FortiGate
sagha (Staff)
Article Id 193839
Description
This article describes how FortiGate selects the gateway for static routes that point into an IPsec VPN tunnel.

Solution
In earlier versions, a static route configured via an IPsec VPN tunnel showed up as a connected route in the output of '# get router info routing-table details':
C 192.168.8.0/24 is directly connected, VPN-1
From FortiOS 7.0, this behavior has changed: a static route configured via an IPsec VPN tunnel has the tunnel ID (tun_id) of the IPsec VPN tunnel as its gateway.

VPN phase 1 configuration:
# config vpn ipsec phase1-interface
    edit "VPN-1"
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes128-sha256
        set remote-gw 10.10.16.156
        set psksecret ENC xx
    next
end
Static route configuration:
# config router static
    edit 2
        set dst 192.168.8.0 255.255.255.0
        set device "VPN-1"
    next
end
To confirm the gateway selected for the static route, run the following command:
# diagnose vpn tunnel list
name=VPN-1 -NEW ver=1 serial=c
tun_id=10.10.16.156 dst_mtu=1560 dpd-link=on remote_location= weight=1
bound_if=39 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520 options[620B]=npu frag-rfc run_state=0 accept_traffic=1 overlay_id=0
The above command shows the tun_id, which is selected as the gateway for the routes configured over that IPsec VPN tunnel:
# get router info routing-table details | grep VPN-1
S 192.168.8.0/24 [10/0] via 10.10.16.156, VPN-1
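The following is an added example, not part of the original article: a small Python check that parses the two outputs above and verifies that every static route bound to an IPsec interface uses that tunnel's tun_id as its gateway, which is the FortiOS 7.0 behavior described here. The sample output is constructed to mirror the article's snippets (a second tunnel, VPN-2, is made up to show a mismatch).

```python
import re

# Constructed sample of 'diagnose vpn tunnel list' output (not a real capture).
TUNNEL_LIST = """\
name=VPN-1 ver=1 serial=c
tun_id=10.10.16.156 dst_mtu=1500 dpd-link=on remote_location= weight=1
bound_if=39 lgwy=static/1 tun=intf/0 mode=auto/1 encap=none/520
name=VPN-2 ver=1 serial=d
tun_id=10.10.16.157 dst_mtu=1500 dpd-link=on remote_location= weight=1
"""

# Constructed sample of 'get router info routing-table details' output.
ROUTING_TABLE = """\
S 192.168.8.0/24 [10/0] via 10.10.16.156, VPN-1
S 192.168.9.0/24 [10/0] via 10.10.16.150, VPN-2
C 10.10.16.0/24 is directly connected, port1
"""


def parse_tunnel_ids(text):
    """Map tunnel name -> tun_id; 'name=' starts a tunnel block, 'tun_id=' follows it."""
    ids, current = {}, None
    for line in text.splitlines():
        m = re.match(r"name=(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.search(r"tun_id=(\S+)", line)
        if m and current:
            ids[current] = m.group(1)
    return ids


def parse_static_routes(text):
    """Return (prefix, gateway, device) for static routes; connected 'C' routes have no gateway."""
    pattern = re.compile(r"S\s+(\S+)\s+\[\d+/\d+\]\s+via\s+(\S+),\s+(\S+)")
    return [m.groups() for line in text.splitlines() if (m := pattern.match(line))]


def check_tunnel_routes(tunnel_text, route_text):
    """For each static route on an IPsec interface: (gateway, expected tun_id, match?)."""
    tun_ids = parse_tunnel_ids(tunnel_text)
    result = {}
    for prefix, gw, dev in parse_static_routes(route_text):
        if dev in tun_ids:  # only routes whose device is a known IPsec tunnel
            result[prefix] = (gw, tun_ids[dev], gw == tun_ids[dev])
    return result
```

A route whose gateway does not equal its tunnel's tun_id (the VPN-2 entry in the sample) is worth investigating, since it usually means the routing table was captured against a different or renegotiated tunnel.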