Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pft
New Contributor II

FGT 60B IPSec Routing

Hi, I've a strange problem with a FGT 60B and routing through an IPSec VPN. We have a cluster of two FGT 110C where several FGT 50B connect through IPSec tunnels. Now I've a FGT 60B which should also be connected by IPSec. Everything works fine so far. The tunnel comes up and clients behind the FGT 60B can connect through the tunnel. The problem is that the FGT 60B itself could not connect through the tunnel. It seems that it's trying to route the traffic through the wan port and not through the virtual VPN port. So the FGT can not connect to FortiAnalyzer or internal DNS servers. I tried it with exactly the same firmware and config on a FGT 50B and it's working there. I've a second FGT 60B here that has the same problem. I already tried a factory reset and reconfig but without luck.
- Firmware is 4.0 MR2 P6 - tried also P7 and P9 (FGT 110Cs are 4.0 MR2 P7)
- IPSec interface mode
- two routing entries - one host route to the FGT 110C through WAN port, one default route through VPN interface
Now I'm out of ideas and need help
13 replies
emnoc
Esteemed Contributor III

The reason is that the FGT does not know to use the tunnel and is sourcing the traffic with the WAN interface. What does your FGT have to access via the 110? As far as FortiManager goes, you should be managing this via the external WAN interface and all traffic is secured between manager and FGTs.

PCNSE NSE StrongSwan
pft
New Contributor II

Hi emnoc, thanks for your reply. Our main network is protected by the 110C. We have some branch offices which access resources and applications in our main network. All of the branch offices are connecting through an IPsec tunnel between FGT 50Bs and the 110C. Everything is working there. But the 60B which I want to use now for a new branch office has the problem. As I said the 50Bs are working fine with exactly the same config so I don't know why the 60Bs don't use the tunnel for its own traffic. Unfortunately I've no FortiManager.
emnoc
Esteemed Contributor III

What types of traffic are we talking about? Management ssh/https? I just checked my FGT and I can ping the inside address thru my ipsec-tunnel. But I can't access the management functions of the FGT thru the ipsec-tunnel.
emnoc
Esteemed Contributor III

Also, are you policy- or route-based VPNs? (I'm route-based.)
pft
New Contributor II

It is route-based VPN. FGT 60B can't ping anything through the VPN, FGT can't connect to FA through VPN and FGT can't reach contract registration and AV/IPS update through VPN. I can ping the internal interface of the FGT 60B through VPN but I'm not sure if I can access the management through HTTPS or SSH. I didn't try that yet. I will try it on Monday when I'm back at the office and give you a reply. Thank you so far and have a nice weekend.
pft
New Contributor II

Ok, I can access the FGT 60B by HTTPS and SSH from the main network through the VPN. But I still don't get any traffic from the FGT 60B into the main network. Any suggestion?
emnoc
Esteemed Contributor III

Quoting pft: "FGT 60B can't ping anything through the VPN, FGT can't connect to FA through VPN and FGT can't reach contract registration and AV/IPS update through VPN"
Are you executing the ping and specifying the interface ip_address to use for the ping? i.e. "execute ping source a.b.c.d". By default the ping is going to use the egress interface address.
pft
New Contributor II

Great! When I ping with source IP I can reach the main network. So what can I do to get all connections working?
emnoc
Esteemed Contributor III

Hmm.. Don't know if you can define the src-address for things like FAZ and such. I know I had the same issues with management of a few FGT devices with snmp; we opted to use SNMPv3 to ensure security and used the outside WAN address. I think, if you ran a routing protocol over the VPN, you should be able to hit the inside address via the vpn, but I'm not 100% sure of this.
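An added worked example of the check emnoc describes and of the follow-up pft asks about, not taken from any post in this thread. The addresses are constructed (192.168.50.1 stands for the 60B's internal interface, 10.10.0.5 for a host behind the 110C); the exact ping-options syntax is the FortiOS CLI form, and whether the per-service source-ip settings exist on a 4.0 MR2 build is an assumption to verify with "?" on your own unit.

```fortios
# 1. Reproduce: a self-originated ping is sourced from the WAN address and
#    follows the host route out the WAN port, so it never enters the tunnel.
execute ping 10.10.0.5

# 2. Pin the source address to the LAN side and repeat; with the default
#    route on the VPN interface this one should answer through the tunnel.
execute ping-options source 192.168.50.1
execute ping 10.10.0.5

# 3. Confirm the routing the unit actually uses for both source addresses.
get router info routing-table all

# 4. Services that cannot be told a source by ping-options need their own
#    source-ip setting (assumed available on this build; check with "?").
config system dns
    set source-ip 192.168.50.1
end
config log fortianalyzer setting
    set source-ip 192.168.50.1
end
```

If step 2 succeeds while step 1 fails, the tunnel and routes are fine and only the source selection of each self-originated service needs fixing; a service with no source-ip option will keep using the WAN address.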