When a policy-based IPsec VPN is configured on a FortiGate in Transparent Mode and an Internet Service (ISDB) entry is used in the destination field of the policy-based IPsec VPN policy, locally initiated traffic incorrectly egresses via the IPsec tunnel.

Sample configuration:

    config system settings
        set opmode transparent
        set manageip 10.1.1.2/255.255.255.0
        set gui-policy-based-ipsec enable
    end

    config firewall policy
        edit 1
            set name "Internet"
            set srcintf "port2"
            set dstintf "port3"
            set action accept
            set srcaddr "10.1.1.0/24"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
        next
        edit 2
            set name "ISDB"
            set srcintf "port2"
            set dstintf "port3"
            set action ipsec
            set srcaddr "100.100.100.100/32"
            set internet-service enable
            set internet-service-name "Apple-SSH"
            set schedule "always"
            set vpntunnel "IPSECVPN"
        next
    end

Even though neither the source IP nor the destination IP/port matches the address and port of the configured Internet Service, locally initiated traffic may be misrouted over the IPsec VPN tunnel. This issue does not occur when the FortiGate is in NAT mode.

Debug flow output with ISDB in the destination field (the packet from the management IP enters the IPsec tunnel):

    id=65308 trace_id=5 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 10.1.1.2:8->223.5.5.5:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=8, seq=0."
    id=65308 trace_id=5 func=init_ip_session_common line=6047 msg="allocate a new session-0000ab44"
    id=65308 trace_id=5 func=ip_session_confirm_final line=3110 msg="npu_state=0x0, hook=4"
    id=65308 trace_id=5 func=ipsec_tunnel_output4 line=1189 msg="enter IPsec tunnel-IPSECVPN"   <-------
    id=65308 trace_id=5 func=esp_output4 line=921 msg="IPsec encrypt/auth"
    id=65308 trace_id=5 func=nipsec_set_ipsec_sa_enc line=933 msg="Trying to offload IPsec encrypt SA (p1/p2/spi={IPSECVPN/IPSECVPN/0xdaaf028}), npudev=-1, skb-dev=root.b"

When ISDB is not enabled in the destination field of the firewall policy, local traffic is sent out of the WAN interface (port3) as expected:

    id=65308 trace_id=6 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 10.1.1.2:9->223.5.5.5:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=9, seq=0."
    id=65308 trace_id=6 func=init_ip_session_common line=6047 msg="allocate a new session-0000ba16"
    id=65308 trace_id=6 func=ip_session_confirm_final line=3110 msg="npu_state=0x0, hook=4"
    id=65308 trace_id=6 func=__if_queue_push_xmit line=391 msg="send out via dev-port3, dst-mac-50:00:00:03:00:01"

This issue has been resolved in FortiOS version 7.6.3.

General debug information required by FortiGate TAC for investigation:

- Debugs:

    diagnose debug flow filter addr <>
    diagnose debug flow show function-name enable
    diagnose debug flow show iprope enable
    diagnose debug flow trace start 100
    diagnose debug enable

  Reproduce the issue.

    diagnose debug reset
    diagnose sys session list
    diagnose firewall iprope list 0x100004
    diagnose internet-service id <Internet Service ID>

- TAC Report:

    execute tac report

- Configuration file of the FortiGate.

Workaround: Add an additional NAT-mode VDOM to handle DNS and other locally originated traffic.
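To confirm from the collected debugs whether locally originated traffic is taking the tunnel, the trace lines can be grouped by trace_id and checked for a "from local" packet that reaches ipsec_tunnel_output4 instead of __if_queue_push_xmit. The following Python script is an added example and not part of the Fortinet article or FortiOS; its sample input is constructed from the debug flow output shown above, and the field names it extracts (trace_id, func, msg, "from local", "enter IPsec tunnel-", "send out via dev-") are taken from those lines.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the 'diagnose debug flow' output in the article:
# trace 5 is a locally originated ping that enters the tunnel, trace 6 leaves via port3.
SAMPLE_TRACE = """\
id=65308 trace_id=5 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 10.1.1.2:8->223.5.5.5:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=8, seq=0."
id=65308 trace_id=5 func=init_ip_session_common line=6047 msg="allocate a new session-0000ab44"
id=65308 trace_id=5 func=ip_session_confirm_final line=3110 msg="npu_state=0x0, hook=4"
id=65308 trace_id=5 func=ipsec_tunnel_output4 line=1189 msg="enter IPsec tunnel-IPSECVPN"
id=65308 trace_id=5 func=esp_output4 line=921 msg="IPsec encrypt/auth"
id=65308 trace_id=6 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 10.1.1.2:9->223.5.5.5:2048) tun_id=0.0.0.0 from local. type=8, code=0, id=9, seq=0."
id=65308 trace_id=6 func=init_ip_session_common line=6047 msg="allocate a new session-0000ba16"
id=65308 trace_id=6 func=__if_queue_push_xmit line=391 msg="send out via dev-port3, dst-mac-50:00:00:03:00:01"
"""

# One debug-flow line: trace id, kernel function name, quoted message.
LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"$')
# Packet summary inside print_pkt_detail: protocol, source and destination.
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):\d+->(?P<dst>[\d.]+):\d+\)')


def parse_trace(text):
    """Group debug-flow lines by trace_id and record, per flow, the 5-tuple
    summary, whether the packet was locally originated ("from local"),
    the IPsec tunnel it entered (if any) and the egress interface (if any)."""
    flows = defaultdict(lambda: {"src": None, "dst": None, "proto": None,
                                 "local": False, "tunnel": None, "egress_dev": None})
    for raw in text.splitlines():
        m = LINE_RE.search(raw.strip())
        if not m:
            continue  # not a debug-flow line (e.g. CLI echo); skip it
        flow = flows[int(m["tid"])]
        func, msg = m["func"], m["msg"]
        if func == "print_pkt_detail":
            p = PKT_RE.search(msg)
            if p:
                flow["src"], flow["dst"] = p["src"], p["dst"]
                flow["proto"] = int(p["proto"])
            flow["local"] = "from local" in msg
        elif func == "ipsec_tunnel_output4":
            t = re.search(r"enter IPsec tunnel-(\S+)", msg)
            flow["tunnel"] = t.group(1) if t else "unknown"
        elif func == "__if_queue_push_xmit":
            d = re.search(r"send out via dev-(\S+),", msg)
            flow["egress_dev"] = d.group(1) if d else "unknown"
    return dict(flows)


def find_misrouted_local_flows(flows):
    """Trace ids of locally originated packets that entered an IPsec tunnel.
    In the article's scenario these are the symptom of the bug."""
    return sorted(tid for tid, f in flows.items() if f["local"] and f["tunnel"])


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    for tid in find_misrouted_local_flows(parsed):
        f = parsed[tid]
        print(f"trace_id={tid}: local {f['src']}->{f['dst']} proto={f['proto']} "
              f"entered tunnel {f['tunnel']} instead of a physical interface")
```

Run it against a saved copy of the `diagnose debug flow` output; any trace listed is a candidate for the behaviour described here, and comparing the reported 5-tuple with the Internet Service definition confirms whether the match was legitimate.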