martinsd
Staff
Article Id 254489
Description This article describes how to check and manipulate the priority of specific default routes for IPSec tunnels.
Scope FortiGate.
Solution

It is possible to configure a specific default route for each IPSec tunnel, so that the tunnel is established through that gateway.

 

For example:

 

# config vpn ipsec phase1-interface
    edit "XPTO_Tunnel"
        set type dynamic
        set interface "vlan100"
        set local-gw 1.1.1.1
        set mode aggressive
        set peertype one
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set dpd on-idle
        set wizard-type dialup-fortigate
        set peerid "peerxpto"
        set default-gw 1.1.1.2
        set psksecret 12345678
    next
end

 

To check this route, run the following command in the FortiGate CLI. In the example output below, the line with gwy=1.1.1.2 is the default route installed for the tunnel, and prio=0 is its current priority value:

 

# get router info kernel
tab=254 vf=0 scope=0 type=1 proto=17 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=1.1.1.2 dev=45(vlan100)

 

To raise the priority value of this route, run the following configuration (FortiGate prefers the route with the lower priority value, so a higher value makes this default route less preferred than a default route with a lower value):

 

# config vpn ipsec phase1-interface
    edit "XPTO_Tunnel"
        set default-gw-priority 100
    next
end

 

# get router info kernel
tab=254 vf=0 scope=0 type=1 proto=17 prio=100 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=1.1.1.2 dev=45(vlan100)
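As an added example (not part of the original article), the following Python script parses `get router info kernel` output in the line format shown above, lists the default routes in order of preference, and verifies that the tunnel's default gateway carries the expected priority value. The sample output is constructed; the gateway 192.0.2.1 and the interface names wan1 and internal are assumed.

```python
import re

# Constructed sample in the line format printed by `get router info kernel`
# (not captured from a real device): the tunnel's default route after
# `set default-gw-priority 100`, a second default route via an assumed WAN
# gateway, and one non-default route without a gateway.
SAMPLE_OUTPUT = """\
tab=254 vf=0 scope=0 type=1 proto=17 prio=100 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=1.1.1.2 dev=45(vlan100)
tab=254 vf=0 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.0.2.1 dev=3(wan1)
tab=254 vf=0 scope=0 type=1 proto=2 prio=0 0.0.0.0/0.0.0.0/0->10.0.0.0/24 pref=10.0.0.1 dev=5(internal)
"""

KV_RE = re.compile(r"(\w+)=(\S+)")   # key=value fields such as prio=100, gwy=1.1.1.2
DST_RE = re.compile(r"->(\S+)")      # destination prefix follows the "->"


def parse_kernel_routes(text):
    """Return one dict per route line: prio (int), dst, gwy (None if absent), dev."""
    routes = []
    for line in text.splitlines():
        if not line.startswith("tab="):
            continue  # skip prompt echoes and blank lines
        kv = dict(KV_RE.findall(line))
        dst = DST_RE.search(line)
        routes.append({
            "prio": int(kv.get("prio", "0")),
            "dst": dst.group(1) if dst else None,
            "gwy": kv.get("gwy"),
            "dev": kv.get("dev"),
        })
    return routes


def default_routes(text):
    """Default routes (dst 0.0.0.0/0), most preferred first.

    FortiGate prefers the lower priority value, so sort ascending by prio."""
    return sorted((r for r in parse_kernel_routes(text) if r["dst"] == "0.0.0.0/0"),
                  key=lambda r: r["prio"])


def check_gateway_priority(text, gwy, expected_prio):
    """True if a default route via `gwy` carries exactly `expected_prio`."""
    return any(r["gwy"] == gwy and r["prio"] == expected_prio
               for r in default_routes(text))


if __name__ == "__main__":
    for r in default_routes(SAMPLE_OUTPUT):
        print(f"prio={r['prio']:<4} gwy={r['gwy']:<12} dev={r['dev']}")
    print("tunnel default route at prio 100:",
          check_gateway_priority(SAMPLE_OUTPUT, "1.1.1.2", 100))
```

Paste the real CLI output into SAMPLE_OUTPUT (or read it from a file) to confirm that the value set with `set default-gw-priority` actually appears in the kernel route.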
