TestUser777
New Member
June 26, 2024
Solved

VPN, Routing question.

  • June 26, 2024
  • 3 replies
  • 2402 views

Hi

I guide one of my hosts into the VPN tunnel and it works great.
Is there a way to ping it over the WAN interface also?

[Attachment: FG_Routing_Test.jpg]

Best answer by pminarik

That sounds like you want policy-based routing (the deciding factor being the source-IP in this case), and for that you'll need two routes towards 192.168.10.0/24 at the same time (ECMP) as a basic requirement.

I don't know what the current situation is, but traditionally ECMP wasn't allowed for routes from different sources - https://community.fortinet.com/t5/FortiGate/Technical-Tip-Explanation-of-ECMP-with-different-routing/ta-p/228587 . I guess you could make it work if you had both routes sourced from OSPF? (if it supports ECMP)

3 replies

fricci_FTNT
Staff
June 26, 2024

Hi @TestUser777 ,


My understanding is that the hosts 192.168.20.2/32 and 192.168.10.2/32 are able to reach each other through the IPsec tunnel thanks to a static route.

The hosts 192.168.20.3/32 and 192.168.10.2/32 can reach each other through OSPF if OSPF is configured properly (you mentioned that they are both in the same area 0).

The below might help:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-troubleshoot-OSPF-neighborship-in-various/ta-p/252855

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-FortiOS-routing-RIP-OSPF-BGP-static-routes/ta-p/198593

https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/358640/basic-ospf-example


Best regards,

TestUser777
New Member
June 29, 2024

[Attachments: FG2.jpg, FG1.jpg]

"The hosts 192.168.20.3/32 and 192.168.10.2/32 can reach each other through OSPF if OSPF is configured properly (you mentioned that they are both in the same area 0)." <--- They are, and when the 192.168.10.2/32 static route is disabled, they can ping each other.

Right now I cannot ping over the WAN.
I have OSPF Area 0 (192.168.10.0/24 is advertised here) over the WAN and OSPF Area 1 over the VPN.
192.168.10.2/32 is statically advertised into the VPN tunnel.

On Monday I will try to remove the static routes and advertise 192.168.10.2/32 into OSPF Area 1.

fricci_FTNT
Staff
July 1, 2024

Hi @TestUser777 ,


So if I have understood correctly, you have 192.168.20.3/24 and 192.168.10.2/24 both in area 0. Then you want to have 192.168.20.2/32 advertised in Area 1 inside the VPN tunnel.


Please collect the below outputs in both situations, when the static route is enabled and when it is disabled:

On FG2:
get router info routing-table all | grep 192.168.20.
get router info routing-table database | grep 192.168.20.
get router info routing-table detail 192.168.20.2/32
get router info routing-table detail 192.168.20.3/32

diag ip rtcache list | grep 192.168.20.
get router info kernel | grep 192.168.20.

On FG1:
get router info routing-table all | grep 192.168.10.
get router info routing-table database | grep 192.168.10.
get router info routing-table detail 192.168.10.2/32

diag ip rtcache list | grep 192.168.10.
get router info kernel | grep 192.168.10.


Best regards,

TestUser777
New Member
July 9, 2024

I tried to implement a routing policy.

So I changed the routing a little.
Over the WAN I'm using static routes; 192.168.20.3 and .2 can ping 192.168.10.2.
Over the VPN I advertise the same IP subnets via OSPF.
When I try to use policy routing (pics included), I can get a match, but I cannot get a full ping.
Do I have to reverse the policies also?

Thanks for all the help and answers :)

[Attachments: FG_Test_Sniffer.jpg, FG_Test_RPolicy.jpg]

TestUser777
New Member
July 10, 2024

I got it to work.
At first I had a static route to the WAN and an OSPF route to the VPN.
Only the static route to the WAN was in the routing table.

So a static route to both the WAN and the VPN did the trick.
I had two different routes to the same network, over the WAN and the VPN, and policy routing could do its thing.

Thank you all for your help and guidance :)
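The working setup described in the last post (two static routes to the same destination so that both are active, then policy routing by source IP, which is what pminarik's accepted answer recommends), written out as an added FortiOS configuration example. It is not from the thread and not Fortinet's own documentation. It assumes FG1 is the FortiGate in front of 192.168.20.0/24, that its LAN interface is named "internal", that its WAN interface is "wan1" with next hop 203.0.113.1 (a documentation address), and that the IPsec phase1-interface toward FG2 is named "to_fg2"; every one of these names and addresses is an assumption and must be replaced with the real ones.

```fortios
# Added example, not from the thread. Assumed names: "internal", "wan1", "to_fg2";
# assumed WAN next hop: 203.0.113.1.

# Two routes to 192.168.10.0/24 with the same distance and priority, so both are
# installed in the routing table (ECMP). A static route (distance 10) next to an
# OSPF route (distance 110) would leave only the static route active.
config router static
    edit 10
        set dst 192.168.10.0 255.255.255.0
        set gateway 203.0.113.1
        set device "wan1"
        set distance 10
        set priority 1
    next
    edit 11
        set dst 192.168.10.0 255.255.255.0
        set device "to_fg2"
        set distance 10
        set priority 1
    next
end

# Policy routes decide by source host: .3 leaves via the WAN, .2 via the tunnel.
# The tunnel interface is point-to-point, so no gateway is set for it.
config router policy
    edit 1
        set input-device "internal"
        set src "192.168.20.3/255.255.255.255"
        set dst "192.168.10.2/255.255.255.255"
        set gateway 203.0.113.1
        set output-device "wan1"
    next
    edit 2
        set input-device "internal"
        set src "192.168.20.2/255.255.255.255"
        set dst "192.168.10.2/255.255.255.255"
        set output-device "to_fg2"
    next
end
```

To check the result, `get router info routing-table all` (from fricci_FTNT's list above) should show both entries for 192.168.10.0/24, and `diagnose firewall proute list` shows the policy routes together with their hit counters. Policy routes only act on traffic entering this FortiGate, so the reply path is decided by FG2's own routing table and policy routes; if the replies must take the same path, a mirrored pair of routes and policies is needed on FG2.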