How do I forward IPsec traffic for the peer residing behind Peplink? Below is my scenario and wanted a help from peplink perspective and wanted to know what changes do I need to make on peplink?
So I have remote encryption domain as 10.10.99.0/24
And mine is 192.168.100.0/24
My firewall is natted with 5.6.7.8 <–> 10.1.1.2
And I have tunnel built from my firewall to Fortinet. IPsec tunnel shows up and route is added on my firewall for 10.10.10.99.0/24 NH 10.1.1.1
but traffic is being forwarded to 7.8.9.0 and not able to ping other end.
Is there any other configuration needed for VPN pass through?
I think this route - 10.10.99.0/24 —> 10.1.1.1 is not needed since traffic between 10.10.99.0/24 and 192.168.100.0/24 was encrypted in IPSec tunnel.
Please enable IPsec NAT-T passthrough via Network > Service Passthrough > IPsec NAT-T. Please define custom ports if your IPSec ports are out of UDP ports 500, 4500, and 10000.
Please find the diagram above. Your routing path will be Source host > Firewall > IPSec tunnel > Fortinet > Destination host when you perform trace route from 192.168.100.0/24 to 10.10.99.0/24. This was invisible by Peplink router.
Please find the screenshot below to add custom ports for IPsec. Please take note Peplink will route IPSec traffic to WAN1 by default after enabled IPsec NAT-T passthrough.
I see, but in this case my Firewall is natted with WAN3 IP and per you since the traffic will be forwarded to WAN1 by default when IPsec pass-through enabled. How do I make it routed through WAN3 then?
Again the issue I see is and you are absolutely right the destination encryption domain should be invisible to peplink as it is an site-to-site tunnel. But when I tracert 10.10.99.x IP I can see the peplik IP and then traffic is forwarded to Internet through WAN1 as I stated in my other post.
Hi,
We have a clients Router building an IP-Sec connection.
We had an Outbound policy to force most of the traffic (also IP-SEC) through the tunnel.
IPSEC Port 500 was routed through WAN1 by the Router.
Only when I set the Checkbox “Send all traffic through Tunnel” then also IPSEC Port 500 is routed through the tunnel.
Is there a way to route IP-SEC Traffic through Outbound Policy?
Service Passthrough only allows setting of WAN Interfaces, not Tunnels.
I understand. Thanks.
But main question was, why IP-SEC 500 is not routed by outbound policy through the tunnel, even I had created a rule for routing all traffic to this server through the tunnel.
UDP Package on port 500 bypassed this rule and left through WAN1.
AND at the bottom of the Rule-Set I had an additional Rule “src-any-dst-any, enforced through tunnel” - even this rule was ignored.
Is IPSEC handled different?
UDP port 500 was only routed through tunnel, when I “sent all traffic to …”
Kind regards
Johannes
@jfickeis, this is due to IPsec NAT-T (Network > Service Passthrough) was enabled. You may disable it then control the IPSec traffic with outbound policy.
