Vincent802
New Contributor

IPSEC routing issue

Hello everyone,

 

I have the following problem;
I have a Fortigate 100D running 6.0.11, and I have set up an IPSEC VPN. The tunnel is online and clients in the network can access the remote network. I have created a static route on the Fortigate towards that subnet with a distance of 10 and pointing to the VPN interface.

However, when I try to ping the remote network from the Fortigate, it always uses the DMZ interface (this is disabled on our Fortigate). The remote network is only accessible from 2 local networks. The remote network is also able to access the 2 allowed local networks on the Fortigate, a traceroute reveals it passes the DMZ interface to reach its destination.

Is there a way I can add a local interface to the static route as gateway? Currently it shows the gateway as 0.0.0.0 in the static routes overview.

 

Any suggestions on what I'm doing wrong or what I can do to troubleshoot further?

sw2090
Honored Contributor

Hm, that is rather little information.

Basically the routing gives the way. So first of all there must be a route that matches the destination. Secondly there has to be a policy to allow the traffic.

If the destination is a physical, VLAN or switch interface you don't need explicit static routing, since these automagically create a "connected" route with them.

In these cases you just need some policy to allow the traffic to flow :)

All other cases require explicit static routing.

 

Alas the VPN itself will listen on the interface you selected when you created it.

This is only used for the VPN itself (transport + encryption). 

The rest as said is given by the routing and policies.

 

Could you explain your problem in a bit more detail then?


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Vincent802

Hi sw2090, thanks for your reply, I have updated my initial post.

sw2090
Honored Contributor

Hm, if it does that, there must be some route matching the destination subnet that has the DMZ interface as gateway.

As said, if that is a physical interface, VLAN interface, IPsec tunnel or switch interface (or trunk), there is no need for explicit static routing. The routing is already there once the interface is configured.

Routing will be looked at in this order: 1. connected routes, 2. static routes, and everything that doesn't match 1. or 2. will hit the default route.

On the other hand, it could also be that the interface shown to you is not correct. I remember that such things happened to me on a FGT too.

 

Also, the tunnel could run client isolation, which would mean that clients would not be able to access each other.

 

So have a look at your routing table on the FGT and see.

 


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

ntaneja
Staff

Hi Vincent,

 

Please check the document below to see if it helps in your case:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Self-originating-traffic-over-IPSec-VPN-Fo...

 

Thanks

 

seshuganesh
Staff

I suspect you did not assign any IP address to the tunnel interface of the firewall. If you do not assign any IP address to the tunnel interface, it will take the DMZ IP and leave the firewall. It will not go towards the DMZ interface; it just uses that IP and tries to enter the IPsec tunnel. If the DMZ IP is not present in the local phase 2 selectors, the firewall will block the traffic.

In order to avoid this scenario, you either need to define an IP address on the tunnel interface and add it to the local and remote selectors in phase 2 of the tunnel,

or

you can set "execute ping-options source <lan interface ip>" (the LAN interface IP should be present in the local phase 2 selectors).

Then ping the remote network.

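As an added worked example (not taken from any reply in this thread and not Fortinet's own documentation), here is a FortiOS 6.0-style CLI configuration that implements both fixes described in the reply above: give the tunnel interface its own IP and list it in the phase 2 selectors, or pin the ping source to a LAN address that is already in a selector. The tunnel name VPN-TO-SITEB, the tunnel IPs 10.255.255.1/10.255.255.2, the local LANs 192.168.1.0/24 and 192.168.2.0/24, and the remote LAN 192.168.50.0/24 are assumptions for illustration only; substitute your own.

```fortios
# Added example configuration, not from the thread. Assumed names and addresses:
#   tunnel interface  VPN-TO-SITEB   (phase1-interface already exists)
#   tunnel IPs        10.255.255.1 (local) / 10.255.255.2 (remote)
#   local LANs        192.168.1.0/24 and 192.168.2.0/24
#   remote LAN        192.168.50.0/24

# 1. Give the tunnel interface an IP, so self-originated traffic (ping from the
#    FortiGate itself) has a source address that belongs to the tunnel instead of
#    borrowing one from another interface (the DMZ IP seen in the original post).
config system interface
    edit "VPN-TO-SITEB"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# 2. Phase 2 selectors must cover every local source that may enter the tunnel,
#    including the tunnel IP itself. One phase2 entry per local subnet, all tied
#    to the same phase1. The remote peer needs mirrored selectors or the SA for
#    that pair will never come up.
config vpn ipsec phase2-interface
    edit "P2-LAN1"
        set phase1name "VPN-TO-SITEB"
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.50.0 255.255.255.0
    next
    edit "P2-LAN2"
        set phase1name "VPN-TO-SITEB"
        set src-subnet 192.168.2.0 255.255.255.0
        set dst-subnet 192.168.50.0 255.255.255.0
    next
    edit "P2-TUNNELIP"
        set phase1name "VPN-TO-SITEB"
        set src-subnet 10.255.255.1 255.255.255.255
        set dst-subnet 192.168.50.0 255.255.255.0
    next
end

# 3. Static route to the remote LAN via the tunnel interface. A gateway of
#    0.0.0.0 in the routes overview is normal for a point-to-point tunnel
#    interface; the device, not a next-hop IP, is what selects the tunnel.
config router static
    edit 0
        set dst 192.168.50.0 255.255.255.0
        set device "VPN-TO-SITEB"
        set distance 10
    next
end

# 4. Alternative without a tunnel IP: pin the ping source to an address that is
#    already inside a local selector (192.168.1.1 is assumed to be the LAN IP of
#    the FortiGate), then ping from the CLI.
execute ping-options source 192.168.1.1
execute ping 192.168.50.1

# 5. Checks: confirm which route actually wins for the destination, and watch
#    which interface and source IP the packets really leave on.
get router info routing-table details 192.168.50.1
diagnose sniffer packet any 'host 192.168.50.1' 4 10
```

Section 2 is the part most often missed: with a per-subnet selector set like the one above, a source of 10.255.255.1 (or of the DMZ address the firewall was borrowing) simply matches no SA, which is why the ping is dropped rather than routed. If the tunnel already uses 0.0.0.0/0 selectors on both ends, the extra P2-TUNNELIP entry is unnecessary and the tunnel IP alone is enough. The sniffer line in section 5 shows the egress interface name and the source IP of the echo requests, which is the direct way to verify that the firewall is no longer sourcing them from the DMZ address.
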
Debbie_FTNT

Here is a KB on this behavior (what source IP FGT uses for traffic into IPSec tunnel, if no source IP is defined manually or set on the tunnel interface): https://community.fortinet.com/t5/FortiGate/Technical-Tip-Source-IP-for-self-originating-IPsec-tunne...

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
anikolov

Hello Vincent,

 

Check seshuganesh's comment. Please also be aware that if you are checking the firewall policy, this traffic won't be logged in the policies of this firewall (you won't see a hit on a policy), as this is "self-generated" traffic. The ping will work if you use the recommendations in seshuganesh's comment.

 

Regards,

Aleksandar Nikolov