zmag
New Member
April 19, 2011
Question

IPSec tunnel, not routing

  • April 19, 2011
  • 18 replies
  • 11440 views
I have a new IPSec tunnel and I have control over both ends of it.

Local - FG60B 4.0 MR3
Remote - FG60C 4.0 MR1

The tunnel shows successful P1 and P2, but no successful pings. My first step was to tracert to a remote host. The tracert went to the firewall as expected, but then it went out the default gateway, not the virtual interface bound to the tunnel. The route states:

    destination = 10.154.154.0/24
    device = rmg_dev (virtual interface)

I think that just having this route should force traffic to the virtual interface, even if the tunnel was down, so why would traffic continue to the gateway of last resort?

    18 replies

    rwpatterson
    New Member
    April 19, 2011
    If you use interface tunnels, you then also need a static route for the remote end traffic.
    zmag (Author)
    New Member
    April 19, 2011
    That's the route I have. The remote network is 10.154.154.0/24

        Tracing route to 10.154.154.14 over a maximum of 30 hops
          1     2 ms     2 ms     3 ms  192.168.32.1
          2     6 ms     1 ms     1 ms  172.16.32.1
          3     1 ms     1 ms     1 ms  chicrt1.mydomain.com [192.168.40.1]
          4     1 ms     1 ms     1 ms  192.168.40.100                    << My Firewall
          5     2 ms     2 ms     2 ms  hge14-1.hge.net [216.19.237.1]    << my default gtwy
          6     3 ms     2 ms     2 ms  hge12-1.hge.net [216.19.235.1]
          7     2 ms     2 ms     2 ms  216.19.226.250
          8     5 ms     4 ms     5 ms  vlan187.car1.boston1.level3.net [4.53.49.197]
          9     *        *        ^C
        Tracing route to 10.154.154.14 over a maximum of 30 hops
    ede_pfau
    SuperUser
    April 19, 2011
    I see that you have the static route to the VPN interface configured. But traceroute clearly shows that the route is not active - what do you see in the Routing Monitor? VPN traffic going out the WAN port can only happen if the tunnel is down, and thus the route is deleted. In the CLI, the routing monitor is given by:
     get router info routing-table all
    zmag (Author)
    New Member
    April 19, 2011
    There is no reference to the route in the monitor. It does seem that the tunnel is down but in the analyzer I see P2 and P2 successful. Thanks for the reply.
    ede_pfau
    SuperUser
    April 19, 2011
    Can you check the tunnel status on (one of) the FGT? VPN>IPSec>Monitor.
    zmag (Author)
    New Member
    April 19, 2011
    Tunnel is up, I bounced it, comes right back with the same results. Both sides show the tunnel is up. For the sake of troubleshooting I removed all but one quick mode selector with one host on each side, also changed the policies to reflect one host on each side. Also (for what it's worth) I upgraded the firmware on the remote side (60B) to MR3.
    ede_pfau
    SuperUser
    April 19, 2011
    Creating and tearing down a tunnel MUST insert/delete the corresponding static route in the Routing Monitor. The QM selectors only determine who is able to trigger the negotiations, so here they don't matter. IMHO be cautious to upgrade to a different major version. Would be wise to find the root cause and not explore all the little things that have changed between 4.2 and 4.3... And you can bet that IPSec VPN functionality does work in any FortiOS version, or else Fortinet would get a lot of support calls. Please post the routing table when the tunnel is up, and the static route definition. Maybe it's just a typo.
    zmag (Author)
    New Member
    April 19, 2011
    I may have just found something. On the remote side, 60B MR3, System > Network > Interface, there is an option for switch mode management; it is set to "Switch Mode", pretty sure that should be "Interface Mode". I'll download the Manual for this 60B (dev).
    ede_pfau
    SuperUser
    April 19, 2011
    Nope. The internal ports of the 60B can be combined into ONE switch interface or be split into several independent ports. Your issue doesn't deal with physical ports at all but virtual VPN interfaces. And routes.
    zmag (Author)
    New Member
    April 19, 2011
    The 60C is a DEV box, which is why we went to the newest firmware. It looks like that may have been released today according to the "Alert Message Console" Widget.

        chifgt02 (root) # get router info routing-table all
        Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
               O - OSPF, IA - OSPF inter area
               N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
               E1 - OSPF external type 1, E2 - OSPF external type 2
               i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
               * - candidate default

        S*      0.0.0.0/0 [10/0] via 216.19.237.1, port16
                          [10/0] via 12.178.80.241, port15, [100/0]
        C       10.10.10.0/24 is directly connected, port17
        S       10.66.4.0/24 [10/0] is directly connected, meditech
        S       10.66.6.0/24 [10/0] is directly connected, meditech
        S       10.68.48.0/24 [10/0] via 192.168.40.1, port1
        S       10.240.0.0/24 [10/0] is directly connected, meditech
        S       10.240.64.0/24 [10/0] is directly connected, meditech
        S       12.123.1.233/32 [10/0] via 12.178.80.241, port15
        S       12.127.16.67/32 [10/0] via 12.178.80.241, port15
        S       12.127.16.68/32 [10/0] via 12.178.80.241, port15
        S       12.127.17.72/32 [10/0] via 12.178.80.241, port15
        S       12.129.20.0/24 [10/0] via 216.19.237.1, port16
        S       12.129.199.61/32 [10/0] via 216.19.237.1, port16
        S       12.129.219.155/32 [10/0] via 216.19.237.1, port16
        S       12.130.132.46/32 [10/0] via 216.19.237.1, port16
        S       12.147.116.3/32 [10/0] is directly connected, hologic
        C       12.178.80.240/28 is directly connected, port15
        S       12.178.87.2/32 [10/0] via 192.168.40.9, port1
        S       38.126.166.7/32 [10/0] via 12.178.80.241, port15
        S       38.126.166.10/32 [10/0] via 12.178.80.241, port15
        S       38.126.166.11/32 [10/0] via 12.178.80.241, port15
        S       38.128.166.8/32 [10/0] via 12.178.80.241, port15
        S       63.239.162.4/32 [10/0] via 12.178.80.241, port15
        S       63.241.222.0/24 [10/0] via 216.19.237.1, port16
        S       64.14.91.64/26 [10/0] is directly connected, dictaphone
        S       65.55.88.0/24 [10/0] via 216.19.237.1, port16
        S       66.92.246.210/32 [10/0] via 216.19.237.1, port16
        S       68.17.74.31/32 [10/0] via 216.19.237.1, port16
        S       68.17.74.198/32 [10/0] via 216.19.237.1, port16
        S       69.25.46.5/32 [10/0] via 12.178.80.241, port15
        S       69.25.46.7/32 [10/0] via 12.178.80.241, port15
        S       69.25.46.8/32 [10/0] via 12.178.80.241, port15
        S       69.25.46.10/32 [10/0] via 12.178.80.241, port15
        S       69.25.46.11/32 [10/0] via 12.178.80.241, port15
        S       69.25.46.17/32 [10/0] via 12.178.80.241, port15
        S       69.25.46.20/32 [10/0] via 12.178.80.241, port15
        S       69.60.160.0/24 [10/0] via 216.19.237.1, port16
        S       72.248.115.7/32 [10/0] via 216.19.237.1, port16
        S       94.245.120.64/26 [10/0] via 216.19.237.1, port16
        S       128.11.42.81/32 [10/0] via 12.178.80.241, port15
        S       128.11.160.0/24 [10/0] is directly connected, nehen
        S       128.167.135.0/24 [10/0] is directly connected, nehen
        S       131.239.33.20/32 [10/0] via 216.19.237.1, port16
        S       161.77.40.136/32 [10/0] via 216.19.237.1, port16
        S       161.77.40.142/32 [10/0] via 216.19.237.1, port16
        S       162.95.80.230/32 [10/0] via 216.19.237.1, port16
        S       164.120.156.14/32 [10/0] is directly connected, nehen
        S       192.68.48.0/22 [10/0] is directly connected, philips
        S       192.168.1.0/24 [10/0] is directly connected, amherst
        S       192.168.1.11/32 [10/0] is directly connected, amherst
        S       192.168.1.12/32 [10/0] is directly connected, amherst
        S       192.168.1.105/32 [10/0] is directly connected, amherst
        S       192.168.1.107/32 [10/0] is directly connected, amherst
        S       192.168.1.109/32 [10/0] is directly connected, amherst
        S       192.168.1.113/32 [10/0] is directly connected, amherst
        S       192.168.30.0/24 [10/0] via 192.168.40.1, port1
        S       192.168.32.0/24 [10/0] via 192.168.40.1, port1
        S       192.168.36.0/24 [10/0] via 192.168.40.1, port1
        S       192.168.37.0/24 [10/0] via 192.168.40.1, port1
        S       192.168.38.0/24 [10/0] via 192.168.40.1, port1
        S       192.168.39.0/24 [10/0] via 192.168.40.1, port1
        C       192.168.40.0/22 is directly connected, port1
        C       192.168.99.0/24 is directly connected, port2
        S       192.168.143.0/24 [10/0] via 192.168.40.1, port1
        S       192.168.230.0/24 [10/0] via 192.168.40.1, port1
        S       192.168.238.0/24 [10/0] via 192.168.40.1, port1
        S       192.168.240.0/24 [10/0] via 192.168.40.1, port1
        S       195.33.169.46/32 [10/0] via 216.19.237.1, port16
        S       198.92.116.3/32 [10/0] is directly connected, dictaphone
        S       198.92.118.0/24 [10/0] is directly connected, dictaphone
        S       198.92.119.247/32 [10/0] is directly connected, dictaphone
        S       198.92.119.248/32 [10/0] is directly connected, dictaphone
        S       199.26.210.197/32 [10/0] via 12.178.80.241, port15
        S       199.107.238.205/32 [10/0] via 216.19.237.1, port16
        S       203.163.124.46/32 [10/0] via 216.19.237.1, port16
        S       204.165.229.185/32 [10/0] via 216.19.237.1, port16
        S       204.165.229.186/32 [10/0] via 216.19.237.1, port16
        S       204.228.201.10/32 [10/0] via 216.19.237.1, port16
        S       204.228.201.11/32 [10/0] via 216.19.237.1, port16
        S       204.250.122.121/32 [10/0] via 216.19.237.1, port16
        S       206.16.57.70/32 [10/0] via 216.19.237.1, port16
        S       206.28.216.0/28 [10/0] is directly connected, dictaphone
        S       207.46.51.64/26 [10/0] via 216.19.237.1, port16
        S       207.46.163.0/24 [10/0] via 216.19.237.1, port16
        S       207.127.11.8/32 [10/0] via 216.19.237.1, port16
        S       208.78.140.29/32 [10/0] is directly connected, company_medical
        S       208.78.140.30/32 [10/0] is directly connected, company_medical
        S       208.86.145.233/32 [10/0] via 12.178.80.241, port15
        S       208.86.145.235/32 [10/0] via 12.178.80.241, port15
        S       208.86.145.239/32 [10/0] via 12.178.80.241, port15
        S       208.86.145.253/32 [10/0] via 12.178.80.241, port15
        S       208.86.145.254/32 [10/0] via 12.178.80.241, port15
        S       209.117.210.233/32 [10/0] via 12.178.80.241, port15
        S       209.117.210.235/32 [10/0] via 12.178.80.241, port15
        S       209.117.210.253/32 [10/0] via 12.178.80.241, port15
        S       209.117.210.254/32 [10/0] via 12.178.80.241, port15
        S       209.237.226.38/32 [10/0] via 216.19.237.1, port16
        S       213.199.154.0/24 [10/0] via 216.19.237.1, port16
        S       213.199.180.128/26 [10/0] via 216.19.237.1, port16
        C       216.19.237.0/27 is directly connected, port16
        S       216.32.180.0/24 [10/0] via 216.19.237.1, port16
        S       216.32.181.0/24 [10/0] via 216.19.237.1, port16
        S       216.57.136.43/32 [10/0] via 216.19.237.1, port16
        S       216.165.132.231/32 [10/0] is directly connected, epic
                                   [10/0] via 216.19.237.1, port16
        S       216.231.91.67/32 [10/0] via 216.19.237.1, port16
        S       216.231.91.167/32 [10/0] via 216.19.237.1, port16
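The check ede_pfau asks for earlier in the thread (is the tunnel's static route actually present in the active table, and if not, where does the remote host resolve to?) can be scripted against the output of `get router info routing-table all`. The following Python is an added example written for this thread, not code from Fortinet or from any poster. The route lines in it are constructed to mimic the FortiOS format shown in the posts above (not the poster's full table); `rmg_dev` and 10.154.154.0/24 are the tunnel interface and remote network named in the question, and the "tunnel up" table simply adds the interface-bound route that FortiOS inserts once the tunnel comes up.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Constructed sample in the format of FortiOS `get router info routing-table all`,
# modelled on the thread's output. The "Codes:" header and the second ECMP path on
# its own line are included to show that the parser skips non-route lines.
TABLE_TUNNEL_DOWN = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       * - candidate default

S*      0.0.0.0/0 [10/0] via 216.19.237.1, port16
                  [10/0] via 12.178.80.241, port15, [100/0]
C       192.168.40.0/22 is directly connected, port1
S       192.168.32.0/24 [10/0] via 192.168.40.1, port1
S       10.66.4.0/24 [10/0] is directly connected, meditech
"""

# Same table once the tunnel is up: the static route bound to the VPN interface
# (rmg_dev, the interface name from the question) is now in the active table.
TABLE_TUNNEL_UP = TABLE_TUNNEL_DOWN + \
    "S       10.154.154.0/24 [10/0] is directly connected, rmg_dev\n"

ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z*]+)\s+"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)\s+"
    r"(?:\[(?P<ad>\d+)/(?P<metric>\d+)\]\s+)?"          # absent on C (connected) routes
    r"(?:via\s+(?P<nexthop>\d+\.\d+\.\d+\.\d+),\s+|is directly connected,\s+)"
    r"(?P<iface>\S+)"
)


def parse_routing_table(text: str) -> List[Dict]:
    """Turn the CLI dump into route records; header and continuation lines are ignored."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        routes.append({
            "code": m.group("code"),
            "network": ipaddress.ip_network(m.group("prefix"), strict=False),
            "ad": int(m.group("ad") or 0),          # administrative distance
            "metric": int(m.group("metric") or 0),
            "nexthop": m.group("nexthop"),           # None for connected routes
            "iface": m.group("iface"),
        })
    return routes


def lookup(routes: List[Dict], dst: str) -> Optional[Dict]:
    """Longest-prefix match, ties broken by lower distance and then lower metric."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["network"]]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (r["network"].prefixlen, -r["ad"], -r["metric"]))


def diagnose(routes: List[Dict], dst: str, tunnel_iface: str) -> str:
    """Say where traffic to dst really goes and whether the tunnel route is active."""
    best = lookup(routes, dst)
    if best is None:
        return f"no route to {dst}"
    if best["iface"] == tunnel_iface:
        return f"ok: {dst} matches {best['network']} on {tunnel_iface}"
    if any(r["iface"] == tunnel_iface for r in routes):
        return (f"shadowed: {tunnel_iface} has routes, but {dst} matches "
                f"{best['network']} on {best['iface']} (longer or equal prefix)")
    return (f"missing: no active route on {tunnel_iface}; {dst} falls through to "
            f"{best['network']} via {best['nexthop'] or 'connected'} on {best['iface']}")


if __name__ == "__main__":
    for name, table in (("tunnel down", TABLE_TUNNEL_DOWN), ("tunnel up", TABLE_TUNNEL_UP)):
        print(name + ":", diagnose(parse_routing_table(table), "10.154.154.14", "rmg_dev"))
```

Run against the "tunnel down" table the script reports that 10.154.154.14 only matches 0.0.0.0/0 on port16, which is exactly the path the tracert in this thread took; against the "tunnel up" table the /24 on rmg_dev wins the longest-prefix match. Pasting a real dump in place of the constructed sample gives the same answer for any FortiGate whose tunnel route seems to be ignored.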