Hi guys,
I'm trying to work out how to get traffic from my local LAN to secondary
remote IPSEC networks. For example:
home <----> work <--> remotesite
(where each of the links is an IPSEC tunnel).
If I use Forticlient I can do this fine by:
- define phase2 dst & src subnets as 0.0.0.0/0.0.0.0
- existing routes from work --> remotesite still function as expected
- make sure local client routes 192.168.0.0/16 over IPSEC gateway address
- set up policy on fortigate as follows:
incoming interface: Forticlient interface
outgoing interface: remoteVPN interface
incoming subnet: Forticlient Range
outgoing subnet: remote range
ports etc: as required
I can add a specific P2 route by using
/ip ipsec policy
and this is working OK - but only for the specific subnet that I define in
the policy.
What I want to do is create a generic policy that only routes traffic via
the IPSEC tunnel when it needs to - and not - when it doesn't need to.
But... the issue here is I can't define a route - because there's no
virtual interface associated with the IPSEC tunnel (whereas on Fortigate
you do get a virtual interface that can be referenced in policies / routes
etc). And you can't use a standard route, because the gateway in this case
is remote (i.e. it's the router at work).
If I try to set up a 0/0 P2 it breaks the VPN completely.
Any tips for how I might go about making a more generic / scalable approach
here?