FortiGate
sagha (Staff)
Article Id 329779
Description This article explains why, with multiple VRFs configured, locally originated traffic is still routed via VRF 0 instead of VRF 1, even though a source-ip belonging to VRF 1 is configured and a matching route is present in the VRF 1 routing table.
Scope

FortiGate, VPNv4 routes, VRF setup.

Explanation

Two VRFs are configured:

  1. VRF 0: default route via WAN1.
  2. VRF 1: default route via the VPN tunnels (learned through BGP).

 

FGT # get router info routing-table all

Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 10.49.253.1, wan1, [1/0]

 

Routing table for VRF=1
B*V 0.0.0.0/0 [200/0] via 10.3.0.1 (recursive via VPN_A ), 18:22:42, [1/0]
              [200/0] via 10.3.0.2 (recursive via VPN_B ), 18:22:42, [1/0]

 

Locally originated traffic sourced from VRF 1 is expected to follow the routes present in VRF 1, i.e. to leave through VPN_A or VPN_B.

Take syslog as an example: 

 

config log syslogd setting
    set status enable
    set server "10.8.2.53"
    set port 514
    set source-ip "10.5.6.12"
    set max-log-rate 8
end

 

The source IP used for the locally originated syslog traffic, 10.5.6.12, belongs to a loopback interface that is placed in VRF 1:

 

config system interface
    edit "lo1"
        set vdom "root"
        set vrf 1
        set ip 10.5.6.12 255.255.255.255
        set allowaccess ping https
        set type loopback
        set snmp-index 15
    next
end

Yet a packet capture shows the syslog traffic leaving the FortiGate on the WAN1 interface instead of the VPN_A or VPN_B tunnel:

2024-07-31 09:31:30.279161 wan1 out 10.5.6.12.6852 -> 10.8.2.53.514: udp 553
2024-07-31 09:31:30.279197 wan1 out 10.5.6.12.6852 -> 10.8.2.53.514: udp 553


Connectivity therefore fails: the syslog server is reachable only through the VPN tunnels, so packets sent out wan1 never reach it.

This is the default behavior of FortiOS:

  1. All local-out (locally originated) traffic is looked up in VRF 0; this is by design. Every normal route in another VRF also has a copy in VRF 0, so local-out traffic sourced from that VRF still finds its route.
  2. A VPNv4 route is not copied into VRF 0. Local-out traffic that depends on a VPNv4 route therefore fails, because the lookup in VRF 0 does not find that route.

 

In this setup the default route in VRF 1 is a BGP VPNv4 route (shown as B*V in the routing table above). Local-out traffic sourced from 10.5.6.12 is therefore not routed through VRF 1 at all: the lookup happens in VRF 0, where the only default route is the normal IPv4 static route via wan1, and that is the path the syslog packets take.

This is the expected behavior of FortiOS at the time of writing: locally originated traffic does not use VPNv4 routes. A new feature request (NFR) has been raised for this, and it may be added in a future release.
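As an added example (not part of the Fortinet article and not FortiOS code), the following Python script parses the text of `get router info routing-table all` and applies the two rules above to predict where local-out traffic sourced from a given VRF will actually be sent. The routing table embedded in the script is constructed to mirror the VRF 0 / VRF 1 tables shown earlier, with one connected route added per VRF; reading the `V` flag as "VPNv4 route" and all function names are assumptions of the example.

```python
"""
Added example, not from the Fortinet article or FortiOS itself: parse the
text of `get router info routing-table all` and predict where locally
originated (local-out) traffic sourced from a given VRF will be sent.

Model taken from the article:
  * local-out traffic is always looked up in VRF 0;
  * normal routes of other VRFs also exist as a copy in VRF 0, so they work;
  * VPNv4 routes are NOT copied into VRF 0, so a destination reachable only
    through a VPNv4 route falls back to VRF 0's own best route.
Assumption: the "V" flag (as in "B*V") marks a VPNv4 route.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample mirroring the article's tables (one connected route
# added per VRF); not captured from a device.
SAMPLE_TABLE = """\
Routing table for VRF=0
S* 0.0.0.0/0 [1/0] via 10.49.253.1, wan1, [1/0]
C 10.49.253.0/24 is directly connected, wan1

Routing table for VRF=1
B*V 0.0.0.0/0 [200/0] via 10.3.0.1 (recursive via VPN_A ), 18:22:42, [1/0]
              [200/0] via 10.3.0.2 (recursive via VPN_B ), 18:22:42, [1/0]
C 10.5.6.12/32 is directly connected, lo1
"""

VRF_HEADER = re.compile(r"^Routing table for VRF=(\d+)")
# flags (e.g. "S*", "B*V", "C"), prefix, then the rest of the line
ROUTE_LINE = re.compile(r"^([A-Z][A-Z*]*)\s+(\S+/\d+)\s+(.*)$")


@dataclass
class Route:
    vrf: int
    flags: str
    prefix: ipaddress.IPv4Network
    detail: str  # next hop / interface text as printed

    @property
    def is_vpnv4(self) -> bool:
        return "V" in self.flags


def parse_routing_table(text: str) -> list[Route]:
    """Parse every VRF section. Indented ECMP continuation lines are skipped:
    the first line of the entry already carries the flags and prefix."""
    routes: list[Route] = []
    vrf: Optional[int] = None
    for line in text.splitlines():
        header = VRF_HEADER.match(line)
        if header:
            vrf = int(header.group(1))
            continue
        if vrf is None or not line.strip() or line[0].isspace():
            continue
        m = ROUTE_LINE.match(line)
        if m:
            flags, prefix, detail = m.groups()
            routes.append(Route(vrf, flags, ipaddress.ip_network(prefix), detail))
    return routes


def lookup(routes: list[Route], vrf: int, dst: str) -> Optional[Route]:
    """Longest-prefix match restricted to one VRF's table."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if r.vrf == vrf and addr in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def predict_local_out(routes: list[Route], source_vrf: int, dst: str):
    """Return (route actually used, warning or None) for local-out traffic
    whose source-ip lives in `source_vrf`."""
    intended = lookup(routes, source_vrf, dst)
    if intended is None:
        return None, f"no route to {dst} in VRF {source_vrf}"
    if not intended.is_vpnv4:
        # normal route: a copy exists in VRF 0, so the intended path is used
        return intended, None
    # VPNv4 route: no copy in VRF 0, so VRF 0's own best route wins
    actual = lookup(routes, 0, dst)
    if actual is None:
        return None, f"{dst}: VPNv4-only in VRF {source_vrf}, no route in VRF 0"
    return actual, (f"{dst}: VRF {source_vrf} route is VPNv4 ({intended.flags}); "
                    f"local-out falls back to VRF 0 route '{actual.detail}'")


if __name__ == "__main__":
    table = parse_routing_table(SAMPLE_TABLE)
    for dst in ("10.8.2.53", "10.5.6.12"):  # syslog server, then the local loopback
        used, warning = predict_local_out(table, 1, dst)
        print(dst, "->", f"VRF {used.vrf}: {used.detail}" if used else "-", "|", warning or "ok")
```

Running it reproduces the article's symptom: the syslog server 10.8.2.53 resolves to the wan1 default route of VRF 0 with a warning, while a destination covered by a normal VRF 1 route is left alone. Feeding it the real `get router info routing-table all` output of a device gives a quick list of local-out destinations (syslog, SNMP traps, FortiGuard, etc.) that will silently take the wrong exit.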

 
