Ringo
New Member
January 25, 2016
Question

IPsec VPNs ALWAYS route hop through DMZ interface IP Address ?


Firewall : 60D with wifi

firmware : V5.2.3 Build670 (GA)

Operation mode : NAT

IPsec VPN DHCP IP client range: 192.168.60.10 - 192.168.60.20

VPN Client only can access the IP 192.168.10.70 (NAS)


Symptom

When the VPN client tries to trace route to 192.168.10.70,

the first hop is ALWAYS the IP address of the FortiGate's DMZ interface, even though I have the FortiGate's DMZ interface administratively down.


When I change the DMZ IP and trace route again, the first hop IP changes accordingly.

When I change the DMZ IP to 0.0.0.0/0.0.0.0 and trace route again, the first hop IP changes to the WAN-1 interface IP (Internet IP).


Why is the first hop IP not the gateway IP? How can I fix this problem?


Thanks


Ringo


1 reply

idirim
New Member
March 17, 2016

Any updates on the topic?

I'm having the same issue on an IPsec site-to-site VPN tunnel (FGT60D 5.2.6).

ede_pfau
SuperUser
March 18, 2016

AFAIK the problem occurs because the IPsec tunnel is unnumbered, i.e. the tunnel interfaces do not have IP addresses by default. FortiOS will then choose the "next" interface where the sequence is not readily apparent from the GUI.

You can try to assign IP addresses to the tunnel ends, although only in the CLI.
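The fix ede_pfau describes, shown as an added example that is not from the thread: FortiOS CLI numbering both ends of an interface-mode IPsec tunnel with /32 addresses. The tunnel name "to_branch" and the 10.254.0.x addresses are assumed placeholders; the mirrored values go on the peer.

```text
# Added example: numbering an interface-mode IPsec tunnel in the FortiOS CLI.
# (The "#" lines are commentary, not CLI input.)
# "to_branch" is an assumed phase1-interface tunnel name; 10.254.0.1/.2 are
# constructed point-to-point addresses. On the peer, swap ip and remote-ip.
config system interface
    edit "to_branch"
        set ip 10.254.0.1 255.255.255.255
        set remote-ip 10.254.0.2
    next
end
```

Once the tunnel interface has its own address, a traceroute from the client should report that address as the first hop instead of whichever physical interface FortiOS picked.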