Created on 06-01-2022 11:53 AM Edited on 06-01-2022 12:08 PM By Anonymous
Description
This article describes how to add an automatic route towards each remote side with a different subnet when multiple Dial-Up VPN Clients are used.
If there are 300+ Dial-Up Clients, then it would be hectic to add a quick mode selector in phase 2 for each Dial-Up client. So, this article describes how to add an automatic route toward each remote subnet through the tunnel with only one quick mode selector.
Scope
FortiOS.
Solution
Whenever a Dial-Up VPN is created, an automatic route is always created on the HO FortiGate where the Dial-Up server is configured. The route points towards the destination configured as the remote address in the phase 2 quick mode selectors.
- The 'Add route' setting must be enabled in the VPN settings for automatic route creation.
If 0.0.0.0/0 is added as the remote address in the quick mode selectors, a default route via the tunnel interface is added, which will affect the internet traffic:
Routing table for VRF=0
S 0.0.0.0/0 [15/0] via HO tunnel 10.40.19.15, [1/0]
S *> 0.0.0.0/0 [10/0] via 10.40.31.254, port1, [1/0]
(port1 is the WAN link)
If a specific subnet is added as the remote address in the quick mode selectors, a specific route for that subnet is installed via the tunnel interface. However, with multiple Dial-Up users (300+), one would need to keep adding 300 quick mode selectors, which is hectic.
Let's take the example shown in the diagram below: -
HO Subnet: - 10.10.10.0/24
BO1 Subnet: - 30.30.30.0/24
BO2 Subnet: - 20.20.20.0/24
The configuration to be done is as follows:-
HO quick mode selector configuration: -
Add the local address as 10.10.10.0/24 and leave the remote address as 0.0.0.0/0, since there will be multiple Dial-Up clients with different subnets and a single quick mode selector is enough. To avoid creating a default route that conflicts with the Internet default route, certain changes need to be made on the BO FortiGates.
BO1 quick mode selector configuration: -
BO2 quick mode selector configuration: -
In all the branches, do not leave any quick mode selector as 0.0.0.0/0.
Add the local subnet as per the branch subnet; the remote subnet is the same for all the branches, namely the HO subnet.
Now looking at the routing table in HO FortiGate: -
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.40.31.254, port1, [1/0]
S 20.20.20.0/24 [15/0] via HO tunnel 10.40.19.60, [1/0]
S 30.30.30.0/24 [15/0] via HO tunnel 10.40.19.15, [1/0]
Users can see automatic routes for the two branch subnets through the tunnel interface, even though 0.0.0.0/0 is the remote address in the HO FortiGate phase 2 quick mode selectors, because the quick mode selectors configured in each branch are automatically populated in the HO FortiGate.
Another scenario:-
- Suppose there are multiple subnets in one BO. In that case, the quick mode selectors need to be configured as below in the BO:
No need to change anything in HO.
Now the routing table in HO FortiGate looks like:-
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 10.40.31.254, port1, [1/0]
S 20.20.20.0/24 [15/0] via HO tunnel 10.40.19.60, [1/0]
S 30.30.30.0/24 [15/0] via HO tunnel 10.40.19.15, [1/0]
S 40.40.40.0/24 [15/0] via HO tunnel 10.40.19.15, [1/0]
Now subnets 30.30.30.0/24 & 40.40.40.0/24 are reachable via tunnel 10.40.19.15.
- What happens if the local subnet is left as 0.0.0.0/0 in BO FortiGate:
Here the BO2 local subnet is configured as 0.0.0.0/0, and one can see in the routing table that only for BO1 has a specific route for its subnet been created; for BO2 there is a default route.
Routing table for VRF=0
S 0.0.0.0/0 [15/0] via HO tunnel 10.40.19.60, [1/0]
S *> 0.0.0.0/0 [10/0] via 10.40.31.254, port1, [1/0]
S *> 30.30.30.0/24 [15/0] via HO tunnel 10.40.19.15, [1/0]
Conclusion: -
One should leave the remote address as 0.0.0.0/0 in the HO FortiGate, configure the individual subnets in every BO FortiGate, and add both the local and remote addresses in the BO FortiGate.
The IKE debug output looks like this:
ike 0:HO_0:60039:181840: peer proposal is: peer:0:20.20.20.0-20.20.20.255:0, me: 0:10.10.10.0-10.10.10.255:0
ike 0:HO_0:60039:HO:181840: IPsec SA selectors #src=1 #dst=1
ike 0:HO_0:60039:HO:181840: src 0 7 0:10.10.10.0-10.10.10.255:0
ike 0:HO_0:60039:HO:181840: dst 0 7 0:20.20.20.0-20.20.20.255:0
ike 0:HO_0:60039:HO:181840: add dynamic IPsec SA selectors
ike 0:HO_0:60039:HO:181840: added dynamic IPsec SA proxyids, new serial 1
ike 0:HO:181840: add route 20.20.20.0/255.255.255.0 gw 10.40.19.60 oif HO(27) metric 15 priority 1
ike 0:HO_1:60040:181841: peer proposal is: peer:0:30.30.30.0-30.30.30.255:0, me: 0:10.10.10.0-10.10.10.255:0
ike 0:HO_0:60039: sent IKE msg (quick_r1send): 10.40.19.12:500 > 10.40.19.60:500, len=380, vrf=0, id=d685be3f62423893/10819ab514477771:010443ba
ike 0:HO_1:60040:HO:181841: replay protection enabled
ike 0:HO_1:60040:HO:181841: SA life soft seconds=43188.
ike 0:HO_1:60040:HO:181841: SA life hard seconds=43200.
ike 0:HO_1:60040:HO:181841: IPsec SA selectors #src=1 #dst=1
ike 0:HO_1:60040:HO:181841: src 0 7 0:10.10.10.0-10.10.10.255:0
ike 0:HO_1:60040:HO:181841: dst 0 7 0:30.30.30.0-30.30.30.255:0
ike 0:HO_1:60040:HO:181841: add dynamic IPsec SA selectors
ike 0:HO_1:60040:HO:181841: added dynamic IPsec SA proxyids, new serial 1
ike 0:HO:181841: add route 30.30.30.0/255.255.255.0 gw 10.40.19.15 oif HO(27) metric 15 priority 1
It shows the subnets received from the branch sides, which are then added to the routing table. The distance and priority used here are 15 and 1, which are the default values; they can be changed in the phase 1 settings through the CLI:-
config vpn ipsec phase1-interface
    edit <tunnel_name>
        set distance <1-255>
        set priority <0-4294967295>
    next
end
Note:-
- The distance and priority entries are only available under the phase1-interface settings when the type is set to dynamic (set type dynamic).
- On the BO side, a static route needs to be configured to reach the HO subnets; the automatic route is only added in the HO FortiGate where the dial-up server has been configured.
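As an added example (not part of this article and not Fortinet code), the following Python script parses routing-table lines like those shown for the misconfigured BO2 scenario, and the 'peer proposal' / 'add route' lines from the IKE debug output, and flags a dial-up peer whose local selector was left as 0.0.0.0/0 so that a default route was installed over the tunnel. It also reports whether that route would be preferred over the WAN default (lower distance wins, then lower priority). The sample lines are constructed from the output shown above; the two debug lines for a peer proposing 0.0.0.0-255.255.255.255 are an assumption about the format such a branch would produce, and the tunnel name "HO" and WAN interface "port1" are taken from the article.

```python
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network, summarize_address_range

# Constructed sample, modelled on the routing table for the misconfigured BO2
# (local selector left as 0.0.0.0/0): a second default route appears via the HO tunnel.
ROUTING_TABLE = """\
Routing table for VRF=0
S       0.0.0.0/0 [15/0] via HO tunnel 10.40.19.60, [1/0]
S    *> 0.0.0.0/0 [10/0] via 10.40.31.254, port1, [1/0]
S    *> 30.30.30.0/24 [15/0] via HO tunnel 10.40.19.15, [1/0]
"""

# Constructed sample of IKE debug lines. The last two lines (a peer proposing
# 0.0.0.0-255.255.255.255) are an ASSUMPTION about the format; not from the article.
IKE_DEBUG = """\
ike 0:HO_0:60039:181840: peer proposal is: peer:0:20.20.20.0-20.20.20.255:0, me: 0:10.10.10.0-10.10.10.255:0
ike 0:HO:181840: add route 20.20.20.0/255.255.255.0 gw 10.40.19.60 oif HO(27) metric 15 priority 1
ike 0:HO_1:60040:181841: peer proposal is: peer:0:0.0.0.0-255.255.255.255:0, me: 0:10.10.10.0-10.10.10.255:0
ike 0:HO:181841: add route 0.0.0.0/0.0.0.0 gw 10.40.19.15 oif HO(27) metric 15 priority 1
"""

ROUTE_RE = re.compile(
    r"^S[*>\s]*(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+"
    r"\[(?P<distance>\d+)/(?P<metric>\d+)\]\s+via\s+(?P<via>[^\[]+?),\s+\[(?P<priority>\d+)/\d+\]"
)
PROPOSAL_RE = re.compile(r"peer proposal is: peer:\d+:(?P<lo>[\d.]+)-(?P<hi>[\d.]+):\d+")
ADD_ROUTE_RE = re.compile(
    r"add route (?P<net>[\d.]+)/(?P<mask>[\d.]+) gw (?P<gw>[\d.]+) oif (?P<oif>\w+)\(\d+\)"
    r" metric (?P<metric>\d+) priority (?P<priority>\d+)"
)


@dataclass
class StaticRoute:
    prefix: IPv4Network
    distance: int
    metric: int
    priority: int
    via: str  # e.g. "HO tunnel 10.40.19.60" or "10.40.31.254, port1"

    def uses_interface(self, name: str) -> bool:
        # Interface names appear as whole tokens in the 'via' text (comma-separated for WAN).
        return name in (tok.strip(",") for tok in self.via.split())


def parse_routing_table(text: str) -> list[StaticRoute]:
    """Extract static ('S') entries from routing-table output."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            routes.append(StaticRoute(ip_network(m["prefix"]), int(m["distance"]),
                                      int(m["metric"]), int(m["priority"]), m["via"].strip()))
    return routes


def audit_routing_table(text: str, tunnel: str, wan: str) -> list[str]:
    """Flag IKE-installed default routes over the dial-up tunnel and say whether
    they would win over the WAN default route (lower distance, then lower priority)."""
    routes = parse_routing_table(text)
    wan_defaults = [r for r in routes if r.prefix.prefixlen == 0 and r.uses_interface(wan)]
    findings = []
    for r in routes:
        if r.prefix.prefixlen == 0 and r.uses_interface(tunnel):
            wins = not wan_defaults or any(
                (r.distance, r.priority) < (w.distance, w.priority) for w in wan_defaults)
            verdict = ("PREFERRED over WAN default: internet traffic will enter the tunnel"
                       if wins else "WAN default still preferred, but a branch has local 0.0.0.0/0")
            findings.append(f"default route via {tunnel} ({r.via}) distance {r.distance}: {verdict}")
    return findings


def parse_ike_routes(text: str) -> list[tuple[IPv4Network, str, int, int]]:
    """Return (network, gateway, metric, priority) for every 'add route' debug line."""
    out = []
    for line in text.splitlines():
        m = ADD_ROUTE_RE.search(line)
        if m:
            out.append((ip_network(f"{m['net']}/{m['mask']}"), m["gw"],
                        int(m["metric"]), int(m["priority"])))
    return out


def peer_proposals(text: str) -> list[IPv4Network]:
    """Turn each 'peer proposal' address range into the prefix(es) it covers."""
    nets = []
    for line in text.splitlines():
        m = PROPOSAL_RE.search(line)
        if m:
            nets.extend(summarize_address_range(ip_address(m["lo"]), ip_address(m["hi"])))
    return nets


def audit_ike_debug(text: str) -> list[str]:
    """Name every peer gateway for which IKE installed a 0.0.0.0/0 route."""
    return [f"peer {gw} proposed 0.0.0.0/0 as its local selector; fix that branch's phase 2"
            for net, gw, _, _ in parse_ike_routes(text) if net.prefixlen == 0]


if __name__ == "__main__":
    for finding in audit_routing_table(ROUTING_TABLE, "HO", "port1") + audit_ike_debug(IKE_DEBUG):
        print(finding)
```

Run the script as-is against the constructed samples, or paste the real routing table and IKE debug output into the two strings; the only assumptions are the tunnel and WAN interface names passed to audit_routing_table.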