New Member

Solved

S2S ipsec, route specific traffic through specific tunnel

Forum|Forum|2 years ago
September 19, 2023
3 replies
1919 views

Hi all
I have the following configuration:
site A and site B, both with 2 wan connections, connected to each other via 4 ipsec tunnels (A1<->B1, A2<->B1, A1<->B2, A2<->B2)
on each tunnel I have the same phases2 and the same routes, the latter with different distances.
the 4 VPN interfaces are grouped in one zone on both sides.
Now I need to rotate all the traffic coming from a specific IP from office B and directed towards a specific IP in office A through a specific IPsec tunnel (for example A1<->B2)
in addition to the fw rules to allow traffic, I also created a route policy, but the traffic continues to pass through the tunnel with the minimum distance route
any hint to improve and/or debug the issue? is there I'd be aware of and that I'm clearly ignoring?
Thank you in advance

FortiGate

Best answer by pminarik

Couple basic rules to remember:

1, Between a /16 /24 route, the longest prefix will always win (/24; using these just as examples)

2, Between routes with identical prefix length, the better (lower) admin distance will always win, the worse admin distance route will not appear in the routing table at all (!!!)

3, Policy routes operate on top of the regular routing table (a valid route over the desired egress interface must exist in the routing table)

Pay attention especially to combinations of #2 and #3. I imagine that this could potentially be your issue:

- /24 route via A2-B1, admin distance 10

- /24 route via A1-B2, admin distance 20

- policy route saying "route from <srcip> to <dst within the /24> via A1-B2

This setup will "fail" because the second route (admin distance 20) will not be present in the routing table, therefore the policy route will not be active at all.

This is a common misconfiguration. If it is your case as well, the solution is to use equal distances for the "duplicate" routes (to keep both in the routing table), but set the generally prefered route to a better (lower) priority value (= this route will always be used for egress, unless down or overridden by a policy route).

pminarikAnswer

Staff

Couple basic rules to remember:

1, Between a /16 /24 route, the longest prefix will always win (/24; using these just as examples)

2, Between routes with identical prefix length, the better (lower) admin distance will always win, the worse admin distance route will not appear in the routing table at all (!!!)

3, Policy routes operate on top of the regular routing table (a valid route over the desired egress interface must exist in the routing table)

Pay attention especially to combinations of #2 and #3. I imagine that this could potentially be your issue:

- /24 route via A2-B1, admin distance 10

- /24 route via A1-B2, admin distance 20

- policy route saying "route from <srcip> to <dst within the /24> via A1-B2

This setup will "fail" because the second route (admin distance 20) will not be present in the routing table, therefore the policy route will not be active at all.

This is a common misconfiguration. If it is your case as well, the solution is to use equal distances for the "duplicate" routes (to keep both in the routing table), but set the generally prefered route to a better (lower) priority value (= this route will always be used for egress, unless down or overridden by a policy route).

hbac

Staff

Hi @nenonano,

Policy route is the right path. However, please make sure both tunnels have the same administrative distance. You can give them different priority instead. Both routes need to be in the routing table in order for policy route to work. You can check the routing table by running "get router info routing-table all"

Regards,

nenonanoAuthor

New Member

Hi there

setting the correct distance and priority solved my issue, now I see the traffic flowing through the right tunnel.
Thank you

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded