Description
When a NATed session is created on the FortiGate and a later route change affects the session's destination IP address, the outgoing interface of that session is not changed. This behavior is by design: the outgoing interface is chosen when the session is created and is kept for the lifetime of the session.
This can cause problems in IPsec deployments, for example where a static default route points out of a physical interface and a more specific static route for the remote network points to an IPsec tunnel interface.
When the IPsec tunnel goes down, the more specific route over the tunnel is removed from the routing table. Traffic for the remote network then matches the default route, which at that moment is the best remaining route, and a NATed session is created with the physical interface as its outgoing interface.
Once that session exists, traffic for the remote network keeps using it even after the IPsec interface comes back up and the static route over the tunnel is reinstalled, so it continues to leave through the interface of the default route instead of the tunnel.
Scope
FortiGate.
Solution
There are two options to change this behavior:
- Add a deny policy above the existing allow policy, matching the destination addresses that must go through the VPN tunnel with the physical interface of the default route as the destination interface. While the tunnel is down, this traffic is dropped instead of creating a NATed session out of the physical interface.
- Add a blackhole route for the destination network reachable via the VPN tunnel, with an administrative distance higher than that of the IPsec static route (the default distance of a static route is 10). While the tunnel is down, the blackhole route is more specific than the default route, so the traffic is discarded and no session is created. When the IPsec interface comes up, its static route has the lower distance and takes precedence over the blackhole route.
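Both options written out as a FortiOS CLI example. This is an added illustration, not configuration from the original article. The interface names (internal, wan1, to_hq), the remote network 10.10.10.0/24, the address object HQ_LAN, the policy IDs and the blackhole distance of 200 are assumptions chosen for the example.

```fortios
# Added example, not from the original article.
# Assumed names: wan1 holds the static default route, to_hq is the IPsec
# tunnel interface, internal is the LAN, 10.10.10.0/24 is the remote network.

# Option 2: static route over the tunnel plus a higher-distance blackhole route.
config router static
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set device "to_hq"
        set distance 10
        set comment "Preferred: remote network via the IPsec tunnel"
    next
    edit 0
        set dst 10.10.10.0 255.255.255.0
        set blackhole enable
        set distance 200
        set comment "Tunnel down: more specific than 0.0.0.0/0, loses to the tunnel route by distance"
    next
end

# Option 1: deny policy that stops tunnel destinations from leaving via wan1.
config firewall address
    edit "HQ_LAN"
        set subnet 10.10.10.0 255.255.255.0
    next
end
config firewall policy
    edit 0
        set name "deny-HQ_LAN-via-wan1"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "HQ_LAN"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
# The deny policy has to be evaluated before the allow policy that NATs LAN
# traffic out of wan1. Assuming the new policy received ID 20 and the existing
# internal-to-wan1 allow policy is ID 5:
config firewall policy
    move 20 before 5
end
```

Either option only prevents new sessions from being created over the default route. A NATed session that was already established out of wan1 while the tunnel was down stays pinned to wan1 until it expires or is cleared; to clear it, set a session filter first (for example diagnose sys session filter dst 10.10.10.0 10.10.10.255) and only then run diagnose sys session clear, since without a filter that command clears every session on the unit. Use get router info routing-table all to confirm that the 10.10.10.0/24 entry points to to_hq while the tunnel is up and to the blackhole while it is down.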