Description
This article explains how to Identify the remote subnet routes injected on FortiGate 7000/6000.
Remote subnets route injection:
To reach static IPSec VPN tunnels remote subnets, static routes using the tunnel phase1 interface are needed in configuration.
Whenever such new routes are configured on the master FPM, the FPM would send a notification message to the FIM to force ipsec destination subnets to be delivered on the master FPM.
This is a requirement since only the master FPM can process ipsec tunnels. This notification is handled by daemon ‘fctrlproxyd’.
When an IPsec tunnel is up, flow rules are automatically pushed to motherboard to force traffic encryption. Flow rules are either based on phase2 selectors or routes towards a tunnel interface.
As of 5.6.6 (B4184), flow rules are pushed based on static routes towards an ipsec tunnel but only installed when the tunnel is up.
Useful links:
External
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-7000/7000-ipsec-vpn-troubleshoot.htm
Scope
FortiGate 6000
FortiGate 7000
Solution
Example Configuration:
# Phase 1
#config vpn ipsec phase1-interface
edit "swan_p1"
set interface "v986"
set ike-version 2
set peertype any
set proposal aes128-sha1
set dhgrp 14
set remote-gw 172.31.203.130
set psksecret ENC xxxxxxx
next
end
# Phase 2
#config vpn ipsec phase2-interface
edit "swan_p2"
set phase1name "swan_p1"
set proposal aes128-sha1
set pfs disable
set src-subnet 10.10.0.0 255.255.240.0
set dst-subnet 10.118.0.0 255.255.0.0
next
end
# Static route
#config router static
edit 2
set dst 10.118.0.0 255.255.0.0
set device "swan_p1"
next
# IPSEC routes on the FIM
#FG74E43E16****** [FIM01] (global) # diagnose test application fctrlproxyd 2
fcp route dump : last_update_time 992760
Slot:3
routecache entry: (1)
checksum:3B B2 EC 83 87 C9 04 11 4B E1 44 2F D3 5C F5 85
vd 4 seq:2 p1:swan_p1 p2: subnet:10.118.0.0 mask:255.255.0.0 enable:1
=========================================
Slot:4
routecache entry: (1)
checksum:3B B2 EC 83 87 C9 04 11 4B E1 44 2F D3 5C F5 85
vd 4 seq:2 p1:swan_p1 p2: subnet:10.118.0.0 mask:255.255.0.0 enable:1
#fctrlproxyd debugs upon route addition/removal
FG74E43E16****** [FIM01] (ipsec_s) # diag debug app fctrlproxyd -1
FG74E43E16****** [FIM01] (ipsec_s) # diag deb en
# static route pointing to vpn interface added
[fcp_proto_fim_recv:720] Recv pkt FCP_PUSH_ROUTE_INFO from slot 4
[routecache_slot_add_rt:231] Add p1:swan_p1 p2: rt:10.118.0.0/255.255.0.0 on slot4 <----- Added to slot4
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 3
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 4
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 3
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 4
fcp_proto_proc_local_port_info 917: received port info from 2 entry_nr 17
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 3
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 4
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 3
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 4
send local port info entry_nr 38
fcp_proto_send_local_port_info 886: send packet len 1343 ret 1343
send local port info entry_nr 38
fcp_proto_send_local_port_info 886: send packet len 1343 ret 1343
send local port info entry_nr 38
fcp_proto_send_local_port_info 886: send packet len 1343 ret 1343
# static route pointing to vpn interface removed
[fcp_proto_fim_recv:720] Recv pkt FCP_PUSH_ROUTE_INFO from slot 4
[routecache_slot_del_rt:204] Delete p1:swan_p1 p2: rt:10.118.0.0/255.255.0.0 seq 2 vd 4 on slot4 <----- Removed from slot4
fcp_proto_proc_local_port_info 917: received port info from 2 entry_nr 17
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 3
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 4
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 3
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 4
