I have the following problem: I have a Fortigate 100D running 6.0.11, and I have set up an IPsec VPN. The tunnel is online and clients in the network can access the remote network. I have created a static route on the Fortigate towards that subnet with a distance of 10, pointing to the VPN interface.
However, when I try to ping the remote network from the Fortigate, it always uses the DMZ interface (this is disabled on our Fortigate). The remote network is only accessible from 2 local networks. The remote network is also able to access the 2 allowed local networks on the Fortigate; a traceroute reveals it passes the DMZ interface to reach its destination.
Is there a way I can add a local interface to the static route as the gateway? Currently it shows the gateway as 0.0.0.0 in the static routes overview.
Any suggestions on what I'm doing wrong or what I can do to troubleshoot further?
Hm, if it does that, there must be some route matching the destination subnet that has the DMZ interface as gateway.
As said, if those are physical interfaces, VLAN interfaces, IPsec tunnels or switch interfaces (or trunks), there is no need for explicit static routing. The routing is already there once the interface is configured.
Routing will be looked at in this order: 1. connected routes, 2. static routes, and everything that doesn't match 1. or 2. will hit the default route.
On the other hand, it could also be that the interface shown to you is not correct. I remember that such things happened to me on a FGT too.
Also the tunnel could run client isolation which would mean that clients would not be able to access each other.
So have a look at your routing table on the FGT and see.
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I suspect you did not assign any IP address to the tunnel interface of the firewall. If you do not assign any IP address to the tunnel interface, it will take the DMZ IP and leave the firewall. It will not go towards the DMZ interface; it just uses that IP and tries to enter the IPsec tunnel. If the DMZ IP is not present in the local phase 2 selectors, the firewall will block the traffic.
In order to avoid this scenario, you need to define some IP address on the tunnel interface and add it to the local and remote selectors in phase 2 of the tunnel.
Alternatively, you can set "execute ping-options source <lan interface ip>" (the LAN interface IP should be present in the local phase 2 selectors).
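As an added illustration of the steps in the answer above (this is not from the thread or from Fortinet documentation), here is what the FortiOS CLI configuration would look like. The tunnel name `to-remote`, the phase 2 names, and all addresses (10.255.255.1/2 as tunnel endpoints, 192.168.10.0/24 as the local LAN, 172.16.50.0/24 as the remote network) are constructed assumptions:

```text
# Added example; interface names and addresses are assumptions, not from the thread.
# 1. Give the tunnel interface its own IP so self-originated traffic
#    (e.g. a ping from the FortiGate) no longer borrows the DMZ address.
config system interface
    edit "to-remote"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

# 2. Phase 2 selectors: one pair for LAN-to-remote traffic, a second pair
#    that covers the tunnel endpoint IPs themselves, so traffic sourced from
#    10.255.255.1 is accepted into the tunnel. The peer must mirror these.
config vpn ipsec phase2-interface
    edit "to-remote-p2-lan"
        set phase1name "to-remote"
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 192.168.10.0 255.255.255.0
        set dst-subnet 172.16.50.0 255.255.255.0
    next
    edit "to-remote-p2-tun"
        set phase1name "to-remote"
        set src-addr-type subnet
        set dst-addr-type subnet
        set src-subnet 10.255.255.1 255.255.255.255
        set dst-subnet 10.255.255.2 255.255.255.255
    next
end

# 3. Or, without touching the selectors, source the test ping from a LAN IP
#    that is already inside the local selector.
execute ping-options source 192.168.10.1
execute ping 172.16.50.1

# 4. Verify which interface the kernel actually resolves the route to,
#    and watch the packets leave (the sniffer shows the egress interface).
get router info routing-table all
get router info routing-table details 172.16.50.1
diagnose sniffer packet any "host 172.16.50.1" 4
```

The routing-table and sniffer output is the quickest way to confirm whether the ping is really leaving via the tunnel or still via the DMZ interface after the change.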
Check seshuganesh's comment. Please also know that if you are checking the firewall policy, this traffic won't be logged in the policies of this firewall (you won't see a hit on a policy), as this is "self-generated" traffic. The ping will work if you use the recommendations in seshuganesh's comment.