Paul_S
New Member
November 1, 2016
Question

FGT to FGT with 0.0.0.0 and understanding VPN Routing

VPN routing concepts seem to have changed for any FortiOS 5.2 or higher. It is in the "What's new" area of 5.2. VPN tunnels now use "add-route", which I don't understand in a 0.0.0.0/0 scenario.

I did many FGT<>FGT with split tunnel VPN and with old routing (Static routes), but not with the new routing.

I need help understanding how routing is controlled without static routes.

Toshi_Esumi
SuperUser
November 1, 2016

As far as I know nothing has changed with 5.2 routing with IPsec tunnels. With main mode you can leave the networks in phase 2 as the default 0.0.0.0 (it doesn't show up in the CLI) and use static routes to control split tunneling if you want. We use BGP for that part, but it's just a routing protocol, no different from static routes. When we migrated from 5.0 to 5.2 on both sides, we didn't have to change anything. The only differences we noticed were the password encryption level and the default DH group/keylife timer values.

Paul_S (Author)
New Member
November 2, 2016

I know that routing changed, because all my static routes for FGT-to-FGT VPN tunnels were deleted when I upgraded to 5.2.x, and there is this note from "What's new"; see screenshot.

Paul_S (Author)
New Member
November 2, 2016

I should mention that I set up my FGT-to-FGT tunnels in dynamic mode so that the site IP address can change without affecting the VPN tunnel.
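As an added example (not posted by either participant), this is what Toshi_Esumi's approach looks like in FortiOS CLI form, combined with the dynamic-mode phase 1 Paul_S describes: phase 2 selectors left at the 0.0.0.0/0 default, `add-route` disabled on the phase 1 so the tunnel does not install routes from the peer's selectors on its own, and a static route per remote subnet to decide which traffic enters the tunnel. The tunnel name, WAN interface, proposal and the 10.20.0.0/16 remote LAN are assumed values.

```text
# Added example; tunnel name, interface, proposal and subnets are constructed.
# Hub side: dialup (dynamic) phase 1, so the remote site's public IP may change.
config vpn ipsec phase1-interface
    edit "site-b"
        set type dynamic
        set interface "wan1"
        set mode main
        set proposal aes256-sha256
        set dhgrp 14
        # Keep the tunnel from injecting routes for the peer's selectors
        # (with 0.0.0.0/0 selectors that would be a default route);
        # routing is controlled by the static routes below instead.
        set add-route disable
        set psksecret <pre-shared key>
    next
end

# Phase 2: src-subnet / dst-subnet are left at the 0.0.0.0/0 default
# (they do not appear in "show"), so any traffic routed into the
# tunnel interface matches the selector.
config vpn ipsec phase2-interface
    edit "site-b-p2"
        set phase1name "site-b"
        set proposal aes256-sha256
    next
end

# Split tunnel: only the remote LAN goes over the tunnel, because only
# that prefix has a route pointing at the tunnel interface.
config router static
    edit 10
        set dst 10.20.0.0 255.255.0.0
        set device "site-b"
    next
end
```

After the tunnel comes up, `get router info routing-table all` should list 10.20.0.0/16 via site-b and no 0.0.0.0/0 entry on the tunnel interface; a default route appearing there is the sign that add-route is still installing routes from the wide-open selectors.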