rkhair
New Member
October 1, 2017
Question

Site to site VPN, second hop through the DMZ interface?

FortiGate 100D, FortiOS 5.6.0

Hi, we have site-to-site VPNs set up with other offices. When you run a traceroute, it seems the second hop is always the DMZ interface. The interface is down and even disabled, yet it still does it?!? Any ideas? As you can see in the attachment, the first hop is our firewall (192.168.1.100), the second hop is the DMZ interface (172.16.254.1), and then it reaches the device on the other side of the VPN (172.16.201.5). Thanks

    1 reply

    bommi
    New Member
    October 1, 2017

    Hi,

     

    This is normal behavior when using unnumbered IPsec interfaces.

    This KB article describes the behavior and how to work around it if you want:

    http://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD36799&sliceId=1&docTypeID=DT_KCARTICLE_1_1&dialogID=116930985&stateId=0%200%20116932943

     

    Regards,

    bommi
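
Added illustration, not part of the original post or the linked KB article: on FortiOS the tunnel interface that a phase1-interface creates has no address of its own until you assign one, and the CLI below shows how to confirm that state and how to give the tunnel a point-to-point address. The tunnel name "to-branch" and the 10.255.0.0/30 addresses are made up, and treating numbered tunnel addresses as the KB's workaround is an assumption on my part; check the article for the exact steps it recommends.

```fortios
# Added example, not from the post or the KB. Tunnel name and 10.255.0.x addresses are made up.

# 1. Inspect the tunnel interface. An unnumbered tunnel shows 0.0.0.0 for ip and remote-ip,
#    so any packet the FortiGate itself must generate on it (the ICMP time-exceeded that
#    traceroute relies on) is sourced from another interface's address instead, which is how
#    a down DMZ interface can appear as the second hop.
config system interface
    edit "to-branch"
        show full-configuration
    next
end
# expected for an unnumbered tunnel, among the other settings:
#     set ip 0.0.0.0 0.0.0.0
#     set remote-ip 0.0.0.0 0.0.0.0

# 2. Give the tunnel its own /32 addresses; the peer FortiGate gets the mirror image
#    (ip 10.255.0.2, remote-ip 10.255.0.1). The netmask argument on remote-ip exists on
#    current FortiOS; older 5.x releases take only the address.
config system interface
    edit "to-branch"
        set ip 10.255.0.1 255.255.255.255
        set remote-ip 10.255.0.2 255.255.255.255
    next
end

# 3. Re-run the trace from the FortiGate and confirm the second hop is now the tunnel address
#    rather than an unrelated interface.
execute traceroute 172.16.201.5
```

Apply step 2 on both ends of the tunnel, otherwise only the replies generated by the side you changed will carry the tunnel address.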