Policy routing configuration
Hi,
I'm using a Fortigate 1500D with VDOMs in 6.0.14.
Here is my network topology:
Initially, there is only N2 and N3 communicating with a static route on my firewall by R1 and R2.
My goal here is to add N1, which has to communicate with N3 using an IPSEC connection over the internet.
To do so I first tried to use policy routing through IPSEC using this KB, which didn't work.
Then I tried applying policy routing between N2 and N3 so that I could use a static route for the IPSEC routing.
It only worked half way.
Here is my policy routing configuration:
When I'm pinging from N2 to N3 it's OK, but on the other half it's impossible to ping from N3 to N2.
Packets arrive at the firewall by R1 but the firewall isn't routing them. Here is a packet capture from the interface between the firewall and R1:
Nothing is coming in on the packet capture on N2.
What am I missing here?
Labels: FortiGate
It seems that the problem is on R3.
If N2 > N3 is OK, it means the packet is routed back by R3 the way it came (from IPSEC).
If N3 > N2 is not OK, and traffic arrives from R1, it means that R3 is routing according to the routing table (to R1, not through IPSEC).
- Toss a 'Like' to your fixxer, oh Valley of Plenty! and chose the solution, too00oo -
There is no R3 in the topology. N2 and N3 have to communicate by the link between R1 and R2, and N1 and N3 have to communicate through IPSEC.
When policy routing is enabled, I can communicate from N2 to N3, but in the opposite direction, between N3 and N2, ping packets get no responses from the firewall.
It's like the firewall has forgotten about N2 being a directly connected network.
I tried using a "stop policy routing" policy on the firewall for any packets that were coming from the interface between the firewall and R1, but it did nothing.
Is your intention as below?
N2<->FGT<->R1<->R2<->N3
N1<->FGT<-(IPSec)->R2<->N3
If so, the FGT needs to have parallel routes for the N3 subnet toward both R1 and IPSec in addition to the policy routes. The "priority" can be different though, if static routes.
And R2 needs to have policy routes too for the reverse direction. FGT doesn't accept asymmetric routes like going out IPsec and coming back from R1. So R2 needs to make them symmetric.
Toshi
Yes, this is my intention.
@Toshi_Esumi wrote: If so, the FGT needs to have parallel routes for the N3 subnet toward both R1 and IPSec in addition to the policy routes. The "priority" can be different though, if static routes.
So policy routes do not replace static routes but indicate which static route a stream should use, whatever the weight?
And R2 needs to have policy routes too for the reverse direction. FGT doesn't accept asymmetric routes like going out IPsec and coming back from R1. So R2 needs to make them symmetric.
On the other side this is way simpler: I can just have one route to N2 by R2 and one route to N1 by IPSEC, since the destination isn't the same.
Correct. To be a candidate of policy-route "steering", there needs to be a proper/allowing route in RIB.
Created on ‎01-27-2022 07:52 AM Edited on ‎01-27-2022 07:52 AM
Tested today, it worked :D
Final configuration on the firewall:
- First configure IPSEC with remote IP address like on this KB
- Configure one route to N3 using IPSEC GW with weight of 10
- Configure one route to N3 using R1 GW with weight of 10
- Configure one policy route for N1 -> N3 using IPSEC GW
- Configure one policy route for N2 -> N3 using R1 GW
Thank you for the HELP!!
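The following is an added FortiOS CLI example illustrating Toshi's point (a policy route only steers traffic when the RIB already holds a matching route toward that next hop) and the final configuration list above; it is not the thread author's or Toshi's actual configuration. All interface names (port1, port2, port3, to-R2-vpn) and addresses (10.1.0.0/24 for N1, 10.2.0.0/24 for N2, 10.3.0.0/24 for N3, 192.0.2.1 for R1) are assumed placeholders; the two static routes use the same administrative distance so both stay active in the routing table, which is what makes each policy route a valid candidate.

```fortios
# Added example, not the thread's own config. Assumed placeholders:
#   N1 = 10.1.0.0/24 on port3   N2 = 10.2.0.0/24 on port1   N3 = 10.3.0.0/24 behind R2
#   R1 next hop = 192.0.2.1 on port2   IPsec phase1-interface toward R2 = "to-R2-vpn"

# 1. Two parallel static routes to N3 with the same distance, so BOTH stay in the RIB.
#    If only the IPsec route exists, the policy route pointing at R1 has no
#    matching RIB entry and the N2 -> N3 / N3 -> N2 half silently fails.
config router static
    edit 1
        set dst 10.3.0.0 255.255.255.0
        set device "to-R2-vpn"
        set distance 10
    next
    edit 2
        set dst 10.3.0.0 255.255.255.0
        set gateway 192.0.2.1
        set device "port2"
        set distance 10
    next
end

# 2. Policy routes steer by source: N1 -> N3 over IPsec, N2 -> N3 via R1.
#    Policy routes are matched top-down before the normal RIB lookup.
config router policy
    edit 1
        set input-device "port3"
        set src "10.1.0.0/24"
        set dst "10.3.0.0/24"
        set output-device "to-R2-vpn"
    next
    edit 2
        set input-device "port1"
        set src "10.2.0.0/24"
        set dst "10.3.0.0/24"
        set gateway 192.0.2.1
        set output-device "port2"
    next
end

# 3. Checks: the N3 prefix must show two active next hops (IPsec and R1),
#    and the policy routes should show hit counters once traffic flows.
get router info routing-table all
diagnose firewall proute list

# 4. Reverse-path check for N3 -> N2 replies arriving on port2: the FortiGate drops
#    a reply whose source it would route out a different interface than the one it
#    arrived on. Trace one reply to read the verdict instead of guessing.
diagnose debug flow filter saddr 10.3.0.10
diagnose debug flow trace start 10
diagnose debug enable
#    Fix the asymmetry on R2 (return N2 traffic via R1, N1 traffic via IPsec) rather
#    than relaxing the check with "config system settings / set asymroute enable",
#    which turns off reverse-path validation and stateful inspection of asymmetric
#    sessions for the whole VDOM.
```

If the debug flow output reports a reverse path check failure on the N3 -> N2 packet, the return path on R2 (not the FortiGate policy routes) is what needs changing, matching Toshi's diagnosis.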
