Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sagha
Staff
Staff

Created on ‎12-20-2020 11:51 PM Edited on ‎11-12-2023 09:26 PM By Community Manager

Article Id 190533

Technical Tip: Return traffic for IPSec VPN tunnel shows interface as root

Description


This article explains the issue where traffic originating from VPN and reply traffic that should be going via the same VPN interface on FortiGate is not working.
The reply traffic ends up in the root interface.

 

Scope

 

FortiGate.

Solution


When trying to ping the remote address via VPN tunnel, the ping does not work.

In the sniffer return traffic is somehow exiting on the root interface and not via the VPN_Tunnel despite it having the route for 10.12.10.0/24 via the VPN_Tunnel interface.

 

diagnose sniffer packet any ‘host 10.1.6.2 and icmp’ 4 0 a

2020-12-10 14:34:12.189914 VPN_Tunnel in 10.12.10.10 -> 10.1.6.2: icmp: echo request
2020-12-10 14:34:12.195421 root out 10.1.6.2 -> 10.12.10.10: icmp: echo reply
2020-12-10 14:34:12.195590 root in 10.1.6.2 -> 10.12.10.10: icmp: echo reply

 

Collect the debug flow:

 

diagnose debug flow filter addr 10.1.6.2
diagnose debug flow filter proto 1
diagnose debug flow trace start 10
diagnose debug enable

 

In the debug flow, filtered for ICMP from/to 10.1.6.2 and 10 packets, it is possible to find that traffic in the reply direction is going via root:

 

id=20085 trace_id=38 func=print_pkt_detail line=5497 msg="vd-root:0 received a packet(proto=1, 10.12.10.10:1->10.1.6.2:0) from Port2. type=0, code=0, id=1, seq=9."
id=20085 trace_id=38 func=resolve_ip_tuple_fast line=5572 msg="Find an existing session, id-0004a1f5, reply direction"
id=20085 trace_id=38 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-10.12.10.10 via root"


If such an issue is faced, search for network interfaces overlapping the same range as the VPN IP range, VIP, or IP Pool configured on the FortiGate.

In the above scenario, this was faced because there was VIP configured hence the static route configured was not taken into account.
FortiGate was considering the destination IP for return traffic as its own IP and not forwarding the traffic via the correct interface.

For example:

 

config firewall vip
    edit "vip"
        set extip 10.12.10.1-10.12.10.254
        set extintf "port2"
        set mappedip "10.2.0.1-10.2.0.254"
    next
end

 

Adapt the VIP if needed.
Once the VIP or IP pool configured on FortiGate is removed, run the sniffer and debug again and it will show traffic following the correct path.

Related document:
IP pools and VIPs are not considered local addresses for certain FortiOS versions 

4826
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.