Fortinet Forum
sid_dawg
New Contributor

Interface for site to site VPN

Traceroute for a remote address across the VPN is showing the incorrect second hop. The second hop is going through the 'mgmt' / 'DMZ' / 'wifi-controller' interface. This happens because the VPN interface has an IP address of 0.0.0.0, so the FortiGate uses the first interface according to the ifindex number.

Does this matter, or what interface should I set it to? I have multiple VLANs; however, I use one VLAN for all internal connection traffic.

sidney yoder
1 Solution
anil_nayak_FTNT

Hello,

When the ipsec-virtual-interface is set to 0.0.0.0 it cannot be used in the route table; that's when the FGT selects the interface with the highest interface index for the traceroute hop, but that entry in the table does not mean that the traffic is routed through the wrong interface that is displayed in the table. If you wish to see the correct VPN interface in the tracert, then you can configure the vpn-interface with an IP address.

Regards, Anil Nayak

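The fix described in the accepted answer, as an added FortiOS CLI example that is not part of the original thread. The tunnel name "to-branch", the /32 tunnel addresses 10.255.255.1 and 10.255.255.2, and the remote network 192.168.20.0/24 are made up for this illustration; on FortiOS releases before 6.0 `set remote-ip` takes only the address without a mask.

```text
config system interface
    edit "to-branch"
        set ip 10.255.255.1 255.255.255.255
        set remote-ip 10.255.255.2 255.255.255.255
    next
end

get router info routing-table all
execute traceroute 192.168.20.1
```

After the change, the route for 192.168.20.0/24 should still list the tunnel as its outgoing interface (as it did before; the 0.0.0.0 address only affected what traceroute displayed), and the second hop of the traceroute should now be 10.255.255.1 rather than a LAN, DMZ or management port. Use the routing table, not the traceroute display, to decide whether traffic is actually leaving through the tunnel.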

3 REPLIES
gschmitt
Valued Contributor

sid dawg wrote:

This happens because the VPN interface has an IP address of 0.0.0.0 so the FortiGate uses the first interface according to the ifindex number.

Uhm, this shouldn't be the case.

Even if your interface has a 0.0.0.0/0.0.0.0 IP, it shouldn't be in the routing table at all, and a static route (or a dynamic route from your ISP) should override it regardless.

ede_pfau
Esteemed Contributor III

I don't see this behavior on my FGT, and I've never 'numbered' my VPN interfaces.

Check the routing table (Routing > Monitor) for the remote network. Where does the default route point to?


Ede

"Kernel panic: Aiee, killing interrupt handler!"