Created on 08-03-2021 07:27 AM Edited on 06-09-2022 03:08 PM By Anonymous
Description
When the FortiGate itself originates traffic (pings, DNS/LDAP/RADIUS queries, ICMP time-exceeded replies to a traceroute) that is routed out an IPsec tunnel interface, and that tunnel interface has no overlay IP address configured, the FortiGate takes the source IP from the physical interface with the smallest interface index.
Example.
FortiGate-61F # diagnose netlink interface list
if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
ref=9 state=present fw_flags=0 flags=loopback
if=dummy0 family=00 type=1 index=2 mtu=1500 link=0 master=0
ref=6 state=present fw_flags=0 flags=broadcast noarp
if=wan1 family=00 type=1 index=5 mtu=1500 link=0 master=0
ref=37 state=start present fw_flags=0 flags=up broadcast run multicast
if=wan2 family=00 type=1 index=6 mtu=1500 link=0 master=0
ref=18 state=start present no_carrier fw_flags=0 flags=up broadcast multicast
if=dmz family=00 type=1 index=7 mtu=1500 link=0 master=0
ref=19 state=start present no_carrier fw_flags=8000 flags=up broadcast multicast
if=internal1 family=00 type=1 index=8 mtu=1500 link=0 master=0
ref=14 state=start present no_carrier fw_flags=0 flags=up broadcast multicast
if=internal2 family=00 type=1 index=9 mtu=1500 link=0 master=0
ref=14 state=start present no_carrier fw_flags=0 flags=up broadcast multicast
wan1 is the physical interface with the smallest index (5): lo and dummy0 have lower indexes but are virtual interfaces and are not considered. wan1 is configured with the IP 10.109.17.32:
FortiGate-61F # get system interface
== [ wan1 ]
name: wan1 mode: static ip: 10.109.17.32 255.255.240.0 status: up netbios-forward: disable type: physical netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable mtu-override: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable
When pinging with the tunnel as the outgoing interface, the FortiGate selects 10.109.17.32 as the source IP, as the packet capture interleaved with the ping output shows (interface Tunnel, direction out):
# execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
2021-08-03 10:51:22.684341 Tunnel out 10.109.17.32 -> 1.1.1.1: icmp: echo request
2021-08-03 10:51:23.699906 Tunnel out 10.109.17.32 -> 1.1.1.1: icmp: echo request
2021-08-03 10:51:24.709894 Tunnel out 10.109.17.32 -> 1.1.1.1: icmp: echo request
2021-08-03 10:51:25.729909 Tunnel out 10.109.17.32 -> 1.1.1.1: icmp: echo request
Solution
There are multiple ways to change this behavior:
1) Configure an IP address on the tunnel interface.
2) Specify a source IP where the feature allows it, for example:
# execute ping-options source <ip>
# execute traceroute-options source <ip>
# config system dns
    set source-ip <ip>
end
# config user ldap
    edit <name>
        set source-ip <ip>
    next
end
# config user radius
    edit <name>
        set source-ip <ip>
    next
end
3) Some features have no 'source-ip' option. For those, the FortiGate falls back to the physical interface with the smallest index, so the source address can only be controlled by configuring an IP on the tunnel interface (option 1), as in the following example.
Example: a traceroute from a PC to 10.10.11.2 through the tunnel. Hop 3 is the FortiGate, and the address it reports is the source IP it selected for its ICMP time-exceeded reply.

Without an IP address on the tunnel interface, hop 3 shows the wan1 address 10.109.17.32:

C:\Users\fortilab>tracert -d 10.10.11.2
Tracing route to 10.10.11.2 over a maximum of 30 hops
1 8 ms 7 ms 8 ms 10.10.10.2
2 9 ms 9 ms 9 ms 10.10.10.1
3 9 ms 9 ms 8 ms 10.109.17.32
4 9 ms 9 ms 8 ms 10.10.11.2
Trace complete.

If an IP address is configured on the tunnel interface (172.16.1.1 here), hop 3 shows that address instead:

C:\Users\fortilab>tracert -d 10.10.11.2
Tracing route to 10.10.11.2 over a maximum of 30 hops
1 8 ms 7 ms 8 ms 10.10.10.2
2 9 ms 9 ms 9 ms 10.10.10.1
3 9 ms 9 ms 8 ms 172.16.1.1
4 9 ms 9 ms 8 ms 10.10.11.2
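As an added illustration of the selection rule (this script is not part of the Fortinet article), the following Python parses the two CLI outputs shown above, 'diagnose netlink interface list' and 'get system interface', and predicts which source IP the FortiGate will use for traffic leaving via a tunnel, first without and then with an overlay IP. The wan1 lines are the ones from the article; the tunnel name to-HQ, its netlink entry, the wan2/internal1/to-HQ address blocks, and the rule that a physical port with no address is skipped are assumptions made for this example.

```python
"""Predict the source IP a FortiGate picks for self-originated traffic sent
out an IPsec tunnel interface, following the rule in the article: use the
tunnel interface's own IP if one is configured, otherwise fall back to the
physical interface with the smallest kernel index."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# 'diagnose netlink interface list' output. The lo, dummy0, wan1, wan2 and
# internal1 entries are the ones shown in the article; the to-HQ tunnel entry
# (name, index and flags) is constructed for this example.
NETLINK_LIST = """\
if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
ref=9 state=present fw_flags=0 flags=loopback
if=dummy0 family=00 type=1 index=2 mtu=1500 link=0 master=0
ref=6 state=present fw_flags=0 flags=broadcast noarp
if=wan1 family=00 type=1 index=5 mtu=1500 link=0 master=0
ref=37 state=start present fw_flags=0 flags=up broadcast run multicast
if=wan2 family=00 type=1 index=6 mtu=1500 link=0 master=0
ref=18 state=start present no_carrier fw_flags=0 flags=up broadcast multicast
if=internal1 family=00 type=1 index=8 mtu=1500 link=0 master=0
ref=14 state=start present no_carrier fw_flags=0 flags=up broadcast multicast
if=to-HQ family=00 type=1 index=12 mtu=1438 link=0 master=0
ref=5 state=start present fw_flags=0 flags=up pointopoint noarp multicast
"""

# 'get system interface' output. The wan1 block is from the article (trimmed);
# the wan2, internal1 and to-HQ blocks and their addresses are constructed.
SYSTEM_INTERFACE = """\
== [ wan1 ]
name: wan1 mode: static ip: 10.109.17.32 255.255.240.0 status: up netbios-forward: disable type: physical
== [ wan2 ]
name: wan2 mode: static ip: 0.0.0.0 0.0.0.0 status: up type: physical
== [ internal1 ]
name: internal1 mode: static ip: 192.168.1.99 255.255.255.0 status: up type: physical
== [ to-HQ ]
name: to-HQ mode: static ip: 0.0.0.0 0.0.0.0 status: up type: tunnel
"""


@dataclass
class Iface:
    name: str
    kind: str                     # value of 'type:' in get system interface
    ip: str                       # '0.0.0.0' when no address is configured
    index: Optional[int] = None   # kernel index from the netlink list


def parse_netlink(text: str) -> Dict[str, int]:
    """Map interface name -> kernel index from 'diagnose netlink interface list'."""
    return {m.group(1): int(m.group(2))
            for m in re.finditer(r"^if=(\S+)\s.*?\bindex=(\d+)", text, re.M)}


def parse_system_interface(text: str) -> Dict[str, Iface]:
    """Map interface name -> Iface from the '== [ name ]' blocks of 'get system interface'."""
    parts = re.split(r"^== \[ (\S+) \][ \t]*$", text, flags=re.M)
    ifaces: Dict[str, Iface] = {}
    for name, body in zip(parts[1::2], parts[2::2]):
        ip = re.search(r"(?<![\w-])ip: (\S+) \S+", body).group(1)
        kind = re.search(r"\btype: (\S+)", body).group(1)
        ifaces[name] = Iface(name, kind, ip)
    return ifaces


def build_table(netlink_text: str, sysif_text: str) -> Dict[str, Iface]:
    """Join both outputs so every interface carries its kernel index."""
    indexes = parse_netlink(netlink_text)
    ifaces = parse_system_interface(sysif_text)
    for iface in ifaces.values():
        iface.index = indexes.get(iface.name)
    return ifaces


def select_source_ip(tunnel: str, ifaces: Dict[str, Iface]) -> Tuple[str, str]:
    """Return (source_ip, reason) for FortiGate-originated traffic leaving via `tunnel`."""
    tun = ifaces[tunnel]
    if tun.ip != "0.0.0.0":
        return tun.ip, f"IP configured on tunnel interface {tunnel}"
    # No overlay IP: fall back to the physical interface with the smallest
    # index. Virtual interfaces (lo, dummy0, tunnels) never qualify. Skipping
    # a physical port that has no address is this script's assumption; the
    # article does not describe that corner case.
    physical = [i for i in ifaces.values()
                if i.kind == "physical" and i.ip != "0.0.0.0" and i.index is not None]
    if not physical:
        raise LookupError("no addressed physical interface to fall back to")
    best = min(physical, key=lambda i: i.index)
    return best.ip, f"lowest-index physical interface {best.name} (index {best.index})"


def with_overlay_ip(sysif_text: str, tunnel: str, ip: str,
                    mask: str = "255.255.255.255") -> str:
    """Rewrite the tunnel's 'ip:' field the way 'set ip <ip> <mask>' on that interface would."""
    pattern = rf"(== \[ {re.escape(tunnel)} \]\n.*?(?<![\w-])ip: )\S+ \S+"
    return re.sub(pattern, rf"\g<1>{ip} {mask}", sysif_text, count=1)


if __name__ == "__main__":
    before = build_table(NETLINK_LIST, SYSTEM_INTERFACE)
    print("no tunnel IP  ->", select_source_ip("to-HQ", before))
    after = build_table(NETLINK_LIST, with_overlay_ip(SYSTEM_INTERFACE, "to-HQ", "172.16.1.1"))
    print("tunnel IP set ->", select_source_ip("to-HQ", after))
```

To use it against a real unit, paste the output of the two commands into the two strings and name the tunnel interface; if the prediction differs from what a sniffer shows, the first thing to check is whether that tunnel interface has an IP configured.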
Related Articles
Technical Tip: Configure IP address on an IPSec tunnel interface
Copyright 2024 Fortinet, Inc. All Rights Reserved.