FortiGate
ppatel
Staff
Article Id 202210
Description

This article describes how to configure FortiGate to also check policy routes when selecting the outgoing interface for local-out IKE negotiations.

By default, FortiGate checks only the routing table for the VPN gateway IP address, and it does not send the local-out IKE packet if no active route to the gateway is available via the interface configured in the phase1-interface settings.

Policy routes are not checked.

Scope

FortiGate v7.0.2 and later.

Solution

This behaviour is controlled by the 'ike-policy-route' option under 'config system setting'.

Consider the following scenario:

VPN configuration.

config vpn ipsec phase1-interface
    edit "VPN1-test"
        set interface "port1"  <--
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: VPN1-test (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 1.1.1.1  <--
        set psksecret ENC YlQzOvpJN1ZajQg1iga8tAl2mMAMdeEOxK+7f3YO4/qv/CMGFHfYNF4ncJub0S11RxszRFnq/sEd2/VmEGwHZrqH0SbSXHbTnLmuhOe1xTwrHN9/nhz7GIni+2hCEnZzv7uwyrzL7hNCvAeAll0qJLHKRO4IfZN4cUCTg4LSnyU3CQ2fXVDXN3QdBSnuif+b1SE1QQ==
    next
end

boson-kvm20 # sh vpn ipsec phase2-interface
config vpn ipsec phase2-interface
    edit "VPN1-test"
        set phase1name "VPN1-test"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
        set comments "VPN: VPN1-test (Created by VPN wizard)"
        set src-addr-type name
        set dst-addr-type name
        set src-name "VPN1-test_local"
        set dst-name "VPN1-test_remote"
    next
end

Routing.

get router info routing-table all
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 10.5.63.254, port3         <----- No active route for the VPN gateway available via port1.
C       10.5.16.0/20 is directly connected, port1
C       10.5.48.0/20 is directly connected, port3
C       10.220.0.0/20 is directly connected, port2
S       10.230.0.0/20 [254/0] is a summary, Null

# config router policy
    edit 1
        set dst "1.1.1.1/32"
        set gateway 10.5.31.254
        set output-device "port1"   <----- Policy route available via port1 for VPN gateway 1.1.1.1.
    next
end
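Before walking through the two cases, here is the lookup described above modelled in Python. This is an added example, not FortiOS code: it assumes a simplified decision order (longest-prefix match in the main routing table first; policy routes consulted only when 'ike-policy-route' is enabled, and only a policy route whose output-device matches the phase1 interface counts), and it is loaded with the routing table and policy route from the scenario above so both cases can be reproduced offline.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Route:
    prefix: str                  # destination prefix, e.g. "0.0.0.0/0"
    interface: str               # outgoing interface
    gateway: Optional[str] = None

@dataclass
class PolicyRoute:
    dst: str                     # 'set dst' under 'config router policy'
    output_device: str           # 'set output-device'
    gateway: Optional[str] = None

# Routing table and policy route taken from the scenario in the article.
ROUTING_TABLE = [
    Route("0.0.0.0/0", "port3", "10.5.63.254"),
    Route("10.5.16.0/20", "port1"),
    Route("10.5.48.0/20", "port3"),
    Route("10.220.0.0/20", "port2"),
    Route("10.230.0.0/20", "Null"),
]
POLICY_ROUTES = [PolicyRoute("1.1.1.1/32", "port1", "10.5.31.254")]

def best_route(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over the main routing table."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.prefix, strict=False)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best

def ike_local_out(routes: List[Route], policy_routes: List[PolicyRoute],
                  vpn_interface: str, remote_gw: str, ike_policy_route: bool) -> Dict:
    """Decide whether the local-out IKE packet can leave on the phase1 interface.

    Assumed model: the routing table is consulted first; if its best route does
    not use the phase1 interface, policy routes are consulted only when
    ike-policy-route is enabled.
    """
    rt = best_route(routes, remote_gw)
    if rt is not None and rt.interface == vpn_interface:
        return {"sent": True, "interface": rt.interface, "gateway": rt.gateway,
                "via": "routing-table"}
    if ike_policy_route:
        gw_ip = ipaddress.ip_address(remote_gw)
        for pr in policy_routes:
            if gw_ip in ipaddress.ip_network(pr.dst, strict=False) and pr.output_device == vpn_interface:
                return {"sent": True, "interface": pr.output_device, "gateway": pr.gateway,
                        "via": "policy-route"}
    # Corresponds to the debug line 'could not send IKE Packet ... error 101:Network is unreachable'
    return {"sent": False, "interface": vpn_interface, "error": "101:Network is unreachable"}

if __name__ == "__main__":
    for enabled in (False, True):
        print("ike-policy-route", "enable" if enabled else "disable", "->",
              ike_local_out(ROUTING_TABLE, POLICY_ROUTES, "port1", "1.1.1.1", enabled))
```

With 'ike-policy-route' disabled the function returns the unreachable result for gateway 1.1.1.1 on port1; with it enabled it returns port1 with next hop 10.5.31.254 from the policy route. A gateway that is reachable through the phase1 interface via the routing table alone (for example an address inside 10.5.16.0/20 on port1) succeeds regardless of the setting.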

Case 1: 'ike-policy-route' is disabled.

config system setting
    set ike-policy-route disable
end

Policy routes are not checked and the IKE negotiation packet is not sent; the IKE debug output shows the following error:

ike 0:VPN1-test: created connection: 0xf0bf260 3 10.5.25.20->1.1.1.1:500.
ike 0:VPN1-test:4: initiator: main mode is sending 1st message...
ike 0:VPN1-test:4: cookie 12c428e6d639a238/0000000000000000
ike 0:VPN1-test:4: out [packet hex dump omitted]
ike 0:VPN1-test:4: could not send IKE Packet(ident_i1send):10.5.25.20:500->1.1.1.1:500, len=572 vrf=0: error 101:Network is unreachable

Case 2: 'ike-policy-route' is enabled.

config system setting
    set ike-policy-route enable
end

Policy routes are checked and the IKE negotiation packet is sent via port1:

ike 0:VPN1-test: created connection: 0xf0bf780 3 10.5.25.20->1.1.1.1:500.
ike 0:VPN1-test:12: initiator: main mode is sending 1st message...
ike 0:VPN1-test:12: cookie 470e063f6311bc2b/0000000000000000
ike 0:VPN1-test:12: out [packet hex dump omitted]
ike 0:VPN1-test:12: sent IKE msg (ident_i1send): 10.5.25.20:500->1.1.1.1:500, len=572, vrf=0, id=470e063f6311bc2b/0000000000000000

boson-kvm20 # diag sniffer packet any "host 1.1.1.1" 4 o a
Using Original Sniffing Mode
interfaces=[any]
filters=[host 1.1.1.1]
2021-12-26 18:32:34.091798 port1 out 10.5.25.20.500 -> 1.1.1.1.500: udp 572
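When this symptom has to be spotted in a longer 'diagnose debug application ike' capture, the two lines that matter are the 'sent IKE msg' and 'could not send IKE Packet ... error N:...' messages. The parser below is an added example, not FortiOS or Fortinet code; it assumes the line layout shown in the two debug excerpts above and uses those excerpts as constructed sample input, so it runs offline and flags the gateways for which the local-out IKE send failed with errno 101 (Network is unreachable), which is the case that the 'ike-policy-route' setting addresses.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the two debug excerpts from this article, case 1 then case 2.
SAMPLE_IKE_DEBUG = """\
ike 0:VPN1-test: created connection: 0xf0bf260 3 10.5.25.20->1.1.1.1:500.
ike 0:VPN1-test:4: initiator: main mode is sending 1st message...
ike 0:VPN1-test:4: cookie 12c428e6d639a238/0000000000000000
ike 0:VPN1-test:4: could not send IKE Packet(ident_i1send):10.5.25.20:500->1.1.1.1:500, len=572 vrf=0: error 101:Network is unreachable
ike 0:VPN1-test: created connection: 0xf0bf780 3 10.5.25.20->1.1.1.1:500.
ike 0:VPN1-test:12: initiator: main mode is sending 1st message...
ike 0:VPN1-test:12: cookie 470e063f6311bc2b/0000000000000000
ike 0:VPN1-test:12: sent IKE msg (ident_i1send): 10.5.25.20:500->1.1.1.1:500, len=572, vrf=0, id=470e063f6311bc2b/0000000000000000
"""

# Common prefix of per-connection lines: "ike <vdom>:<phase1 name>:<connection id>: "
_PREFIX = r"^ike (?P<vd>\d+):(?P<vpn>[^:]+):(?P<conn>\d+): "
SENT_RE = re.compile(
    _PREFIX + r"sent IKE msg \((?P<stage>\w+)\): "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)")
FAIL_RE = re.compile(
    _PREFIX + r"could not send IKE Packet\((?P<stage>\w+)\):"
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)"
    r".*?: error (?P<errno>\d+):(?P<errmsg>.*?)\s*$")

ENETUNREACH = 101  # errno reported in the article's failing case

def parse_ike_debug(text: str) -> List[Dict]:
    """Extract send / send-failure events from IKE debug output."""
    events = []
    for line in text.splitlines():
        m = SENT_RE.match(line)
        if m:
            events.append({"vpn": m["vpn"], "conn": int(m["conn"]), "stage": m["stage"],
                           "src": m["src"], "dst": m["dst"], "status": "sent"})
            continue
        m = FAIL_RE.match(line)
        if m:
            events.append({"vpn": m["vpn"], "conn": int(m["conn"]), "stage": m["stage"],
                           "src": m["src"], "dst": m["dst"], "status": "failed",
                           "errno": int(m["errno"]), "errmsg": m["errmsg"]})
    return events

def unreachable_gateways(events: List[Dict]) -> Set[Tuple[str, str]]:
    """(phase1 name, remote gateway) pairs whose IKE send failed with errno 101."""
    return {(e["vpn"], e["dst"]) for e in events
            if e["status"] == "failed" and e["errno"] == ENETUNREACH}

if __name__ == "__main__":
    evs = parse_ike_debug(SAMPLE_IKE_DEBUG)
    for e in evs:
        print(e)
    print("gateways with no usable route:", unreachable_gateways(evs))
```

On the sample, the first connection (id 4) is reported as failed with errno 101 and the second (id 12) as sent, and 'VPN1-test' to 1.1.1.1 is the one pair returned by unreachable_gateways. Pairs that keep appearing there after 'ike-policy-route' has been enabled are candidates for the stale-session check described next.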

Lastly, bear in mind that after enabling this setting it is also recommended to clear the existing IKE session, during a short maintenance window.

FortiOS sends IKE traffic periodically, so the old session stays in the session table without timing out, and the new setting is never applied to it.

diag sys session filter clear
diag sys session filter src <Source IP address of IKE packets>
diag sys session filter dst <Destination IP address of IKE packets>
diag sys session filter dport <500 or 4500 if NAT traversal is used>
diag sys session clear

diag sys session filter clear