Created on ‎12-30-2021 01:18 AM Edited on ‎11-16-2023 02:56 AM By Jean-Philippe_P
Description |
This article describes how to configure FortiGate to verify policy routing as well for local-out IKE negotiations. By default, FortiGate checks only the routing-table for the VPN gateway IP address and fails to send the local-out IKE packet if no active route is available via the outgoing interface mentioned in the VPN configuration.
Policy routes are not checked. |
Scope |
FortiGate v7.0.2 onwards. |
Solution |
This can be controlled by the 'ike-policy-route' configuration available under the 'config system setting'.
Consider the below scenario:
VPN configuration.
config vpn ipsec phase1-interface edit "VPN1-test" set interface "port1" <-- set peertype any set net-device disable set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 set comments "VPN: VPN1-test (Created by VPN wizard)" set wizard-type static-fortigate set remote-gw 1.1.1.1 <-- set psksecret ENC YlQzOvpJN1ZajQg1iga8tAl2mMAMdeEOxK+7f3YO4/qv/CMGFHfYNF4ncJub0S11RxszRFnq/sEd2/VmEGwHZrqH0SbSXHbTnLmuhOe1xTwrHN9/nhz7GIni+2hCEnZzv7uwyrzL7hNCvAeAll0qJLHKRO4IfZN4cUCTg4LSnyU3CQ2fXVDXN3QdBSnuif+b1SE1QQ== next end
boson-kvm20 # sh vpn ipsec phase2-interface config vpn ipsec phase2-interface edit "VPN1-test" set phase1name "VPN1-test" set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 set comments "VPN: VPN1-test (Created by VPN wizard)" set src-addr-type name set dst-addr-type name set src-name "VPN1-test_local" set dst-name "VPN1-test_remote" next end
Routing.
get router info routing-table all Routing table for VRF=0 S* 0.0.0.0/0 [10/0] via 10.5.63.254, port3 <----- No active route for VPN gateway available via port1. C 10.5.16.0/20 is directly connected, port1 C 10.5.48.0/20 is directly connected, port3 C 10.220.0.0/20 is directly connected, port2 S 10.230.0.0/20 [254/0] is a summary, Null
# config router policy edit 1 set dst "1.1.1.1/32" set gateway 10.5.31.254 set output-device "port1" <----- Policy route available via port1 for VPN gateway 1.1.1.1. next end
Case 1: When 'ike-policy-route' is disable.
config system setting set ike-policy-route disable end
Policy routes were not checked and the IKE negotiation packet was not sent with the below errors in IKE debugs:
ike 0:VPN1-test: created connection: 0xf0bf260 3 10.5.25.20->1.1.1.1:500. ike 0:VPN1-test:4: initiator: main mode is sending 1st message... ike 0:VPN1-test:4: cookie 12c428e6d639a238/0000000000000000 ike 0:VPN1-test:4: out 12C428E6D639A238000000000000000001100200000000000000023C0D000154000000010000000100000148010100080300002801010000800B0001000C00040001518080010007800E008080030001800200048004000E0300002802010000800B0001000C00040001518080010007800E00808003000180020004800400050300002803010000800B0001000C00040001518080010007800E010080030001800200048004000E0300002804010000800B0001000C00040001518080010007800E01008003000180020004800400050300002805010000800B0001000C00040001518080010007800E008080030001800200028004000E0300002806010000800B0001000C00040001518080010007800E00808003000180020002800400050300002807010000800B0001000C00040001518080010007800E010080030001800200028004000E0000002808010000800B0001000C00040001518080010007800E01008003000180020002800400050D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000 ike 0:VPN1-test:4: could not send IKE Packet(ident_i1send):10.5.25.20:500->1.1.1.1:500, len=572 vrf=0: error 101:Network is unreachable
Case 2: When 'ike-policy-route' is enabled.
config system setting set ike-policy-route enable end
Policy routes were checked and the IKE negotiation packet was sent via port1:
ike 0:VPN1-test: created connection: 0xf0bf780 3 10.5.25.20->1.1.1.1:500. ike 0:VPN1-test:12: initiator: main mode is sending 1st message... ike 0:VPN1-test:12: cookie 470e063f6311bc2b/0000000000000000 ike 0:VPN1-test:12: out 470E063F6311BC2B000000000000000001100200000000000000023C0D000154000000010000000100000148010100080300002801010000800B0001000C00040001518080010007800E008080030001800200048004000E0300002802010000800B0001000C00040001518080010007800E00808003000180020004800400050300002803010000800B0001000C00040001518080010007800E010080030001800200048004000E0300002804010000800B0001000C00040001518080010007800E01008003000180020004800400050300002805010000800B0001000C00040001518080010007800E008080030001800200028004000E0300002806010000800B0001000C00040001518080010007800E00808003000180020002800400050300002807010000800B0001000C00040001518080010007800E010080030001800200028004000E0000002808010000800B0001000C00040001518080010007800E01008003000180020002800400050D0000144A131C81070358455C5728F20E95452F0D0000147D9419A65310CA6F2C179D9215529D560D000014CD60464335DF21F87CFDB2FC68B6A4480D00001490CB80913EBB696E086381B5EC427B1F0D00001416F6CA16E4A4066D83821A0F0AEAA8620D0000144485152D18B6BBCD0BE8A8469579DDCC0D000014AFCAD71368A1F1C96B8696FC775701000D0000144048B7D56EBCE88525E7DE7F00D6C2D30D0000184048B7D56EBCE88525E7DE7F00D6C2D3C0000000000000148299031757A36082C6A621DE00000000 ike 0:VPN1-test:12: sent IKE msg (ident_i1send): 10.5.25.20:500->1.1.1.1:500, len=572, vrf=0, id=470e063f6311bc2b/0000000000000000
boson-kvm20 # diag sniffer packet any "host 1.1.1.1" 4 o a Using Original Sniffing Mode interfaces=[any] filters=[host 1.1.1.1] 2021-12-26 18:32:34.091798 port1 out 10.5.25.20.500 -> 1.1.1.1.500: udp 572
Lastly, bear in mind that when the particular setting is enabled it is also recommended to clear the old IKE session during a short maintenance window.
FortiOS periodically sends IKE traffic thus the old session will exist in the session table without timing out thus the new settings cannot be triggered.
diag sys session filter clear diag sys session filter clear |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.