Skip to main content
pierrec
pierrec
New Member
January 25, 2022
Solved

Policy routing configuration

  • January 25, 2022
  • 3 replies
  • 3773 views

Hi,

I'm using a Fortigate 1500D with VDOMs in 6.0.14.

Here is my network topology :

pierrec_1-1643133596706.png

Initialy, there is only N2 and N3 communicating with a static route on my firewall by R1 and R2.

My goal here is to add N1 which has to communicate with N3 using IPSEC connection over internet.

To do so I first tried to use policy routing through IPSEC using this CB which didn't worked.

Then I tried applying policy routing between N2 and N3 so that I could use static route for the IPSEC routing.

It only worked half way.

Here is my policy routing configuration :

pierrec_2-1643134268211.png

When I'm pinging from N2 to N3 it's OK but on the other half, it's impossible to ping from N3 to N2.

Packets arrives to the firewall by R1 but the firewall isn't routing them. Here is a packet capture from the interface between the firewall and R1 :

pierrec_3-1643134629854.png

Nothing is comming on the packet capture on N2.

What am I missing here ?

Best answer by pierrec

Tested today, it worked :D

Final configuration on the firewall :

  • First configure IPSEC with remote IP address like on this KB
  • Configure one route to N3 using IPSEC GW with weight of 10
  • Configure one route to N3 using R1 GW with weight of 10
  • Configure one policy route for N1 -> N3 using IPSEC GW
  • Configure one policy route for N2 -> N3 using R1 GW

 

Thank you for the HELP !!

3 replies

AlexC-FTNT
Staff
AlexC-FTNT
Staff
January 26, 2022

It seems that the problem is on R3.

If N2 > N3 is ok, it means the packet is routed back by R3 the way it came (from IPSEC).

if N3 > N2 is not ok, and traffic arrives from R1, it means that R3 is routing according to routing table (to R1, not through IPSEC) 

pierrec
pierrecAuthor
New Member
January 26, 2022

There is no R3 in the topology, N2 and N3 have to communicate by the link beetwin R1 and R2 and N1 and N3 have to communicate through IPSEC.

When policy routing is enabled, I can communicate from N2 to N3 but on the opposite, beetwin N3 an N2, ping packets get no responses from the firewall.

It's like the firewall has forgot about N2 beeing a directly connected network.

I tried using a "stop policy routing" policy on the firewall for any packets that were comming from the interface beetwin the firewall and R1 but it did nothing.

pierrec
pierrecAuthor
New Member
January 26, 2022

cancel

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
January 26, 2022

Is your intention below?

N2<->FGT<->R1<->R2<->N3

N1<->FGT<-(IPSec)->R2<->N3

If so, the FGT needs to have a parallel routes for N3 subnet toward both R1 and IPSec in addition to the policy routes. The "priority" can be different through if static routes.

And R2 needs to have policy routes too for the reverse direction. FGT doesn't accept asymetric routes like going out IPsec and comeing back rom R1. So R2 needs to make them symmetric.

 

Toshi

    pierrec
    pierrecAuthor
    New Member
    January 26, 2022

    Yes this is my intention

    @Toshi_Esumi wrote:

    If so, the FGT needs to have a parallel routes for N3 subnet toward both R1 and IPSec in addition to the policy routes. The "priority" can be different through if static routes.

    So policy routes do not replace static routes but indicate which static route stream should uses whatever the weight ?

     

    And R2 needs to have policy routes too for the reverse direction. FGT doesn't accept asymetric routes like going out IPsec and comeing back rom R1. So R2 needs to make them symmetric.

    On the other side this is way simplier, I can just have one route to N2 by R2 and one route to N1 by IPSEC since the destination isn't the same.

    Toshi_Esumi
    SuperUser
    Toshi_Esumi
    SuperUser
    January 26, 2022

    Correct. To be a candidate of policy-route "steering", there needs to be a proper/allowing route in RIB.

    Terms & ConditionsAccessibility statement