Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
v20100
New Contributor III

Adding Static routes by Named Address

Hi

For IPsec Tunnel routes, I would like to add the destination information with Named Address, as I already created address groups containing various subnets and hosts.

However, it only shows the addresses for our internal VLAN, no other groups, and nothing can be added from here.

Not sure if it is a problem with the web interface or if I need to create the groups somewhere else (they were created in Policy & Objects), but it would be great if that worked instead of having to create all the routes separately by Subnet.

Thanks

4 REPLIES
MikePruett
Valued Contributor

Interface based VPN?

You are wanting to do routes based strictly on the named subnets? I always (if interface based ipsec) put a static route utilizing the subnets in question.

ede_pfau
Esteemed Contributor III

Should work in v5.4.x

Are the addresses by chance tied to an interface (other than "Any")?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
v20100
New Contributor III

Thanks both. Some clarifications: some IPsec sites have numerous subnets. I created the objects for each subnet and an object group containing the subnet objects.

When it comes to adding the static routes, instead of having to manually re-enter all the routes manually for each subnet, I thought that the 'Named Address' tab was exactly for that, as we already have a group defined.

@ede_pfau: we are in 5.4

The only addresses that show up when using the Named Address tab are for our internal Vlan and yes they have the LAN (port1) interface set.

I then tried to create a new object and assigned the VPN for interface but it still does not appear in the Named Address tab. But I am also after the Address group, not an object only. When I create an address group that contains the object with the VPN for interface, it complains with "One or more members are associated with an interface, etc..."

So back to square one.

It is a shame it is not much easier to set up a site to site VPN!

emnoc
Esteemed Contributor III

It is a shame it is not much easier to set up a site to site VPN!

If it's numerous sites (spokes) and all are unique, you can do it easily with just dynamic routing. People seem to forget that this was designed to manage routing with better ease.

PCNSE 

NSE 

StrongSwan