New Member

Question

IPSEC routing issue

Forum|Forum|4 years ago
May 30, 2022
4 replies
9285 views

Hello everyone,

I have the following problem;
I have a Fortigate 100D running 6.0.11, and I have set up an IPSEC VPN. The tunnel is online and clients in the network can access the remote network. I have created a static route on the Fortigate towards that subnet with a distance of 10 and pointing to the VPN interface.

However, when I try to ping the remote network from the Fortigate, it always uses the DMZ interface (this is disabled on our Fortigate). The remote network is only accessible from 2 local networks. The remote network is also able to access the 2 allowed local networks on the Fortigate, a traceroute reveals it passes the DMZ interface to reach its destination.

Is there a way I can add a local interface to the static route as gateway? Currently it shows the gateway as 0.0.0.0 in the static routes overview.

Any suggestions on what I'm doing wrong or what I can do to troubleshoot further?

FortiGate

sw2090

SuperUser

hm that is rather few information.

Basically the routing gives the way. So first of all there must be a route that matches the destination. Secondly there has to be a policy to allow the traffic.

If destination is a physical,vlan or switch interface you don't need explicite static routing since these automagically create a "connected" route with them.

In these cases you just need some policy to allow the traffic to flow :)

All other cases require explicit static routing.

Alas the VPN itself will listen on the interface you selected when you created it.

This is only used for the VPN itself (transport + encryption).

The rest as said is given by the routing and policies.

Could you explan you problems a bit more detailed then?

Vincent802Author

New Member

Hi sw2090, thanks for you reply, I have updated my initial post.

sw2090

SuperUser

hm if it does that there must be some route matching the destination subnet that has the dmz interface as gateway.

As said if that is physical interfaces, vlan interfaces or ipsec tunnels or switch interfaces (or trunks) there is no need for explicit static routing. The routing is already there once the interface is configured.

Routing will be looked at in this order: 1. connected routes, 2. static routes and everything that don't match 1. or 2. will hit the default route.

On the other hand it could also be that the inteface shown to you is not correct. I remember that such things happened to me on a FGT too.

Also the tunnel could run client isolation which would mean that clients would not be able to access each other.

So have a look at your routing table on the FGT and see.

ntaneja

Staff & Editor

Hi vincent

Please check below document if this helps in your case
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Self-originating-traffic-over-IPSec-VPN-For/ta-p/193456

Thanks

seshuganesh

Staff

I suspect you did not assigned any IP address to the tunnel interface of the firewall, if you do not assign any IP address to the tunnel interface it will take DMZ ip and leave the firewall. It will not go towards DMZ interface, it is just use that IP and try to enter IPSEC tunnel. If DMZ IP is not present in local phase2 selectors, firewall will block the traffic.

In order to avoid this scenario, either you need to define some IP address in tunnel interface and assign it to the local and remote selectors in phase 2 of the tunnel.

Or

You can set "execute ping-options source <lan interface ip>" (lan interface IP should be there in local phase2 selectors)

Then ping the remote network.

Debbie_FTNT

Staff & Editor

Here is a KB on this behavior (what source IP FGT uses for traffic into IPSec tunnel, if no source IP is defined manually or set on the tunnel interface): https://community.fortinet.com/t5/FortiGate/Technical-Tip-Source-IP-for-self-originating-IPsec-tunnel/ta-p/198591

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded