Description

This article describes how FortiGate is selecting a gateway for static routes via an IPsec VPN tunnel.

Scope

FortiGate.

Solution

In the earlier version, the static route when configured via IPsec VPN tunnel showed up as a connected route in the output of '# get router info routing-table details'.

C 192.168.8.0/24 is directly connected, VPN-1

From FortiOS 7.0, this behavior has changed and the static route configured via the IPsec VPN tunnel would have the gateway as the tunnel ID of the IPsec VPN tunnel.

VPN phase-1 configuration.

config vpn ipsec phase1-interface
    edit "VPN-1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set remote-gw 10.10.16.156
        set psksecret ENC xx
    next
end

Static route configurator.

config router static
    edit 2
        set dst 192.168.8.0 255.255.255.0
        set device "VPN-1"
    next
end

To confirm the gateway selected for the static route, run the following command.

diagnose vpn tunnel list
name=VPN-1 -NEW ver=1 serial=c
tun_id=10.10.16.156 dst_mtu=156@ dpd-link=on remote_location= weight=1
bound_if=39 lgwy=static/1 tun=intf/@ mode=auto/1 encap=none/52@ options[62@B]=npu frag-rfc run_state=@ accept_traffic=1 overlay_id=0

The above command would show tun_id that is selected as the gateway for the IPsec VPN routes configured.

get router info routing-table details | grep VPN-1
S 192.168.8.0/24 [10/0] via 10.16.16.156, VPN-1

Note:

In case the Remote Gateway IP has been changed, 'tun_id' will remain the same as before. But the tunnel will work as earlier.