Description
This article describes how to fix issues with IPsec tunnels configured with an IPpool as a local gateway.
Scope
FortiOS 6.4.9 and FortiOS 7.0.1. |
Solution |
Updating the firewall to FortiOS 6.4.9 or 7.0.1 might create issues with IPsec tunnels that use an IPpool as a local gateway. This is related to the fact that, since FortiOS 6.4.9 and 7.0.1, IPpools are not considered local addresses anymore.
For example, a configuration like the one below may stop working after the upgrade, and the tunnel will not come up.
# config firewall ippool
# edit "192.0.1.1"
# show
config firewall ippool
    edit "192.0.1.1"
        set type one-to-one
        set startip 192.0.1.1
        set endip 192.0.1.1
    next
end
# config vpn ipsec phase1-interface
# edit My_tunnel
# set local-gw 192.0.1.1
The issue can be solved by configuring the IPpool address as a secondary IP on the interface on which the tunnel terminates, so that FortiOS again treats it as a local address. Assuming that the tunnel is terminated on the wan1 interface:
# show system interface wan1
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.0.1.1 255.255.255.255
            next
        end
    next
end
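The following is an added, end-to-end CLI walkthrough that is not part of the original article: it combines the secondary IP on wan1 with a phase1-interface that binds to that address, then checks that IKE is actually sourcing from it. The interface name wan1, tunnel name My_tunnel and address 192.0.1.1 come from the article; the remote gateway 203.0.113.10, the pre-shared key, the IKE version and the proposal are placeholder values chosen for illustration and must be replaced with the real peer settings.

```fortios
# 1. Make the former IPpool address a local address again (secondary IP on wan1).
config system interface
    edit "wan1"
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 192.0.1.1 255.255.255.255
            next
        end
    next
end

# 2. Bind the phase1 to wan1 and source IKE from the secondary IP.
#    Remote gateway, PSK and crypto settings below are placeholders.
config vpn ipsec phase1-interface
    edit "My_tunnel"
        set interface "wan1"
        set ike-version 2
        set local-gw 192.0.1.1
        set remote-gw 203.0.113.10
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret REPLACE_WITH_REAL_PSK
    next
end

# 3. Verify: the IKE gateway entry should list 192.0.1.1 as the local address
#    and the phase1 should reach an established state once the peer responds.
diagnose vpn ike gateway list name My_tunnel
diagnose vpn tunnel list name My_tunnel
```

If the gateway entry still shows the primary wan1 address as "local", the secondary IP has not been applied to the interface the phase1 is bound to; re-check that `set interface` and `set local-gw` refer to the same interface and address. The one-to-one IPpool itself can stay in place for NAT policies; only its role as the tunnel's local address is replaced by the secondary IP.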
Copyright 2024 Fortinet, Inc. All Rights Reserved.