FortiGate
sagha
Staff
Article Id 193839

Description


This article describes how FortiGate selects the gateway for a static route configured via an IPsec VPN tunnel.

 

Scope

 

FortiGate.

Solution


In earlier FortiOS versions, a static route configured via an IPsec VPN tunnel showed up as a connected route in the output of 'get router info routing-table details'.

 

C 192.168.8.0/24 is directly connected, VPN-1

 

From FortiOS 7.0, this behavior has changed: a static route configured via an IPsec VPN tunnel now uses the tunnel ID (tun_id) of the IPsec VPN tunnel as its gateway.

VPN phase-1 configuration.

 

config vpn ipsec phase1-interface
    edit "VPN-1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set remote-gw 10.10.16.156
        set psksecret ENC xx
    next
end

 

Static route configuration.

 

config router static
    edit 2
        set dst 192.168.8.0 255.255.255.0
        set device "VPN-1"
    next
end

 

To confirm the gateway selected for the static route, run the following command.

 

diagnose vpn tunnel list
name=VPN-1 -NEW ver=1 serial=c
tun_id=10.10.16.156 dst_mtu=1500 dpd-link=on remote_location= weight=1
bound_if=39 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0

 

The output shows the tun_id, which is the gateway selected for the static routes configured over the IPsec VPN tunnel. The routing table can then be checked against it.

 

get router info routing-table details | grep VPN-1
S 192.168.8.0/24 [10/0] via 10.16.16.156, VPN-1
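As an added check that is not part of the original article, the following Python script automates the comparison described above: it parses the 'diagnose vpn tunnel list' output for each tunnel's tun_id, parses the static routes from 'get router info routing-table details', and reports whether every static route leaving through an IPsec interface uses that tunnel's tun_id as its gateway. The sample text embedded below is constructed and modelled on the article's excerpts; the second tunnel VPN-2, its tun_id and its deliberately mismatching route are made up to show a failing case.

```python
import re

# Constructed sample modelled on the article's 'diagnose vpn tunnel list' output.
# VPN-1 follows the article; VPN-2 and its values are invented for the mismatch case.
SAMPLE_TUNNEL_LIST = """\
name=VPN-1 -NEW ver=1 serial=c
tun_id=10.10.16.156 dst_mtu=1500 dpd-link=on remote_location= weight=1
bound_if=39 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
name=VPN-2 ver=1 serial=d
tun_id=10.10.16.200 dst_mtu=1500 dpd-link=on remote_location= weight=1
bound_if=40 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[0208]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
"""

# Constructed sample modelled on 'get router info routing-table details'.
# The VPN-2 route intentionally points at a gateway that is not VPN-2's tun_id.
SAMPLE_ROUTES = """\
S 192.168.8.0/24 [10/0] via 10.10.16.156, VPN-1
S 192.168.9.0/24 [10/0] via 10.10.16.201, VPN-2
C 10.10.16.0/24 is directly connected, port1
"""

TUNNEL_NAME_RE = re.compile(r"^name=(\S+)")
TUN_ID_RE = re.compile(r"\btun_id=(\S+)")
STATIC_VIA_RE = re.compile(r"^S\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)$")


def parse_tunnel_list(text):
    """Return {tunnel name: tun_id}. In the diagnose output a tunnel's
    'name=' line is followed by a line carrying its 'tun_id='."""
    tunnels = {}
    current = None
    for line in text.splitlines():
        m = TUNNEL_NAME_RE.match(line)
        if m:
            current = m.group(1)  # '-NEW' and other flags are separate tokens
            continue
        m = TUN_ID_RE.search(line)
        if m and current is not None:
            tunnels[current] = m.group(1)
    return tunnels


def parse_static_routes(text):
    """Return [(destination, gateway, device)] for static routes with a 'via' gateway.
    Connected ('C ... is directly connected') routes are ignored."""
    routes = []
    for line in text.splitlines():
        m = STATIC_VIA_RE.match(line.strip())
        if m:
            routes.append(m.groups())
    return routes


def check_route_gateways(tunnels, routes):
    """For each static route whose device is a known IPsec tunnel, record whether its
    gateway equals that tunnel's tun_id (the FortiOS 7.0+ expectation)."""
    report = {}
    for dst, gateway, device in routes:
        if device not in tunnels:
            continue  # exits through a non-IPsec interface; nothing to compare
        report[dst] = {
            "device": device,
            "gateway": gateway,
            "tun_id": tunnels[device],
            "match": gateway == tunnels[device],
        }
    return report


if __name__ == "__main__":
    result = check_route_gateways(parse_tunnel_list(SAMPLE_TUNNEL_LIST),
                                  parse_static_routes(SAMPLE_ROUTES))
    for dst, info in result.items():
        status = "OK" if info["match"] else "MISMATCH"
        print(f"{status:8} {dst:18} via {info['gateway']:14} on {info['device']} "
              f"(tun_id {info['tun_id']})")
```

Feed real output into the two parse functions (for example, text saved from an SSH session) to audit all IPsec static routes at once; a MISMATCH line is worth investigating after a remote-gateway change, given the note below that tun_id does not change when the remote gateway IP does.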

 

Note:

If the remote gateway IP is changed, 'tun_id' remains the same as before; the tunnel continues to work as it did.