This article describes how to fix issues with IPsec tunnels configured with an IPpool as a local gateway.
FortiOS 6.4.9 and FortiOS 7.0.1.
Updating the firewall to FortiOS 6.4.9 or 7.0.1 might create issues with IPsec tunnels that use an IPpool address as the local gateway. This is because, as of FortiOS 6.4.9 and 7.0.1, IPpool addresses are no longer treated as local addresses of the firewall.
For example, a configuration like the one below may stop working after the upgrade and the tunnel will not come up.
config firewall ippool
    edit "<ippool-name>"
        set type one-to-one
        set startip 188.8.131.52
        set endip 184.108.40.206
    next
end

config vpn ipsec phase1-interface
    edit "<tunnel-name>"
        set local-gw 220.127.116.11
    next
end
The issue can be solved by configuring the IPpool address as a secondary IP on the interface on which the tunnel terminates, so that the firewall treats it as a local address again.
Assuming that the tunnel is terminated on the wan1 interface:
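The following is an added example of that secondary-IP configuration; it is not taken from the original article. It assumes the address used as local-gw in the phase1 snippet above (220.127.116.11) is the pool address to expose, that the interface name is wan1, and that the subnet mask 255.255.255.0 and the secondaryip entry index 1 are placeholders to be replaced with the values of the actual wan1 subnet:

```fortios
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 220.127.116.11 255.255.255.0
            next
        end
    next
end
```

After applying it, the phase1-interface local-gw should match the secondary IP exactly; tunnel establishment can then be checked with `diagnose vpn ike gateway list`.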