Created on 08-03-2021 07:27 AM. Edited on 02-24-2025 07:08 AM. By Stephen_G.
Description
This article describes how the FortiGate chooses the source IP for traffic it originates itself (for example, a ping) when the outgoing interface is an IPsec tunnel that has no overlay IP: the FortiGate uses the IP of the physical interface with the smallest interface index.
Scope
FortiGate.
Solution
Example.
FortiGate-61F # diagnose netlink interface list
if=lo family=00 type=772 index=1 mtu=16436 link=0 master=0
ref=9 state=present fw_flags=0 flags=loopback
if=dummy0 family=00 type=1 index=2 mtu=1500 link=0 master=0
ref=6 state=present fw_flags=0 flags=broadcast noarp
if=wan1 family=00 type=1 index=5 mtu=1500 link=0 master=0
ref=37 state=start present fw_flags=0 flags=up broadcast run multicast
if=wan2 family=00 type=1 index=6 mtu=1500 link=0 master=0
ref=18 state=start present no_carrier fw_flags=0 flags=up broadcast multicast
if=dmz family=00 type=1 index=7 mtu=1500 link=0 master=0
ref=19 state=start present no_carrier fw_flags=8000 flags=up broadcast multicast
if=internal1 family=00 type=1 index=8 mtu=1500 link=0 master=0
ref=14 state=start present no_carrier fw_flags=0 flags=up broadcast multicast
if=internal2 family=00 type=1 index=9 mtu=1500 link=0 master=0
ref=14 state=start present no_carrier fw_flags=0 flags=up broadcast multicast
wan1 is the physical interface with the smallest index number (virtual interfaces such as lo and dummy0 are not taken into consideration), and it is configured with the IP 10.109.17.32:
FortiGate-61F # get system interface
== [ wan1 ]
name: wan1 mode: static ip: 10.109.17.32 255.255.240.0 status: up netbios-forward: disable type: physical netflow-sampler: disable sflow-sampler: disable src-check: enable explicit-web-proxy: disable explicit-ftp-proxy: disable proxy-captive-portal: disable mtu-override: disable wccp: disable drop-overlapped-fragment: disable drop-fragment: disable
When pinging with the tunnel as the outgoing interface, the FortiGate selects 10.109.17.32 as the source IP:
# execute ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
2021-08-03 10:51:22.684341 Tunnel out 10.109.17.32 -> 1.1.1.1: icmp: echo request
2021-08-03 10:51:23.699906 Tunnel out 10.109.17.32 -> 1.1.1.1: icmp: echo request
2021-08-03 10:51:24.709894 Tunnel out 10.109.17.32 -> 1.1.1.1: icmp: echo request
2021-08-03 10:51:25.729909 Tunnel out 10.109.17.32 -> 1.1.1.1: icmp: echo request
There are multiple ways to change this behavior:
- Configure an IP address on the tunnel interface.
- Specify a source IP where this is possible, for example:
execute ping-options source <ip>
execute traceroute-options source <ip>
config system dns
    set source-ip <ip>
end
config user ldap
    edit <name>
        set source-ip <ip>
    next
end
config user radius
    edit <name>
        set source-ip <ip>
    next
end
- In some cases it is not possible to specify a source IP; the FortiGate then uses the IP of the physical interface with the smallest index.
Example. Traceroute through the tunnel while no IP address is configured on the tunnel interface; the FortiGate appears at hop 3 with the physical interface IP 10.109.17.32:

Tracing route to 10.10.11.2 over a maximum of 30 hops
1 8 ms 7 ms 8 ms 10.10.10.2
2 9 ms 9 ms 9 ms 10.10.10.1
3 9 ms 9 ms 8 ms 10.109.17.32
4 9 ms 9 ms 8 ms 10.10.11.2
Trace complete.

If an IP address is configured on the tunnel interface (here 172.16.1.1), that address is used instead:

Tracing route to 10.10.11.2 over a maximum of 30 hops
1 8 ms 7 ms 8 ms 10.10.10.2
2 9 ms 9 ms 9 ms 10.10.10.1
3 9 ms 9 ms 8 ms 172.16.1.1
4 9 ms 9 ms 8 ms 10.10.11.2
Related article: Technical Tip: Self-originating traffic over IPSec VPN (For example ping). It also includes a debug flow output showing that, when the ping source option was not set, the IP of the interface with the lowest index number was used as the source of the ping.