zoriax
New Member
April 7, 2022
Solved

Dialup VPN : Strange traceroute

  • April 7, 2022
  • 4 replies
  • 3548 views

Hi!

I have a strange behaviour with dial-up VPN. I have an HQ Fortigate with these interfaces configured:

port1 : 172.15.1.1/24

dmz : 172.18.1.1/24

I have a Fortigate client connected with dial-up VPN to this HQ. When I execute a traceroute on this Fortigate client to reach, for example, a server behind my HQ Fortigate with IP 172.15.1.218, the result is shown like this:

 

traceroute to 172.15.1.218 (172.15.1.218), 32 hops max, 3 probe packets per hop, 84 byte packets
1 172.18.1.1 4.866 ms 5.031 ms 5.181 ms
2 172.15.1.218 5.355 ms 4.989 ms 4.527 ms


Why is the dmz interface IP in the path? Is it normal behaviour?

Thanks

Best answer by Sachin_Alex_Cherian_

4 replies

Sachin_Alex_Cherian_
Staff
April 8, 2022

Hi,

The IPsec tunnel interface is unnumbered by default.

Meaning it does not have an IP address unless you add one manually.

When you do a traceroute, the FG has to reply with an IP. And if the tunnel interface does not have an IP, it picks the IP of another interface (mostly the one with the lowest index) and replies with that IP address. So what you are seeing is normal behaviour.


zoriax (Author)
New Member
April 8, 2022

Hi Sachin,

Thanks for the explanation. Does this mean that I need to add an IP to my dial-up tunnel, or can I leave it unnumbered?

Thanks

Sachin_Alex_Cherian_
Staff
April 8, 2022

Hi,

I was only explaining the behaviour, as to why the FG shows the DMZ IP in the traceroute.

You can leave it unnumbered or add an IP.

In case you need to use a dynamic routing protocol on the IPsec tunnel interface, you need to have the tunnel interface IP added. When it comes to traceroute, it really doesn't matter, I guess, and depends on your choice.
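For reference, here is a FortiOS CLI fragment showing the option Sachin describes. It is added here as an illustration and is not part of the original thread or of either poster's configuration. It assigns a point-to-point address to the hub's dial-up tunnel interface, so the HQ answers traceroute probes (and can run a dynamic routing protocol) from that address instead of from whichever other interface it happens to pick. The tunnel name HQ-dialup and the 10.255.0.1/10.255.0.2 pair are assumptions; substitute the phase1-interface name from the HQ configuration.

```fortios
# HQ FortiGate: give the dial-up IPsec tunnel interface its own address.
# "HQ-dialup" is an assumed phase1-interface name and 10.255.0.1 / 10.255.0.2
# an assumed point-to-point pair; neither comes from the original post.
config system interface
    edit "HQ-dialup"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.255
    next
end

# Confirm the interface now carries the address and the tunnel is still up.
show system interface HQ-dialup
diagnose vpn tunnel list
```

After this change, a traceroute from the client Fortigate (execute traceroute 172.15.1.218) should show 10.255.0.1 as the first hop rather than the dmz address 172.18.1.1, which also keeps the HQ's internal interface addressing out of the path shown to remote sites. Leaving the interface unnumbered is functionally harmless, as the answer says; the only difference is the source address the HQ uses. One caveat: all dial-up clients terminate on this single hub interface, so the remote-ip here is a placeholder rather than a per-spoke address; check the FortiOS dial-up/ADVPN documentation before building BGP or OSPF on top of it.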

 

zoriax (Author)
New Member
April 8, 2022

OK, nice! Thanks