Hello Dears, I want to configure a static route for the same network with two different interfaces (both of them are IPsec tunnel interfaces) as below:
Tunnel-1 is the main (Admin distance = 10 and priority 1)
Tunnel-2 is the main (Admin distance = 20 and priority 2)
The network I want to reach is 192.168.1.0/24
Bests
config router static
edit 0
set destination 192.168.1.0/24
set device "Tunnel-1"
set distance 10
next
edit 0
set destination 192.168.1.0/24
set device "Tunnel-2"
set distance 20
next
end
Hello dear, and thanks for the reply.
Is that OK? If Tunnel-1 goes down, would the device remove the static route for it?
If the tunnel is down, it is removed from the routing table, yes.
Tunnel-2 would need to be UP; otherwise, it will use the default route in case there's no other route.
In order to avoid routing private subnet towards the INET, I recommend adding a static route to Blackhole device w/ distance 254.
Protecting VPN traffic with blackhole routes has been discussed earlier in this forum:
https://community.fortinet.com/t5/Support-Forum/Re-evaluate-sessions/m-p/7866?m=120834#120872
In my post, I've provided a batch script which configures blackhole routes for all private networks.
The effect is that if traffic is routed via a VPN tunnel, and the tunnel goes down, this traffic is discarded instead of being sent out via the default route. This will prevent data leaking out the WAN interface.
Second effect: there is no session built involving this traffic and the WAN interface, so that if the tunnel comes up again, it will immediately continue to transport this traffic through the tunnel.
Helpful article: https://docs.fortinet.com/document/fortigate/7.4.0/administration-guide/432685/manual-redundant-vpn-...
There is a further option for the secondary tunnel: "set monitor <phase1-interface of primary>".
The backup VPN stays down as long as the primary one is up.
Only when the primary goes down, the backup comes up.
But it's just optional...
Also consider enabling dynamic routing protocols on these tunnels instead of the static routes - reliability of detecting a tunnel being down is higher with dynamic protocols. It is not a rare case that a VPN tunnel is seen as "up" but no traffic can actually pass inside it; a dynamic routing protocol will detect this easily, static routes not so.
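The failover and blackhole behaviour described in the replies above, as a small Python model added here (it is not code from the thread or from Fortinet). The interface name wan1, the default route and the test addresses are assumptions; priority is ignored and route selection is simplified to longest prefix, then lowest distance, among routes whose device is up.

```python
import ipaddress

# Constructed routing table mirroring the thread: two tunnel routes for
# 192.168.1.0/24 plus a default route. "wan1" and its distance are assumptions.
ROUTES = [
    ("192.168.1.0/24", "Tunnel-1", 10),
    ("192.168.1.0/24", "Tunnel-2", 20),
    ("0.0.0.0/0", "wan1", 10),
]
# The route recommended in the thread: same prefix, blackhole, distance 254.
BLACKHOLE = ("192.168.1.0/24", "blackhole", 254)


def egress(dst, routes, down=()):
    """Return the device a packet to dst leaves on (simplified model).

    Routes whose device is down are withdrawn; among the rest the longest
    prefix wins, then the lowest administrative distance.
    """
    addr = ipaddress.ip_address(dst)
    candidates = [
        (ipaddress.ip_network(prefix), dev, dist)
        for prefix, dev, dist in routes
        if dev not in down and addr in ipaddress.ip_network(prefix)
    ]
    if not candidates:
        return None
    best = min(candidates, key=lambda r: (-r[0].prefixlen, r[2]))
    return best[1]


def failover_table(routes):
    """Egress device for a host in 192.168.1.0/24 in each tunnel state."""
    states = {
        "both up": (),
        "Tunnel-1 down": ("Tunnel-1",),
        "both down": ("Tunnel-1", "Tunnel-2"),
    }
    return {s: egress("192.168.1.50", routes, down) for s, down in states.items()}


if __name__ == "__main__":
    print("without blackhole:", failover_table(ROUTES))
    print("with blackhole:   ", failover_table(ROUTES + [BLACKHOLE]))
```

Without the blackhole route the "both down" case falls through to wan1, which is the leak described above; with it, the traffic is dropped while the tunnels still win whenever either one is up.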
Hello,
You can configure the static route using the below command.
config router static
edit 1
set destination <ip address/netmask>
set device <tunnel interface>
set distance <value>
end