Description
This article describes the role of the static route gateway address for IPsec point-to-point / site-to-site connections.
Scope
FortiOS 6.4.x, 7.2.x.
Solution
1) FortiOS 6.4.x.
a) No IP address is assigned to the IPsec interface:
# show system interface to_FGT2
# config system interface
    edit "to_FGT2"
        set vdom "root"
        set type tunnel
        set snmp-index 11
        set interface "port3"
    next
end
This is how the routing table looks:
Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 10, metric 0, best
  * directly connected, to_FGT2 distance 0
b) An IP address is assigned to the IPsec interface:
# show system interface to_FGT2
# config system interface
    edit "to_FGT2"
        set vdom "root"
        set ip 172.18.1.1 255.255.255.255
        set allowaccess ping https ssh snmp http fgfm
        set type tunnel
        set remote-ip 172.18.1.2 255.255.255.252 <- will be used as the gateway address
        set snmp-index 11
        set interface "port3"
    next
end
This is how the routing table looks:
Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 10, metric 0, best
  * 172.18.1.2, via to_FGT2 distance 0 <- although no device actually holds the IP address 172.18.1.2, IPsec traffic works fine.
2) FortiOS 7.2.x.
For FortiOS 7.2.x, the gateway address will stay blank regardless of whether any IP address is assigned to the IPsec interface.
This is how the routing table looks:
Routing table for VRF=0
Routing entry for 0.0.0.0/0
  Known via "static", distance 10, metric 0, best
  * via to_FGT1 tunnel 10.1.2.2 vrf 0 --> this tunnel information has been shown in the routing table since FortiOS 7.0.1
See the following document for more instructions:
In conclusion, IPsec point-to-point / site-to-site connections do not require a gateway address to be set on the static route.
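As an added illustration of this conclusion (not part of the original article), the following CLI script creates a default static route that points at the to_FGT2 tunnel interface used above without any gateway, and then queries the route the way the routing-table output quoted above was obtained. The route index 1 and the distance value are assumptions chosen to match the output above.

```fortios
# Default static route out of the IPsec tunnel interface.
# No "set gateway" line: a tunnel interface route needs only the device.
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set device "to_FGT2"
        set distance 10
    next
end

# Check how the route was installed (same command family that produced
# the "Routing entry for 0.0.0.0/0" output above).
get router info routing-table details 0.0.0.0/0
```

On FortiOS 6.4.x the installed route shows the interface's remote-ip as next hop whenever one is configured, while on 7.2.x the gateway stays blank, but in both cases IPsec traffic is forwarded through to_FGT2.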