
 
beltskyy
just joined
Topic Author
Posts: 2
Joined: Mon Nov 28, 2022 1:06 pm

How to forward traffic from WAN to IPsec-tunnel which built itself on this WAN

Mon Nov 28, 2022 1:43 pm

I've managed to build an IPsec site-to-site tunnel between a MikroTik CHR hosted in a datacenter in Europe and a Fortigate 100F hosted at my company HQ. Our Fortigate is behind double NAT (the 4G/LTE router's NAT and the mobile operator's CGNAT); it can dial up to the MikroTik CHR and I have a good connection: both LANs work properly and reach each other without any problem.

Now I have another task: is it possible to take inbound traffic from my WAN and then forward it to a server on the other side of the IPsec tunnel (it is the web interface of the Fortigate device, which offers RDP and other services)?

But it would be even better if it were possible to take incoming Fortigate VPN-client traffic on the WAN of the MikroTik CHR and then send it through the IPsec tunnel to the interface of the Fortigate that receives SSL-VPN client traffic on the other side of the IPsec tunnel. Long story short, is there any way to wrap SSL-VPN traffic in the established IPsec tunnel, a tunnel connection inside a tunnel connection?

Thanks a lot in advance!
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: How to forward traffic from WAN to IPsec-tunnel which built itself on this WAN

Mon Nov 28, 2022 6:50 pm

What are the subnets behind the Fortigate, what is the VPN subnet on the Fortigate, and what is the subnet of the CHR?

IMHO the problem is with routing between these subnets if they are different. If, e.g., the IPs assigned to VPN users overlap the subnet behind the CHR, then you have a "clash" to be solved.
 
beltskyy
just joined
Topic Author
Posts: 2
Joined: Mon Nov 28, 2022 1:06 pm

Re: How to forward traffic from WAN to IPsec-tunnel which built itself on this WAN

Mon Dec 05, 2022 7:33 pm

I've solved this task another way. I recreated the tunnel with the WAN interface on the CHR as the local side (remote on the Fortigate) and dropped the idea of using a LAN on the CHR at all. This way I made a dst-nat rule from the CHR WAN interface to the remote LAN interface on the Fortigate, where the SSL-VPN web interface and SSL-VPN server are bound. Now it works fine: I can connect with the Fortigate VPN client or connect to the web interface successfully through the WAN of the CHR, until my IPsec loses the connection (e.g. when there is no activity in the tunnel at night).

When the tunnel loses the connection, it cannot restart until I disable the 2 routes to the CHR on the Fortigate (the one pointing to the CHR WAN and the blackhole one); after this the first phase becomes established by itself, I manually bring up the 2nd phase, then I activate the routes again and the tunnel works until the next failure. I suppose the problem is in routing, and I ask for help to build such a tunnel the proper way.

Also a guy from tech support suggested that I ping through the tunnel all the time to keep the connection up without any drops.
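As an added example (not configuration posted by anyone in this thread), here is what the CHR side of the arrangement described in the last post looks like in RouterOS CLI syntax: the CHR's own WAN address is the only "local network" in the IPsec policy, inbound SSL-VPN traffic arriving on the WAN is dst-natted into the LAN behind the Fortigate, and a netwatch ping keeps traffic flowing inside the policy so the tunnel is not idled out. The interface name ether1, the addresses 203.0.113.10 and 192.168.10.0/24, the port 10443, the peer name fgt-hq and the DPD values are all assumptions; the Fortigate-side configuration and its two routes are not shown.

```routeros
# Added example, not from the thread. Assumed values:
#   ether1          = CHR WAN interface, public IP 203.0.113.10
#   192.168.10.0/24 = LAN behind the Fortigate; 192.168.10.1 = Fortigate LAN address
#   10443/tcp       = port the Fortigate SSL-VPN portal listens on
#   The Fortigate (behind double NAT) initiates IKE, so the CHR is the passive responder.

# --- IPsec: the CHR WAN /32 is the local network; no CHR LAN is involved ---
/ip ipsec profile set [ find default=yes ] dpd-interval=30s dpd-maximum-failures=5
/ip ipsec peer add name=fgt-hq passive=yes exchange-mode=ike2 profile=default
/ip ipsec identity add peer=fgt-hq auth-method=pre-shared-key secret="CHANGE-ME"
/ip ipsec policy add peer=fgt-hq tunnel=yes \
    src-address=203.0.113.10/32 dst-address=192.168.10.0/24 proposal=default

# --- NAT: Internet client -> 203.0.113.10:10443 -> 192.168.10.1:10443 through the tunnel ---
# 1. Rewrite the destination. Match only the SSL-VPN port, not every inbound packet,
#    so nothing else on the remote LAN is reachable from the Internet.
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=10443 \
    action=dst-nat to-addresses=192.168.10.1 to-ports=10443 comment="SSL-VPN via IPsec"
# 2. Rewrite the source to the CHR WAN IP. A packet from an arbitrary Internet client
#    would otherwise not match the policy (src 203.0.113.10/32 -> dst 192.168.10.0/24);
#    after this the Fortigate replies to 203.0.113.10 through the tunnel and the CHR un-NATs.
/ip firewall nat add chain=srcnat dst-address=192.168.10.0/24 out-interface=ether1 \
    action=src-nat to-addresses=203.0.113.10 comment="source to WAN IP for policy match"
# 3. Let the translated connections through the forward chain.
/ip firewall filter add chain=forward connection-nat-state=dstnat connection-state=new \
    action=accept place-before=0 comment="allow dst-natted SSL-VPN"

# --- Keepalive: constant traffic inside the policy so the SAs are not idled out overnight ---
# netwatch sends ICMP from the CHR's routed source address; with no CHR LAN that is the
# WAN IP, so the echo requests match the policy and traverse the tunnel.
/tool netwatch add host=192.168.10.1 interval=30s timeout=1s comment="IPsec keepalive"
```

The src-nat step is the part most often missed with this design: because the policy's local side is a single /32, every forwarded packet must carry that address as its source before IPsec policy matching, which in RouterOS happens after srcnat. The DPD settings are a separate safeguard from the ping and only detect a dead peer; they do not by themselves fix a routing problem on the Fortigate side.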
