Solution
Consider a dialup IPsec VPN tunnel configured on FortiGate as follows:
config vpn ipsec phase1-interface
    edit "dialup_IPsec"
        set type dynamic
        set interface "wan1"
        set keylife 28800
        set peertype any
        set net-device enable
        set mode-cfg enable
        set ipv4-dns-server1 192.168.100.1
        set proposal aes256-sha1 aes128-sha1
        set dpd on-idle
        set xauthtype auto
        set reauth enable
        set authusrgrp "vpn_users"
        set default-gw 192.168.100.10
        set ipv4-start-ip 172.16.100.2
        set ipv4-end-ip 172.16.100.254
        set ipv4-netmask 255.255.255.0
        set psksecret ENC xxxx
        set dpd-retryinterval 5
    next
end
The default-gw value 192.168.100.10 is the IPv4 address of the default route gateway used for traffic exiting the IPsec interface. On this FortiGate, that address is configured on the 'port1' interface:
config system interface
    edit "port1"
        set vdom "root"
        set ip 192.168.100.10 255.255.255.0
        set allowaccess ping
        set type physical
        set snmp-index 17
    next
end
The FortiGate routing table shows a single default route, pointing out the 'wan1' interface:
FGT # get router info routing-table all
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 100.x.x.x, wan1, [1/0]
While no user is connected to the dialup IPsec VPN, the kernel routing table also shows only that one default route:
FGT # get router info kernel
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=100.x.x.x dev=20(wan1)
Once a user connects via the dialup IPsec VPN, the routing table (RIB) stays the same, but a second default route, pointing to the default-gw address via 'port1', is added to the kernel routing table (FIB):
FGT # get router info kernel
tab=254 vf=0 scope=0 type=1 proto=18 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.100.10 dev=52(port1)    <------
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=100.x.x.x dev=20(wan1)
Proto   Source Protocol
11      ZebOS
18      HA Kernel Routes
Because the lower prio value is preferred, the new proto=18 entry (prio=0) now wins over the static default route (prio=1), which can disrupt traffic on the FortiGate. Existing sessions are not affected, but new sessions are routed out 'port1' instead of 'wan1' and are dropped because no firewall policy matches, as the following debug flow shows:
id=65308 trace_id=83 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 192.168.110.127:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=1404."
id=65308 trace_id=83 func=init_ip_session_common line=6047 msg="allocate a new session-00217372"
id=65308 trace_id=83 func=iprope_dnat_check line=5281 msg="in-[port2], out-[]"
id=65308 trace_id=83 func=iprope_dnat_tree_check line=824 msg="len=0"
id=65308 trace_id=83 func=iprope_dnat_check line=5293 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=83 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-192.168.100.10 via port1"
id=65308 trace_id=83 func=iprope_fwd_check line=768 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=83 func=__iprope_tree_check line=524 msg="gnum-100004, use int hash, slot=36, len=16"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-4294967295, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-129, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-440, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-439, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-190, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-313, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-24, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-24, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-436, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-435, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-434, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-434, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-432, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-433, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-430, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100004 policy-0, ret-matched, act-accept"
id=65308 trace_id=83 func=__iprope_user_identity_check line=1807 msg="ret-matched"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2251 msg="policy-0 is matched, act-drop"
id=65308 trace_id=83 func=iprope_fwd_check line=805 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=83 func=iprope_fwd_auth_check line=824 msg="after iprope_captive_check(): is_captive-0, ret-matched, act-drop, idx-0"
id=65308 trace_id=83 func=iprope_shaping_check line=914 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0"
id=65308 trace_id=83 func=__iprope_check line=2281 msg="gnum-100015, check-00000000ae863391"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100015 policy-4, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100015 policy-3, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check_one_policy line=2033 msg="checked gnum-100015 policy-2, ret-no-match, act-accept"
id=65308 trace_id=83 func=__iprope_check line=2298 msg="gnum-100015 check result: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=83 func=iprope_policy_group_check line=4703 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=83 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 0)"
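When a debug flow capture like the one above is long, the two records that matter for this symptom are the route lookup ("find a route ... via port1") and the final forward-handler verdict. The following added example (not Fortinet code and not part of the original article) parses debug flow records into a per-trace summary and flags traces whose egress interface differs from the one the design expects. The DEBUG_FLOW text is a constructed excerpt of the trace above; the expected egress 'wan1' is an assumption taken from this article's topology.

```python
import re
from typing import Dict, List

# Constructed excerpt of the "diagnose debug flow" trace above, one record per line.
# The many __iprope_check_one_policy records are omitted; they are not needed for triage.
DEBUG_FLOW = '''\
id=65308 trace_id=83 func=print_pkt_detail line=5862 msg="vd-root:0 received a packet(proto=1, 192.168.110.127:1->8.8.8.8:2048) tun_id=0.0.0.0 from port2. type=8, code=0, id=1, seq=1404."
id=65308 trace_id=83 func=init_ip_session_common line=6047 msg="allocate a new session-00217372"
id=65308 trace_id=83 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-192.168.100.10 via port1"
id=65308 trace_id=83 func=iprope_fwd_check line=768 msg="in-[port2], out-[port1], skb_flags-02000000, vid-0, app_id: 0, url_cat_id: 0"
id=65308 trace_id=83 func=fw_forward_handler line=837 msg="Denied by forward policy check (policy 0)"
'''

# One debug-flow record: four key=value tokens followed by a quoted msg.
# finditer() also copes with extraction output that runs several records onto one line.
RECORD_RE = re.compile(r'id=(\d+) trace_id=(\d+) func=(\S+) line=(\d+) msg="([^"]*)"')
# Sub-patterns for the records this triage cares about.
PKT_RE = re.compile(r"received a packet\(proto=(\d+), (\S+)->(\S+)\) .*?from (\S+)\.")
ROUTE_RE = re.compile(r"find a route: flag=\S+ gw-(\S+) via (\S+)")
FWD_RE = re.compile(r"in-\[([^\]]*)\], out-\[([^\]]*)\]")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split raw debug-flow text into one dict per record."""
    return [
        {"id": m[1], "trace_id": m[2], "func": m[3], "line": m[4], "msg": m[5]}
        for m in RECORD_RE.finditer(text)
    ]


def summarize_traces(text: str) -> Dict[str, Dict[str, str]]:
    """Per trace_id: packet endpoints, ingress/egress interfaces, gateway and final verdict."""
    traces: Dict[str, Dict[str, str]] = {}
    for rec in parse_records(text):
        t = traces.setdefault(rec["trace_id"], {})
        msg = rec["msg"]
        if (m := PKT_RE.search(msg)):
            t.update(proto=m[1], src=m[2], dst=m[3], ingress=m[4])
        elif (m := ROUTE_RE.search(msg)):
            t.update(gateway=m[1], egress=m[2])
        elif rec["func"] == "iprope_fwd_check" and (m := FWD_RE.search(msg)):
            t.setdefault("egress", m[2])   # route lookup normally set this already
        elif rec["func"] == "fw_forward_handler":
            t["verdict"] = msg              # the forward handler states the final decision
    return traces


def misrouted_traces(traces: Dict[str, Dict[str, str]], expected_egress: str) -> List[str]:
    """Trace ids whose packet left via an interface other than the designed egress."""
    return sorted(tid for tid, t in traces.items()
                  if t.get("egress") and t["egress"] != expected_egress)


if __name__ == "__main__":
    summary = summarize_traces(DEBUG_FLOW)
    for tid, t in summary.items():
        print(f"trace {tid}: {t.get('src')} -> {t.get('dst')} in {t.get('ingress')} "
              f"out {t.get('egress')} gw {t.get('gateway')}: {t.get('verdict')}")
    # Internet-bound traffic in this design should leave via wan1 (assumption from the article).
    print("misrouted:", misrouted_traces(summary, expected_egress="wan1"))
```

Running it on a capture taken while the problem is present prints trace 83 leaving via port1 with the "Denied by forward policy check (policy 0)" verdict and lists it as misrouted; the same check on a capture taken after the fix below returns an empty list.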
To resolve this issue, set default-gw-priority in the phase1-interface configuration to a higher value than the existing default route's priority (the default is 0, which beats the static route's prio=1):
config vpn ipsec phase1-interface
    edit "dialup_IPsec"
        set default-gw-priority 10
    next
end
With the IPsec default route now at prio=10 and the lower value preferred, the static default route (prio=1) wins again and traffic for new sessions is routed via the 'wan1' interface:
FGT # get router info kernel
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.100.10 dev=52(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=100.x.x.x dev=20(wan1)
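The before-and-after kernel tables above can be checked mechanically: parse each "get router info kernel" entry, pick the default route with the lowest prio, and flag the case where the proto=18 (HA Kernel Routes) entry injected for the phase1 default-gw outranks the proto=11 (ZebOS) static default route. The following added example does that; it is not Fortinet code and not part of the original article. The two KERNEL_* texts are constructed from the outputs above, with 100.64.0.1 as a placeholder for the masked wan1 gateway, and the rule "lowest prio wins, first listed entry on a tie" is an assumption for the tie case, which the article does not cover.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Route sources, as in the Proto / Source Protocol table above.
PROTO_SOURCE = {11: "ZebOS", 18: "HA Kernel Routes"}

# Constructed samples: kernel table with a connected dialup user, before and after
# setting default-gw-priority 10. 100.64.0.1 stands in for the masked 100.x.x.x gateway.
KERNEL_BEFORE = """\
tab=254 vf=0 scope=0 type=1 proto=18 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.100.10 dev=52(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=100.64.0.1 dev=20(wan1)
"""
KERNEL_AFTER = """\
tab=254 vf=0 scope=0 type=1 proto=18 prio=10 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.100.10 dev=52(port1)
tab=254 vf=0 scope=0 type=1 proto=11 prio=1 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=100.64.0.1 dev=20(wan1)
"""

# One kernel route entry; the src->dst token carries the destination prefix after "->".
ROUTE_RE = re.compile(
    r"tab=(?P<tab>\d+) vf=(?P<vf>\d+) scope=\d+ type=\d+ "
    r"proto=(?P<proto>\d+) prio=(?P<prio>\d+) "
    r"(?P<src>\S+)->(?P<dst>\S+) pref=\S+ "
    r"gwy=(?P<gwy>\S+) dev=\d+\((?P<dev>[^)]+)\)"
)


@dataclass
class KernelRoute:
    vf: int
    proto: int
    prio: int
    dst: str
    gwy: str
    dev: str

    @property
    def source(self) -> str:
        return PROTO_SOURCE.get(self.proto, f"proto {self.proto}")


def parse_kernel_routes(text: str) -> List[KernelRoute]:
    """Return one KernelRoute per entry line; non-matching lines (prompt, banner) are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.search(line)
        if m:
            routes.append(KernelRoute(int(m["vf"]), int(m["proto"]), int(m["prio"]),
                                      m["dst"], m["gwy"], m["dev"]))
    return routes


def preferred_route(routes: List[KernelRoute], dst: str = "0.0.0.0/0",
                    vf: int = 0) -> Optional[KernelRoute]:
    """Lowest prio wins for a given destination and VDOM; min() keeps the first entry on a tie."""
    cands = [r for r in routes if r.dst == dst and r.vf == vf]
    return min(cands, key=lambda r: r.prio) if cands else None


def ipsec_default_gw_shadows_static(routes: List[KernelRoute], vf: int = 0) -> bool:
    """True when the HA Kernel Routes (proto=18) default route beats a ZebOS (proto=11) one."""
    best = preferred_route(routes, vf=vf)
    has_static = any(r.proto == 11 and r.dst == "0.0.0.0/0" and r.vf == vf for r in routes)
    return best is not None and best.proto == 18 and has_static


def report(text: str) -> str:
    """One-line verdict for a kernel table dump."""
    routes = parse_kernel_routes(text)
    best = preferred_route(routes)
    if best is None:
        return "no default route in kernel table"
    flag = ""
    if ipsec_default_gw_shadows_static(routes):
        flag = "  <-- IPsec default-gw shadows the static default route; raise default-gw-priority"
    return f"default route via {best.gwy} dev {best.dev} ({best.source}, prio={best.prio}){flag}"


if __name__ == "__main__":
    print("before:", report(KERNEL_BEFORE))
    print("after: ", report(KERNEL_AFTER))
```

Feeding it the raw CLI output works as-is because the prompt line does not match the entry pattern. The vf filter matters on multi-VDOM units, where each VDOM has its own default route set.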
Related articles:
Technical Tip: FortiGate - Viewing FIB/RIB routing information in CLI
Technical Tip: Understanding kernel routing table