Spiderghom
New Member
October 22, 2024
Question

routing to Public Internet over IPsec


Hi Guys,

I am testing a setup with 2 x 80F in two branches (A and B) connected back to a hub (C) via an IPsec tunnel.

The local LANs behind the branches can ping the hub's local LAN through the tunnel. I also configured a second phase2 selector to allow another local LAN (a /29 in each branch) to get to the internet through the hub. I have added a default route via the IPsec interface in each branch and a firewall policy allowing the second local LAN (/29), and in the hub the required firewall policy.

For branch B, which has the second /29, the ping towards the internet via the hub is working, but not in branch A.

I can see under the routing monitor that a static route for the /29 of branch B is showing, but not for the /29 of branch A.

I am wondering if I am missing anything. I went to compare the config of A and B and couldn't find any difference/issue except that the IP scheme is different.



Toshi_Esumi
SuperUser
October 22, 2024

I'm assuming the 2x80F are in HA (a-p) at each branch, and each branch has only one IPsec tunnel to C. Then make sure the C-FGT has those two /29 routes pointing to each IPsec tunnel to A and B.
Then you need a traceroute from A's /29 toward the internet to see whether it actually goes to C over the tunnel or not.

I meant "get router info routing-t all" in CLI.

Toshi

Spiderghom
New Member
October 22, 2024

Hi Toshi,

There is no HA. A & B are independent. The final setup will have about 10 80Fs, but I am testing at the moment with two branches.

I did the traceroute and it's not getting anywhere.


branch-A # execute traceroute-options source Local-LAN-allowed-to-internet

branch-A # execute traceroute 8.8.8.8 
traceroute to 8.8.8.8 (8.8.8.8), 32 hops max, 3 probe packets per hop, 84 byte packets
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * *

Toshi_Esumi
SuperUser
October 22, 2024

We need to know the topology at A including the two 80Fs, which 80F the /29 is connected to, and the routing table on that 80F. Again, "get router info routing-t all"; you can remove the unrelated part from the entire table before showing it to us.

Toshi

pminarik
Staff
October 22, 2024

Is the Hub-and-spoke setup dynamic (one phase1-interface configured in hub for all spokes), or static (one phase1 per spoke)?


If dynamic, this raises the question of how you're doing routing on the hub. How does it learn about each spoke's subnets? Dynamic routing (BGP, OSPF, RIP), or does it learn the routes from phase2-selectors ("set add-route enable" in phase1 or phase2)?

Spiderghom
New Member
October 23, 2024

Hi,

Yes, it's a dynamic setup: a single phase1-interface for all branches.

The hub gets the routes from the phase2 selectors. I confirmed that by bringing the phase2 selectors up and down: the route gets added and removed.

Toshi_Esumi
SuperUser
SuperUser
October 23, 2024

I hate the dialup VPN after they made the change for routing after 6.0/6.2.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-set-net-device-new-route-based-IPsec-logic/ta-p/193618
I think now it works if you have "set add-route enable" after 7.0.
https://docs.fortinet.com/document/fortigate/7.0.0/administration-guide/534155/dynamic-ipsec-route-control
But not sure if it still creates "...tunnel_0", "...tunnel_1" virtual interface for routing. That's why I asked "get router info routing-table all" to see the interface names.
Why don't you just set up two completely separate/independent/different-phase1-name site-to-site IPsec VPNs? So that routing on the hub side is quite simple. If injected (add-route) based on phase2-selectors they would be pointed to those two interfaces.

Toshi
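As an added illustration of the setup pminarik asks about and Spiderghom confirms (one dynamic phase1 on the hub, routes injected from phase2 selectors with "set add-route enable"), here is a minimal FortiOS CLI fragment for the hub and one spoke, followed by the checks Toshi asks for. This is example configuration written for this page, not the poster's config. Interface names (wan1, lan2), tunnel names (HUB-DIALUP, TO-HUB), the address objects SPOKE-A-INET-29 / SPOKE-B-INET-29, the 10.0.0.0/24 hub LAN, the 10.20.0.0/24 spoke LAN, the 10.20.1.0/29 internet-bound subnet and the hub address 203.0.113.10 are all assumed. On the spoke it also assumes a policy route for the /29 plus a second, lower-priority default route through the tunnel, rather than the single default route via the tunnel the poster describes.

```text
# ===== Hub C: one dynamic (dialup) phase1 shared by all spokes (example, assumed names) =====
config vpn ipsec phase1-interface
    edit "HUB-DIALUP"
        set type dynamic
        set interface "wan1"
        set peertype any
        set net-device disable          # single HUB-DIALUP interface for all spokes (no HUB-DIALUP_0/_1)
        set add-route enable            # inject each spoke's negotiated src-subnet as a route via HUB-DIALUP
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <shared-secret>
    next
end
config vpn ipsec phase2-interface
    edit "HUB-DIALUP-P2"
        set phase1name "HUB-DIALUP"
        set proposal aes256-sha256
        set src-subnet 0.0.0.0 0.0.0.0  # wildcard: the hub accepts the narrower selectors each spoke proposes
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
# No static routes for spoke LANs on the hub: add-route creates them when each selector's SA comes up.
config firewall policy
    edit 0
        set name "spoke-29s-to-internet"
        set srcintf "HUB-DIALUP"
        set dstintf "wan1"
        set srcaddr "SPOKE-A-INET-29" "SPOKE-B-INET-29"   # assumed address objects for each branch /29
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable                   # hub SNATs the spoke /29s to its WAN address
    next
end

# ===== Spoke A: static site-to-site phase1 to the hub, two phase2 selectors =====
config vpn ipsec phase1-interface
    edit "TO-HUB"
        set interface "wan1"
        set remote-gw 203.0.113.10      # assumed hub WAN address
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <shared-secret>
    next
end
config vpn ipsec phase2-interface
    edit "TO-HUB-LAN"                   # selector 1: spoke LAN <-> hub LAN
        set phase1name "TO-HUB"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 10.20.0.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.255.255.0
    next
    edit "TO-HUB-INET"                  # selector 2: the /29 that reaches the internet via the hub
        set phase1name "TO-HUB"
        set proposal aes256-sha256
        set auto-negotiate enable       # bring the SA up without waiting for traffic, so add-route fires on the hub
        set src-subnet 10.20.1.0 255.255.255.248
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
config router static
    edit 0
        set dst 10.0.0.0 255.255.255.0  # hub LAN over the tunnel
        set device "TO-HUB"
    next
    edit 0
        set device "TO-HUB"             # second default route, kept in the table but less preferred than the WAN one
        set priority 10
    next
end
config router policy
    edit 0
        set input-device "lan2"         # assumed: the /29 sits behind lan2
        set src "10.20.1.0/255.255.255.248"
        set output-device "TO-HUB"      # only the /29 is steered into the tunnel; the main LAN keeps the WAN default
    next
end

# ===== Checks on the hub (what to compare between branch A and branch B) =====
get router info routing-table all | grep /29    # expect one injected "S" route per spoke /29 via HUB-DIALUP
diagnose vpn tunnel list name HUB-DIALUP        # one SA per negotiated selector; no SA for 10.20.1.0/29 means
                                                # selector 2 never came up, so add-route had nothing to inject
diagnose debug flow filter addr 8.8.8.8         # then ping 8.8.8.8 from the /29 and read the flow trace
diagnose debug flow trace start 10
diagnose debug enable
```

The reason the missing route is the first thing to check: with add-route the hub only learns a spoke's /29 when that spoke's second selector actually negotiates. If branch A's "TO-HUB-INET" SA is absent in "diagnose vpn tunnel list", compare its src-subnet/dst-subnet and auto-negotiate settings against branch B's before looking at firewall policies; a selector that never comes up produces exactly the symptom in the thread (route present for B, absent for A, traceroute from A's /29 showing nothing).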