FortiGate
gmarcuccetti
Staff
Article Id 198591

Description
When FortiGate is forwarding traffic with an IPsec tunnel as the outgoing interface, and the tunnel does not have an overlay IP, FortiGate selects the IP address of the physical interface with the smallest index as the source IP.

Example.

FortiGate-61F # diagnose netlink interface list
if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
ref=9 state=present fw_flags=0 flags=loopback
if=dummy0 family=00 type=1 index=2 mtu=1500 link=0 master=0
ref=6 state=present fw_flags=0 flags=broadcast noarp
if=wan1 family=00 type=1 index=5 mtu=1500 link=0 master=0
ref=37 state=start present fw_flags=0 flags=up broadcast run multicast
if=wan2 family=00 type=1 index=6 mtu=1500 link=0 master=0
ref=18 state=start present no_carrier fw_flags=0 flags=up broadcast multicast
if=dmz family=00 type=1 index=7 mtu=1500 link=0 master=0
ref=19 state=start present no_carrier fw_flags=8000 flags=up broadcast multicast
if=internal1 family=00 type=1 index=8 mtu=1500 link=0 master=0
ref=14 state=start present no_carrier fw_flags=0 flags=up broadcast multicast
if=internal2 family=00 type=1 index=9 mtu=1500 link=0 master=0
ref=14 state=start present no_carrier fw_flags=0 flags=up broadcast multicast

WAN1 is the physical interface with the smallest index number (virtual interfaces are not taken into consideration), and it is configured with the IP 10.109.17.32.

FortiGate-61F # get system interface
== [ wan1 ]
name: wan1   mode: static    ip: 10.109.17.32 255.255.240.0   status: up    netbios-forward: disable    type: physical   netflow-sampler: disable    sflow-sampler: disable    src-check: enable    explicit-web-proxy: disable    explicit-ftp-proxy: disable    proxy-captive-portal: disable    mtu-override: disable    wccp: disable    drop-overlapped-fragment: disable    drop-fragment: disable

When pinging with the tunnel as the outgoing interface, FortiGate selects 10.109.17.32 as the source IP.

# execute ping 1.1.1.1

PING 1.1.1.1 (1.1.1.1): 56 data bytes

2021-08-03 10:51:22.684341 Tunnel out 10.109.17.32 -> 1.1.1.1: icmp: echo request
2021-08-03 10:51:23.699906 Tunnel out 10.109.17.32 -> 1.1.1.1: icmp: echo request
2021-08-03 10:51:24.709894 Tunnel out 10.109.17.32 -> 1.1.1.1: icmp: echo request
2021-08-03 10:51:25.729909 Tunnel out 10.109.17.32 -> 1.1.1.1: icmp: echo request
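
The selection rule described above can be checked offline against saved CLI output. This is an added example, not Fortinet code: the function names are hypothetical, the wan2 entry in the second sample is constructed, and an interface missing from the `get system interface` output is assumed to be virtual.

```python
import re

# "diagnose netlink interface list" lines taken from the article (abridged).
NETLINK = """\
if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
ref=9 state=present fw_flags=0 flags=loopback
if=dummy0 family=00 type=1 index=2 mtu=1500 link=0 master=0
ref=6 state=present fw_flags=0 flags=broadcast noarp
if=wan1 family=00 type=1 index=5 mtu=1500 link=0 master=0
ref=37 state=start present fw_flags=0 flags=up broadcast run multicast
if=wan2 family=00 type=1 index=6 mtu=1500 link=0 master=0
ref=18 state=start present no_carrier fw_flags=0 flags=up broadcast multicast
"""

# "get system interface": wan1 is from the article (fields abridged);
# the wan2 entry is constructed for this example.
SYSIF = """\
== [ wan1 ]
name: wan1   mode: static    ip: 10.109.17.32 255.255.240.0   status: up    type: physical
== [ wan2 ]
name: wan2   mode: static    ip: 192.0.2.1 255.255.255.0   status: up    type: physical
"""

def parse_netlink(text):
    """Map interface name -> index from the 'if=...' lines."""
    pattern = r"^if=(\S+) .*?\bindex=(\d+)"
    return {m[1]: int(m[2]) for m in re.finditer(pattern, text, re.M)}

def parse_system_interface(text):
    """Map interface name -> (type, ip) from each '== [ name ]' block."""
    out = {}
    for name, body in re.findall(r"^== \[ (\S+) \]\n(.*)$", text, re.M):
        ip = re.search(r"(?<!\S)ip: (\S+)", body)
        typ = re.search(r"(?<!\S)type: (\S+)", body)
        if ip and typ:
            out[name] = (typ[1], ip[1])
    return out

def predicted_source(netlink, sysif):
    """Return (name, ip) of the smallest-index physical interface, or None."""
    index = parse_netlink(netlink)
    info = parse_system_interface(sysif)
    # Assumption: interfaces not typed 'physical' (or not listed) are virtual.
    physical = [n for n in index if info.get(n, ("", ""))[0] == "physical"]
    if not physical:
        return None
    name = min(physical, key=index.get)
    return name, info[name][1]

if __name__ == "__main__":
    print(predicted_source(NETLINK, SYSIF))
```
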

Solution
There are multiple ways to change this behavior:

1) Configure an IP address on the tunnel interface.
2) Specify a source IP where possible, for example:

# execute ping-options source
# execute traceroute-options source
# config system dns
    set source-ip
# config user ldap
    edit <name>
        set source-ip
# config user radius
    edit <name>
        set source-ip

3) In some cases, it is not possible to specify the 'source-ip', so FortiGate will use the physical interface with the smallest index.

Example.

When PC A runs a traceroute to PC B, a strange hop is visible where FortiGate replies using an unexpected IP.

C:\Users\fortilab>tracert -d 10.10.11.2
Tracing route to 10.10.11.2 over a maximum of 30 hops
  1     8 ms     7 ms     8 ms  10.10.10.2
  2     9 ms     9 ms     9 ms  10.10.10.1
  3     9 ms     9 ms     8 ms  10.109.17.32
  4     9 ms     9 ms     8 ms  10.10.11.2
Trace complete.

If an IP address is configured on the tunnel interface, then the traceroute will show the tunnel’s IP.

C:\Users\fortilab>tracert -d 10.10.11.2
Tracing route to 10.10.11.2 over a maximum of 30 hops
  1     8 ms     7 ms     8 ms  10.10.10.2
  2     9 ms     9 ms     9 ms  10.10.10.1
  3     9 ms     9 ms     8 ms  172.16.1.1
  4     9 ms     9 ms     8 ms  10.10.11.2

 

Related Articles

Technical Tip: Configure IP address on an IPSec tunnel interface
