Fortinet Forum
MDIT
New Contributor II

Possible Routing Over VPN Issue

I am trying to set up a new site with a new Fortigate at it and put an IPsec tunnel between it and the parent site. I have done this before but am having what I think are routing issues.

Site 1 - Firewall 1 (300E cluster running 6.2.4) IP Range - 10.200.0.0/24

Existing firewall running multiple services.

Configured a spare interface with 10.200.0.254/24 and enabled DHCP on that interface.

Created a site-to-site IPsec VPN with 10.200.0.0/24 as local subnet and 10.200.1.0/24 as remote. Wizard created all rules and routes etc.

Static routes were created by the VPN wizard for 10.200.1.0 as follows:

Route 1: Destination (10.200.1.0/24), Interface (VPN Tunnel), Distance (10)
Route 2: Destination (10.200.1.0/24), Interface (Blackhole), Distance (254)

Site 2 - Firewall 2 (100E running 6.4.4 - upgraded from 6.2.7 when I had issues) IP Range - 10.200.1.0/24

New firewall just for this purpose.

Configured a spare interface with 10.200.1.254/25 and enabled DHCP on that interface.

Created a site-to-site IPsec VPN with 10.200.1.0/24 as local subnet and 10.200.0.0/24 as remote. Wizard created all rules and routes etc.

Static routes were created by the VPN wizard for 10.200.0.0 as follows:

Route 1: Destination (10.200.0.0/24), Interface (VPN Tunnel), Distance (10)
Route 2: Destination (10.200.0.0/24), Interface (Blackhole), Distance (254)

I am not able to bring the tunnel up yet so have tested using route lookup and policy lookup to make sure everything is in place for when the tunnel is up. Route lookup hits the blackhole so no use. Policy lookup says no route (which is technically true given it all blackholes). I can't understand why the route blackholes though when there is a lower distance route available.

I am sure I am missing something really obvious as I've not done this for a long time. I've checked against other sites with the same setup and can't see what I have done wrong, but I am going blind to the setups now as I have stared at them so much.

Thanks for any help in advance.

4 REPLIES
emnoc
Esteemed Contributor III

"I am not able to bring the tunnel up yet so have tested using route lookup and policy lookup to make sure everything is in place for when tunnel is up"

So how are you testing? (diag firewall iprope lookup) And what is in the route table of the local|remote firewalls?

Ken Felix

PCNSE

NSE

StrongSwan

MDIT
New Contributor II

I just used the "policy lookup" and "route lookup" in the GUI.  Simple, but usually matches a route/policy if things work even when the interfaces are down.  Doesn't test but does tell me if there is a route or policy out, and in this case it matches the blackhole route and not the actual route.

emnoc
Esteemed Contributor III

But if the VPN is down that would be the normal behavior to match the BH rule. That is why I asked. What does your "get router info routing all" show in the local and remote FGT RIB?

Ken Felix

PCNSE

NSE

StrongSwan

MDIT
New Contributor II

I could have sworn that I had done this before and not had to have the interface up, but it was a while ago and I could be remembering incorrectly.

Remote FW routing shows:

S 10.200.0.0/24 [254/0] is a summary, Null

Local FW shows:

S 10.200.1.0/24 [254/0] is a summary, Null

I assume from what you say that the null is because the tunnel is down so there is no "live" route to that subnet.
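The behaviour discussed in this thread (the distance-10 tunnel route disappearing from the RIB while the IPsec interface is down, leaving only the distance-254 blackhole) can be modelled with a small route-selection simulation. The following is an added example written for this thread, not FortiOS code or anything posted by the participants. The two wizard routes mirror the ones in the original post; the default route, the interface names (`vpn-to-site2`, `wan1`) and the test address `10.200.1.50` are constructed assumptions. It also goes one step beyond the thread by showing what the blackhole route is protecting against: with it removed and the tunnel down, traffic for the remote LAN would follow the default route out the WAN unencrypted.

```python
"""Simulate FortiGate-style static route selection to show why a route
lookup hits the blackhole (Null) entry while the IPsec tunnel is down.

Added example for this forum thread, not FortiOS code. The two /24 routes
mirror the VPN-wizard routes from the post; the default route, interface
names and lookup address are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class StaticRoute:
    prefix: str       # destination network in CIDR notation
    interface: str    # egress interface; "Null" marks a blackhole route
    distance: int     # administrative distance, lower is preferred


def active_routes(rib, interface_up):
    """Return the routes that would actually be installed in the RIB.

    A static route whose egress interface is down (an IPsec interface whose
    tunnel has not come up) is withdrawn. A blackhole route has no physical
    interface and therefore is always active.
    """
    return [r for r in rib
            if r.interface == "Null" or interface_up.get(r.interface, False)]


def lookup(rib, interface_up, dst):
    """Pick the best active route for dst: longest prefix match first, then
    lowest administrative distance. Returns None when nothing matches."""
    addr = ip_address(dst)
    candidates = [r for r in active_routes(rib, interface_up)
                  if addr in ip_network(r.prefix)]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ip_network(r.prefix).prefixlen, -r.distance))


def rib_lines(rib, interface_up):
    """Render the active routes roughly in the style of
    'get router info routing all' (approximation, for comparison only)."""
    lines = []
    for r in active_routes(rib, interface_up):
        how = "is a summary" if r.interface == "Null" else "is directly connected"
        lines.append(f"S {r.prefix} [{r.distance}/0] {how}, {r.interface}")
    return lines


# Site 1 (local FW) routes as described in the thread, plus an assumed default route.
SITE1_RIB = [
    StaticRoute("10.200.1.0/24", "vpn-to-site2", 10),   # wizard route 1 (tunnel)
    StaticRoute("10.200.1.0/24", "Null", 254),          # wizard route 2 (blackhole)
    StaticRoute("0.0.0.0/0", "wan1", 10),               # assumed default route
]

TUNNEL_DOWN = {"vpn-to-site2": False, "wan1": True}
TUNNEL_UP = {"vpn-to-site2": True, "wan1": True}


def route_while_tunnel_down():
    """Tunnel interface down: only the blackhole covers 10.200.1.0/24."""
    return lookup(SITE1_RIB, TUNNEL_DOWN, "10.200.1.50")


def route_while_tunnel_up():
    """Tunnel interface up: distance 10 beats distance 254 for the same prefix."""
    return lookup(SITE1_RIB, TUNNEL_UP, "10.200.1.50")


def route_without_blackhole_tunnel_down():
    """With the blackhole deleted, the remote LAN falls through to the
    default route and would leave via wan1 in the clear."""
    rib = [r for r in SITE1_RIB if r.interface != "Null"]
    return lookup(rib, TUNNEL_DOWN, "10.200.1.50")


if __name__ == "__main__":
    for label, state in (("tunnel down", TUNNEL_DOWN), ("tunnel up", TUNNEL_UP)):
        print(f"--- {label} ---")
        for line in rib_lines(SITE1_RIB, state):
            print(line)
        print("10.200.1.50 ->", lookup(SITE1_RIB, state, "10.200.1.50"))
    print("no blackhole, tunnel down ->", route_without_blackhole_tunnel_down())
```

Running it prints the RIB in both states: with the tunnel down the only entry for 10.200.1.0/24 is the `[254/0] is a summary, Null` line, matching what was posted above, and the lookup resolves to it. Once the tunnel interface is up, the distance-10 entry is installed alongside and wins. The third function is the reason the wizard adds the blackhole at all: it is a fail-closed guard so that a tunnel outage drops remote-LAN traffic instead of routing it out the WAN.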