sha-1_FTNT
Article Id 196574
Purpose
This article describes how to configure and troubleshoot an IP in IP tunnel between two FortiGates.


Scope
FortiGate or VDOM in NAT mode.

Support for IP in IP tunneling (RFC 1853) was added in FortiOS 5.0.3 / 5.2 GA. IP in IP is plain encapsulation: it provides no encryption or authentication of the tunneled traffic. See the related article on IP in IP over IPsec when the traffic needs protection.

Diagram
The following topology is used:

PC1(.1) - 10.1.1.0/24-port2-[ FG1 ]-port1-(198.51.100.1) =====
                                                             I
                                            (Internet)       I IP-in-IP tunnel
                                                             I
PC2(.2) - 10.2.2.0/24-port2-[ FG2 ]-port1-(203.0.113.2) ======  
Expectations, Requirements
  • Establish an IP in IP tunnel between both FortiGates so that each side can reach the remote LAN (10.x.x.x/24).
  • The IP in IP interface remains unnumbered; the remote subnets are reached via static routes pointing at the tunnel interface.

Configuration

CLI configuration of FortiGate 1

config system interface
    edit "port1"
        set ip 198.51.100.1 255.255.255.0
        set alias Internet
    next
    edit "port2"
        set ip 10.1.1.254 255.255.255.0
        set alias LAN
    next
end

config system ipip-tunnel
    edit "toFG2"
        set interface "port1"
        set local-gw 198.51.100.1
        set remote-gw 203.0.113.2
    next
end

config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "toFG2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "toFG2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set device "port1"
        set gateway 198.51.100.254
        set comment "default-route to Internet ISP"
    next
    edit 0
        set device "toFG2"
        set dst 10.2.2.0 255.255.255.0
    next
end


CLI configuration of FortiGate 2

config system interface
    edit "port1"
        set ip 203.0.113.2 255.255.255.0
        set alias Internet
    next
    edit "port2"
        set ip 10.2.2.254 255.255.255.0
        set alias LAN
    next
end

config system ipip-tunnel
    edit "toFG1"
        set interface "port1"
        set local-gw 203.0.113.2
        set remote-gw 198.51.100.1
    next
end

config firewall policy
    edit 0
        set srcintf "port2"
        set dstintf "toFG1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set srcintf "toFG1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

config router static
    edit 0
        set device "port1"
        set gateway 203.0.113.254
        set comment "default-route to Internet ISP"
    next
    edit 0
        set device "toFG1"
        set dst 10.1.1.0 255.255.255.0
    next
end


Verification
Routing table of FortiGate 1:

FG1 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 198.51.100.254, port1
C       10.1.1.0/24 is directly connected, port2
S       10.2.2.0/24 [10/0] is directly connected, toFG2
C       198.51.100.0/24 is directly connected, port1

Routing table of FortiGate 2:

FG2 # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 203.0.113.254, port1
C       10.2.2.0/24 is directly connected, port2
S       10.1.1.0/24 [10/0] is directly connected, toFG1
C       203.0.113.0/24 is directly connected, port1


Note: Both routing tables show the remote 10.x.x.x subnets as pseudo-connected: the static route is listed as directly connected and points to a local interface (toFG2 or toFG1) instead of a next-hop address, because the tunnel interface is unnumbered.


Verify the IP in IP tunnels:

FG2 # diag netlink interface list | grep -A1 "toFG1"
if=toFG1 family=00 type=768 index=20 mtu=1480 link=0 master=0
ref=11 state=off start fw_flags=0 flags=up p2p run noarp multicast

FG2 # get system interface
[...]

== [ toFG1 ]
name: test   ip: 0.0.0.0 0.0.0.0   status: up    netbios-forward: disable    type: tunnel   netflow-sampler: disable    sflow-sampler: disable    scan-botnet-connections: disable    explicit-web-proxy: disable    explicit-ftp-proxy: disable    wccp: disable
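To make concrete what "set local-gw" / "set remote-gw" put on the wire, and why the tunnel interface above reports mtu=1480, the following Python is an added example (not FortiOS code or output): it builds the ICMP echo from PC1 to PC2, wraps it in an outer IPv4 header with protocol 4 between the two port1 addresses of the article, and decapsulates it again on the receiving side. The 1500-byte link MTU of port1 is an assumption.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4      # outer-header protocol number for IP in IP (RFC 1853 / RFC 2003)
IPV4_HDR_LEN = 20     # minimal IPv4 header, no options

def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both the IPv4 header and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (DF set) with its checksum filled in."""
    fields = [0x45, 0, IPV4_HDR_LEN + payload_len, 0, 0x4000, ttl, proto, 0,
              IPv4Address(src).packed, IPv4Address(dst).packed]
    fields[7] = internet_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def icmp_echo_request(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """ICMP type 8 with a correct checksum; this is the packet PC1's ping emits."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    return icmp[:2] + struct.pack("!H", internet_checksum(icmp)) + icmp[4:]

def encapsulate(inner: bytes, local_gw: str, remote_gw: str) -> bytes:
    """Sender side: prepend an outer header local-gw -> remote-gw, proto 4. The inner packet
    travels unchanged and in clear; IP in IP adds no encryption or integrity protection."""
    return ipv4_header(local_gw, remote_gw, IPPROTO_IPIP, len(inner)) + inner

def decapsulate(outer: bytes) -> tuple:
    """Receiver side: validate the outer header, insist on proto 4, return (src, dst, inner)."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or internet_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if outer[9] != IPPROTO_IPIP:
        raise ValueError("not IP in IP, outer protocol is %d" % outer[9])
    return str(IPv4Address(outer[12:16])), str(IPv4Address(outer[16:20])), outer[ihl:]

def tunnel_mtu(link_mtu: int = 1500) -> int:   # 1500 = assumed Ethernet MTU of port1
    """Each tunneled packet grows by one outer header, hence mtu=1480 on toFG1/toFG2."""
    return link_mtu - IPV4_HDR_LEN

if __name__ == "__main__":
    inner = ipv4_header("10.1.1.1", "10.2.2.2", IPPROTO_ICMP, 12) + icmp_echo_request(b"ping")
    wire = encapsulate(inner, "198.51.100.1", "203.0.113.2")
    print("tunnel mtu:", tunnel_mtu(), "outer src/dst:", decapsulate(wire)[:2])
```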

Troubleshooting
While a ping runs from PC1 to PC2, take a sniffer trace on either FortiGate to confirm that the traffic arrives on, and is forwarded out of, the expected interfaces (LAN port in and tunnel interface out for the request, the reverse for the reply):

FG1 # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
2.901412 port2 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901429 toFG2 out 10.1.1.1 -> 10.2.2.2: icmp: echo request
2.901954 toFG2 in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
2.901979 port2 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply


FG2 # diagnose sniffer packet any "icmp" 4
interfaces=[any]
filters=[icmp]
7.241465 toFG1 in 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.241529 port2 out 10.1.1.1 -> 10.2.2.2: icmp: echo request
7.241815 port2 in 10.2.2.2 -> 10.1.1.1: icmp: echo reply
7.241836 toFG1 out 10.2.2.2 -> 10.1.1.1: icmp: echo reply

Related Articles

Technical Tip: Configuring and verifying an IP in IP tunnel

Technical Note: Configuring and verifying an IP in IP over IPsec tunnel
