- Fortinet Forum
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCWP
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiPortal
- FortiProxy
- FortiRecorder
- FortiSandbox
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- Customer Service
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: How to Identify the remote subnet r...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Email to a Friend
- Printer Friendly Page
- Report Inappropriate Content
Description
This article explains how to Identify the remote subnet routes injected on FortiGate 7000/6000.
Remote subnets route injection:
To reach static IPSec VPN tunnels remote subnets, static routes using the tunnel phase1 interface are needed in configuration.
Whenever such new routes are configured on the master FPM, the FPM would send a notification message to the FIM to force ipsec destination subnets to be delivered on the master FPM.
This is a requirement since only the master FPM can process ipsec tunnels. This notification is handled by daemon ‘fctrlproxyd’.
When an IPsec tunnel is up, flow rules are automatically pushed to motherboard to force traffic encryption. Flow rules are either based on phase2 selectors or routes towards a tunnel interface.
As of 5.6.6 (B4184), flow rules are pushed based on static routes towards an ipsec tunnel but only installed when the tunnel is up.
Useful links:
External
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-7000/7000-ipsec-vpn-troubleshoot.htm
Scope
Solution
Example Configuration:
# Phase 1
Internal Notes
https://fortivision.fortinet.com/index.php?/topic/14110-fortigate-7000-series-for-tac/
This article explains how to Identify the remote subnet routes injected on FortiGate 7000/6000.
Remote subnets route injection:
To reach static IPSec VPN tunnels remote subnets, static routes using the tunnel phase1 interface are needed in configuration.
Whenever such new routes are configured on the master FPM, the FPM would send a notification message to the FIM to force ipsec destination subnets to be delivered on the master FPM.
This is a requirement since only the master FPM can process ipsec tunnels. This notification is handled by daemon ‘fctrlproxyd’.
When an IPsec tunnel is up, flow rules are automatically pushed to motherboard to force traffic encryption. Flow rules are either based on phase2 selectors or routes towards a tunnel interface.
As of 5.6.6 (B4184), flow rules are pushed based on static routes towards an ipsec tunnel but only installed when the tunnel is up.
Useful links:
External
https://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-7000/7000-ipsec-vpn-troubleshoot.htm
Scope
FortiGate 6000
FortiGate 7000
Solution
Example Configuration:
# Phase 1
#config vpn ipsec phase1-interface# Phase 2
edit "swan_p1"
set interface "v986"
set ike-version 2
set peertype any
set proposal aes128-sha1
set dhgrp 14
set remote-gw 172.31.203.130
set psksecret ENC xxxxxxx
next
end
#config vpn ipsec phase2-interface# Static route
edit "swan_p2"
set phase1name "swan_p1"
set proposal aes128-sha1
set pfs disable
set src-subnet 10.10.0.0 255.255.240.0
set dst-subnet 10.118.0.0 255.255.0.0
next
end
#config router static# IPSEC routes on the FIM
edit 2
set dst 10.118.0.0 255.255.0.0
set device "swan_p1"
next
#FG74E43E16****** [FIM01] (global) # diagnose test application fctrlproxyd 2
fcp route dump : last_update_time 992760
Slot:3
routecache entry: (1)
checksum:3B B2 EC 83 87 C9 04 11 4B E1 44 2F D3 5C F5 85
vd 4 seq:2 p1:swan_p1 p2: subnet:10.118.0.0 mask:255.255.0.0 enable:1
=========================================
Slot:4
routecache entry: (1)
checksum:3B B2 EC 83 87 C9 04 11 4B E1 44 2F D3 5C F5 85
vd 4 seq:2 p1:swan_p1 p2: subnet:10.118.0.0 mask:255.255.0.0 enable:1
#fctrlproxyd debugs upon route addition/removal
FG74E43E16****** [FIM01] (ipsec_s) # diag debug app fctrlproxyd -1
FG74E43E16****** [FIM01] (ipsec_s) # diag deb en
# static route pointing to vpn interface added
[fcp_proto_fim_recv:720] Recv pkt FCP_PUSH_ROUTE_INFO from slot 4
[routecache_slot_add_rt:231] Add p1:swan_p1 p2: rt:10.118.0.0/255.255.0.0 on slot4 <----- Added to slot4
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 3
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 4
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 3
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 4
fcp_proto_proc_local_port_info 917: received port info from 2 entry_nr 17
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 3
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 4
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 3
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 4
send local port info entry_nr 38
fcp_proto_send_local_port_info 886: send packet len 1343 ret 1343
send local port info entry_nr 38
fcp_proto_send_local_port_info 886: send packet len 1343 ret 1343
send local port info entry_nr 38
fcp_proto_send_local_port_info 886: send packet len 1343 ret 1343
# static route pointing to vpn interface removed
[fcp_proto_fim_recv:720] Recv pkt FCP_PUSH_ROUTE_INFO from slot 4
[routecache_slot_del_rt:204] Delete p1:swan_p1 p2: rt:10.118.0.0/255.255.0.0 seq 2 vd 4 on slot4 <----- Removed from slot4
fcp_proto_proc_local_port_info 917: received port info from 2 entry_nr 17
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 3
[fcp_proto_send_route_cs_req:307] Send pkt FCP_GET_ROUTE_CHECK_SUM to slot 4
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 3
[fcp_proto_fim_recv:725] Recv pkt FCP_GET_ROUTE_CHECK_SUM_RET from slot 4
Internal Notes
https://fortivision.fortinet.com/index.php?/topic/14110-fortigate-7000-series-for-tac/
Labels:
News & Articles
Security Research
Company
- Copyright 2021 Fortinet, Inc. All Rights Reserved.
- Terms of Service
- Privacy Policy
- GDPR