Sparta_FTNT
Staff

Description
This article explains how to identify the remote subnet routes injected on FortiGate 7000/6000 chassis, and how to trace the daemon that injects them.

Remote subnet route injection:

To reach the remote subnets behind a static IPsec VPN tunnel, static routes that use the tunnel's phase1 interface must be present in the configuration.
Whenever such a route is configured on the master FPM, the FPM sends a notification message to the FIM so that the IPsec destination subnets are delivered to the master FPM.
This is required because only the master FPM can process IPsec tunnels. The notification is handled by the 'fctrlproxyd' daemon.

When an IPsec tunnel is up, flow rules are automatically pushed to the motherboard to force the matching traffic into the tunnel for encryption. Flow rules are based either on phase2 selectors or on routes towards a tunnel interface.
As of 5.6.6 (B4184), flow rules are pushed based on static routes towards an IPsec tunnel, but they are only installed once the tunnel is up.

Useful links:

External: https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-7000/7000-ipsec-vpn-troubleshoot.htm

Scope

FortiGate 6000 
FortiGate 7000


Solution
Example Configuration:

# Phase 1

config vpn ipsec phase1-interface
    edit "swan_p1"
        set interface "v986"
        set ike-version 2
        set peertype any
        set proposal aes128-sha1
        set dhgrp 14
        set remote-gw 172.31.203.130
        set psksecret ENC xxxxxxx
    next
end

# Phase 2

config vpn ipsec phase2-interface
    edit "swan_p2"
        set phase1name "swan_p1"
        set proposal aes128-sha1
        set pfs disable
        set src-subnet 10.10.0.0 255.255.240.0
        set dst-subnet 10.118.0.0 255.255.0.0
    next
end

# Static route (the phase1 interface is the route's device; the missing "end" has been added)

config router static
    edit 2
        set dst 10.118.0.0 255.255.0.0
        set device "swan_p1"
    next
end

# IPsec routes on the FIM (run from the FIM in global context)

FG74E43E16****** [FIM01] (global) # diagnose test application fctrlproxyd 2
fcp route dump : last_update_time 992760
Slot:3
routecache entry: (1)
checksum:3B B2 EC 83 87 C9 04 11 4B E1 44 2F D3 5C F5 85
vd 4 seq:2 p1:swan_p1 p2: subnet:10.118.0.0 mask:255.255.0.0 enable:1
=========================================
Slot:4
routecache entry: (1)
checksum:3B B2 EC 83 87 C9 04 11 4B E1 44 2F D3 5C F5 85
vd 4 seq:2 p1:swan_p1 p2: subnet:10.118.0.0 mask:255.255.0.0 enable:1
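A practitioner checking this dump wants two things confirmed: that the expected subnet is present and enabled on every slot listed, and that all slots carry the same routecache checksum. The following Python script is an added example, not part of the article or of FortiOS; it parses a constructed copy of the dump above (values copied from the article) and reports any slot where the route is missing, disabled, or out of sync.

```python
import re
# Constructed sample modelled on the article's fctrlproxyd route dump (values copied from it).
SAMPLE_DUMP = """\
fcp route dump : last_update_time 992760
Slot:3
routecache entry: (1)
checksum:3B B2 EC 83 87 C9 04 11 4B E1 44 2F D3 5C F5 85
vd 4 seq:2 p1:swan_p1 p2: subnet:10.118.0.0 mask:255.255.0.0 enable:1
=========================================
Slot:4
routecache entry: (1)
checksum:3B B2 EC 83 87 C9 04 11 4B E1 44 2F D3 5C F5 85
vd 4 seq:2 p1:swan_p1 p2: subnet:10.118.0.0 mask:255.255.0.0 enable:1
"""
# One routecache entry line as printed by fctrlproxyd; the p2 field may be empty.
ROUTE_RE = re.compile(
    r"vd (?P<vd>\d+) seq:(?P<seq>\d+) p1:(?P<p1>\S+) p2:(?P<p2>\S*) "
    r"subnet:(?P<subnet>\S+) mask:(?P<mask>\S+) enable:(?P<enable>\d)")

def parse_route_dump(text):
    """Return {slot: {"checksum": str, "routes": [route dicts]}} from the dump text."""
    slots, slot = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Slot:"):
            slot = int(line.split(":", 1)[1])
            slots[slot] = {"checksum": None, "routes": []}
        elif slot is None:
            continue  # header lines before the first slot
        elif line.startswith("checksum:"):
            slots[slot]["checksum"] = line.split(":", 1)[1].strip()
        elif (m := ROUTE_RE.match(line)):
            route = m.groupdict()
            route["enable"] = route["enable"] == "1"
            slots[slot]["routes"].append(route)
    return slots

def check_route_injection(text, p1, subnet, mask):
    """List the problems found for one expected route; an empty list means all slots are consistent."""
    slots = parse_route_dump(text)
    problems = []
    # Every slot in the dump must carry the same routecache (identical checksum).
    if len({s["checksum"] for s in slots.values()}) != 1:
        problems.append("routecache checksums differ between slots (or no slots found)")
    for n, info in sorted(slots.items()):
        hit = [r for r in info["routes"]
               if (r["p1"], r["subnet"], r["mask"]) == (p1, subnet, mask)]
        if not hit:
            problems.append(f"slot {n}: {subnet}/{mask} via {p1} not injected")
        elif not hit[0]["enable"]:
            problems.append(f"slot {n}: route present but enable:0")
    return problems
```

Paste the real output of `diagnose test application fctrlproxyd 2` in place of the constructed sample to check a live chassis.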
# fctrlproxyd debugs upon route addition/removal

FG74E43E16****** [FIM01] (ipsec_s) # diag debug app fctrlproxyd -1
FG74E43E16****** [FIM01] (ipsec_s) # diag deb en

# static route pointing to vpn interface added


[fcp_proto_fim_recv:720] Recv pkt FCP_PUSH_ROUTE_INFO from slot 4
[routecache_slot_add_rt:231] Add p1:swan_p1 p2: rt:10.118.0.0/255.255.0.0 on slot4                 <----- Added to slot4
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 3
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 4
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 3
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 4
fcp_proto_proc_local_port_info 917: received port info from 2 entry_nr 17
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 3
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 4
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 3
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 4
send local port info entry_nr 38
fcp_proto_send_local_port_info 886: send packet len 1343 ret 1343
send local port info entry_nr 38
fcp_proto_send_local_port_info 886: send packet len 1343 ret 1343
send local port info entry_nr 38
fcp_proto_send_local_port_info 886: send packet len 1343 ret 1343

# static route pointing to vpn interface removed
[fcp_proto_fim_recv:720] Recv pkt FCP_PUSH_ROUTE_INFO from slot 4
[routecache_slot_del_rt:204] Delete p1:swan_p1 p2: rt:10.118.0.0/255.255.0.0 seq 2 vd 4 on slot4   <----- Removed from slot4
fcp_proto_proc_local_port_info 917: received port info from 2 entry_nr 17
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 3
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 4
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 3
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 4

