FortiGate
alif
Staff
Article Id 193929

Description

 

This article describes the default route (0.0.0.0/0) that is installed in the routing table of a FortiGate unit for each remote peer when a dialup IPsec VPN tunnel (phase1-interface of type dynamic) is established, and how to prevent it from being installed.

 

Scope

 

FortiGate.

Solution

 

If a dialup VPN tunnel is configured on the FortiGate with the default settings, a static default route pointing at the tunnel interface is installed for each connected peer, as in the output below:

 

get router info routing-table details 0.0.0.0
Routing entry for 0.0.0.0/0
Known via "static", distance 15, metric 0
173.243.128.1, via FTNT-VPN

Routing entry for 0.0.0.0/0
Known via "static", distance 10, metric 0, best
* 96.45.32.1, via wan1

 

96.45.32.1 is the default gateway of the WAN interface (wan1). This route is preferred because of its lower administrative distance; the default distance for a static route is 10.

173.243.128.1 is the public (WAN) IP address of the remote dialup peer connected through the FTNT-VPN tunnel interface.
Note that routes installed for dialup peers are given a distance of 15 by default, so they lose to the WAN default route only as long as the WAN default route keeps a lower distance.


The default route for the tunnel interface is installed because add-route is enabled (the default) in the phase1-interface settings of the dialup tunnel:

 

config vpn ipsec phase1-interface
    edit FTNT-VPN
        set add-route enable
    next
end

(add-route is enabled by default; the line above only makes the default explicit.)

 

As more users connect to the dialup VPN interface, a separate default route is installed for each remote peer, all with distance 15 and all pointing at the same tunnel interface.

If the distance of the WAN default route is changed to a value higher than 15, the dialup-peer default routes become the best routes and all outbound traffic is sent into the dialup tunnel(s) instead of to the WAN gateway, which disrupts traffic for the whole network (a distance of exactly 15 produces the same problem, since equal-distance routes are load-balanced). To avoid this behavior, disable add-route in the phase1-interface settings of the dialup VPN tunnel (set add-route disable).

Note that the 'set add-route {disable | enable}' entry is only available under phase1-interface settings when the tunnel type is dynamic (set type dynamic).

 

After changing add-route, flush the existing tunnel and clear its IKE gateway so the new setting takes effect on the next connection (<my-phase1-name> is the phase1 name, for example FTNT-VPN):

diagnose vpn tunnel flush <my-phase1-name>

diagnose vpn ike gateway clear name <my-phase1-name>