Description
This article describes that if a site-to-site IPsec VPN using dialup (dynamic) mode like below is configured:
# config vpn ipsec phase1-interface
edit "to_BO"
set interface "port3"
set type dynamic
set peertype any
set dpd disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set psksecret fortinet
next
end
config vpn ipsec phase2-interface
edit "to_BO"
set phase1name "to_BO"
set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305
next
end
config router static
edit 3
set dst 10.10.2.0 255.255.255.0
set device "to_BO"
next
end
A static route defined over IPsec VPN tunnel is always on the routing table of a dialup VPN server (IPsec receiver) even if the IPsec VPN tunnel is getting down after upgrading the code from v6.4 (or earlier) to v7.0 (or later).
FGT_VM64S # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default
Routing table for VRF=0
S* 0.0.0.0/0 [10/0] via 172.16.132.254, port3, [1/0]
C 10.10.1.0/24 is directly connected, port4
S 10.10.2.0/24 [10/0] is directly connected, to_BO, [1/0] <----- This entry.
Scope
FortiOS v7.0 and v7.2
Solution
From v7.0, the behavior removing a route from a routing table when IPsec VPN tunnel gets down has been changed, so a static route defined over IPsec VPN tunnel would not be removed from it even if the IPsec VPN tunnel is getting down.
For workaround, it is possible to configure quick mode selector on ipsec phase2-interface to the dialup VPN client(IPsec initiater).
# config vpn ipsec phase2-interface
edit "to_HQ"
set src-subnet 10.10.2.0 255.255.255.255 <----- Add the subnetwork.
next
end
Then, remove the static route from the dialup VPN server (IPsec receiver).
