Fortinet Forum
Paul_S
Contributor

FGT to FGT with 0.0.0.0 and understanding VPN Routing

VPN routing concepts seem to have changed for FortiOS 5.2 or higher. It is in the "What's new" area of 5.2. VPN tunnels now use "add-route", which I don't understand in a 0.0.0.0/0 scenario.

I did many FGT<>FGT with split tunnel VPN and with old routing (Static routes), but not with the new routing.

 

I need help understanding how routing is controlled without static routes.

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+

Toshi_Esumi
Esteemed Contributor II

As far as I know, nothing has changed with 5.2 routing with IPsec tunnels. With main mode you can leave the networks in phase 2 at the default 0.0.0.0 (it doesn't show up in the CLI) and use static routes to control split tunnelling if you want. We use BGP for that part, but it's just a routing protocol, no different from static routes. When we migrated from 5.0 to 5.2 on both sides, we didn't have to change anything. The only differences we noticed were the password encryption level and the default DH group/keylife timer values.

Paul_S

I know that routing changed, because all my static routes for FGT-to-FGT VPN tunnels were deleted when I upgraded to 5.2.x, and there is this note from "What's new" (see screenshot).


Paul_S

I should mention that I set up my FGT-to-FGT tunnels in dynamic mode so that the site IP address can change without affecting the VPN tunnel.


emnoc
Esteemed Contributor III

The routing hasn't changed; that just automates pushing a route into the route table when IPsec has been established.

PCNSE | NSE | StrongSwan

Paul_S

Something has changed; call it what you will. I am calling it routing, but if routing hasn't changed then something else has.

On the add static route dialog, I used to be able to select my IPsec VPN tunnel (dynamic) name in the device box, but since upgrading to 5.2.x I can no longer do that. I only see IPsec VPN tunnel names in the drop-down box for static VPN tunnels.

Whether something has changed or not, how do you guys manage routes when you define a FGT-to-FGT tunnel with 0.0.0.0/0 on both sides?

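Added configuration example, not taken from any post in this thread, showing the two routing styles the replies describe for a dynamic (dialup) FGT-to-FGT tunnel with 0.0.0.0/0 selectors: the route that add-route installs on its own when phase 2 comes up, versus disabling add-route and pinning the remote LAN to the tunnel interface with an ordinary static route. Interface names, tunnel names, subnets, the 203.0.113.1 peer address and the PSK are placeholders, and the hub-side static route on a dynamic tunnel is an assumption about CLI behaviour that the 5.2 GUI drop-down does not expose.

```text
# Hub FortiGate: dynamic (dialup) phase 1, phase 2 selectors left at the
# 0.0.0.0/0 default. Names, subnets, addresses and the PSK are placeholders.
config vpn ipsec phase1-interface
    edit "spoke-dialup"
        set type dynamic
        set interface "wan1"
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-PLACEHOLDER>
        # add-route (default since 5.2: enable) installs a route to the peer's
        # phase-2 selector when the SA comes up and removes it when it drops.
        # Disabling it hands route control back to the static routing table.
        set add-route disable
    next
end
config vpn ipsec phase2-interface
    edit "spoke-dialup-p2"
        set phase1name "spoke-dialup"
        set proposal aes256-sha256
        # src-subnet / dst-subnet stay at 0.0.0.0 0.0.0.0 (hidden in CLI output)
    next
end
# Split tunnel controlled by a static route: only the spoke LAN is sent over
# the tunnel. Assumption: the CLI accepts the dynamic tunnel as "device" even
# though the 5.2 GUI drop-down hides dynamic tunnels.
config router static
    edit 10
        set dst 10.20.0.0 255.255.0.0
        set device "spoke-dialup"
    next
end

# Spoke FortiGate: static peer; the hub LAN is routed via the tunnel interface
# the classic way. (phase2-interface for "to-hub" omitted; same as hub side.)
config vpn ipsec phase1-interface
    edit "to-hub"
        set interface "wan1"
        set remote-gw 203.0.113.1
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-PLACEHOLDER>
    next
end
config router static
    edit 10
        set dst 10.10.0.0 255.255.0.0
        set device "to-hub"
    next
end
```

Check the result with `get router info routing-table all` and `diagnose vpn tunnel list`; with add-route left enabled on the hub, the route towards the spoke is present only while the SA is up, which is the behaviour the replies describe.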