Description
This article describes how to configure a policy route that only certain traffic will traverse through a route-based IPsec VPN tunnel.
Scope
FortiGate.
Solution
Although a static route with a destination interface of a VPN tunnel does not require a gateway IP address, a policy route does. The solution is to configure an 'IP' and 'Remote IP' on the virtual tunnel interface and use the 'Remote IP as the gateway IP address in the policy routes. By specifying the 'Remote IP " at tunnel interface will not require any static route through the tunnel to match the gateway IP address.
Note:
The IP is not required to be configured on the remote gateway tunnel interface. When the Policy route is configured with the tunnel interface, it doesn't check whether the gateway IP is reachable, unlike in the case of the physical interface.
- Define the IP and the Remote IP to be used for the tunnel interface. The best practice is to choose IP addresses in a subnet that is not currently used on the FortiGate.
From the CLI:
config system interface
edit "VPN01"
set vdom "root"
set ip 10.1.1.1 255.255.255.255
set type tunnel
set remote-ip 10.1.1.2 255.255.255.252
set interface "port1"
next
end
edit "VPN01"
set vdom "root"
set ip 10.1.1.1 255.255.255.255
set type tunnel
set remote-ip 10.1.1.2 255.255.255.252
set interface "port1"
next
end
- Use the 'Remote IP' as the gateway IP address in the policy route.
From the CLI:
config router policy
edit 1
set input-device "port3”
set src "VPN01_local"
set dst "VPN01_remote"
set gateway 10.1.1.2
set output-device "VPN01"
next
end
edit 1
set input-device "port3”
set src "VPN01_local"
set dst "VPN01_remote"
set gateway 10.1.1.2
set output-device "VPN01"
next
end
Note:
As of v6.2, matching policy routing can be checked from the debug flow.
As of v6.2, matching policy routing can be checked from the debug flow.
2019-12-27 16:03:02 id=20085 trace_id=148 func=print_pkt_detail line=5460 msg="vd-root:0 received a packet(proto=1, 172.16.1.1:1->192.168.1.1:2048) from port3. type=8, code=0, id=1, seq=87."
2019-12-27 16:03:02 id=20085 trace_id=148 func=init_ip_session_common line=5625 msg="allocate a new session-00975287"
2019-12-27 16:03:02 id=20085 trace_id=148 func=vf_ip_route_input_common line=2581 msg="Match policy routing id=1: to 192.168.1.1 via ifindex-50"
2019-12-27 16:03:02 id=20085 trace_id=148 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.1.1.2 via VPN01"
2019-12-27 16:03:02 id=20085 trace_id=148 func=fw_forward_handler line=783 msg="Allowed by Policy-1:"
2019-12-27 16:03:02 id=20085 trace_id=148 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN01"
2019-12-27 16:03:03 id=20085 trace_id=148 func=esp_output4 line=904 msg="IPsec encrypt/auth"
2019-12-27 16:03:03 id=20085 trace_id=148 func=ipsec_output_finish line=622 msg="send to 10.104.7.80 via intf-wan1"
2019-12-27 16:03:02 id=20085 trace_id=148 func=init_ip_session_common line=5625 msg="allocate a new session-00975287"
2019-12-27 16:03:02 id=20085 trace_id=148 func=vf_ip_route_input_common line=2581 msg="Match policy routing id=1: to 192.168.1.1 via ifindex-50"
2019-12-27 16:03:02 id=20085 trace_id=148 func=vf_ip_route_input_common line=2596 msg="find a route: flag=04000000 gw-10.1.1.2 via VPN01"
2019-12-27 16:03:02 id=20085 trace_id=148 func=fw_forward_handler line=783 msg="Allowed by Policy-1:"
2019-12-27 16:03:02 id=20085 trace_id=148 func=ipsecdev_hard_start_xmit line=777 msg="enter IPsec interface-VPN01"
2019-12-27 16:03:03 id=20085 trace_id=148 func=esp_output4 line=904 msg="IPsec encrypt/auth"
2019-12-27 16:03:03 id=20085 trace_id=148 func=ipsec_output_finish line=622 msg="send to 10.104.7.80 via intf-wan1"
