Jirka1
Explorer II
September 3, 2017
Question

Route Base VPN problem


Hello, I'm trying to set up a site-to-site IPsec VPN between a 60E and a 100D to route all traffic from a specific 60E port into the IPsec tunnel (remote browsing). I used a route-based VPN. The minor problem was with the default route, but it was possible to resolve it by setting priorities. The central unit is the 100D in an A/P cluster. Behind it is Win2008 (AD, DNS, DHCP), and using DHCP relay on the 60E it allocates addresses to clients via the IPsec tunnel. It all works. However, the customer's requirement is also the use of two additional ports on the 60E which must go through the WAN interface directly (with NAT) to the Internet (outside the IPsec tunnel). I set up the interfaces, IP ranges, DHCP, DNS, policy ... Unfortunately, the Internet from these networks was inaccessible. I looked for the reason, and the problem is that the default route for the IPsec tunnel, 0.0.0.0/0 -> TUNNEL, has a lower priority value (2) than the default route 0.0.0.0/0 -> DEFAULT GW (4). So I tried to use policy routing to define that these two networks should route traffic directly to the WAN. Unfortunately, it does not work. So I set up a policy-based VPN between the 60E and the 100D. Now all networks are working, but traffic generated at the 60E itself (ping, connection to FAZ, etc.) all goes through this IPsec tunnel, which is undesirable.

How to best solve this scenario? Ideally using a route-based VPN?

Thank you.

2 replies

Allan_Lago
New Member
September 3, 2017

Hi,

You could do the opposite. Create a route 0.0.0.0/0 -> DEFAULT GW (4) and then create a policy route to match only the traffic you want to go through the VPN, e.g.

172.16.0.0/24 -> TUNNEL

172.160.1.0/24 -> TUNNEL

You shouldn't have any problems with route-based VPN; in fact, they usually have better usage than policy-based VPNs.

Hope it helps.

Jirka1 (Author)
Explorer II
September 4, 2017
Hi, the problem is that I need all traffic from specific subnets/interfaces to go through the tunnel, not only some subnets. And if I create two default routes 0.0.0.0/0 (one with priority 2 to the tunnel and one with priority 4 to the WAN GW), traffic from the interface which I don't want routed to the tunnel is routed to the tunnel :\
oheigl
New Member
September 4, 2017

Yeah but that's exactly what he meant, configure the WAN gateway route with lower priority than the one into the VPN tunnel (lower priority means actually that it's preferred to the higher priority value). After that, create a policy route with source and destination 0.0.0.0 pointing to the VPN tunnel, and set the source interface to the specific interface which should go through the VPN. This should work just fine :)

Allan_Lago
New Member
September 4, 2017

Hi,

Correct me if I'm wrong. You have:

WAN1 interface responsible for the internet traffic.

Internal2 is your LAN

XDC is a VLAN tied to Internal2

UniFi is a VLAN tied to Internal2

You want to route only internal2 through the VPN (IPsec->HQ), right?

Same distance means that both the WAN1 and IPsec routes will be active at the same time.

A lower priority value on WAN1 means that traffic will be routed through it while the WAN1 link is active.

config router static
    edit 3
        set gateway 62.xxx.xxx.xxx
        set distance 10
        set priority 1   #Change it to a lower priority than the IPsec Tunnel.
        set device "wan1"
    next
    edit 2
        set distance 10
        set priority 2   #Change it to a higher priority
        set device "IPsec->HQ"
    next
end

Now, about your policy routes you just need to create one from internal2 to IPsec->HQ, all the other interfaces will assume the lower priority static route.

config router policy
    edit 1
        set input-device "internal2"
        set srcaddr "all"
        set dstaddr "all"
        set output-device "IPsec->HQ"
    next
end

Try this and give us feedback please; if it doesn't work, post the results of the following commands:

show full-configuration system interface wan1

show full-configuration system interface IPsec->HQ

get router info routing-table database

Hope it helps
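
To show why the ordering in the reply above works, here is an added Python model (not from the original thread and not Fortinet code) of the lookup order a FortiGate applies: policy routes are consulted first, then the routing table by longest prefix, lowest administrative distance and lowest priority value. It compares the poster's original static routes (tunnel priority 2, WAN priority 4, no policy route) with the priorities and the internal2 policy route suggested above. The connected prefixes are taken from the routing table posted later in this thread; the wan1 prefix 203.0.113.0/26 and the destination 198.51.100.7 are constructed placeholders, and the model deliberately ignores ECMP, firewall policies and NAT.

```python
"""Added example: a simplified model of FortiGate egress selection.
Policy routes are consulted first; the routing table is then searched by
longest prefix, lowest administrative distance, lowest priority value.
This is an assumption-based simplification, not FortiOS's actual code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class StaticRoute:
    dst: str            # destination prefix, "0.0.0.0/0" for a default route
    device: str         # egress interface
    distance: int = 10  # administrative distance
    priority: int = 0   # lower value is preferred among equal-distance routes


@dataclass
class PolicyRoute:
    input_device: str
    output_device: str
    srcaddr: str = "0.0.0.0/0"   # "all"
    dstaddr: str = "0.0.0.0/0"   # "all"


# Connected networks as shown in the routing table posted in this thread.
# The wan1 prefix is a constructed placeholder for the redacted 62.xxx.xxx.xxx/26.
CONNECTED = {
    "UniFi": "10.33.1.0/24",
    "XDC": "100.10.20.0/24",
    "internal2": "172.17.14.0/24",
    "internal": "192.168.1.0/24",
    "wan1": "203.0.113.0/26",
}


def select_egress(policy_routes: List[PolicyRoute], static_routes: List[StaticRoute],
                  in_device: str, src: str, dst: str) -> Optional[str]:
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Step 1: policy routes, in sequence order, are checked before the routing table.
    for p in policy_routes:
        if (p.input_device == in_device
                and src_ip in ipaddress.ip_network(p.srcaddr)
                and dst_ip in ipaddress.ip_network(p.dstaddr)):
            return p.output_device
    # Step 2: routing table. Connected routes carry distance 0 and priority 0.
    table = [(ipaddress.ip_network(pfx), 0, 0, dev) for dev, pfx in CONNECTED.items()]
    table += [(ipaddress.ip_network(r.dst), r.distance, r.priority, r.device)
              for r in static_routes]
    matching = [row for row in table if dst_ip in row[0]]
    if not matching:
        return None
    # Longest prefix wins; ties are broken by lowest distance, then lowest priority value.
    matching.sort(key=lambda row: (-row[0].prefixlen, row[1], row[2]))
    return matching[0][3]


# Scenario A: the original poster's setup (tunnel default route wins on priority).
ORIGINAL_STATIC = [
    StaticRoute("0.0.0.0/0", "IPsec->HQ", distance=10, priority=2),
    StaticRoute("0.0.0.0/0", "wan1", distance=10, priority=4),
]
ORIGINAL_POLICY: List[PolicyRoute] = []

# Scenario B: the reply's suggestion (wan1 preferred, internal2 steered by policy route).
PROPOSED_STATIC = [
    StaticRoute("0.0.0.0/0", "wan1", distance=10, priority=1),
    StaticRoute("0.0.0.0/0", "IPsec->HQ", distance=10, priority=2),
]
PROPOSED_POLICY = [PolicyRoute(input_device="internal2", output_device="IPsec->HQ")]

PUBLIC_DST = "198.51.100.7"  # constructed placeholder for an Internet destination


def egress_original(in_device: str, src: str, dst: str = PUBLIC_DST) -> Optional[str]:
    return select_egress(ORIGINAL_POLICY, ORIGINAL_STATIC, in_device, src, dst)


def egress_proposed(in_device: str, src: str, dst: str = PUBLIC_DST) -> Optional[str]:
    return select_egress(PROPOSED_POLICY, PROPOSED_STATIC, in_device, src, dst)


if __name__ == "__main__":
    for name, fn in (("original", egress_original), ("proposed", egress_proposed)):
        print(f"{name:8s} UniFi -> {fn('UniFi', '10.33.1.10')}, "
              f"internal2 -> {fn('internal2', '172.17.14.10')}")
```

Running it shows the UniFi host leaving via the tunnel under the original priorities and via wan1 under the proposed ones, while internal2 is steered into the tunnel by the policy route in both cases. One consequence of the policy-route-first order, in this model as on the FortiGate, is that a catch-all policy route also captures internal2 traffic addressed to the unit's other local segments (for example 192.168.1.0/24); if internal2 must reach those directly, narrow dstaddr or add an earlier policy route for them.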

Jirka1 (Author)
Explorer II
September 4, 2017

Hi alago,

thanks for your feedback.

I tried your cfg with this result:

1) IPsec tunnel is functional
2) other networks (UniFi, XDC) do not work - they do not pass through the FGT

cfg:

config system interface
    edit "wan1"
        set vdom "root"
        set fortilink disable
        set mode static
        set dhcp-relay-service disable
        set ip 62.xxx.xxx.xxx 255.255.255.192
        set allowaccess ping https ssh snmp
        set fail-detect disable
        set pptp-client disable
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set l2forward disable
        set icmp-redirect enable
        set vlanforward disable
        set stpforward disable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set subst disable
        set substitute-dst-mac 00:00:00:00:00:00
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type physical
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set description ''
        set alias "WAN"
        set l2tp-client disable
        set security-mode none
        set device-identification disable
        set lldp-transmission vdom
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set vrrp-virtual-mac disable
        set role wan
        set snmp-index 1
        set secondary-IP disable
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set ip6-address ::/0
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set speed auto
        set mtu-override disable
        set wccp disable
        set drop-overlapped-fragment disable
        set drop-fragment disable
    next
end
config system interface
    edit "IPsec->HQ"
        set vdom "root"
        set distance 5
        set dhcp-relay-service disable
        set ip 0.0.0.0 0.0.0.0
        unset allowaccess
        set arpforward enable
        set broadcast-forward disable
        set bfd global
        set icmp-redirect enable
        set ips-sniffer-mode disable
        set ident-accept disable
        set ipmac disable
        set status up
        set netbios-forward disable
        set wins-ip 0.0.0.0
        set type tunnel
        set netflow-sampler disable
        set sflow-sampler disable
        set scan-botnet-connections disable
        set src-check enable
        set sample-rate 2000
        set polling-interval 20
        set sample-direction both
        set explicit-web-proxy disable
        set explicit-ftp-proxy disable
        set proxy-captive-portal disable
        set tcp-mss 0
        set inbandwidth 0
        set outbandwidth 0
        set spillover-threshold 0
        set ingress-spillover-threshold 0
        set weight 0
        set external disable
        set remote-ip 0.0.0.0
        set description ''
        set alias ''
        set l2tp-client disable
        set security-mode none
        set fortiheartbeat disable
        set estimated-upstream-bandwidth 0
        set estimated-downstream-bandwidth 0
        set role undefined
        set snmp-index 4
        set preserve-session-route disable
        set auto-auth-extension-device disable
        set ap-discover enable
        config ipv6
            set ip6-mode static
            set nd-mode basic
            unset ip6-allowaccess
            set ip6-reachable-time 0
            set ip6-retrans-time 0
            set ip6-hop-limit 0
            set dhcp6-prefix-delegation disable
            set dhcp6-information-request disable
            set ip6-address ::/0
            set ip6-send-adv disable
            set autoconf disable
            set dhcp6-relay-service disable
        end
        set wccp disable
        set interface "wan1"
    next
end
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       > - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [10/0] is directly connected, IPsec->HQ, [2/0]
     *> [10/0] via 62.xxx.xxx.xxx, wan1, [4/0]
C *> 10.33.1.0/24 is directly connected, UniFi
C *> 62.xxx.xxx.xxx/26 is directly connected, wan1
C *> 100.10.20.0/24 is directly connected, XDC
C *> 172.17.14.0/24 is directly connected, internal2
C *> 172.20.0.0/16 is directly connected, XDC-VPN
C *> 192.168.1.0/24 is directly connected, internal
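
The table just posted shows both default routes installed in the FIB with distance 10, and the tunnel entry still carries the lower priority value ([2/0] against [4/0]), so the tunnel remains the preferred default and the other VLANs keep landing in it. As an added example (not from the thread or from Fortinet), here is a Python parser for this `get router info routing-table database` format that extracts each route's prefix, distance, priority and flags and reports which default route the unit prefers; the sample is constructed from the posted output, with 203.0.113.0/26 standing in for the redacted WAN prefix and 203.0.113.1 for the redacted next hop.

```python
"""Added example: parse FortiOS `get router info routing-table database`
output and report the preferred default route. The flag meanings follow the
legend in the output ('>' selected, '*' FIB route)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed from the table posted in this thread; WAN values are placeholders.
SAMPLE = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       > - selected route, * - FIB route, p - stale info

S *> 0.0.0.0/0 [10/0] is directly connected, IPsec->HQ, [2/0]
     *> [10/0] via 203.0.113.1, wan1, [4/0]
C *> 10.33.1.0/24 is directly connected, UniFi
C *> 203.0.113.0/26 is directly connected, wan1
C *> 100.10.20.0/24 is directly connected, XDC
C *> 172.17.14.0/24 is directly connected, internal2
C *> 192.168.1.0/24 is directly connected, internal
"""

# One route line: optional protocol code, flags, prefix (absent on continuation
# lines for a second path), optional [distance/metric], next hop, device and
# optional [priority/0] tail. Legend lines do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<proto>[A-Za-z]{1,2})?\s*(?P<flags>[*>]*)\s*"
    r"(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)?\s*"
    r"(?:\[(?P<dist>\d+)/(?P<metric>\d+)\])?\s*"
    r"(?:is directly connected|via (?P<via>\S+)),\s*"
    r"(?P<dev>[^,]+?)(?:,\s*\[(?P<prio>\d+)/\d+\])?\s*$"
)


@dataclass
class RouteEntry:
    proto: str
    prefix: str
    distance: int
    priority: int
    device: str
    via: Optional[str]
    selected: bool   # '>' flag
    in_fib: bool     # '*' flag


def parse_routing_table(text: str) -> List[RouteEntry]:
    entries: List[RouteEntry] = []
    last_proto: Optional[str] = None
    last_prefix: Optional[str] = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # A continuation line (second path for the same prefix) inherits
        # protocol and prefix from the line above it.
        proto = m.group("proto") or last_proto
        prefix = m.group("prefix") or last_prefix
        if proto is None or prefix is None:
            continue
        flags = m.group("flags") or ""
        entries.append(RouteEntry(
            proto=proto, prefix=prefix,
            distance=int(m.group("dist") or 0),   # connected routes show no distance
            priority=int(m.group("prio") or 0),   # no tail means priority 0
            device=m.group("dev").strip(), via=m.group("via"),
            selected=">" in flags, in_fib="*" in flags))
        last_proto, last_prefix = proto, prefix
    return entries


def default_routes(entries: List[RouteEntry]) -> List[RouteEntry]:
    """Default routes that are actually installed in the FIB."""
    return [e for e in entries if e.prefix == "0.0.0.0/0" and e.in_fib]


def equal_distance_defaults(entries: List[RouteEntry]) -> bool:
    """True when more than one default route is installed with the same distance."""
    defaults = default_routes(entries)
    return len(defaults) > 1 and len({e.distance for e in defaults}) == 1


def preferred_default(entries: List[RouteEntry]) -> Optional[str]:
    """Device of the default route the unit prefers: lowest distance, then lowest priority."""
    defaults = default_routes(entries)
    if not defaults:
        return None
    return min(defaults, key=lambda e: (e.distance, e.priority)).device


if __name__ == "__main__":
    routes = parse_routing_table(SAMPLE)
    for e in default_routes(routes):
        print(f"default via {e.device:10s} distance={e.distance} priority={e.priority}")
    print("equal-distance defaults:", equal_distance_defaults(routes))
    print("preferred default:", preferred_default(routes))
```

Run against the posted table this reports IPsec->HQ as the preferred default, which matches the symptom (UniFi and XDC not reaching the Internet) and is the first thing to check before asking for the static route configuration: if the swap to wan1 priority 1 / tunnel priority 2 had taken effect, the wan1 entry would show the lower priority value.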

Allan_Lago
New Member
September 4, 2017

Hi,

Please run show full-configuration router static and post the result.