boneyard
Valued Contributor
June 19, 2021
Question

VPN on interface behind (not in routing path) FortiGate

  • June 19, 2021
  • 6 replies
  • 9991 views

Due to the VPN traffic possibly coming in or going out via one of three interfaces (due to BGP), I felt I should configure the VPN on another interface of the FortiGate.

Only the VPN process doesn't want to start the VPN now; the debug log shows:

2021-06-19 14:41:49.269526 ike 0:p1-01:91: could not send IKE Packet(SA_INIT):x.x.x.x:500->y.y.y.y:500, len=248: error 101:Network is unreachable

It sets up the VPN tunnel fine for incoming VPN requests, but it refuses to initiate a VPN itself. Tried on both 6.0 and 6.4.

I can sort of understand it, but it feels not needed: if I do ping-options for the same source IP x.x.x.x, I can ping y.y.y.y fine.

I can work around it with a loopback interface, but that means no IPsec traffic offloading. Another option is a second VDOM with the network used in the routing direction, but that feels like adding quite some config.

Has anyone encountered this and has another solution to make it work in both directions?

    6 replies

    jps
    New Member
    August 2, 2022

    Did you ever find a solution for this?  I'm trying to do the exact same thing.

    Ysiak
    New Member
    November 2, 2022

    Any solution? I have a similar problem with two BGP interfaces. 

    jps
    New Member
    November 3, 2022

    The only answer I was given by TAC was to use a loopback interface.  I have the subnet configured on a VLAN interface and don't want to do this.

    gfleming
    Staff
    November 3, 2022

    I think the problem with using a VLAN (or other interface that's not a WAN interface) is that the tunnel by default attempts to build by egressing said interface.

    It appears you may be able to use policy routing to dictate the outgoing interface and enable "set ike-policy-route" in system settings:

    gfleming
    Staff
    November 2, 2022

    Are the remote sites under your control? If so, a possible solution would be to create multiple VPN tunnels, one for each physical WAN interface IP (i.e. not using an IP in your block of routable IPs).

    Then you can either use SD-WAN to select the appropriate interface or, most likely preferable in your situation, create an aggregate interface (if the other side has FGT as well).

    Ysiak
    New Member
    November 2, 2022

    Unfortunately not. I must configure many IPSec tunnels for different clients. I have 3 VLANs on wan1. Two are /30 for BGP connection from ISP with a default route, and the third has my public network /28, which I received from ISP. If I set this third VLAN as IPSec source interface, I get error 101:Network is unreachable.

    gfleming
    Staff
    November 2, 2022

    What version of FOS are you running?

    hrvoje
    New Member
    May 2, 2023

    I have the same issue. Setting "ike-policy-route enable" helped to get VPN tunnel up, but traffic doesn't go through the tunnel.

    aosav
    New Member
    February 6, 2026

    I came across the same issue. On our Fortigate, VPNs are terminated on a vlan interface, DMZ so to speak, and not on the Internet facing interface. The solution for us was to set localgw interface as the internet facing interface and use the vlan interface ip on the VPN config. No policy routing or ike-policy-routing was needed.

    Hope it helps anyone looking for a solution
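As an added illustration (not from any post in this thread and not vendor documentation), the three phase1 layouts discussed above written out in FortiOS CLI: the VLAN-bound tunnel that fails to initiate, gfleming's ike-policy-route variant, and aosav's local-gw variant. Interface names, the tunnel name and all addresses are placeholders.

```text
# Placeholders: "wan1" = internet-facing port, "dmz-vlan" = VLAN carrying
# the routable /28, 203.0.113.10 = address from that /28 used as the VPN
# endpoint, 198.51.100.1 = remote peer, 192.0.2.1 = ISP next hop on wan1.

# 1) Layout from the question: phase1 bound to the VLAN. The initiator
#    sends SA_INIT out of "dmz-vlan", which has no route to the peer, so
#    the ike debug reports "error 101:Network is unreachable".
config vpn ipsec phase1-interface
    edit "p1-01"
        set interface "dmz-vlan"
        set remote-gw 198.51.100.1
        set psksecret PLACEHOLDER_PSK
    next
end

# 2a) gfleming's suggestion: keep the VLAN binding, let a policy route
#     push IKE/ESP out of wan1 (hrvoje reports the tunnel comes up this
#     way but that payload traffic still did not use it for him).
config system settings
    set ike-policy-route enable
end
config router policy
    edit 1
        set src "203.0.113.10/255.255.255.255"
        set dst "198.51.100.1/255.255.255.255"
        set output-device "wan1"
        set gateway 192.0.2.1
    next
end

# 2b) aosav's variant: bind phase1 to the internet-facing port and keep
#     the VLAN address as the IKE endpoint via local-gw. The /28 must still
#     be advertised (via BGP here) so the peer's replies arrive on wan1.
config vpn ipsec phase1-interface
    edit "p1-01"
        set interface "wan1"
        set local-gw 203.0.113.10
        set remote-gw 198.51.100.1
        set psksecret PLACEHOLDER_PSK
    next
end

# Checks: confirm the egress route for the peer, the IKE SA state, and
# watch the initiator's own SA_INIT for the "unreachable" error.
get router info routing-table details 198.51.100.1
diagnose vpn ike gateway list name p1-01
diagnose debug application ike -1
diagnose debug enable
```

With 2b, a phase2 selector and firewall policies on the tunnel interface are still required for payload traffic, exactly as for any other route-based tunnel.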