FortiGate
alif
Staff
Article Id 367975
Description: This article describes the behavior of the default gateway (default-gw) setting in the IPsec tunnel configuration on FortiGate.
Scope: FortiGate.
Solution:

Consider a dialup IPsec VPN tunnel configured on FortiGate as follows:


config vpn ipsec phase1-interface
    edit "dialup_IPsec"
        set type dynamic
        set interface "wan1"
        set keylife 28800
        set peertype any
        set net-device enable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.100.1
        set proposal aes256-sha1 aes128-sha1
        set dpd on-idle
        set xauthtype auto
        set reauth enable
        set authusrgrp "vpn_users"
        set default-gw 192.168.100.10
        set ipv4-start-ip 172.16.100.2
        set ipv4-end-ip 172.16.100.254
        set ipv4-netmask 255.255.255.0
        set psksecret ENC xxxx
        set dpd-retryinterval 5
    next
end


The default-gw value (192.168.100.10 here) is the IPv4 address of the default-route gateway to use for traffic exiting the tunnel interface. In this example it is the address assigned to the FortiGate's own 'port1' interface:


config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.100.10 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 17
    next
end


The routing table on FortiGate shows a single default route entry, pointing out of the 'wan1' interface:


FGT # get router info routing-table all
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 100.x.x.x, wan1, [1/0]


While no user is connected to the dialup IPsec VPN, the kernel routing table likewise shows a single default route entry:


FGT # get router info kernel
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=100.x.x.x dev=20(wan1)


Once a user connects via the dialup IPsec VPN, the routing table stays the same, but a second default route, pointing to the default-gw address via 'port1', is added to the kernel routing table:


FGT # get router info kernel
tab=254 vf=0 scope=0 type=1 proto=18 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.100.10 dev=52(port1) <------
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=100.x.x.x dev=20(wan1)


The proto field identifies the source protocol of each kernel route:

Proto        Source Protocol
11           ZebOS
18           HA Kernel Routes


Because the route with the lower priority value is preferred, the new prio=0 route via 'port1' takes precedence over the existing prio=1 route via 'wan1', which can disrupt traffic on the FortiGate. Existing sessions are not affected, but new sessions are routed via the 'port1' interface instead of 'wan1' and are dropped because no firewall policy matches, as the following debug flow trace shows:


id=65308 trace_id=83 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 192.168.110.127:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=1404."
id=65308 trace_id=83 func=init_ip_session_common line=6047 msg="allocate a new session-00217372"
id=65308 trace_id=83 func=iprope_dnat_check line=5281 msg="in-[port2], out-[]"
id=65308 trace_id=83 func=iprope_dnat_tree_check line=824 msg="len=0"
id=65308 trace_id=83 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=83 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-192.168.100.10 via port1"
id=65308 trace_id=83 func=iprope_fwd_check line=768 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=83 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=36, len=16"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-4294967295, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-129, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-440, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-439, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-190, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-313, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-24, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-24, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-436, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-435, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-434, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-434, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-432, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-433, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-430, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=83 func=__iprope_user_identity_check line=1807 msg="ret-matched"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2251 msg="policy-0 is matched, act-drop"
id=65308 trace_id=83 func=iprope_fwd_check line=805 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=83 func=iprope_fwd_auth_check line=824 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=83 func=iprope_shaping_check line=914 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0"
id=65308 trace_id=83 func=__iprope_check line=2281 msg="gnum-100015, check-00000000ae863391"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100015 policy-4, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100015 policy-3, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100015 policy-2, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check line=2298 msg="gnum-100015 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=83 func=iprope_policy_group_check line=4703 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=83 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 0)"
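To triage a trace like the one above without reading every policy-check line, the following added example (not part of the original article) reduces a debug flow trace to the route decision and the final verdict and flags the symptom described here: egress via an unexpected interface followed by a drop by the implicit deny policy 0. It assumes the `func=... msg="..."` line format shown above; the sample lines are an abridged copy of the article's trace.

```python
import re

# Abridged debug flow lines copied from the article's trace: the packet arrives
# on port2, the route lookup picks port1, and the implicit deny policy drops it.
TRACE = """\
id=65308 trace_id=83 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 192.168.110.127:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=1404."
id=65308 trace_id=83 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-192.168.100.10 via port1"
id=65308 trace_id=83 func=iprope_fwd_check line=768 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=83 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 0)"
"""

LINE_RE = re.compile(r'trace_id=(?P<tid>\d+) func=(?P<func>\S+) line=\d+ msg="(?P<msg>.*)"$')
ROUTE_RE = re.compile(r"find a route: .*gw-(?P<gw>\S+) via (?P<dev>\S+)")
FWD_RE = re.compile(r"in-\[(?P<in>[^\]]*)\], out-\[(?P<out>[^\]]*)\]")
DENY_RE = re.compile(r"Denied by forward policy check \(policy (?P<policy>\d+)\)")

def summarize_trace(text):
    """Collapse one trace_id's lines into the facts that matter for this issue."""
    summary = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a debug flow line
        summary.setdefault("trace_id", m["tid"])
        msg = m["msg"]
        if (r := ROUTE_RE.search(msg)):
            summary["gw"], summary["out_dev"] = r["gw"], r["dev"]
        elif m["func"] == "iprope_fwd_check" and (f := FWD_RE.search(msg)):
            summary["in_dev"], summary["out_dev"] = f["in"], f["out"]
        elif (d := DENY_RE.search(msg)):
            summary["verdict"] = "drop"
            summary["policy"] = int(d["policy"])
    return summary

def wrong_egress(summary, expected_dev):
    """True when the packet left via an interface other than expected_dev and
    then hit the implicit deny (policy 0): the symptom described in the article."""
    return (summary.get("out_dev") not in (None, expected_dev)
            and summary.get("verdict") == "drop" and summary.get("policy") == 0)
```

Run it over a full `diagnose debug flow` capture; a summary with out_dev 'port1' and policy 0 while the RIB default route points to 'wan1' is the signature of the pre-empted default route.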


To resolve this issue, set default-gw-priority under the IPsec phase1-interface configuration to a higher value (the default is 0), so that the injected default route is no longer preferred over the existing one:


config vpn ipsec phase1-interface
    edit "dialup_IPsec"
        set default-gw-priority 10
    next
end


Because the route with the lower priority value is preferred, the prio=1 route via 'wan1' now wins over the prio=10 route via 'port1', and traffic for new sessions is routed via the 'wan1' interface:


FGT # get router info kernel
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.100.10 dev=52(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=100.x.x.x dev=20(wan1)
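The selection rule the article relies on (lowest prio value wins among default routes) can be checked mechanically against `get router info kernel` output. The following added example, not part of the original article, parses the kernel route lines shown above for both the problem state and the fixed state and reports when the preferred default route does not leave via the interface the RIB default route points to. It assumes only the line format shown in the article; the masked `100.x.x.x` gateway is kept as printed there.

```python
import re
from collections import namedtuple

# Kernel route lines as printed by 'get router info kernel', copied from the
# article: the table before and after 'set default-gw-priority 10'.
BEFORE_FIX = """\
tab=254 vf=0 scope=0 type=1 proto=18 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.100.10 dev=52(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=100.x.x.x dev=20(wan1)
"""
AFTER_FIX = """\
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.100.10 dev=52(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=100.x.x.x dev=20(wan1)
"""

# Source-protocol numbers as listed in the article.
SOURCE_PROTO = {11: "ZebOS", 18: "HA Kernel Routes"}

KernelRoute = namedtuple("KernelRoute", "proto prio dst gwy dev")
ROUTE_RE = re.compile(
    r"proto=(?P<proto>\d+) prio=(?P<prio>\d+) \S+->(?P<dst>\S+) "
    r"pref=\S+ gwy=(?P<gwy>\S+) dev=\d+\((?P<dev>[^)]+)\)"
)

def parse_kernel_routes(text):
    """Parse kernel route lines; lines that do not match the format are skipped."""
    routes = []
    for m in (ROUTE_RE.search(line) for line in text.splitlines()):
        if m:
            routes.append(KernelRoute(int(m["proto"]), int(m["prio"]),
                                      m["dst"], m["gwy"], m["dev"]))
    return routes

def preferred_default_route(routes):
    """The kernel prefers the default route with the lowest prio value."""
    defaults = [r for r in routes if r.dst == "0.0.0.0/0"]
    return min(defaults, key=lambda r: r.prio, default=None)

def default_gw_preempted(text, expected_dev):
    """Return a finding if the preferred kernel default route does not leave via
    expected_dev (the interface the RIB default route points to), else None."""
    best = preferred_default_route(parse_kernel_routes(text))
    if best is None or best.dev == expected_dev:
        return None
    return (f"default route pre-empted: prio={best.prio} via {best.dev} "
            f"gwy={best.gwy} proto={best.proto} ({SOURCE_PROTO.get(best.proto, 'unknown')})")

if __name__ == "__main__":
    print(default_gw_preempted(BEFORE_FIX, "wan1"))  # reports the prio=0 route via port1
    print(default_gw_preempted(AFTER_FIX, "wan1"))   # None
```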


Related articles:
Technical Tip: FortiGate - Viewing FIB/RIB routing information in CLI
Technical Tip: Understanding kernel routing table
