Unlock Exclusive Benefits
Join Our Community Today!
Join our Community and post in the forum to earn your exclusive badge; celebrating 3 years of the Fortinet Community!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Default route across VPN tunnel
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Default route across VPN tunnel
We are using IPsec over a Metro Ethernet connection. This connection provides no Internet service, only service to HQ. The goal is to send all traffic across the tunnel. Now I've found a solution but I don't know why it works... One default route is created by DHCP for WAN1 and given distance 5. Still I want to use the tunnel for everything, except IPsec traffic itself obviously! Apparently I have to use the same distance for a second default route (the one across the tunnel) or everything breaks (it sends everything across the tunnel or to wan).
Additionally in order to distinguish both default routes I have: 1) dropped priority (not distance) of default route set by DHCP of wan1 to 3 (instead of 0) 2) specified a second default route 0.0.0.0/0 -> VPN_HQ (the tunnel interface) with priority 0 (hence making it the boss) The kernel routing table, and therefore also route cache now look like this: tab=254 vf=1 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=0.0.0.0 dev=34(VPN_HQ) tab=254 vf=1 scope=0 type=1 proto=11 prio=3 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.178.1 dev=5(wan1) It does what I want it to do. However I don't really understand how it knows that the outer-tunnel traffic should use wan1, while the inner-tunnel traffic uses VPN_HQ.
I would like to exclude that the fact that it is working is a bug. Or some side-effect which will make my life miserable in the future, like a ticking timebomb. In any case I haven't found any documents that would describe how to (correctly) create the setup that we desire... Any enlightenment on this matter is very welcome. Thanks, Marki
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The tunnel comes up/stays up initiated by HQ side, not from local side.
If HQ's IP is static, I would set the /32 route toward wan if no internet should go out locally.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think it's possible for HQ to bring up the tunnel in this case since there is another firewall at branch side which doesn't forward (4)500 to the Fortigate. Ports (4)500 are only forwarded on HQ side to HQ Fortigate. And in fact HQ address is supposed to be dynamic...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Port forwarding forward all traffic destined to the port(s) you specified to the local device. So all IPsec related packets HQ send to the NAT outside IP reach the local FGT.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You do not understand what I write.
Or I do not understand what I write.
There is (at least) another firewall between both Fortigate.
The one in front of the local Fortigate does NOT forward IPsec ports.
As such, HQ FGT cannot start IPsec communication.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You just didn't describe the detail for anybody to understand your set upon both ends related to the VPN. If you draw a diagram, it would tell a thousand words.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also I recommend you run sniffing on both ends with "any" for the interface then add option "4" so that you can see what interface it's coming in and going out. Then run IKE debugging to see how the IKE negotiation settles initiated by which side.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'd like to summarize my findings for anyone trying to accomplish this in the future. Apparently the requirement of having a default route across the tunnel is not a common thing... Requirements: * WAN1 using DHCP * Tunnel setup using (D)DNS * all traffic must go through the tunnel The first two requirements make your setup portable. You can move the FGT around as long as DHCP/IP service is there and you get a DNS resolution for the hardcoded name. To emphasize the last point, the requirement is to have all traffic, both locally originating (from the FGT itself) as well as the users behind the FGT, go through the tunnel. This requires a default route pointing to the tunnel interface. In a first step this will result in a setup where the kernel routing table will contain two default routes like this: # get router info kernel tab=254 vf=1 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=0.0.0.0 dev=34(VPN_HQ) tab=254 vf=1 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.178.1 dev=5(wan1) The router's routing table will contain this: # get route info routing-table detail Routing table for VRF=0 S* 0.0.0.0/0 [10/0] is directly connected, VPN_HQ [5/0] via 192.168.178.1, wan1 This won't work because by default the route learned by DHCP has a distance of 5, while the default settings of the static route you point to the tunnel will be 10. You have to manually use the same distance as the route learned from DHCP. The router's routing table will now look like this: # get route info routing-table detail Routing table for VRF=0 S* 0.0.0.0/0 [5/0] is directly connected, VPN_HQ [5/0] via 192.168.178.1, wan1 Now at least the IPsec traffic itself flows correctly because it probably is hardcoded somehow that the actual IPsec traffic is supposed to keep using the only present physical interface (wan1), even though there are two equal routes (in theory, the "directly connected" interface might even "win") As far as the rest of the traffic goes, the FGT will perform ECMP and try to distribute the flows across the two routes/links. This will end up in some connections across the tunnel working flawlessly while others just don't establish (AFAIK a hash algorithm is used to distribute the flows, like odd IP uses link1, even IP uses link2, or the like). In our case this made for example FGT's syslog daemon go to 100% CPU because that local traffic was probably hashed to be egressed through wan1 but there was no policy allowing that.
To fix that (no more ECMP) you have to change the priority (a second setting beside the distance) of the route learned from WAN1 DHCP. In that case you have to configure this in interface settings and the resulting routing table then contains: # get route info routing-table detail Routing table for VRF=0 S* 0.0.0.0/0 [5/0] is directly connected, VPN_HQ [5/0] via 192.168.178.1, wan1, [3/0] You can see the priority (here: 3) appended to the route to wan1 which makes this route LESS preferred. IPsec traffic will continue to flow undisturbed (hope this is a feature, and not a bug :) whereas all other traffic will prefer VPN_HQ. This is also reflected in the kernel routing table: # get router info kernel tab=254 vf=1 scope=0 type=1 proto=11 prio=0 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=0.0.0.0 dev=34(VPN_HQ) tab=254 vf=1 scope=0 type=1 proto=11 prio=3 0.0.0.0/0.0.0.0/0->0.0.0.0/0 pref=0.0.0.0 gwy=192.168.178.1 dev=5(wan1) Happy tunnelling.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I do topologies where I need to default all traffic to the overlay (ipsec) a lot. Other options that what you did with the priority.
- disable default gw being received from dhcp. Add a static route to the tunnel ip you are connecting so your tunnel can come up and then add the default to the tunnel.
- If you have ECMP routes to the underlay and overlay you could just enable sdwan. Then set a rule that all traffic uses the overlay.
Glad you figured it out!
James (Jim) Hilving
Consulting Systems Engineer - CSE Team
Consulting Systems Engineer - CSE Team
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
james_h wrote:Concerning alternative 1: That wouldn't work when the remote IP is not static but (D)DNS is used, so we do not know it in advance.
- disable default gw being received from dhcp. Add a static route to the tunnel ip you are connecting so your tunnel can come up and then add the default to the tunnel.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,619 -
FortiClient
1,741 -
5.2
801 -
FortiManager
720 -
5.4
639 -
FortiAnalyzer
552 -
FortiSwitch
470 -
FortiAP
464 -
FortiClient EMS
421 -
6.0
416 -
5.6
362 -
FortiMail
315 -
6.2
251 -
SSL-VPN
236 -
FortiAuthenticator v5.5
234 -
Fortiweb
205 -
IPsec
203 -
5.0
196 -
FortiNAC
186 -
FortiGuard
139 -
6.4
128 -
SD-WAN
113 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
96 -
FortiAuthenticator
95 -
FortiToken
89 -
Customer Service
79 -
Firewall policy
78 -
Wireless Controller
77 -
4.0MR3
64 -
FortiProxy
59 -
High Availability
56 -
Fortivoice
53 -
FortiADC
53 -
FortiEDR
51 -
vlan
51 -
ZTNA
48 -
FortiExtender
45 -
FortiSandbox
44 -
Routing
44 -
FortiDNS
42 -
DNS
42 -
LDAP
41 -
BGP
40 -
Authentication
37 -
SAML
36 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
NAT
34 -
Certificate
34 -
RADIUS
32 -
SSO
31 -
Interface
31 -
FortiLink
29 -
FortiConnect
28 -
FortiWAN
27 -
VDOM
27 -
Web profile
26 -
FortiConverter
25 -
Application control
25 -
FortiGate v5.2
24 -
Logging
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Virtual IP
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiMonitor
18 -
Traffic shaping
17 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
SSID
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
Automation
14 -
Static route
14 -
System settings
14 -
IP address management - IPAM
14 -
snmp
13 -
FortiCASB
12 -
Admin
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
FortiManager v4.0
10 -
IPS signature
10 -
Security profile
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiBridge
9 -
Traffic shaping policy
9 -
Proxy policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
Web rating
6 -
Fortinet Engage Partner Program
6 -
FortiGate-VM
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
Authentication rule and scheme
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
TACACS
2 -
Schedule
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1688 | |
| 1087 | |
| 752 | |
| 446 | |
| 227 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.