FortiGate
Mono_FTNT
Staff
Article Id 220800
Description
 
This article describes the behavior of a static route defined over a site-to-site IPsec VPN that uses dialup (dynamic) mode, when the dialup VPN server is configured as below:
 
# config vpn ipsec phase1-interface
    edit "to_BO"
        set interface "port3"
        set type dynamic
        set peertype any
        set dpd disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set psksecret fortinet
    next
end
config vpn ipsec phase2-interface
    edit "to_BO"
        set phase1name "to_BO"
        set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
    next
end
config router static
    edit 3
        set dst 10.10.2.0 255.255.255.0
        set device "to_BO"
    next
end
 
After upgrading from v6.4 (or earlier) to v7.0 (or later), a static route defined over the IPsec VPN tunnel interface stays in the routing table of the dialup VPN server (IPsec responder) even while the IPsec VPN tunnel is down:
 
FGT_VM64S # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
 
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 172.16.132.254, port3, [1/0]
C       10.10.1.0/24 is directly connected, port4
S       10.10.2.0/24 [10/0] is directly connected, to_BO, [1/0] <----- This entry remains while the tunnel is down.
 
Scope
 
FortiOS v7.0 and v7.2
 
Solution
 
Starting with v7.0, the behavior for removing routes from the routing table when an IPsec VPN tunnel goes down has changed: a static route defined over a dialup IPsec VPN tunnel interface is no longer removed when the tunnel goes down. Traffic for that destination is therefore still directed to the down tunnel interface instead of falling back to another route, such as the default route.
 
As a workaround, configure the quick mode selector in the phase2-interface on the dialup VPN client (IPsec initiator), so that the client announces its local subnet to the server during phase 2 negotiation:
 
# config vpn ipsec phase2-interface
    edit "to_HQ"
        set src-subnet 10.10.2.0 255.255.255.0 <----- Add the local subnet (the /24 behind the client, matching the former static route).
    next
end
 
Then remove the static route (entry 3 in the example above) from the dialup VPN server (IPsec responder). With the default add-route setting on the dynamic phase1-interface, the server installs a route to 10.10.2.0/24 over to_BO when the client's tunnel comes up and removes it when the tunnel goes down. Confirm with 'get router info routing-table all' while the tunnel is up and again after it is down: the route should be present only in the first case.
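To find every static route that is still bound to a dialup tunnel interface (and therefore affected by the v7.0 behavior), the phase1-interface configuration and the routing table can be cross-checked offline. The following script is an added example and not part of this article or of FortiOS; it parses text copied from 'show vpn ipsec phase1-interface' and 'get router info routing-table all'. The embedded sample text is constructed from the article's output, with a second tunnel "to_static_peer" added as an assumed non-dialup tunnel to show that only dynamic tunnels are reported.

```python
import re

# Constructed sample: output of "show vpn ipsec phase1-interface".
# "to_BO" is the article's dialup tunnel; "to_static_peer" is an assumed
# non-dialup tunnel added so that the filter has something to exclude.
PHASE1_CONFIG = """\
config vpn ipsec phase1-interface
    edit "to_BO"
        set interface "port3"
        set type dynamic
        set peertype any
        set dpd disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set psksecret ENC xxxx
    next
    edit "to_static_peer"
        set interface "port3"
        set remote-gw 203.0.113.10
        set psksecret ENC xxxx
    next
end
"""

# Constructed sample: output of "get router info routing-table all",
# extended with one static route over the assumed non-dialup tunnel.
ROUTING_TABLE = """\
Routing table for VRF=0
S*      0.0.0.0/0 [10/0] via 172.16.132.254, port3, [1/0]
C       10.10.1.0/24 is directly connected, port4
S       10.10.2.0/24 [10/0] is directly connected, to_BO, [1/0]
S       10.10.3.0/24 [10/0] is directly connected, to_static_peer, [1/0]
"""


def dialup_tunnels(config_text):
    """Return the names of phase1-interface entries configured with 'set type dynamic'."""
    names = set()
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
        elif line == "set type dynamic" and current:
            names.add(current)
        elif line == "next":
            current = None
    return names


def static_routes_over(routing_text, interfaces):
    """Return (prefix, device) for static routes bound directly to one of `interfaces`."""
    pat = re.compile(
        r'^S\*?\s+(\S+)\s+\[\d+/\d+\]\s+is directly connected,\s+(\S+),'
    )
    found = []
    for line in routing_text.splitlines():
        m = pat.match(line)
        if m and m.group(2) in interfaces:
            found.append((m.group(1), m.group(2)))
    return found


def leftover_routes(config_text, routing_text):
    """Static routes that point at a dialup tunnel and should move to the client's selector."""
    return static_routes_over(routing_text, dialup_tunnels(config_text))


if __name__ == "__main__":
    for prefix, dev in leftover_routes(PHASE1_CONFIG, ROUTING_TABLE):
        print(f"static route {prefix} over dialup tunnel {dev}: stays installed "
              f"while the tunnel is down on v7.0+; replace it with the client's "
              f"src-subnet selector and delete it on the server")
```

Running the script against the sample reports only 10.10.2.0/24 over to_BO; the route over the non-dialup tunnel is left alone because the changed behavior described in this article concerns dialup tunnels. To use it on a real device, paste the two command outputs into the two string constants.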