MaitM
New Member
August 15, 2022
Question

SSL, IPSEC,GRE routing

  • August 15, 2022
  • 2 replies
  • 2825 views

Hi

I'm struggling with a routing issue. We have an IPSEC tunnel over GRE to partner Cisco routers. For that we needed to create an overlapping IP address interface for IPSEC. Now I have a /29 for the main WAN connection and a /32 for the IPSEC interface. In general everything works fine, but if we need to access the WAN interface IP from the internal network (over routing) then the /32 connected interface is the best match. In our case it is the IPSEC VPN. But that will not work for SSL clients.

So from the internal network we cannot use the same profile as we would use over the internet for SSL VPN. It is a bit confusing for end users as some of the resources are accessible only over SSL VPN.

Is there a trick to allow traffic from internal networks to the WAN interface if there is a better route available (the /32 rules over the /29 connected interface)?


#SSL #IPSEC #GRE

2 replies

Hasnatriad
Staff
August 15, 2022

Routing behaviour can be changed by modifying priority and distance. You can follow the KB below to understand the behaviour:

https://community.fortinet.com/t5/FortiGate/Technical-Note-Routing-behavior-depending-on-distance-and/ta-p/198221

MaitM
Author
New Member
August 15, 2022

Unfortunately that will affect static routes. In my case both are connected routes, so in the routing table both appear as generated automatically, with priority and distance "0".
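As an added illustration (not code from the thread or from Fortinet), a route lookup in Python over a constructed table that mirrors the setup above: a connected /29 on the WAN interface and a connected /32 on the overlapping tunnel interface. The addresses and interface names are assumptions; the selection order (longest prefix, then distance, then priority) is what the lookup models.

```python
import ipaddress

# Constructed routing table modelled on the thread. Both WAN entries are
# connected routes, so distance and priority are 0 on each. Interface names
# and addresses are assumptions for the example, not values from the post.
ROUTES = [
    # (prefix, interface, distance, priority)
    ("203.0.113.8/29", "wan1", 0, 0),        # main WAN subnet, firewall at .10
    ("203.0.113.10/32", "ipsec-gre", 0, 0),  # overlapping /32 for the IPsec/GRE tunnel
    ("10.0.0.0/8", "internal", 0, 0),        # internal network
]


def best_route(dst, routes=ROUTES):
    """Return the route a longest-prefix lookup selects for dst.

    Selection order: longest prefix first, then lowest distance, then lowest
    priority. Distance and priority only break ties between routes of the same
    prefix length, which is why tuning them cannot make a /29 beat a /32.
    """
    addr = ipaddress.ip_address(dst)
    candidates = []
    for prefix, iface, dist, prio in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net:
            candidates.append((net, iface, dist, prio))
    if not candidates:
        return None
    net, iface, dist, prio = min(
        candidates, key=lambda r: (-r[0].prefixlen, r[2], r[3])
    )
    return {"prefix": str(net), "interface": iface, "distance": dist, "priority": prio}


def egress_interface(dst, routes=ROUTES):
    """Interface a packet from the internal network to dst would leave on."""
    route = best_route(dst, routes)
    return route["interface"] if route else None


if __name__ == "__main__":
    # Traffic to the WAN address from inside lands on the /32 tunnel interface.
    print(best_route("203.0.113.10"))
    # Another host in the same /29 still resolves to wan1.
    print(best_route("203.0.113.12"))
    # Even a worse distance on the /32 (hypothetical; connected routes are fixed
    # at 0) does not change the outcome, because prefix length is decided first.
    tuned = [(p, i, 10 if p.endswith("/32") else d, pr) for p, i, d, pr in ROUTES]
    print(egress_interface("203.0.113.10", tuned))
```
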

syordanov
Staff
August 16, 2022

Dear @MaitM,

You can try with policy routing. As a source you can configure the source IP addresses from your internal network, and as a destination interface the WAN interface.

Useful KB -> https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-the-firewall-Policy-Routes/ta-p/189996


MaitM
Author
New Member
August 18, 2022

Tried that one out but it did not help. Not sure, but I believe the policy route will not be used as the traffic has local devices as destination.

syordanov
Staff
August 30, 2022

Dear MaitM,

Can you share something about the routing? Did you check with debug flow how traffic is flowing from SSL to your WAN interface?

diagnose debug reset
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow filter saddr x.x.x.x <---- SSL source IP
diagnose debug console timestamp enable
diagnose debug flow trace start 9999
diagnose debug enable
diag sys session filter src x.x.x.x <---- SSL source IP
diag sys session list