Support Forum
MustphaBassim
New Contributor III

Active/Standby static route

Hello Dears, I want to configure a static route for the same network with two different interfaces (both of them are IPsec tunnel interfaces) as below:

Tunnel-1 is the main (admin distance = 10 and priority 1)

Tunnel-2 is the main (admin distance = 20 and priority 2)


The network I want to reach is 192.168.1.0/24


Bests

1 Solution
funkylicious
Contributor III

config router static
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "Tunnel-1"
        set distance 10
    next
    edit 0
        set dst 192.168.1.0 255.255.255.0
        set device "Tunnel-2"
        set distance 20
    next
end

geek
7 REPLIES
MustphaBassim

Hello dear, and thanks for the reply.

Is that OK? If Tunnel-1 goes down, will the device remove the static route for it?

funkylicious

If the tunnel is down, it is removed from the routing table, yes.

Tunnel-2 would need to be UP; otherwise, it will use the default route in case there's no other route.

In order to avoid routing the private subnet towards the INET, I recommend adding a static route to the Blackhole device w/ distance 254.

geek
ede_pfau
Esteemed Contributor III

Protecting VPN traffic with blackhole routes has been discussed earlier in this forum:

https://community.fortinet.com/t5/Support-Forum/Re-evaluate-sessions/m-p/7866?m=120834#120872


In my post, I've provided a batch script which configures blackhole routes for all private networks.

The effect is that if traffic is routed via a VPN tunnel, and the tunnel goes down, this traffic is discarded instead of being sent out via the default route. This will prevent data leaking out the WAN interface.

Second effect: there is no session built involving this traffic and the WAN interface, so that if the tunnel comes up again, it will immediately continue to transport this traffic through the tunnel.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
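The failover and leak behaviour described in this reply and in funkylicious's earlier suggestion of a distance-254 blackhole route, modelled as an added Python example (not code from this thread, from Ede's batch script, or from Fortinet). It is a constructed model of how FortiOS picks among static routes (a route is installed only while its device is up; longest prefix wins, then lowest distance, then lowest priority) and renders the blackhole CLI for the RFC 1918 prefixes. The default route out `wan1`, the sample destination address and the three private prefixes are assumptions for the demonstration.

```python
"""Static-route failover and blackhole protection, modelled in Python.

Constructed model (not FortiOS code): a route is installed only if its
device is up; a blackhole route has no device and is always installed.
Among installed routes the longest prefix wins, then the lowest
administrative distance, then the lowest priority value.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# RFC 1918 private prefixes (assumed set for the blackhole routes)
RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass(frozen=True)
class StaticRoute:
    dst: str                 # destination prefix in CIDR form
    device: Optional[str]    # egress interface; None for a blackhole route
    distance: int            # administrative distance (lower is preferred)
    priority: int = 0        # tie-breaker among equal-distance routes
    blackhole: bool = False


def lookup(routes, tunnel_up, ip):
    """Return the route the model would use for `ip`, or None if none matches."""
    addr = ip_address(ip)
    candidates = [
        r for r in routes
        if addr in ip_network(r.dst)
        and (r.blackhole or tunnel_up.get(r.device, False))
    ]
    if not candidates:
        return None
    # longest prefix first, then lowest distance, then lowest priority
    return min(candidates,
               key=lambda r: (-ip_network(r.dst).prefixlen, r.distance, r.priority))


def egress(routes, tunnel_up, ip):
    """Name of the egress interface, 'blackhole', or 'no-route'."""
    r = lookup(routes, tunnel_up, ip)
    if r is None:
        return "no-route"
    return "blackhole" if r.blackhole else r.device


def blackhole_cli(prefixes=RFC1918, distance=254):
    """Render FortiOS CLI that blackholes each prefix at the given distance.

    `edit 0` lets FortiOS assign the next free sequence number; `set dst`
    takes the network address and mask."""
    lines = ["config router static"]
    for p in prefixes:
        net = ip_network(p)
        lines += ["    edit 0",
                  f"        set dst {net.network_address} {net.netmask}",
                  "        set blackhole enable",
                  f"        set distance {distance}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


# The thread's routes: Tunnel-1 preferred (distance 10), Tunnel-2 backup (20),
# plus an assumed default route out wan1 so the leak path exists.
BASE_ROUTES = [
    StaticRoute("192.168.1.0/24", "Tunnel-1", 10, priority=1),
    StaticRoute("192.168.1.0/24", "Tunnel-2", 20, priority=2),
    StaticRoute("0.0.0.0/0", "wan1", 10),
]
PROTECTED_ROUTES = BASE_ROUTES + [
    StaticRoute(p, None, 254, blackhole=True) for p in RFC1918
]


def scenario(routes, t1_up, t2_up, ip="192.168.1.10"):
    """Egress for `ip` given the up/down state of both tunnels."""
    return egress(routes, {"Tunnel-1": t1_up, "Tunnel-2": t2_up, "wan1": True}, ip)


if __name__ == "__main__":
    for name, routes in (("without blackhole", BASE_ROUTES),
                         ("with blackhole", PROTECTED_ROUTES)):
        for t1, t2 in ((True, True), (False, True), (False, False)):
            state = f"T1={'up' if t1 else 'down'} T2={'up' if t2 else 'down'}"
            print(f"{name:17} {state:14} -> {scenario(routes, t1, t2)}")
    print(blackhole_cli())
```

With both tunnels down and no blackhole route, the /24 disappears from the table and the default route carries the private traffic out `wan1`; the /16 blackhole at distance 254 is still more specific than 0.0.0.0/0, so it wins the lookup and the traffic is discarded instead, while the /24 tunnel routes remain preferred whenever a tunnel is up.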
Immu
New Contributor III

Helpful article: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/432685/manual-redundant-vpn-...


There is a further option for the secondary tunnel: "set monitor <phase1-interface of primary>".

The backup VPN stays down as long as the primary one is up.

Only when the primary goes down, the backup comes up.


But it's just optional...

Yurisk
Valued Contributor

Also consider enabling dynamic routing protocols on these tunnels instead of the static routes; the reliability of detecting a tunnel being down is higher with dynamic protocols. It is not a rare case that a VPN tunnel is seen as "up" but no traffic can actually pass inside it; a dynamic routing protocol will detect this easily, static routes not so much.

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
rtichkule
Staff

Hello,


You can configure the static route using the below command.

config router static
    edit 1
        set dst <ip address> <netmask>
        set device <tunnel interface>
        set distance <value>
    next
end
