- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: 5.4.4 Policy-based VPN FGT60E
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
5.4.4 Policy-based VPN FGT60E
Hi,
I want to configure a policy based VPN from a remote site to a central firewall. All traffic from the remote site should be tunnelled, no local internet access. To my knowledge the only reliable way to do this is with policy based VPN, and it worked perfectly in 5.2.
So i've set up the vpn tunnel and created the policy with action: IPSEC and specified the tunnel. local net 10.x.y.0/24, remote net: 0.0.0.0/0 (i want to tunnel all traffic to central site, remember?), but this breaks the fortigate's own initiated traffic, so it can't reach the vpn remote peer because it's trying to reach it over the VPN, which isn't up because it can't reach the peer... catch 22. This did not happen in 5.2.
Config below:
hostname # config vpn ipsec phase1
hostname (phase1) # show config vpn ipsec phase1 edit "vpn-something" set interface "wan1" set keylife 28800 set peertype any set proposal aes128-sha256 aes256-sha256 set remote-gw x.y.z.x set psksecret somepsk next end
hostname # config vpn ipsec phase2
hostname (phase2) # show config vpn ipsec phase2 edit "vpn-something" set phase1name "vpn-something" set proposal aes128-sha1 aes256-sha1 set keepalive enable set keylifeseconds 3600 set src-subnet 10.x.y.0 255.255.255.0 set dst-subnet 0.0.0.0 0.0.0.0 next end
config firewall policy edit 1 set name "vpn all traffic" set srcintf "internal" set dstintf "wan1" set srcaddr "object1" #10.x.y.0/24 set dstaddr "all-nets" #0.0.0.0/0.0.0.0 set action ipsec set schedule "always" set service "ALL" set logtraffic all set inbound enable set outbound enable set vpntunnel "vpn-something" next
I have an identical setup on a 60D on 5.2.something with works perfectly. Anyone else run into this problem? Any fix for it?
//Emil
Solved! Go to Solution.
1 Solution
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just create a static /32 host route to the remote VPN gateway, pointing to the WAN port. This will allow the local FGT to contact the remote peer at all times, circumventing the default route.
You should see the effect in the Routing monitor.
BTW, I wouldn't touch policy-based VPN anymore - too much going on 'behind the scene' as e.g. routing. Your scenario can easily be fitted with a regular route-based VPN. Makes debugging and scaling easier.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
7 REPLIES 7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just create a static /32 host route to the remote VPN gateway, pointing to the WAN port. This will allow the local FGT to contact the remote peer at all times, circumventing the default route.
You should see the effect in the Routing monitor.
BTW, I wouldn't touch policy-based VPN anymore - too much going on 'behind the scene' as e.g. routing. Your scenario can easily be fitted with a regular route-based VPN. Makes debugging and scaling easier.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
Thanks for your reply. I thought of the /32-route to the remote peer, in fact that is how i did this in 5.2 before I discovered that it could be done with policy-based VPN (and in 5.2 without the /32-route). That was for me ideal because that solution can cope with the FW getting a new dynamic IP/gateway on its WAN interface without anything breaking.
I suppose i will have to go this route (no pun intended), but the reason I'd rather not use this approach is that the internet connection of the branch office has a dynamic IP, and so in worst case the gateway IP might change, and if that happens i will lose the VPN + all remote access to the FW.
I really wish i could downgrade the 60E to 5.2, but afaik that's not possible.
//Emil
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Again easy to fix. Assign the remote branch WAN ip to a dynamic DNS name, then build a site-2-site VPN from dynamic host to static IP, main mode. I pay dyn.com for DNS hosting my customer's dynamic gateways as they don't do it for free anymore. But Fortinet does, at least in v5.2 and v5.4.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, I'm already using dyndns for the VPN, but that's not the issue. Issue is that if the branch FW gets a new "default gateway" on its WAN1-interface, the old /32 route for the remote VPN peer will no longer work because it's pointing at the wrong next hop IP.
So if the branch FW first gets an ip 20.20.20.20, gateway 20.20.20.1, then I would configure a route for remote vpn peer 30.30.30.30/32 with 20.20.20.1 as nexthop (i'd do this for my remote access IP-ranges as well).
Then the ISP decides to change the ip/gw on the branch office internet connection to 40.40.40.40/40.40.40.1, and all of a sudden the VPN doesn't work, and I can't access the branch FW remotely because the /32-routes i have configured for that are still pointing at 20.20.20.1. Another issue is that this branch FW might get moved to another location/internet connection where the IP/gw will definitely change, and then they have to send me the hardware or I have to drive out there to reconfigure it before it can work at the new location.
I might be nitpicking, the risk of the ISP changing both IP and gw on the internet connection are pretty slim, but in the past I used to work with Firewalls from another vendor where this kind of setup was pretty easy to accomplish.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Now things get mixed up...in your initial post you state that the VPN is between a central site and a remote site. I am assuming that the central site has a fixed public IP address, or a DDNS name. As long as this is the case you can always connect a VPN from remote to central, using a static route. OK, routes to a FQDN are new in v5.4 but maybe you do have a static IP for your central site.
Main point is that the side which changes IP frequently (daily) or with unknown public IP must initiate the VPN, and the other side is the target.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I currently have an IPSec tunnel between two DYNDNS clients and I have never had a noticeable issue. Now these are homes/residential, so the traffic load is pretty low and reliability isn't really measured when the IPs change. That being said, it can be done. For what it is worth, I have never had to manually bring the tunnel up because one of the IP addresses had changed. It's been working without issue for over three years. No ISP leases out that long, especially not FIOS.
I need to add that the IPSec tunnels are in interface mode, not policy mode. Ditch policy mode. You'll only pull out your hair and age faster trying to get that legacy system set up.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Bob - self proclaimed posting junkie!See my Fortigate related scripts
at: http://fortigate.camerabob.com
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Damn I wish we had a virtual whiteboard here so I could explain this properly. :) One more try, from the beginning:
Central site: A-FW
WAN1 static IP: 1.1.1.1
VPN: localnet 0.0.0.0/0, remote net 10.x.y.0/24, peer gw: branch.fortiddns.com
Branch site: B-FW
WAN1 dynamic IP: 3.3.3.3, gateway 3.3.3.1
VPN: localnet 10.x.y.0/24, remote net 0.0.0.0/0, peer gw: 1.1.1.1
If i set this up with interface mode VPN, no traffic will go over the VPN because remote net is 0.0.0.0/0 and the default route received by B-FW on its WAN1 interface will take precedence.
If i set it up with policy mode VPN in FortiOS 5.4.4, B-FW will ignore its default route and try to reach 1.1.1.1 over the VPN instead... Obviously that won't work.
Regardless, the fix is unchecking "receive default route from DHCP" on B-FW WAN1, and add a static route in B-FW to 1.1.1.1/32, nexthop: 3.3.3.1. And this works. No problem.
What happens next:
B-FW gets a new DHCP IP from ISP in a different subnet: 4.4.4.0/24 and the gateway in that subnet is 4.4.4.1. But B-FW doesn't get the new default route because we unchecked that option (above). B-FW still has a route for 1.1.1.1/32, but next hop is 3.3.3.1. This doesn't work because 3.3.3.1 is no longer in the same subnet as B-FW's WAN1 interface.
Now you see the problem? If this happens i have to go onsite and manually reconfigure the route in B-FW to use nexthop 4.4.4.1. Same problem will arise if the branch office is moved to another internet connection with subnet 5.5.5.0/24, B-FW WAN1 will get IP 5.5.5.5, but the configured static route for 1.1.1.1/32 is still trying to use 3.3.3.1 as next hop.
Related Posts
- Possible to restrict website access to... 235 Views
- FortiGate SSL-VPN configuration and troubleshooting 609 Views
- Ha forti FGT60e and FWF60 (7.2.3) 411 Views
- Angular v13+ application with SSL VPN 1112 Views
- Fortiview application icon no longer appears 1792 Views
Labels
-
FortiGate
6,817 -
FortiClient
1,353 -
5.2
801 -
5.4
639 -
FortiManager
585 -
FortiAnalyzer
431 -
6.0
416 -
5.6
362 -
FortiAP
352 -
FortiSwitch
348 -
FortiClient EMS
277 -
FortiMail
266 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
165 -
6.4
128 -
FortiNAC
114 -
FortiGuard
108 -
FortiSIEM
92 -
FortiGateCloud
90 -
IPsec
90 -
FortiCloud Products
85 -
FortiToken
74 -
SSL-VPN
73 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
45 -
FortiEDR
42 -
Fortivoice
41 -
SD-WAN
37 -
FortiDNS
35 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
FortiAuthenticator
24 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
LDAP
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
SSO
8 -
Application control
8 -
FortiGate v4.0 MR3
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Fabric connector
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.